Data Processing Addendum
Last updated · May 2026
This is a template provided for convenience and does not constitute legal advice. Have it reviewed by qualified counsel before relying on it.
This Data Processing Addendum (“DPA”) forms part of the agreement between Konfirm, Inc. (“Konfirm”, the “Processor”) and the merchant (“Customer”, the “Controller”) for the use of the Konfirm platform. It governs the processing of personal data the Customer submits through the Service.
Roles of the parties
For end-customer personal data, the Customer is the controller and Konfirm is the processor, processing such data only on the Customer's documented instructions — including those given through the product's configuration.
Subject matter & duration
The subject matter is the provision of WhatsApp order-confirmation services. Processing lasts for the term of the agreement and any limited wind-down period thereafter.
Nature & purpose of processing
We process personal data to send transactional order confirmations, classify replies, update order tags, enforce sending limits and opt-outs, maintain audit logs, and provide support.
Categories of data & data subjects
- Data subjects: the Customer's end customers and authorized account users.
- Personal data: names, phone numbers, order details, message content, delivery and read receipts, and reply classifications.
Our obligations as processor
- Process personal data only on the Customer's documented instructions.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Customer with data-subject requests and security obligations.
- Maintain logical isolation between tenants so data is never co-mingled.
- Make available information necessary to demonstrate compliance.
Sub-processors
The Customer authorizes Konfirm to engage sub-processors for hosting, messaging infrastructure, payment processing, email delivery, and analytics. We impose data-protection terms on each sub-processor no less protective than this DPA and remain responsible for their performance. We will give notice of new sub-processors and a reasonable opportunity to object.
Security measures
Measures include encryption in transit, access controls and least-privilege access, per-organization data isolation, audit logging of automated actions, and monitoring. A summary of measures is available on request.
International transfers
Where personal data is transferred across borders, the parties rely on standard contractual clauses or an equivalent lawful transfer mechanism.
Personal data breach
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide information reasonably needed to meet the Customer's notification obligations.
Return & deletion
On termination, the Customer may export its data within a limited window, after which Konfirm will delete or anonymize personal data except where retention is required by law.
Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and, subject to confidentiality and reasonable notice, allow for audits conducted by the Customer or an independent auditor.
Contact
To execute this DPA or ask questions, email support@konfirm.app or use our contact page. See also our Privacy Policy.