This Data Processing Addendum ("DPA") forms part of the Master Services Agreement (the "MSA") or other principal services agreement (as applicable) between the Customer (the "Controller") and DIDWW Ireland Limited (the "Processor").
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller under the MSA.
1. Definitions
Capitalised terms not defined herein shall have the meanings assigned to them in the MSA.
1.1. "Applicable Law" means the GDPR, the UK GDPR, the Data Protection Act 2018, ePrivacy/PECR, TCPA/CTIA, the CCPA/CPRA, and any equivalent or successor data protection or electronic communications law applicable to the Processing under this DPA.
1.2. "Controller Personal Data" means any Personal Data processed by the Processor on behalf of the Controller pursuant to or in connection with the MSA. For clarity, “Controller Personal Data” includes Customer end-user data as described in the Privacy Policy Section 5.
1.3. “DPO” means the Processor’s Data Protection Officer, contactable at dpo@didww.com.
1.4. "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679). References to “GDPR” include the United Kingdom GDPR and the Data Protection Act 2018 where applicable.
1.5. "Personal Data", "Data Subject," "Processing", "Processor" and "Controller" shall have the meanings ascribed to them in the GDPR.
1.6. “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data.
1.7. "Prohibited Data" means special-category data, children’s data, or any other data specifically prohibited from being uploaded by the Controller under the terms of the Services or this DPA.
1.8. “Services” means the Messaging Platform and related communication, automation, and integration services provided by the Processor under the MSA.
1.9. "Sub-processor" means any third party appointed by the Processor to process Controller Personal Data under the MSA.
1.10. “Supervisory Authority” means the relevant data protection authority with jurisdiction over either Party.
2. Data Processing Obligations and Instructions
2.1 For the purposes of the GDPR and other Applicable Laws, the Customer acts as the Data Controller and DIDWW acts as the Data Processor when processing Controller Personal Data through the Services.
DIDWW may also process limited Personal Data as an independent Data Controller for its own operational purposes (for example, account administration, billing, compliance, and fraud prevention) as described in the Privacy Policy.
These independent processing activities fall outside the scope of this DPA.
2.2 The Controller shall:
a) Determine the purposes and means of Processing of Controller Personal Data, and warrant that such Processing has a valid lawful basis and complies with Applicable Law (including ePrivacy/PECR, TCPA/CTIA and equivalent local rules for consent/opt-out, sender ID/CLI, and marketing restrictions).
b) Provide documented, lawful instructions (including configuration choices within the Services), and acknowledge that the Processor may decline or request clarification of instructions that would breach Applicable Law or exceed the Services’ capabilities.
c) Ensure data accuracy, proportionality, and appropriate retention, supply only the data necessary for the Services, and not upload Prohibited Data.
d) Implement Controller-side controls (e.g., audience selection, suppression lists, opt-out management, sender authentication) and be responsible for the legality of message content and for its own customer communications.
e) Respond to Data Subject Requests using the available self-service features, request Processor assistance only where necessary, and bear the associated reasonable costs as set out in the MSA and this DPA.
f) Notify the Processor without undue delay of any suspected security incident, complaint, or regulatory inquiry that involves the Services and may affect Processor compliance.
g) Set or approve retention parameters within the Services consistent with Appendix 1 and its own policies.
h) Indemnify the Processor against any and all claims, fines, liabilities, and expenses arising from the Controller’s breach of this Section 2.2, including the submission of Prohibited Data or the lack of a lawful basis for Processing.
2.3 The Processor shall:
a) Process Controller Personal Data only on documented instructions from the Controller (including transfers), except where Processing is required by EU or Member State law; in such cases the Processor will inform the Controller unless prohibited.
b) Promptly inform the Controller if, in its opinion, an instruction infringes Applicable Law or the DPA.
c) Not determine purposes or means of Processing and may reject instructions that would violate law or the DPA.
d) Implement and maintain appropriate security measures as described in section 3 and Appendix 2.
e) Engage Sub-processors only under section 4 and remain fully liable for their performance.
f) Provide reasonable cooperation and make available information necessary for the Controller to verify the Processor’s compliance with this DPA, including through the audit rights set out in Section 8.3.
g) Notify the Controller without undue delay (target: within 48 hours) of any Personal Data Breach affecting Controller Personal Data and provide the information reasonably required for the Controller’s own notifications, per Section 8.2.
h) Support audits under Section 8.3 by making available reasonable information and documentation demonstrating the Processor’s compliance with this DPA and applicable data-protection obligations, prior to any on-site inspection or as otherwise agreed between the Parties.
i) Manage international transfers under Section 6, including the general authorisation for interconnection/routing necessary to provide the Services, subject to appropriate safeguards.
j) Delete or return Controller Personal Data at the end of the Services under Section 9 and provide written confirmation upon request.
k) Maintain records of processing activities relevant to its role (Art. 30(2)), and cooperate with Supervisory Authorities on reasonable request.
