Data Processing Agreement
Last updated: October 24, 2023
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CloudySMS ("Processor") and the Customer ("Controller").
1. Subject Matter
This DPA applies to the processing of Personal Data by CloudySMS on behalf of the Customer in the course of providing the WhatsApp Marketing Platform services (the "Services").
2. Processing of Personal Data
2.1 Instructions: CloudySMS shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law.
2.2 Nature and Purpose: The processing activities include storage, retrieval, transmission, and deletion of data necessary to send WhatsApp messages and manage marketing campaigns.
2.3 Categories of Data Subjects: Customers, prospects, employees, and other end-users of the Controller.
3. Security Measures
CloudySMS implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control (RBAC) for internal staff.
- Regular vulnerability assessments and penetration testing.
- Physical security measures for data centers (via our cloud providers).
4. Sub-processors
The Controller grants general authorization to CloudySMS to engage sub-processors. Our current critical sub-processors include:
| Name | Service | Location |
|---|---|---|
| Google Cloud Platform | Hosting & Database | USA / EU / India |
| Meta Platforms, Inc. | WhatsApp Business API | USA |
| Razorpay / PayPal | Payment Processing | India / USA |
5. Data Subject Rights
CloudySMS shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR (e.g., right to access, rectification, erasure).
6. Data Breach Notification
CloudySMS shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. The notification will describe the nature of the breach, the likely consequences, and the measures taken to address it.
7. Termination and Deletion
Upon termination of the Services, CloudySMS shall, at the choice of the Controller, delete or return all the Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.
Need a signed copy?
Enterprise customers can request a countersigned version of this DPA for their compliance records.