Dedicated vs Shared WhatsApp Business API: A GDPR Comparison
Enterprise teams in regulated industries face a binary choice when adopting WhatsApp Business: a dedicated, EU-hosted instance they own, or a shared multi-tenant CPaaS where their contacts sit alongside thousands of other brands. The technical and compliance gap between the two is wider than most buyers realise.
TL;DR
- Dedicated instance: single-tenant database, EU-only data residency, controllable retention, signed DPA covering processing on infrastructure you own. Best for healthcare, finance, public sector, and any GDPR-sensitive workload.
- Shared CPaaS: fast to start, low entry cost, but contact data, message history, and consent records live in a multi-tenant store usually replicated outside the EU. Sub-processor list is long and changes without you.
Side-by-side comparison
| Dimension | Dedicated EU instance | Shared CPaaS |
|---|---|---|
| Tenancy | Single-tenant — your database, your queue, your secrets | Multi-tenant row-level isolation |
| Data residency | EU-WEST only, contractually guaranteed | US + EU replicas; sub-processors in 10+ regions |
| GDPR Article 28 | Processor contract scoped to one controller | Generic processor terms; joint-controller ambiguity |
| DSAR / Right to erasure | Hard delete with signed receipt within hours | Soft delete; backups retained 30–90 days |
| Consent ledger | Append-only audit log, exportable | Vendor-defined, often not exportable |
| Throughput | Tier dedicated to your number — no noisy neighbours | Shared rate-limit pool; throttling under peak load |
| Encryption keys | Customer-managed (CMK) option | Vendor-managed only |
| Number portability | You own the BSP relationship and the number | Number tied to vendor account |
| Audit log | Workspace-level, GDPR audit trail included | Limited to higher tiers, retention capped |
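What the "append-only, exportable" consent ledger and "hard delete with signed receipt" rows amount to in practice, as an added illustration (not Arino One's or any vendor's code): a hash-chained ledger whose export an auditor can re-verify, with erasure recorded as a tombstone plus a signed receipt. The HMAC key and the pseudonymous subject ids are constructed for the demo.

```python
import hashlib, hmac, json, time
# Constructed demo key; a real deployment keeps it in a KMS / customer-managed key.
RECEIPT_KEY = b"demo-receipt-key-not-for-production"
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
def _sign(body):
    return hmac.new(RECEIPT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained consent log; 'subject' is a pseudonymous id, never the raw number."""
    def __init__(self):
        self.entries = []  # each entry links to the hash of its predecessor

    def append(self, subject, event, channel="whatsapp", ts=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "ts": ts or int(time.time()), "subject": subject,
                "event": event, "channel": channel, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def erase(self, subject, ts=None):
        """Tombstone the subject (nothing is rewritten) and issue a signed erasure receipt."""
        tomb = self.append(subject, "erased", ts=ts)   # the contact record is hard-deleted elsewhere
        receipt = {"subject": subject, "ledger_hash": tomb["hash"], "ts": tomb["ts"]}
        receipt["sig"] = _sign(receipt)
        return receipt

    def current_consent(self, subject):
        """Latest recorded state for a subject (opt_in / opt_out / erased) or None."""
        return next((e["event"] for e in reversed(self.entries) if e["subject"] == subject), None)

    def verify(self):
        """Recompute every hash and link; False if an entry was altered, removed or reordered."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self):
        """JSON Lines dump for a DSAR bundle or an auditor (the 'exportable' property)."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

def verify_receipt(receipt):
    """Check an erasure receipt's signature with a constant-time compare."""
    body = {k: v for k, v in receipt.items() if k != "sig"}
    return hmac.compare_digest(_sign(body), receipt["sig"])
```

Whoever receives the export can run `verify()` on it independently, which is what makes the ledger defensible rather than merely "exportable".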
Why GDPR makes this a hard choice
The WhatsApp Business API is operated by Meta, but the controller obligations under GDPR sit with you. A shared CPaaS adds a layer of processing — your contacts' phone numbers, message bodies, and consent state are ingested into the vendor's global data plane before being relayed to Meta. Each replica region and each sub-processor is a new transfer to document, justify with SCCs, and disclose in your privacy notice.
A dedicated instance collapses that chain. Data lives in one EU region, the processor is one entity, and your DPA scopes the relationship to a single tenant. For Article 30 records, Article 32 security measures, and Article 35 DPIAs, the surface area is small enough to actually defend in front of a supervisory authority.
When shared CPaaS still wins
- You're sending under 10k messages a month and the contacts are not sensitive (e.g. e-commerce shipping notifications).
- You need to launch in days, not weeks, and compliance review can follow.
- You don't yet have a Meta BSP relationship and don't want to negotiate one.
When dedicated is the only viable answer
- Healthcare, banking, insurance, public sector, legal.
- Contacts include special-category data under Article 9.
- Your security team requires customer-managed keys or VPC peering.
- You've had a DSAR or a regulator request that the current vendor couldn't fulfil within the statutory deadline.
- You operate in a market (Germany, France, the Nordics) where buyers ask "where exactly does the data live?" in the first call.
How Arino One delivers this
Arino One provisions a dedicated, EU-WEST hosted instance per customer. The inbox, CDP, automations, and consent ledger all run on infrastructure you own — not a shared pool. Erasure DSARs complete in minutes with a signed receipt; the consent log is append-only and exportable; data never leaves the EU. The same product surface handles WhatsApp, SMS, voice, and 18+ other channels in one inbox, so you don't trade compliance for capability.