Data Processing Agreement May 2023
This Data Processing Agreement applies to you if you signed up for MessageBird’s Services (including through any of its Affiliates) before, on, or after 3 May, 2023. Our archived Data Processing Agreement is available here.
This Data Processing Agreement, including the appendices, (“DPA”) forms part of the Agreement between MessageBird and Customer for the purchase of (online) communication services from MessageBird to reflect the Parties’ agreement with regard to the processing of Customer Personal Data. In this DPA, the terms “you”, “your”, or “Customer” refer to you (subject to Section 1.2 below), and the terms “we”, “us,” “our” or “MessageBird” refer to us. Capitalised terms used in this DPA but not defined below are defined in the MessageBird General Terms and Conditions or other Agreement with us governing your use of the Services.
The parties agree that this DPA will replace any existing data protection addendum or similar agreement the parties may have previously entered into in connection with the Services.
1. Scope, Customer Affiliates and Term
1.1 Scope. This DPA governs processing of Customer Personal Data by MessageBird as a processor.
1.2 Customer Affiliates. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Affiliates (as defined in the Terms), if and to the extent you provide such Affiliates with access to the Services and we process Customer Personal Data for which such Affiliates qualify as the data controller (“Customer Affiliates”). For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer” and “you” shall include Customer and Customer Affiliates.
2. Definitions
“Account Data” is any Personal Data provided by or for you to MessageBird in connection with the entering into and administration of the Agreement and of your account, including but not limited to contact information, billing details and correspondence about the entering into and administration of the Agreement and the related Services.
“CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
“Customer Data” means any data and other information or content submitted by you or for you (or by a user of your Customer Application) under the Agreement and processed or stored by the Services.
“Customer Personal Data” means Personal Data contained in Customer Data processed by MessageBird as a processor, unless otherwise specified in this DPA.
“Data Protection Laws” means all laws and regulations of any jurisdiction applicable to the confidentiality, privacy, security, or processing of Personal Data under the Agreement, including, for example and where applicable, the GDPR or the CCPA.
“EEA” means, for the purposes of this DPA, the European Economic Area and Switzerland.
“GDPR” means either (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation); or (ii) solely with respect to the United Kingdom, the Data Protection Act 2018.
“MessageBird” means the MessageBird Entity which is a party to this DPA, being the contracting entity listed in Section 15 in the General Terms and Conditions (Contracting Entity), unless otherwise stated on your Order Form. You or MessageBird may also be referred to individually as a “Party” and together as “Parties” in this DPA.
“Personal Data” means any information relating to a directly or indirectly identified or identifiable natural person, whether by itself or in combination with other information.
“Personal Data Breach” means any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to Customer Personal Data and any other similar term under applicable Data Protection Laws such as “Security Breach.”
“Services” means all products and services provided by us or our Affiliates that are (a) ordered by you under any Order Form; or (b) used by you.
“Standard Contractual Clauses” means Controller to Processor (Module Two) or Processor to Processor (Module Three), as applicable, of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means a third party entity that processes Customer Personal Data on behalf of the MessageBird entity acting as a data processor or a Sub-processor.
“UK Standard Contractual Clauses” means any or all of the following: (i) international data transfer agreement issued by the UK Information Commissioner under section 119A of the DPA 2018; (ii) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner under section 119A of the DPA 2018; or (iii) such standard contractual provisions issued by the UK Information Commissioner or European Commission as may replace these from time to time.
Terms such as “processing”, “data controller”, “data processor”, “data subject”, etc. shall have the meaning assigned to them under the GDPR. The definition of “data controller” includes “business”, “consumer”, “controller”, and “organisation”; “data processor” includes “service provider”, “processor”, and “data intermediary”; “data subject” includes “consumer”, and “individual”; and “Personal Data” includes “personal information”, in each case as defined under the CCPA and other applicable Data Protection Laws. The terms “business purpose”, “commercial purpose”, “sell,” and “share” shall have the same meaning as in the applicable Data Protection Laws and, in each case, their cognate terms shall be construed accordingly.
3. Processing of Customer Personal Data
3.1 Purposes. We will process Customer Personal Data only to the extent necessary (i) to provide the Services, including transmission of communication, ensuring the security of the services, providing technical and delivery reports, providing support and developing and implementing improvements and updates in accordance with your documented instructions to us as a data processor as specified in Section 3.2 of this DPA, (ii) for our legitimate business purposes as specified in Section 3.4 of this DPA as a data controller, and (iii) as otherwise required under applicable law.