2.4 For the avoidance of doubt, the Controller grants a general authorisation for Processing and transfer of Controller Personal Data as technically necessary to provide, deliver, interconnect, route, and operate the Services (including via carriers, routing partners and network operators outside the EEA), subject to the safeguards in Section 6.
2.5 If any Controller instruction would breach this DPA, Applicable Law, or exceed the technical capabilities of the Services, the Processor shall promptly notify the Controller. The Processor may suspend only the affected processing until a lawful and feasible instruction is agreed. Such suspension shall not constitute a breach of this DPA.
3. Security of Processing (Art. 32 GDPR)
3.1. Both Parties shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing. Each Party is responsible for the security of the systems, credentials, and data under its control.
3.2. The Processor’s specific technical and organisational measures are described in Appendix 2 (Technical and Organisational Security Measures) and are designed to protect Controller Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures are periodically reviewed and updated to ensure ongoing effectiveness.
4. Sub-processing (Art. 28(2) & 28(4) GDPR)
4.1. The Controller grants the Processor a general written authorisation to engage Sub-processors, subject to the conditions set out in this Section 4.
4.2. A current list of authorised Sub-processors is maintained in Annex 4 (List of Sub-processors).
4.3. The Processor shall provide advance notice of any intended changes concerning Sub-processors via updates to the Sub-processor List or email notification. Continued use of the Services after such notice constitutes acceptance. The Controller may raise reasonable, data-protection-related objections in writing within a commercially reasonable time frame. The Processor shall review and respond to such objections in good faith. If the Processor reasonably determines that it cannot accommodate an objection, the Controller’s sole and exclusive remedy shall be to discontinue the affected Service. Routine updates to telecommunications carriers, routing partners, or infrastructure providers necessary for service continuity, redundancy, or delivery quality shall not constitute a material Sub-processor change requiring prior notice.
4.4. Each Sub-processor shall be bound by written contractual terms affording at least the same level of data-protection safeguards as those set out in this DPA. The Processor remains fully liable for all Sub-processors engaged.
5. Confidentiality and Personnel
5.1. Each Party shall treat as confidential all information disclosed by the other Party that is identified as confidential or would reasonably be considered confidential by its nature, including business, technical, financial, or security information, as well as any Controller Personal Data processed under this DPA (together, “Confidential Information”).
Each Party shall protect the other’s Confidential Information with the same degree of care it uses to protect its own confidential information (but not less than reasonable care) and shall not use or disclose such information except as necessary to perform its obligations under the MSA or this DPA, or as required by law.
5.2. The Processor shall ensure that all persons authorised to process Controller Personal Data are subject to an appropriate duty of confidentiality, whether by contract or statutory obligation, and receive regular data-protection and security awareness training.
5.3. Confidentiality obligations shall not apply to information that (a) is or becomes public other than through breach of this clause; (b) was lawfully obtained from a third party without restriction; or (c) is independently developed without use of the disclosing Party’s Confidential Information.
5.4. Each Party’s confidentiality obligations shall survive termination of the MSA or this DPA for a period of five (5) years, or, with respect to Controller Personal Data, for as long as such data is processed or maintained by the Party under the MSA or this DPA, until its complete and secure deletion or return pursuant to Section 9.
6. International Data Transfers (Art. 44 et seq. GDPR)
6.1. The Processor may transfer and process Controller Personal Data outside the EEA as necessary to deliver the Services, including through telecommunications carriers and infrastructure partners.
6.2. All international transfers of Controller Personal Data are carried out under the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: controller to processor), adequacy decisions, or other lawful transfer mechanisms, including the EU–US Data Privacy Framework where applicable.
6.3. The Processor will notify the Controller of any change to its transfer mechanisms that materially affects the security or privacy risk of the Processing. Routine routing or carrier adjustments are not deemed material.
6.4. Jurisdiction-specific provisions are set out in Appendix 3 (Jurisdiction-Specific Terms) and summarised in the Privacy Policy Section 6. Those provisions apply where the processing or transfer of Personal Data falls within the scope of a relevant jurisdiction (e.g., United Kingdom or Switzerland).
