Skip to main content
📋 Legal - DPA

Data Processing Agreement

Our Data Processing Agreement governs how GoUltra processes personal data on behalf of customers under GDPR Article 28 and equivalent laws.

Last updated: April 27, 2026

Data Processing Agreement (DPA)

Last Updated: April 27, 2026 Effective Date: April 27, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between GoUltra Systems LLC ("GoUltra," "Processor") and the customer identified in the GoUltra account ("Customer," "Controller") for the use of the GoUltra Service (the "Agreement"). This DPA reflects the parties' obligations under applicable data protection laws when GoUltra processes personal data on Customer's behalf.

By using the GoUltra Service, Customer accepts this DPA.

1. Definitions

Terms used in this DPA have the meanings given to them in:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The Israeli Privacy Protection Law, 5741-1981 and its regulations ("Israeli Law")
  • The Saudi Personal Data Protection Law issued by Royal Decree No. M/19 ("PDPL")
  • The UAE Federal Decree-Law No. 45 of 2021 ("UAE Law")

For this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by GoUltra on Customer's behalf
  • "Data Subject" means the natural person to whom Personal Data relates (typically Customer's End-users)
  • "Processing" has the meaning given by GDPR Article 4(2)
  • "Sub-processor" means any third party engaged by GoUltra to process Personal Data on Customer's behalf

2. Roles of the Parties

For the purposes of this DPA:

  • Customer is the Controller of Personal Data they upload to the Service (typically End-user phone numbers, message content, contact information)
  • GoUltra is the Processor, processing Personal Data only on documented instructions from Customer
  • Sub-processors engaged by GoUltra are Sub-processors of Customer

For Personal Data of Customer's own employees, account administrators, and billing contacts, GoUltra acts as a Controller and processes such data under our Privacy Policy.

3. Subject Matter and Duration

3.1 Subject matter

GoUltra processes Personal Data to provide the Service, which includes:

  • WhatsApp message delivery via Meta's Cloud API
  • Two-way Google Calendar synchronization
  • AI-powered chat agent (where enabled)
  • Team inbox and customer relationship management
  • Campaign management and message templates
  • Analytics and reporting

3.2 Duration

This DPA applies for the duration of the Agreement and during any post-termination period when GoUltra retains Personal Data (see Section 9).

4. Categories of Data Subjects and Personal Data

4.1 Categories of Data Subjects

  • Customer's end-users, customers, patients, clients, contacts (collectively, "End-users")
  • Customer's team members and administrators

4.2 Categories of Personal Data

  • Identifiers: phone numbers, names, email addresses
  • Communication content: WhatsApp messages, message templates, conversation history
  • Calendar data: appointment titles, descriptions, start/end times (only when Google Calendar is connected)
  • Customer-attributed metadata: tags, notes, custom fields, contact properties added by Customer
  • Technical data: delivery status, read receipts, timestamps, IP addresses where applicable

4.3 Special categories

GoUltra is not designed for processing special categories of Personal Data (health data, religious beliefs, biometric data, etc.) under GDPR Article 9 or equivalent local provisions.

If Customer's use case requires processing special categories (e.g., medical clinics sending health-related reminders), Customer is responsible for:

  • Obtaining the lawful basis for such processing under their applicable law
  • Implementing additional safeguards as required
  • Ensuring End-user consent meets the elevated standard (e.g., GDPR Article 9(2)(a))

5. GoUltra's Obligations as Processor

GoUltra agrees to:

5.1 Process only on documented instructions

Process Personal Data only on Customer's documented instructions, including with regard to international transfers, except where required by law (we will inform Customer of any such legal requirement before processing, unless prohibited by law).

5.2 Confidentiality

Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.

5.3 Security measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit: TLS 1.2/1.3
  • Encryption at rest: AES-256
  • Access controls: Role-based access control (RBAC), principle of least privilege
  • Logging and monitoring: audit logs for security-relevant events
  • Vulnerability management: regular scanning and patching
  • Incident response: documented procedures and 24/7 on-call coverage
  • Backup and recovery: encrypted backups with tested restoration procedures
  • Sub-processor security: due diligence and contractual obligations

5.4 Sub-processor management

  • Maintain a current list of Sub-processors at goultra.ai/sub-processors
  • Notify Customer at least 30 days before adding or replacing a Sub-processor (Customer may object on reasonable grounds within 14 days)
  • Impose data protection obligations on Sub-processors substantially equivalent to those in this DPA
  • Remain liable for Sub-processor performance under this DPA

5.5 Assistance with Data Subject rights

Provide reasonable assistance to Customer in responding to Data Subject requests for access, rectification, deletion, restriction, portability, or objection. We provide self-service tools in the Customer dashboard and direct support upon request.

5.6 Assistance with security and DPIAs

Provide reasonable assistance to Customer with:

  • Personal data breach notifications (Section 7)
  • Data Protection Impact Assessments (DPIAs) where required
  • Prior consultations with supervisory authorities

5.7 Audit rights

Once per year, upon at least 30 days' written notice, Customer (or an independent third-party auditor bound by confidentiality) may audit GoUltra's compliance with this DPA. Audits will be conducted during business hours and not unreasonably interfere with GoUltra's operations. We may provide standardized audit reports (e.g., SOC 2) in lieu of on-site audits where appropriate.

