Watermelon is committed to the highest standards of data protection, security, and regulatory compliance. We ensure that our customers can work safely and in compliance with applicable laws and regulations, such as the GDPR, ISO 27001, and DORA.
This article provides an overview of how Watermelon handles security, privacy, and compliance for both internal and external data.
Security & Certification
Does Watermelon have an ISO 27001 certification?
All Watermelon data is hosted on Google L.L.C.’s European servers, which are ISO 27001 certified. Additionally, Watermelon is actively working towards its own ISO 27001 certification, expected to be obtained in Q2 2025. With the current certification, Watermelon already meets the international ISO 27001 standard for information security. This means that we:
- Implement strict security measures to ensure data protection.
- Conduct regular independent audits to improve our processes.
- Actively monitor and minimize cybersecurity risks.
ISO 27001 certification confirms that Watermelon provides a robust and secure platform for data management and communication.
Regulations & Compliance
Is Watermelon GDPR compliant?
Watermelon is fully compliant with the GDPR (General Data Protection Regulation) and provides customers with the tools needed to easily meet regulatory requirements. Our compliance includes:
- Privacy by Design: Our platform does not collect unnecessary personal data and offers settings for data minimization.
- Data Access & Management: Customer data can be easily accessed, managed, or deleted in accordance with the right to be forgotten.
- Sub-processors: We work with carefully selected sub-processors and provide full transparency on data processing.
More information on how Watermelon handles privacy and data management can be found here.
Is Watermelon DORA compliant?
DORA (Digital Operational Resilience Act) is a new European regulation focused on the digital resilience of financial institutions. While Watermelon is not a financial institution and is therefore not directly subject to DORA, our platform meets strict security standards, making us a reliable partner for financial institutions aiming to comply with DORA requirements.
If you are a regulated financial institution and need a DORA Addendum, you can sign it via the following link: Sign the DORA Addendum here.
A customized version of the DORA Addendum is available for our Enterprise customers. If you are interested in becoming an Enterprise customer, please contact your Customer Success Manager.
For more details about DORA and Watermelon, click here.
Data Processing
What is a Data Processing Agreement (DPA), and how does Watermelon handle it?
A Data Processing Agreement (DPA) is a legal document that sets out the terms agreed between a data processor and a data controller regarding the processing of personal data. This document is mandatory under the General Data Protection Regulation (GDPR) and ensures that personal data is processed securely and transparently.
Does Watermelon use sub-processors?
To provide our services, we work with several partners. Some of these partners store personal data. Under GDPR, these partners are classified as data processors and/or sub-processors. We have signed DPAs with our partners or have agreed to their terms to ensure that personal data is processed securely and appropriately.
Your privacy, as well as that of your customers, is central to our services. A complete list of our sub-processor locations can be found on this page.
Data Storage
Where is my data stored?
All data is stored within the EEA (European Economic Area). Watermelon's servers are located in Belgium, and a full list of our sub-processor locations can be found on this page.
Is my data encrypted?
Your data is encrypted in transit to ensure secure communication and data protection.
Who has access to my data?
To provide our services, we work with several partners, some of whom process personal data. These partners are classified as data processors or sub-processors under GDPR.
One of these processors is OpenAI. When the chatbot is active and a message is sent, OpenAI processes the data to generate a response. The data is used only to generate the chatbot's reply and is not stored long-term.
If you use Facebook, Instagram, or WhatsApp, these platforms also have access to chat interactions.
You have full control over whether Watermelon can access your account. Without this access, Watermelon cannot retrieve your data. Instructions on managing these settings can be found in this article.
Note: If you revoke Watermelon's access, it may be more difficult for our Support team to assist you with troubleshooting.
How can I exercise my ‘Right to Be Forgotten’?
Within Watermelon, you can delete end-user data yourself. Detailed steps on how to do this are outlined in this Help Center article.
If you want Watermelon to delete all of your (customer) data, please contact our Support team to discuss the available options.