3.2 Customer Instructions. The Agreement and this DPA constitute your complete instructions to us as a data processor at the time of signature of this DPA. We will comply with other reasonably documented instructions provided that those instructions are consistent with the terms of the Agreement.
3.3 Details of Processing. Annex I, Part B (Description of transfer) of Appendix I to this DPA specifies the nature and purpose of the processing by us as a data processor or Sub-processor, the processing activities, the duration of the processing, the types of Personal Data, and the categories of data subjects.
3.4 Legitimate Business Purposes. You acknowledge that we process Customer Personal Data as an independent data controller to the extent necessary for the following legitimate business purposes: billing, account management, financial and internal reporting, combatting and preventing security threats, cyber attacks, and cybercrime that may affect you, us or our services, business modelling (e.g. forecasting, capacity and revenue planning, and product strategy), fraud, spam, and abuse prevention and detection, improvement of products or services in the MessageBird suite, and to comply with our legal obligations.
4. Customer Obligations
4.1 Lawfulness. Where you act as a data controller of Customer Personal Data, you guarantee that all processing activities are lawful, have a specific purpose, and any required notices and consents or other appropriate legal basis are in place to enable lawful transfer of the Customer Personal Data. If you are a data processor (in which case we will act as a Sub-processor), you will ensure that the relevant data controller guarantees that the conditions listed in this Section 4.1 are met.
4.2 Compliance. You are solely responsible for (a) ensuring that you comply with the Data Protection Laws applicable to your use of the Services and to your own processing of Customer Personal Data, (b) making an independent assessment whether the technical and organisational measures of the Services meet your requirements, and (c) implementing and maintaining privacy and security measures for components that you provide or control (including but not limited to passwords, devices used with the Services and Customer Applications).
5. Security
5.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data from Personal Data Breaches and to preserve the security, integrity, availability, resiliency and confidentiality of the Customer Data our systems use for processing Customer Personal Data. The security measures applied by us are described in Appendix II.
5.2 Updates to Security Measures. You are responsible for reviewing the information made available by us relating to Customer Personal Data security and making an independent assessment as to whether such information meets your requirements and legal obligations under Data Protection Laws. You acknowledge that the security measures are subject to technical progress and development, and that we may update or modify our security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Customer Personal Data.
5.3 Access Controls. We apply the principles of “need to know” and “least privilege” ensuring that access to Customer Personal Data is limited to those Personnel required for the provisioning of the Services and in line with the Agreement, including this DPA.
5.4 Confidentiality of Processing. We will ensure that any person or party who is authorised by us to process Customer Personal Data (including our personnel, agents and Sub-processors) is informed of the confidential nature of such Customer Personal Data and will be under an appropriate obligation of confidentiality (whether a contractual or statutory duty) that survives termination of their engagement.
5.5 Personal Data Breach Response and Notification. Upon becoming aware of a Personal Data Breach, we will without undue delay (i) notify you, (ii) investigate the Personal Data Breach, (iii) provide timely information relating to the Personal Data Breach as it becomes known or as it is reasonably requested by you, and (iv) take commercially reasonable steps to mitigate the effects and prevent recurrence of the Personal Data Breach.
6. Assistance
6.1 Data Protection Assistance. We shall provide you with reasonably requested assistance in order to allow you to comply with your obligations under the Data Protection Laws, including the notification of a Personal Data Breach, assessing the appropriate level of security of processing, and assisting you with the performance of a relevant data protection impact assessment.
6.2 Assistance with Rights of Data Subjects. We will provide you with reasonable assistance in order to allow you to comply with your obligations to data subjects who exercise their rights under the Data Protection Laws by making available technical and organisational measures via your account. For the avoidance of doubt, you as the data controller are responsible for processing any request or complaint from data subjects with respect to the Customer Personal Data of a data subject.
7. Disclosure and Disclosure Requests
7.1 Limitations on Disclosure and Access. We will not provide access to or disclose Customer Personal Data except (i) as directed by you, (ii) as set out in the Agreement and this DPA, or (iii) as required by law.
7.2 Disclosure Requests. We will notify you as soon as reasonably possible if we receive a request from a governmental or regulatory body to disclose Customer Personal Data, unless such notice is prohibited by law. We will handle disclosure requests in accordance with the disclosure request policy available at https://bird.com/legal/disclosure-requests.
