Data Processing Agreement
Effective: March 22, 2026 · Last Updated: March 22, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Bestia Technologies Inc. ("Processor", "Bestia", "we") and the organisation or individual using WhatsDone ("Controller", "you") for the processing of personal data in connection with the WhatsDone service.
This DPA supplements our Terms of Service and Privacy Policy, and is designed to meet the requirements of UK GDPR Article 28, EU GDPR Article 28, and applicable data protection legislation.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Bestia on behalf of the Controller in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-Processor" means a third party engaged by Bestia to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Roles
- The Controller determines the purposes and means of the processing of Personal Data; by using the WhatsDone service, the Controller instructs the Processor to carry out that processing.
- The Processor (Bestia) processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions (as set out in this DPA and the Terms of Service).
- The categories of Personal Data processed include: email content, calendar data, contact information, account information, usage data, and feedback data.
- The categories of Data Subjects include: the Controller's employees, contractors, customers, and other individuals whose data appears in the Controller's email and calendar.
3. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data and has provided all necessary notices and obtained all necessary consents
- Ensure that its instructions to the Processor comply with applicable data protection laws
- Be responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor
- Inform the Processor without undue delay if it becomes aware of any Data Breach or security incident affecting the Personal Data
4. Processor Obligations
The Processor shall:
- Process only on instructions: Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law (in which case, the Processor shall inform the Controller before processing, unless prohibited by law)
- Confidentiality: Ensure that all persons authorised to process Personal Data are bound by confidentiality obligations
- Security: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in our Security Practices document
- Sub-processing: Not engage a Sub-Processor without the prior written authorisation of the Controller, which the Controller gives on a general basis subject to the notice and objection conditions in Section 6
- Assistance: Assist the Controller in responding to Data Subject requests and in meeting its obligations under Articles 32-36 of the UK GDPR and EU GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation with the supervisory authority)
- Deletion: Upon termination of the Service, delete or return all Personal Data to the Controller and delete existing copies, unless required by law to retain them
- Audit: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections
5. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Access controls based on the principle of least privilege
- No standing access to customer data for Bestia personnel
- Multi-factor authentication for all production systems
- Regular security assessments and dependency auditing
- Immutable audit logging for all data access
- Automated backup with encryption and geographic redundancy
- Incident detection, containment, and response procedures
Full details are described in our Security Practices & Architecture document.
6. Sub-Processors
The Controller grants general authorisation for the Processor to engage Sub-Processors, subject to the following conditions:
- The Processor shall provide at least 30 days' advance notice before adding or replacing a Sub-Processor
- The Controller may object to a new Sub-Processor by notifying the Processor within 14 days of receiving notice. If the objection cannot be resolved, the Controller may terminate the agreement
- The Processor shall impose equivalent data protection obligations on each Sub-Processor by way of a written agreement
- The Processor remains fully liable for the performance of its Sub-Processors
The current list of Sub-Processors is available at Sub-Processor List.
7. Data Breach Notification
- The Processor shall notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of a Data Breach affecting the Controller's Personal Data
- The notification shall include: a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach
- The Processor shall cooperate with the Controller in investigating and remediating the breach and in meeting notification obligations to supervisory authorities and Data Subjects
- The Processor shall document all Data Breaches, including their effects and the remedial action taken
8. International Data Transfers
Where Personal Data is transferred outside the UK or EEA:
- The Processor shall ensure that appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs)
- The Processor shall conduct Transfer Impact Assessments where required
- The Processor shall implement supplementary technical and organisational measures as necessary to ensure an essentially equivalent level of protection
9. Data Subject Requests
- The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under applicable data protection law
- The Processor shall assist the Controller in fulfilling Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection
- The Processor shall not respond directly to Data Subject requests unless instructed to do so by the Controller or required by law
10. Audit Rights
- The Controller may audit the Processor's compliance with this DPA up to once per year, with at least 30 days' written notice
- Audits shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably interfere with the Processor's operations
- The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2), or detailed questionnaire responses
- If an audit reveals non-compliance, the Processor shall remediate the issues within a reasonable timeframe and bear the cost of any follow-up audit
11. Term and Termination
- This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller
- Upon termination of the Service agreement, the Processor shall delete all Personal Data within 30 days (primary data) and 90 days (backups), unless retention is required by applicable law
- The Controller may request return of Personal Data in a structured, machine-readable format (JSON or CSV) before deletion
- The obligations in this DPA shall survive termination to the extent necessary to protect Personal Data
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party limits its liability for breaches of data protection obligations arising from its own wilful misconduct or gross negligence.
13. Governing Law
This DPA is governed by the laws of the State of California, United States, except that data protection obligations are governed by the applicable data protection law of the relevant jurisdiction (UK GDPR, EU GDPR, or other applicable legislation).
14. Contact
- DPA enquiries: legal@bestia.ai
- Privacy enquiries: privacy@bestia.ai
- Postal: Bestia Technologies Inc., 1600 Rosecrans Ave, Bldg 7, Manhattan Beach, CA 90266