DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service and Master Service Agreement ("Agreement") between Exsile Digital Ltd., operating under the brand SMS Leads ("Processor", "We", "Us", or "SMS Leads"), and the client utilizing SMS Leads' messaging and API services ("Controller", "Customer", or "You").
By utilizing SMS Leads' services, the Customer accepts and agrees to the terms of this DPA.
1. Definitions
- "Data Protection Laws" refers to all applicable privacy and data protection regulations, including the Israeli Privacy Protection Law (1981) and the EU General Data Protection Regulation (GDPR) 2016/679, where applicable.
- "Personal Data" means any information relating to an identified or identifiable natural person (such as contact names and phone numbers) that is uploaded, stored, or processed on the Processor’s infrastructure by the Customer.
- "Controller" is the Customer, who determines the purposes and means of the processing of Personal Data.
- "Processor" is SMS Leads, providing the platform and API infrastructure for message routing.
2. Scope and Nature of Processing
2.1. Passive Infrastructure Role: SMS Leads provides a platform for message routing and API connectivity. SMS Leads acts solely as a passive conduit for the storage and automated processing of data. We do not monitor, access, mine, or monetize the Personal Data (contact lists) uploaded to our servers by the Customer.
2.2. Processing Activities: Processing is limited exclusively to the storage of contact lists, the technical processing of outgoing messages (SMS), and technical logs necessary to deliver the services requested by the Customer.
2.3. Prohibition of Sensitive Data: The Customer is strictly prohibited from storing highly sensitive data on SMS Leads infrastructure, including but not limited to full credit card numbers (PCI data), protected health information (PHI), or special categories of data under Article 9 of the GDPR.
3. Obligations of the Controller (Customer)
3.1. Lawful Basis and Consent: The Customer bears full and sole responsibility for establishing a lawful basis for data collection. The Customer must ensure that all Personal Data collected and contacted via SMS Leads has been collected legally, with appropriate end-user consent and compliance with anti-spam regulations (including Section 30A of the Israeli Communications Law).
3.2. Account Security: The Customer is completely responsible for the security of their account access, including maintaining secure passwords and protecting API keys from unauthorized access.
4. Obligations of the Processor (SMS Leads)
4.1. Confidentiality: SMS Leads ensures that any personnel authorized to manage the platform are bound by strict obligations of confidentiality.
4.2. Security Measures: SMS Leads shall implement and maintain appropriate technical and organizational measures to protect the platform infrastructure against unauthorized access and hardware failures.
4.3. Data Subject Requests: SMS Leads shall not respond directly to Data Subject Requests (e.g., right to be forgotten). The Customer has full administrative access to their account to fulfill these requests independently. If a request is made directly to SMS Leads, we will forward it to the Customer.
5. Personal Data Breach Management
5.1. Notification: In the event of a confirmed security breach originating at the infrastructure level managed by SMS Leads that compromises Customer Personal Data, SMS Leads will notify the Customer without undue delay.
5.2. Exclusion: SMS Leads is not responsible for, and will not generate breach notifications for, security incidents resulting from Customer negligence, compromised Customer passwords, or third-party breaches.
6. Sub-processing
6.1. The Customer provides general authorization for SMS Leads to engage third-party sub-processors (e.g., SMS network gateways, telecommunication carriers) to facilitate the services.
6.2. SMS Leads ensures that any sub-processor engaged is subject to data protection obligations that are substantially similar to those contained in this DPA.
7. Data Deletion and Return
7.1. Upon termination or cancellation of the services, SMS Leads will permanently delete all Customer Personal Data and contact lists associated with the account from its active databases. The Customer is responsible for exporting any required data prior to account cancellation.
8. Governing Law and Jurisdiction
8.1. This DPA shall be governed by and construed in accordance with the laws of the State of Israel.
8.2. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts in Tel Aviv-Jaffa, Israel.