FCB.ai is a Meta-approved WhatsApp Tech Provider operating since 2017. We are the direct contractual party between your organisation and Meta's WhatsApp infrastructure. This document outlines our security architecture, data processing practices, and GDPR compliance posture for enterprise clients in regulated industries.

2.1Server Location

All client data is processed and stored on EU-certified servers. We do not default to US-based infrastructure for EU client deployments. Hosting partners are ISO 27001 certified. Specific infrastructure documentation is available on request.

2.2Network Security

• —TLS 1.2+ enforced on all API communications
• —WhatsApp provides end-to-end encryption at the transport layer (Signal Protocol)
• —Data at rest encrypted via AES-256
• —No employee personal device access to production data

2.3Access Controls

• —Role-based access control (RBAC) on all platform access
• —MFA enforced for all platform administrators
• —Access logs maintained and available on request
• —Principle of least privilege applied across all system roles

2.4Business Continuity

• —99.9% uptime SLA on core messaging infrastructure
• —Incident response protocols with defined RTO/RPO
• —Breach notification within 72 hours per GDPR Article 33

3.1Legal Basis for Processing

FCB.ai operates as a Data Processor under Article 28 GDPR. The Client organisation acts as Data Controller and determines the lawful basis for processing — typically explicit consent under Article 6(1)(a) for marketing communications, or legitimate interest / contract performance for service communications.

3.2Data Minimisation

Only data required for the stated processing purpose is collected and retained. Phone numbers and conversation metadata are the primary data categories processed. FCB.ai performs no behavioural profiling or cross-platform data linkage on client data.

3.3Purpose Limitation

Data collected through FCB.ai infrastructure is used solely for the stated client engagement purpose. FCB.ai does not use client conversation data for its own commercial purposes, model training, or third-party data products.

3.4Storage Limitation

Configurable data retention policies. Default: 12 months from last interaction. Custom retention windows are available per deployment. Automated deletion workflows can be configured.

4.1Opt-In Architecture

All outbound WhatsApp communications require prior explicit opt-in. FCB.ai deployments support:

• —Single opt-in: user provides number and confirms channel preference
• —Double opt-in (recommended): confirmation message sent via WhatsApp requiring active reply before any marketing messages are sent
• —Timestamped consent records stored with channel, source, and opt-in text at time of consent

4.2Opt-Out

STOP keyword handling is built into all deployments. On receipt:

• —User is immediately removed from active contact lists
• —Confirmation message sent via WhatsApp
• —CRM and connected systems updated via webhook
• —Re-opt-in requires fresh consent — no automatic re-subscription

4.3Data Subject Rights (Articles 15–22 GDPR)

• —Right of Access (Art. 15): Data export per subject on request — phone number, conversation history, consent record, timestamps.
• —Right to Erasure (Art. 17): Automated deletion across FCB.ai platform, message logs, and connected CRM integrations. Written confirmation provided.
• —Right to Portability (Art. 20): Data exportable in structured JSON/CSV format.
• —Right to Rectification (Art. 16): Supported via API or manual request.
• —Response SLA: 30 days maximum. Internal target: 10 business days.

5.1EU-US Transfers

Meta (WhatsApp's parent entity) is certified under the EU-US Data Privacy Framework (DPF), which is the current adequacy mechanism for transatlantic data transfers. The DPF was upheld following legal challenge in September 2025; an appeal by NOYB remains active. Clients should monitor DPF status as part of their own ongoing DTIA obligations.

5.2FCB.ai's Position

We do not present the DPF as a risk-free environment. Our standard recommendation for EU-regulated clients:

• —Deploy on EU-hosted infrastructure (FCB.ai default for EU client deployments)
• —Supplementary Standard Contractual Clauses (SCCs) available as belt-and-braces measure
• —Data Transfer Impact Assessment (DTIA) documentation available on request

5.3Sub-Processor List

Full sub-processor list available on request to security@fcb.ai. Primary sub-processors: Meta Platforms Ireland Ltd (WhatsApp infrastructure); EU-based cloud hosting provider (data storage and processing). The full list — including processing locations and legal transfer mechanism per sub-processor — is provided as standard in the DPA schedule.

5.4Data Responsibility Chain

The diagram below illustrates the formal contractual chain and data flow between the three parties involved in a typical FCB.ai deployment.

6.1LLM Integration Policy

FCB.ai deploys LLM capabilities (including Anthropic Claude and other models) within WhatsApp conversation flows. The following controls apply to all AI-assisted deployments:

• —Zero Data Retention (ZDR) policy available: conversation data is not stored by the LLM provider after processing
• —All LLM integrations covered under a separate DPA with the AI provider
• —No training on client conversation data without explicit written agreement
• —AI-generated responses labelled in accordance with emerging DSA obligations where applicable

6.2Prohibited AI Uses

FCB.ai does not use AI to:

• —Make automated decisions with legal or similarly significant effect on end users without human oversight
• —Build persistent user profiles beyond the stated engagement purpose
• —Conduct sentiment analysis for commercial targeting without explicit user consent

7.1Standard Agreements

Every FCB.ai client engagement includes the following instruments as standard:

• —Data Processing Agreement (DPA) per GDPR Article 28
• —Sub-processor list (schedule to DPA)
• —Security Annex (this document or equivalent for the deployment)
• —Service Level Agreement

7.2DPA Highlights

• —FCB.ai's role: Data Processor
• —Client's role: Data Controller
• —Processing purpose, legal basis, and data categories defined per deployment
• —Audit rights: Client may conduct or commission security audits with 30 days notice
• —Breach notification: FCB.ai notifies Client within 24 hours of becoming aware of a personal data breach
• —Term and termination: Data deletion or return within 30 days of contract end

7.3Governing Law

DPAs are available under: English law, French law, Luxembourgish law (Peach Bots S.A., Luxembourg), and South African law (takat.ai, Gauteng). Jurisdiction matched to client requirement.

FCB.ai has operated in regulated financial services environments since 2017. The following reference deployments are available for discussion under NDA where required.

FCB.ai is available to participate in formal vendor security assessments. We can provide the following documentation. Contact security@fcb.ai — reference "Vendor Assessment Request" in subject. Typical turnaround: 5 business days for standard documentation pack.