1. Parties
Controller: you, the NusaBook account holder (the business operator).
Processor: NusaBook, processing personal data on the Controller's behalf in connection with the Service described in our Terms of Service.
2. Subject matter
NusaBook processes personal data of the Controller's customers (the Data Subjects) for the purpose of operating the WhatsApp booking flow the Controller has configured: receiving inbound messages, generating AI replies, creating bookings, and storing conversation history.
3. Duration
Processing continues for as long as the Controller's NusaBook account is active, plus the retention windows in the Privacy Policy.
4. Categories of personal data
- Phone numbers (E.164 format).
- WhatsApp display names (where the Data Subject has set one).
- Detected language preference.
- Message content exchanged with the Controller's business.
- Booking details (service, date, time, name).
We do not process special categories of personal data (Article 9 GDPR) unless the Controller chooses to enter them.
5. Categories of data subjects
Individuals who contact the Controller's business via WhatsApp and, through that flow, become customers or prospective customers.
6. Processor obligations
NusaBook will:
- Process personal data only on documented instructions from the Controller (as configured in the dashboard).
- Ensure persons authorised to process the data are bound by confidentiality.
- Apply appropriate technical and organisational measures (Section 9).
- Assist the Controller in responding to Data Subject rights requests (Section 8).
- Notify the Controller of any personal data breach affecting their tenant within 72 hours of confirming the incident.
- Delete or return personal data on termination of the agreement, except where retention is required by law (see Section 7 of the Privacy Policy).
- Make available all information necessary to demonstrate compliance with this DPA and allow audits as reasonably requested.
7. Sub-processors
The Controller authorises NusaBook to engage the sub-processors listed in Section 8 of the Privacy Policy (Supabase, Vercel, Anthropic, Twilio, Stripe). NusaBook will give at least 30 days' prior notice (via email and dashboard announcement) before engaging any new sub-processor.
8. Data Subject rights
The Controller is responsible for responding to Data Subject rights requests (access, deletion, etc.). NusaBook provides tools in the dashboard to:
- Export a customer's data (their messages, bookings, profile).
- Delete a customer record and associated history.
- Suppress a phone number from future processing.
If you receive a rights request you cannot fulfil through the dashboard, contact hello@nusabook.com and we will respond within 5 business days.
9. Security measures
NusaBook applies (at minimum):
- TLS 1.2+ for all data in transit.
- Encryption at rest for database and backups (AES-256 via Supabase).
- Row-level security policies isolating each tenant's data.
- Service-role credentials stored in encrypted environment variables, never in code.
- Principle-of-least-privilege staff access and audit logging.
- Regular dependency updates and vulnerability monitoring.
10. International transfers
Some sub-processors are located outside the EEA/UK. NusaBook relies on the European Commission's Standard Contractual Clauses (2021/914) for transfers to non-adequate jurisdictions. Copies are available on request.
11. Liability
Each party's liability under this DPA is subject to the limits set out in the Terms of Service.
12. Term and termination
This DPA continues as long as NusaBook processes personal data on the Controller's behalf. It survives termination of the main agreement to the extent necessary for NusaBook to comply with deletion or return obligations.
13. Contact
DPA-specific questions: hello@nusabook.com (subject line "DPA").