Data Processing Agreement
This DPA forms part of the Terms of Service between ComniCube Ltd (Processor) and the Customer (Controller). It should be read alongside the Terms of Service.
Contents
1. Definitions
2. Subject matter and duration
3. Nature and purpose of processing
4. Processor obligations
5. Sub-processors
6. Security measures
7. Data subject rights
8. Breach notification
9. Deletion and return
10. Audit rights
11. Governing law

1. Definitions
“Controller” means the Customer, who determines the purposes and means of processing Personal Data.
“Processor” means ComniCube Ltd, who processes Personal Data on behalf of the Controller.
“Personal Data” means any information relating to an identified or identifiable natural person, as defined under UK GDPR.
“Processing” has the meaning given in UK GDPR Article 4.
“Sub-processor” means any third party engaged by the Processor to process Personal Data under this DPA.
“UK GDPR” means the UK General Data Protection Regulation as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
2. Subject matter and duration
This DPA governs the processing of Personal Data by ComniCube on behalf of the Customer in connection with the provision of the ComniCube messaging platform services.
This DPA remains in force for the duration of the service agreement between the parties and any period required for the deletion or return of Personal Data following termination.
3. Nature and purpose of processing
ComniCube processes Personal Data provided by the Controller for the following purposes:
- Routing and delivering messages (SMS, WhatsApp, Viber, Voice, Push, Email) to telephone numbers and email addresses provided by the Controller
- Receiving and forwarding inbound message replies to the Controller
- Generating delivery reports and message status data
- Fraud detection and platform security
Categories of Personal Data processed: telephone numbers, email addresses, message content, and delivery metadata (timestamps, status, carrier).
Categories of data subjects: the Controller’s customers, contacts, and end users whose data the Controller submits for message delivery.
4. Processor obligations
ComniCube shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law to process otherwise
- Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures (see Section 6)
- Not engage new sub-processors without prior notification to the Controller
- Assist the Controller in fulfilling data subject rights requests where technically feasible
- Delete or return all Personal Data upon termination of services
- Provide the Controller with all information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Controller provides general authorisation for ComniCube to engage sub-processors. Current sub-processors include:
AMD Telecom SA (Routee)
Role: carrier infrastructure, message routing and delivery
Location: EU / Global carrier network
Safeguard: Standard Contractual Clauses
Stripe Inc
Role: payment processing only (not engaged for message delivery)
Location: USA / EU
Safeguard: Standard Contractual Clauses
Cloud hosting provider
Role: platform infrastructure and data storage
Location: UK / EU
[Provider details: pending]
ComniCube will notify the Controller at least 14 days prior to adding new sub-processors, providing the Controller with an opportunity to object on reasonable grounds.
6. Security measures
ComniCube implements the following technical and organisational security measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls with least privilege enforcement
- Multi-factor authentication for all system access
- Regular security assessments
- Security incident monitoring and logging with 12-month retention
- Employee security training and confidentiality obligations
7. Data subject rights
ComniCube will assist the Controller in responding to data subject requests by:
- Providing tools within the platform to export or delete contact data
- Responding to written requests for data deletion from ComniCube’s own systems within 30 days
- Notifying the Controller of any data subject requests received directly by ComniCube
8. Breach notification
ComniCube will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting Controller data. Notification will include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Deletion and return
Upon termination of services, ComniCube will:
- Delete all Personal Data from live systems within 30 days of termination
- Provide the Controller with a certificate of deletion on request
- Retain data only where required by applicable law, and delete such data when the legal obligation expires
10. Audit rights
The Controller may request, no more than once per year, an audit of ComniCube’s compliance with this DPA. ComniCube will provide relevant documentation and respond to reasonable information requests within 30 days. Physical audits require 30 days’ written notice and are subject to reasonable confidentiality obligations.
11. Governing law
This DPA is governed by the laws of England and Wales and forms part of the Terms of Service between the parties.