6.5. Upon reasonable request, the Processor shall provide summary information on applicable transfer safeguards and partner categories.
7. Liability and Indemnification
7.1. Liability. The liability of the Parties under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.
7.2. The Controller shall indemnify and hold the Processor harmless from all claims, fines, and expenses arising from the Controller’s (or its end-users’) non-compliance with the MSA, this DPA, or Applicable Law, including, but not limited to, the Controller’s failure to secure valid consent, provide accurate instructions, or in connection with the transmission of Prohibited Data.
7.3. In the event of any conflict or inconsistency between this DPA and the Terms of Service, the provisions of the DPA shall prevail solely with respect to the processing of Personal Data, while the Terms of Service shall prevail for all other matters, including liability and indemnification.
8. Assistance and Audit
8.1. The Processor shall, to the extent feasible and based on the information available to it, provide reasonable assistance to the Controller in fulfilling its obligations in respect of Data Subject rights (Articles 12–23 GDPR) and under Articles 32–36 GDPR. Such assistance shall be limited to:
a) Data-subject requests that cannot be handled through the Service’s self-service tools;
b) Personal-data-breach notifications, as set out in Section 8.2; and
c) Regulatory consultations, where required by law and directly related to the Services.
All other assistance, including participation in DPIAs or preparation of reports beyond standard documentation, shall be at the Controller’s cost and subject to mutual agreement.
8.2. The Processor shall notify the Controller without undue delay, and, where feasible, within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data, and shall provide the Controller with sufficient information to meet any obligations to report or inform Data Subjects of the breach.
8.3. Audit rights:
a) The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
b) Audit hierarchy:
(i) Primary evidence shall be the Processor’s independent third-party audit reports or certifications (e.g., ISO/IEC 27001, SOC 2 Type II, or equivalent).
(ii) If further verification is justified, the Controller may conduct a remote review or written questionnaire.
(iii) On-site audits may occur no more than once per twelve (12) months, upon thirty (30) days’ prior written notice, during normal business hours, and at the Controller’s expense, unless the Processor is confirmed to be in material breach of this DPA or an on-site audit is mandated by a Supervisory Authority.
c) Any auditor engaged by the Controller shall be independent, bound by confidentiality, and approved in advance by the Processor (not to be unreasonably withheld).
d) Findings and remediation: The Parties shall discuss findings in good faith and agree on reasonable remediation steps where applicable.
9. Deletion or Return of Data
9.1. Upon termination or expiry of the MSA, the Processor shall, within thirty (30) days, at the choice of the Controller, delete or return all Controller Personal Data and delete existing copies, unless European Union or Member State law requires retention.
9.2. The Processor may retain Controller Personal Data in system backups for up to ninety (90) days after deletion solely for disaster-recovery purposes; such data shall remain protected and automatically overwritten in accordance with standard retention cycles.
9.3. Telecommunications records and routing or billing logs may be retained by the Processor solely in its capacity as an independent Controller, as described in the Privacy Policy Section 4 (Service Usage).
9.4. Upon written request, the Processor shall confirm deletion consistent with Section 7 of the Privacy Policy.
Appendix 1: Details of Processing
A. Subject Matter of Processing: Controller Personal Data contained within the Customer's contact lists, message content, and engagement data, processed for the purpose of enabling the Customer's multi-channel communications, email marketing automation, and service delivery via the Messaging Platform.
B. Duration of Processing: For the term of the Master Services Agreement (MSA), unless earlier deletion is requested by the Controller.
C. Nature and Purpose of Processing: The provision, delivery, routing, interconnection, transmission, storage (temporary), logging, contact management, template storage, campaign execution (including automations and triggered events), delivery-status reporting, analytics and performance tracking, billing, fraud prevention, network and service integrity, troubleshooting, and compliance with telecom regulations.
D. Categories of Data Subjects: End users / message recipients (individuals receiving communications sent by the Controller) and, where applicable, the Controller’s personnel authorised to use the Services.
E. Categories of Controller Personal Data:
1. Contact Information: names, surnames, phone numbers, email addresses, and other custom attributes uploaded by the Controller.
2. Customer Content: text, attachments, templates, and associated metadata.
3. Engagement Data: delivery and open statistics, clicks, bounces, unsubscribes.
4. Routing and Diagnostic Data: timestamps, originating and destination numbers, IP addresses, trunk destinations, carrier identifiers, and technical signalling data required for message delivery and interconnection.