8. Sub-processors
8.1 List of Current Sub-processors. You agree to the engagement of the Sub-processors listed at MessageBird's overview of Processors and Subprocessors under the header “End User Personal Data”, which contains a procedure for you to subscribe to notifications of changes to our use of Sub-processors. If you subscribe to such notifications, and taking into account Section 8.3 of this DPA, we will share details of any change in Sub-processors as soon as reasonably possible.
8.2 Appointment of Sub-processors. By means of this DPA, you provide a general written authorization to us to engage Sub-processors for the processing of Customer Personal Data, subject to Section 8.3 of this DPA and the following requirements:
We will restrict access to Customer Personal Data by Sub-processors to what is strictly necessary to provide the services specified in the sub-processor agreement;
We will agree upon data protection obligations with the Sub-processor that are substantially the same as the obligations under this DPA; and
We remain liable to you under this DPA for the performance of the data protection obligations of the Sub-processor.
9. Cross Border Transfers of Customer Personal Data
9.1 Transfers of Customer Personal Data. We may transfer Customer Personal Data on the condition that all appropriate safeguards required by Data Protection Laws are in place. This may include a prior data transfer impact assessment, the adoption, monitoring and evaluation of supplementary technical, organisational and legal measures, enforceable data subject rights, and that effective legal remedies for data subjects are available.
9.2 Sub-processor Standard Contractual Clauses. Unless an adequacy decision or alternative transfer mechanism applies, we have entered into and shall maintain Standard Contractual Clauses with Sub-processors (including our Affiliates) located outside the EEA, subject to the terms set out in Section 9.1 of this DPA.
9.3 Transfer Mechanisms for Customer Personal Data Transfers. To the extent your use of the Services requires a cross border data transfer mechanism to lawfully export Customer Personal Data from a jurisdiction (e.g. the EEA, California, Singapore, Switzerland, or the United Kingdom) to us located outside of that jurisdiction this section will apply. If, in the performance of the Services, Customer Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies to this DPA is transferred to MessageBird located in countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the Data Protection Laws.
9.3.1 The parties agree that the Standard Contractual Clauses will apply to Customer Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to a MessageBird entity located in a country outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data.
9.3.1.1 When you are acting as a data controller and MessageBird is a data processor the EU Controller-to-Processor (Module Two) of the Standard Contractual Clauses will apply to any such transfer of Customer Personal Data from the EEA. When you are acting as a data processor and MessageBird is a sub-processor the Processor-to-Processor (Module Three) of the Standard Contractual Clauses will apply to any such transfer of Customer Personal Data from the EEA.
9.3.1.2 MessageBird will be deemed the data importer and you will be deemed the data exporter under the Standard Contractual Clauses. Each party’s signing of this DPA will be treated as signing of the applicable Standard Contractual Clauses, which will be deemed incorporated into this DPA. Details required under Annex 1 and Annex 2 to the Standard Contractual Clauses are available in Appendix I and Appendix II to this DPA. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail solely with respect to a transfer of Customer Personal Data from the EEA.
9.3.1.3 Where the Standard Contractual Clauses require the parties to choose between optional clauses and to input information, the parties have done so as set out below:
i. The Optional Clause 7 “Docking clause” shall not be adopted.
ii. For Clause 9 “Use of sub-processors”, the parties elect the following option: “Option 2 General written authorisation: the data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 business days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).”
iii. For Clause 11 (a) “Redress”, the parties do not adopt the Option.
iv. For Clause 17 “Governing law”, the parties elect the following option: “Option 1. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands.”
v. For Clause 18 (b) “Choice of Forum and Jurisdiction”: “The Parties agree that those shall be the courts of the Netherlands.”
9.3.2 The parties agree that the UK Standard Contractual Clauses will apply to Customer Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to a MessageBird entity located in a country outside the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data.
10. Audit
10.1 Audit Report. Our communication platform shall be regularly audited against the ISO 27001:2013 standard (or equivalent). The audit may, in our sole discretion, be an internal audit, or an audit performed by a third party. Upon written request, we will provide you with a summary of the audit report(s) (“Audit Report”), so that you can verify our compliance with the audit standards and this DPA. Such Audit Reports, as well as any conclusions or findings specified therein, are our Confidential Information.
