Data Protection Agreement (DPA)

Last updated: 12 June 2026

This Data Protection Agreement forms part of the Terms & Conditions between SlimHippo (Partnership Firm) (“Processor”, “we”) and the customer (“Controller”, “you”) and governs our processing of personal data on your behalf when you use SlimHippo.

1. Roles

You are the data fiduciary/controller of personal data contained in your WhatsApp conversations and contact lists. We act as a data processor, processing that data only to provide the Service. Meta Platforms acts as a separate processor/controller per its own terms.

2. Scope of processing

Subject matter: operation of WhatsApp Business messaging via Meta's Cloud API.
Categories of data: phone numbers, names, message content, delivery metadata, WABA identifiers and access tokens.
Data subjects: your customers and staff who message via your WABA.
Duration: the term of your subscription plus the retention window in our Privacy Policy.

3. Our obligations

Process personal data only on your documented instructions (using the Service constitutes such instructions).
Ensure staff with access are bound by confidentiality.
Apply appropriate technical and organisational measures: TLS in transit, server-side token storage, bcrypt-hashed credentials, least-privilege access, isolated container infrastructure and firewalled databases.
Notify you without undue delay (and within 72 hours) after becoming aware of a personal data breach affecting your data.
Assist you, where reasonable, in fulfilling data-subject requests (access, correction, erasure).
Delete or return your personal data on termination of the Service, within 30 days.

4. Sub-processors

You authorise the following sub-processors. We will give notice before adding new ones:

Meta Platforms, Inc. — WhatsApp Business Platform message transport.
E2E Networks Ltd. (India) — cloud infrastructure hosting.

5. International transfers

Our servers are located in India. Message transport via Meta may involve transfers to Meta's global infrastructure under Meta's own compliance mechanisms.

6. Audits

Upon reasonable written notice (max once per year), we will make available information necessary to demonstrate compliance with this DPA.

7. Liability & order of precedence

Liability under this DPA is subject to the limitations in the Terms. If this DPA conflicts with the Terms, this DPA prevails for data-protection matters.

8. Contact

Data protection contact: admin@slimhippo.in · SlimHippo (Partnership Firm), Bengaluru, Karnataka, India