Security & Privacy Policy for WhatsApp Use and Protected Data
Last updated: November 19, 2025
1. Scope
This policy applies to all staff, contractors, partners, and systems of Digital DevOps that use WhatsApp (including WhatsApp Business and API) to communicate with customers, prospects, suppliers, or users, as well as any processing of personal and sensitive data carried out through this channel.
1.1. Applicability to the multiagent_wa_chat app
This policy fully applies to the multiagent_wa_chat solution, a multi-agent WhatsApp system that enables multiple users to interact with customers via a single account/instance. The following controls apply to it:
- Role-based access control (RBAC): Least-privilege access for agents, supervisors, and admins.
- Traceability and audit: Logging of sign-ins, message send/receive, configuration changes, and exports.
- Conversation segregation: Assignment, visibility, and filtering to prevent unauthorized access to chats.
- Operational security: Session management, remote sign-out, idle lock, and anomalous-activity alerts.
- WhatsApp policy compliance: Approved templates, messaging windows, and consent requirements.
- Data protection: Encryption in transit (TLS), encryption at rest where applicable, and retention aligned to section 13.
2. Definitions
- Personal data: Information that identifies or can identify an individual.
- Sensitive data: Data whose misuse may cause discrimination or significant risk (e.g., health, biometrics, beliefs, ethnic origin).
- Processing: Any operation performed on data (collection, use, transmission, storage, deletion).
3. Legal basis and principles
Digital DevOps complies with applicable regulations, including Mexico’s LFPDPPP, and follows best practices aligned with GDPR. Core principles:
- Lawfulness, fairness, and transparency
- Purpose limitation and data minimization
- Accuracy and storage limitation
- Integrity and confidentiality
- Accountability
4. Permitted use of WhatsApp
- Authorized accounts: Only verified corporate accounts or the official WhatsApp Business API will be used for customer communications.
- Purpose: Customer care, support, operational notifications, and legitimate business purposes previously disclosed.
- Consent: Users will be informed about WhatsApp use and consent will be collected when applicable. Alternative channels will be offered.
- Sensitive messages: Avoid sending sensitive data via chat. When strictly necessary, use secure, approved portals.
- Templates: Only approved templates compliant with WhatsApp policies and this policy shall be used.
5. Data categories and minimization
We collect only the data strictly necessary for the stated purposes. Examples:
- Identification and contact: name, phone number, email.
- Business relationship data: support history, preferences, requests.
- Communication metadata: message timestamps and delivery status.
6. Information security
- Secure devices: Access through managed devices with lock, encryption, and up-to-date antivirus.
- Authentication: Enable two-step verification on WhatsApp Business accounts and restrict access by role.
- Backup and retention: Encrypted backups. Retention periods are limited to what is necessary per purpose and legal obligations.
- Logging and monitoring: Access and relevant operations are logged for audit, prevention, and incident detection.
- Alternate channels: For documents or sensitive data, use secure platforms (portals with MFA) instead of chat attachments.
7. Messaging best practices
- Do not share passwords or tokens via chat.
- Verify identity before sharing account information.
- Avoid group chats for personal data; prefer direct, recorded channels.
- Use disappearing messages only with a defined retention policy.
- Prevent phishing and social engineering: do not open unverified links or download suspicious files.
8. Data subjects’ rights
Data subjects may exercise their rights of access, rectification, erasure, and objection, as well as portability and restriction where applicable.
Requests: isaacsauri@digitaldevops.com.mx
9. Transfers and processors
We may share data with service providers acting as processors (e.g., Meta/WhatsApp and integration/API providers) under contracts with confidentiality, security, and compliance clauses. No transfers will be made without legal basis, adequate safeguards, or consent, as applicable.
10. Incident management
- Immediate internal notification to the security lead upon suspected incident.
- Containment, analysis, and documented remediation.
- Notification to authorities and data subjects when required by law.
11. Roles and responsibilities
- Management: Approve and allocate resources.
- Security/Privacy Lead: Maintain this policy, train, audit, and manage incidents.
- Staff and Providers: Comply with the policy and report deviations.
12. Training and awareness
All personnel using WhatsApp for corporate purposes must complete annual training on security and data protection.
13. Retention and deletion
Data will be retained only as long as necessary to fulfill the purpose and applicable legal obligations. Anonymization or secure deletion processes will be applied when no longer needed.
14. Changes to this policy
We may update this policy to reflect regulatory, technological, or operational changes. The current version will be published on this site with its update date.