F. Retention Policy (Campaign Data):
Message Content and Campaign Data: retained for a maximum of one hundred eighty (180) days after delivery, then securely deleted or anonymised.
Contact Lists: retained for the duration of the Controller’s account and deleted or returned within thirty (30) days after account termination.
Telecommunications Records: retained for the period required by law (typically 6 to 24 months) and processed by the Processor as an independent Controller.
G. Sub-processors: See the current Sub-processor List in Annex 4 (List of Sub-processors).
Appendix 2: Technical and Organisational Security measures
This Appendix details the security commitments and measures implemented by DIDWW Ireland Limited (the Processor) in accordance with Section 3 of the Data Processing Addendum (DPA).
DIDWW maintains security controls consistent with ISO/IEC 27001:2022 or equivalent recognised standards, ensuring confidentiality, integrity, availability, and resilience of the Services.
Key control domains include: access management, encryption, network security, data segregation, business continuity, incident management, and personnel awareness.
Detailed policies and control procedures are reviewed at least annually within the ISMS framework and are available to Customers under NDA upon reasonable request.
1. Access Control and Authentication
User Identification: Unique User IDs are enforced for all systems processing Controller Personal Data.
Authentication: Multi-Factor Authentication (MFA) is mandatory for all administrative and production access points. Strong password policies are enforced.
Internal Access Control: Role-Based Access Control is strictly enforced to limit access to Controller Personal Data based on the principle of least privilege (need-to-know basis). Access is automatically revoked upon termination of employment or change of role.
Customer Access Control: The Services include customer-level access controls, enabling customers to manage User roles and permissions within their accounts.
2. Physical Security
The Services are hosted across DIDWW’s own geographically distributed infrastructure facilities. Each facility is protected by documented physical and environmental security controls, including restricted access, 24/7 monitoring, intrusion detection, and redundancy safeguards consistent with ISO/IEC 27001. Access to these facilities is limited to authorised personnel only, based on role and operational necessity.
3. Data Integrity and Confidentiality
Encryption in Transit: All data transfer between the customer, end-users, and the Messaging Platform is secured using cryptographic protocols (TLS 1.2 or higher).
Encryption at Rest: Controller Personal Data stored in production databases and storage repositories is protected using AES-256 encryption.
Data Separation: Customer data is logically segregated within the platform's multi-tenant environment to ensure tenant isolation.
Data Minimisation: Production environments are isolated from development and testing environments, and Controller Personal Data is not used in non-production environments.
4. Availability, Resilience, and Disaster Recovery
Redundancy: Services are deployed across multiple availability zones to ensure high availability and resilience against single points of failure.
Backup and Recovery: Regular automated backups of production data are performed, securely stored, and regularly tested to ensure reliable recovery.
Disaster Recovery: A documented Business Continuity and Disaster Recovery Plan is in place and periodically tested.
5. Security Monitoring and Auditing
Event Logging: Comprehensive logging and monitoring of all systems are maintained.
Threat Detection: Security Information and Event Management (SIEM) systems are used for continuous monitoring, alerting, and rapid response to security threats.
Vulnerability Management: Proactive vulnerability scanning and risk assessments are conducted on a regular basis.
Security Testing: Annual penetration tests are conducted by independent third-party security firms, and findings are prioritised and remediated based on risk.
Personnel Security: All personnel are required to undergo security awareness and confidentiality training annually.
The Processor may update these technical and organisational measures from time to time to maintain or enhance their effectiveness; such updates shall not materially reduce the overall level of security.
6. Supplier and Change Management
The Processor maintains a formal supplier-risk-management and change-control process within its ISMS. Sub-processors are evaluated for security and data-protection compliance prior to onboarding and monitored thereafter. All significant system or infrastructure changes follow documented change-control procedures, including testing and approval.
Appendix 3: Jurisdiction-Specific Terms
A. United Kingdom (UK GDPR)
References to the GDPR include the UK GDPR and the Data Protection Act 2018.
The UK Addendum to the EU Standard Contractual Clauses applies to transfers of Personal Data from the United Kingdom.
B. Switzerland (FADP)
References to the GDPR shall be interpreted consistently with the Swiss Federal Act on Data Protection (FADP).
References to the EU or Member States shall include Switzerland where contextually required.
The EU Standard Contractual Clauses, as adapted for Switzerland, apply to cross-border transfers.