Your organization usually determines the reporting purpose and governance model
In most deployments, the customer remains the controller for reports collected through its configured channel.
Trust Center
DPA review for controller, processor, and data-handling roles
Privacy, legal, and procurement teams can use this page to understand how Whispr is typically positioned in a DPA discussion, what the review normally covers, and where the signed document remains authoritative.
A concrete basis for privacy review alongside security, subprocessors, and retention
The DPA conversation should cover roles, subprocessors, security measures, deletion expectations, and operational support boundaries.
Use this page with the rest of the trust center
Security, subprocessors, retention, privacy, and signed commercial documents should all be reviewed together.
Controller and processor roles depend on the deployment and contract
For standard Whispr deployments, the customer organization generally determines the purpose of the channel, the users who can access it, and the internal policy for handling reports. BackPR generally acts as a processor or service provider for the hosted platform functions.
- The customer configures workflow, roles, scope, and retention expectations.
- BackPR provides the hosted software, infrastructure, and supporting service operations.
- Signed enterprise agreements or negotiated terms should prevail if they define roles differently.
The DPA discussion should stay practical and specific
A useful DPA review normally covers the categories of personal data handled in the product, the processing purpose tied to the service, the current processor stack, security measures, support boundaries, and offboarding expectations.
- Data categories collected through the configured reporting flow
- Subprocessors and infrastructure providers in current use
- Security and confidentiality controls relevant to the hosted service
- Deletion, export, retention, and legal-hold expectations
- Cross-border transfer language if applicable to the deployment
Trust materials should align with the live stack
The current stack uses Cloudflare for hosted infrastructure and Resend for transactional email, with Stripe relevant only when billing features are used. The DPA packet should reflect that live stack rather than older references.
DPA review should happen during procurement, onboarding, or privacy diligence
If your organization needs a DPA, the appropriate path is to request it directly during commercial or privacy review. That ensures the document version, deployment facts, and any negotiated language are all aligned with the actual deal.
Contact: Use privacy@backpr.com or BackPR contact to request the current DPA package.
The signed DPA remains the controlling document
Whispr does not promise fixed turnaround times, universal negotiation rights, or country-specific transfer mechanics on this page. Those terms belong in the actual DPA and the related commercial paperwork.