10.2 Customer information requests. We will make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. We will provide written responses to reasonable requests for information made by you, including responses to information security and audit questionnaires that are reasonable in scope and necessary to confirm compliance with this DPA, provided that you (i) have first made a reasonable effort to obtain the requested information from the Documentation, Audit Reports and other information provided or made public by us, and (ii) will not exercise this right more than once per year, unless a Personal Data Breach or significant change in our processing activities in relation to the Services requires that an additional questionnaire is executed. All responses provided are our Confidential Information.
10.3 Customer Audit. If an Audit Report provided by us to you gives you substantiated reasons to believe that we are in breach of our obligations under this DPA, related to the Customer Personal Data provided by you, we will allow an independent and qualified third party auditor appointed by you and approved by us, to audit the relevant applicable Personal Data processing activities, provided that to the greatest extent permitted under applicable law, the following requirements are met:
You shall give us at least sixty (60) days reasonable advance notice before exercising the right to audit;
The auditor agrees to market standard confidentiality obligations with us;
You and the auditor take measures to minimise disruption to our business operations;
The audit will be carried out during regular business hours;
We shall not be obliged to provide access to customer data of other customers or systems not involved in the provision of the Services; and
You shall pay for all costs of the audit.
11. Deletion and Return of Customer Personal Data
Upon termination or expiration of the Agreement, we will (at your election) delete or return to you all Customer Personal Data (including copies) in our possession or control, save that this requirement will not apply to the extent we are required by law to retain some or all of the Customer Personal Data. If you instruct us to delete Customer Personal Data, Customer Personal Data archived on our back up systems will be protected from further processing, and deleted when the required retention period has passed.
12. Customer Affiliate Communication and Rights
The entering into this DPA in the name and on behalf of a Customer Affiliate as set out in Section 1.2 constitutes a separate DPA between us and that Customer Affiliate, subject to the following:
12.1 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with us under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Customer Affiliates.
12.2 Rights of Customer Affiliates. Where a Customer Affiliate becomes a party to the DPA with us, it shall to the extent required under Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
(i) Unless Data Protection Laws require the Customer Affiliate to exercise a right or seek a remedy under this DPA against MessageBird directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Customer Affiliate individually but in a combined manner for itself and all of its Customer Affiliates together.
(ii) The parties agree that the Customer that is the contracting party to the Agreement shall, when an on-site audit of the procedures relevant to the protection of Customer Personal Data is being carried out on its behalf as set forth in Section 10.3 of this DPA, take all reasonable measures to limit any impact on us by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Customer Affiliates in one single audit.
For clarity, a Customer Affiliate does not become a contracting party to the Agreement.
13. California Consumer Privacy Act
To the extent it is applicable, we make the following additional commitments to you with respect to processing of Customer Personal Data within the scope of the CCPA.
13.1 Our Obligations Under U.S. Data Protection Laws. The terms “business purpose,” “commercial purpose,” “consumer,” “sell,” and “share” as used in this Section 13.1 have the meanings given to them in the CCPA. Insofar as applicable, we shall comply with the CCPA and treat all Customer Personal Data subject to the CCPA and other applicable U.S. Data Protection Laws (“U.S. Personal Data”) in accordance with the provisions of the CCPA and other U.S. Data Protection Laws. With respect to U.S. Personal Data, we are a service provider under the CCPA and a data processor under other U.S. Data Protection Laws. We shall not sell U.S. Personal Data. We shall not retain, use or disclose any U.S. Personal Data (i) for any purpose other than the business purposes specified in the Agreement (including retaining, using or disclosing U.S. Personal Data for a commercial purpose other than the business purpose specified in the Agreement or as otherwise permitted by the CCPA or applicable laws); or (ii) outside the direct business relationship with you and us.
13.2 Customer Obligations. You represent and warrant that you have provided notice to the End-User that the Personal Data is being used or shared in accordance with applicable Data Protection Laws. You are responsible for compliance with the requirements of the Data Protection Laws to the extent applicable to you as a data controller.
14. Governing Law and Dispute Resolution
Any dispute, claim, or controversy (“Disputes”) arising out of or related to this DPA shall be governed by and construed in accordance with the laws of the Netherlands. Each Party agrees that the competent courts of Amsterdam will have exclusive jurisdiction to settle any Disputes arising out of or related to this DPA.