5.8 Return or deletion

At the end of the Agreement, at Customer's choice, GoUltra will delete or return all Personal Data, unless retention is required by law. Deletion timelines are described in Section 9.

6. Sub-processors

6.1 Current Sub-processors

Sub-processor Purpose Location Transfer mechanism
Meta Platforms, Inc. WhatsApp message delivery USA Standard Contractual Clauses
Google LLC Calendar sync (only if connected) USA Standard Contractual Clauses
Stripe, Inc. Payment processing USA Standard Contractual Clauses
Cloudflare, Inc. Hosting, CDN, security USA / Global Standard Contractual Clauses
Amazon Web Services Database hosting USA / EU Standard Contractual Clauses

6.2 General authorization

Customer grants general authorization for GoUltra to engage Sub-processors, subject to:

  • Notice obligations in Section 5.4
  • Equivalent contractual protections imposed on Sub-processors
  • Customer's right to object on reasonable grounds

6.3 Customer's objection right

If Customer objects to a new Sub-processor on reasonable grounds, the parties will work in good faith to resolve. If unresolved, Customer may terminate the Agreement and obtain a pro-rated refund of prepaid fees.

7. Personal Data Breaches

GoUltra will notify Customer without undue delay (and no later than 72 hours) after becoming aware of a Personal Data breach affecting Customer's Personal Data. The notification will include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects and records affected
  • Likely consequences
  • Measures taken or proposed to address and mitigate the breach
  • Contact information for further information

GoUltra will assist Customer in notifying supervisory authorities and affected Data Subjects where required by applicable law.

8. International Data Transfers

8.1 Transfer mechanisms

GoUltra may transfer Personal Data outside the EEA, UK, Israel, or other jurisdictions to the United States and other countries where Sub-processors operate. For such transfers:

  • From EEA/UK: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), incorporated by reference into this DPA
  • From Israel: we comply with the Israeli Privacy Protection Regulations (Transfer of Information Abroad), 5761-2001
  • From Saudi Arabia: we comply with the SDAIA Regulation on Personal Data Transfer Outside the Kingdom
  • From UAE: we comply with the UAE Data Office requirements

8.2 Supplementary measures

We apply technical safeguards including encryption in transit and at rest, access controls, and contractual commitments to challenge unlawful government access requests.

8.3 SCC modules

Where SCCs apply, the following modules are deemed incorporated:

  • Module Two (Controller to Processor) for transfers from Customer to GoUltra
  • Module Three (Processor to Sub-processor) for transfers from GoUltra to Sub-processors

9. Return and Deletion of Personal Data

9.1 During the Agreement

Customer can request deletion of specific Personal Data at any time through the Service interface or by contacting support@goultra.ai.

9.2 After termination

Within 30 days of termination, GoUltra will:

  • Delete all Personal Data from active production systems
  • Revoke API tokens and integration credentials
  • Purge Personal Data from backups within 90 days

9.3 Retention exceptions

We may retain certain data where required by law:

  • Billing records: 7 years (US tax law)
  • Audit logs of security incidents: until matter resolved
  • Aggregated, anonymized data: indefinitely (cannot be linked to individuals)
  • Records required by Meta's WhatsApp Business Platform agreement

9.4 Certificate of deletion

Upon written request, GoUltra will provide written confirmation of deletion.

10. Liability

The liability of each party under this DPA is subject to the limitations set out in the Agreement, except where applicable law (including GDPR Article 82) requires otherwise.

11. Amendments

GoUltra may amend this DPA from time to time to reflect changes in applicable law or processing activities. Material changes will be communicated to Customer at least 30 days in advance.

12. Conflict

In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters.

13. Governing Law

This DPA is governed by the law specified in the Agreement. For Personal Data of EU/EEA Data Subjects, the laws of the EU member state where the Data Subject resides apply with respect to data protection rights.

14. Contact

For DPA-related inquiries:

  • Email: privacy@goultra.ai
  • Postal mail:

GoUltra Systems LLC Privacy Department 312 W 2nd St 2692 Casper, WY 82601, USA

Annex 1: Standard Contractual Clauses (Reference)

Where SCCs apply to international transfers, the parties incorporate by reference:

  • EU SCCs (European Commission Implementing Decision (EU) 2021/914 of 4 June 2021): Modules Two and Three
  • UK Addendum to the EU SCCs (issued by the ICO under Section 119A of the Data Protection Act 2018), where transfers originate from the UK
  • Swiss-specific provisions as required by the Swiss Federal Data Protection Act, where transfers originate from Switzerland

The full text of the SCCs is available at the European Commission's website.

For specific Annex details (parties, transfer details, technical and organizational measures), please contact privacy@goultra.ai.

This DPA is provided in English, Hebrew, and Arabic. In the event of any inconsistency, the English version controls for legal interpretation, except where local law requires otherwise.