RippleCom processes (Art. 4(8) AVG) on behalf of its customer named in the Cooperation Agreement the personal data (Art. 4(1) AVG) necessary for the use of the RippleCom platform, the WhatsApp Team Inbox.
Processing takes place exclusively for:
RippleCom does not process data for its own purposes or purposes for third parties.
Processing via the RippleCom platform is limited to functional service and transaction messages directly related to an existing (treatment) relationship or service agreement between the customer and the data subject (such as appointment confirmations, reminders and practical information).
Marketing and bulk messages are only allowed if (i) customer demonstrates compliance with Telecommunications Act and AVG, (ii) parties document this in writing, and (iii) RippleCom has explicitly activated this functionality.
The processing operations may involve personal data such as but not limited to phone number, name, gender, region (location), job title, sex, age.
The stakeholders consist of prospects, interactions, conversations and relationships of the customer.
The processing of personal data as mentioned takes place within the European Union with development in the Netherlands and hosting in Germany (Frankfurt am Main) and sub-processor Meta Platforms Ireland Ltd (Ireland).
RippleCom retains the data processed via the platform for 12 to 24 months as standard, unless other periods are expressly agreed in this agreement:
After these deadlines, the data will be automatically deleted or anonymised.
If the customer demonstrates that shorter or longer retention periods are necessary on the grounds of:
then a different retention period may be agreed in writing.
As the controller, the client bears full responsibility for:
RippleCom only facilitates the technical possibility of shorter or longer retention periods upon the customer's written instruction. RippleCom is not responsible for the legality of shorter or longer retention periods instructed by the customer.
Meta Platforms Ireland Ltd's retention period (maximum 30 days) is a fixed condition of the WhatsApp Cloud API and cannot be extended or shortened. The customer acknowledges and accepts this technical limitation.
RippleCom uses Dutch telephony infrastructure on behalf of Speakup BV in Enschede and Meta Platforms Ireland Ltd (the owner and provider of WhatsApp and the WhatsApp Cloud API) as processor of WhatsApp traffic within the EU. RippleCom has conducted a Transfer Impact Assessment (see DPIA). Customer declares that it has taken note of this and agrees.
No other sub-processors or gateways will be used without the prior written consent of the customer.
RippleCom has taken appropriate technical and organisational measures to keep the data as secure as possible.
The following measures, among others, were applied for this purpose:
RippleCom ensures that its staff handles all personal data confidentially.
As a data controller, the client is primarily responsible for dealing with data subjects' requests based on art. 15-22 AVG.
If a data subject requests the customer for access, correction, deletion, objection or data portability regarding their own personal data, this will be communicated by the customer to RippleCom in writing and ad hoc.
RippleCom will ensure that the request is processed within five working days and will inform its customer to take care of the processing to data subject.
RippleCom reserves the right to charge additional fees for handling these issues.
RippleCom implements a technical blockade by which SMS / WhatsApp messages bearing the text “STOP” (or an equivalent agreed by the parties) will be flagged and blocked from future transmission via the platform as soon as possible and without unreasonable delay.
RippleCom processes STOP messages in principle within 15 minutes after receipt, except that short-term disruptions or maintenance may cause longer processing time.
The platform supports automatic processing of STOP messages:
Note: STOP functionality applies to marketing/bulk messages. Individual service messages that are necessary for contract performance (e.g. confirmation of appointments that the person concerned has scheduled himself) can continue.
The customer remains responsible for updating its own source systems and contact records and for fully effecting the right of objection of data subjects in its own processes. RippleCom is not responsible for messages sent by or on behalf of the customer outside the platform.
In the event of a possible data breach or violation of AVG/privacy legislation, RippleCom shall notify the customer in writing without delay and in any case no later than 24 hours after discovery.
The notification shall include at least and not limited to the nature of the incident, the nature of the personal data involved, the possible consequences and the measures taken.
Upon discovery of a potential data breach, RippleCom will notify the customer as follows:
The customer is the owner of the data at all times and responsible for any notifications to the Personal Data Authority and data subjects (within 72 hours of customer becoming aware of the data breach). Assessment of whether notification to data subjects is necessary (without delay if high risk to rights and freedoms) Content and timing of these notifications.
