1. Definitions
- Controller: the Customer, who decides why and how Personal Data is processed.
- Processor: Massive SMS Inc., processing Personal Data on the Customer’s instructions.
- Subprocessor: a third party engaged by the Processor to process Personal Data.
- Personal Data: any data uploaded by Customer that identifies a natural person, including phone numbers and contact attributes.
- Data Subject: the individual to whom Personal Data relates (e.g., a Recipient).
2. Subject matter, duration, nature
- Subject matter: SMS routing, contact list management, campaign dispatch, webhook delivery, and ancillary services.
- Duration: for the term of the underlying Terms of Service, plus 30 days’ grace for export.
- Nature & purpose: providing the Service as instructed by the Controller.
- Categories of Data Subjects: Customer’s employees and contacts (the Recipients).
- Categories of Personal Data: phone numbers, names, email addresses (optional), opt-in metadata, message content authored by the Controller.
3. Controller instructions
Processor will process Personal Data only on documented instructions from Controller, as set out in the Terms, this DPA, and reasonable in-product configuration. Processor will inform Controller if an instruction infringes applicable data protection law.
4. Confidentiality
Processor ensures all personnel authorized to process Personal Data are bound by a contractual or statutory confidentiality obligation.
5. Security measures
Processor implements appropriate technical and organizational measures including: encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access controls, multi-factor authentication for production systems, audit logging, intrusion detection, regular vulnerability scans, annual penetration tests, SOC 2 Type II compliance, and a documented incident response process. A detailed description of this security posture is provided in our Security Overview.
6. Subprocessors
Customer authorizes the use of the following Subprocessors:
- Amazon Web Services (US, EU) — primary infrastructure, storage, queues.
- Vercel (US, EU, global edge) — application hosting and CDN.
- Telnyx (US, EU) — primary SMS carrier route.
- Twilio (US, EU) — failover SMS carrier route.
- Stripe, Inc. (US, EU) — payment processing under Stripe’s DPA and Standard Contractual Clauses where applicable. Stripe processes card data exclusively (PCI DSS Level 1); MassiveSMS receives only tokens. Stripe’s Subprocessors are listed at stripe.com/privacy/subprocessors.
- Resend (US) — transactional email delivery.
- PostHog (US, self-hosted EU optional) — product analytics, opt-in only.
- Datadog (US) — application monitoring and logging.
- Linear (US) — engineering ticketing (no Personal Data of Recipients).
- Notion (US) — internal documentation (no Personal Data of Recipients).
Processor will provide at least 30 days’ prior notice of any new Subprocessor by email and changelog entry. Controller may object on reasonable grounds related to data protection. If the parties cannot resolve the objection, Controller may terminate the Service for the affected scope.
7. International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) as approved by Commission Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum where applicable. The Annexes are deemed populated with the information in this DPA.
8. Data subject rights
Processor will, taking into account the nature of the processing, assist Controller through appropriate technical and organizational measures, insofar as possible, in fulfilling Controller’s obligation to respond to Data Subject requests for access, rectification, deletion, restriction, portability, and objection.
9. Personal Data breach
Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Controller’s data, including details of the nature, categories of Data Subjects affected, likely consequences, and measures taken or proposed.
10. Audits
Processor will make available all information necessary to demonstrate compliance with this DPA, including the most recent SOC 2 Type II report and ISO/IEC 27001 certification. On reasonable request, no more than once per 12 months, Processor will accommodate a written audit by an independent third-party auditor agreed by both parties, at Controller’s expense and under confidentiality.
11. Deletion or return
On termination of the Service, Processor will, at Controller’s choice, delete or return all Personal Data within 30 days, and delete existing copies, unless retention is required by law. Audit logs and opt-out records may be retained for compliance purposes.
12. Liability
Each party’s liability under this DPA is subject to the liability limits set out in the Terms. The total combined liability under the Terms and this DPA is capped at the amount stated in the Terms.
13. Order of precedence
In case of conflict, the order of precedence is: (1) the Standard Contractual Clauses, (2) this DPA, (3) the Terms of Service.
14. Contact
Data protection contact: privacy@massivesms.com.
DPA-related notices: legal@massivesms.com.