RippleCom provides reasonable assistance in gathering information for AP notification (within 48 hours of customer request), answering follow-up questions from AP (to the extent related to RippleCom's processing) and preparing communications to data subjects (template + advice).
RippleCom may charge a reasonable fee for this in accordance with the rates in the agreement, failing which €150 per hour excluding VAT, unless the data breach is demonstrably caused by RippleCom.
If a data leak occurs at Speakup BV, Meta Platforms Ireland Ltd or in the infrastructure, and this leak is not the result of a failure of RippleCom, the following applies:
The choice of Meta as a sub-processor is based on the fact that Meta is the owner and sole provider of the WhatsApp Cloud API and there is no alternative provider for business WhatsApp messaging. Meta complies with ISO 27001/27018 certification and has entered into SCCs for data transfer. Meta is subject to DSA/DMA oversight.
By signing this agreement, customer acknowledges that the use of Meta as a sub-processor involves an inherent risk, and customer accepts this risk.
AP Customer shall indemnify RippleCom against any fines, penalties and claims imposed by the Personal Data Authority or other regulators arising from data breaches at Meta (not caused by RippleCom), Customer's failure to report data breaches in a timely manner and/or correct or incomplete information in Customer's data breach notification.
Violation of AVG obligations by customer (e.g. lack of legal basis, no DPIA carried out, insufficient information to data subjects) RippleCom is indemnified for.
This indemnification shall not apply if the data breach results directly from an attributable failure in the security measures taken by RippleCom as described in section 4.
Customer is responsible for complying with Meta's guidelines on the use of WhatsApp and the WhatsApp Cloud API, including:
Prohibited uses include:
Any claims, fines, penalties or restrictions imposed by Meta on Customer or RippleCom as a result of Customer's actions are entirely at Customer's expense and risk.
Customer shall indemnify RippleCom for all losses incurred by RippleCom due to Customer's breach of Meta Guidelines, including but not limited to:
RippleCom reserves the right to immediately suspend use of the platform if there is reasonable doubt about compliance with Meta guidelines, without liability for the consequences thereof.
RippleCom treats all personal data strictly confidential and does not share it with third parties, unless the legal obligation or necessity allows it for the execution of the cooperation agreement.
Upon termination of the cooperation, RippleCom will delete or anonymise all personal data within 30 days unless legal retention obligations stipulate otherwise.
The processor agreement runs concurrently with the cooperation agreement between the parties. If the cooperation agreement ends, this agreement also ends automatically.
RippleCom shall be liable for damage directly resulting from an attributable failure to perform this processor agreement if such damage is demonstrably caused by RippleCom.
Any liability of RippleCom shall be limited to the amount paid in compensation for the relevant month for the use of the platform and may, at most, be increased by a maximum of three monthly amounts, unless there is intent or deliberate recklessness on the part of RippleCom.
Customer shall include RippleCom in the processing register referred to in Art. 30(2) AVG with the following information:
Processor: | RippleCom BV Binnenhavenstraat 91, 7553 GH Hengelo |
Processor contact: | J.M.M. Klieverik | 0850602509 | joost@ripplecom.eu |
Categories of processing: | sending WhatsApp messages for appointment confirmations, facilitating telephony (voice and SMS messages) |
Categories of personal data: | name, phone number, appointment details (date/time/location) |
Category receivers: | Meta Platforms Ireland Ltd (sub-processor WhatsApp Cloud API) Speakup BV (telephony and SMS sub-processor) |
Transfer outside EU: | No (hosting in EU), except limited metadata to US under SCCs |
Security: | see DPIA |
RippleCom keeps a register of all categories of processing carried out on behalf of customers, in accordance with Art. 30(2) AVG. Upon request by customer (or the AP), RippleCom shall provide a copy of the relevant register information within 10 working days
Upon first request, both parties shall provide each other with information necessary to demonstrate compliance with Art. 30 AVG, e.g. for the purpose of internal audits, Privacy impact assessments, AP inspections and/or ISO 27001 / NEN7510 certification.
This processing agreement is governed by Dutch law. Any disputes will be dealt with by the court in Overijssel.
