Data Processing Agreement

Last updated: 2026-05-07

1. Scope and definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Touchly and the customer ("Customer") and applies whenever Touchly processes personal data on Customer's behalf. Capitalized terms not defined here have the meaning given in the Terms or in the GDPR.

"Customer Personal Data" means personal data within Customer Content that Touchly processes as a processor on behalf of Customer.

2. Roles

Customer is the controller and Touchly is the processor of Customer Personal Data. Each party will comply with its obligations under applicable data protection law (including the GDPR, UK GDPR and Brazil's LGPD).

3. Subject-matter, duration and purpose

Touchly processes Customer Personal Data for the purpose of providing the Service for the duration of the subscription term and any wind-down period.

4. Categories of data subjects and personal data

Data subjects: Customer's end-customers and contacts. Personal data: identifiers (phone, email, name), contact attributes and segmentation tags, message content and metadata, opt-in/opt-out state.

5. Customer instructions

Touchly will process Customer Personal Data only on documented instructions from Customer, including those given via the Service's user interface and APIs, and as necessary to comply with applicable law.

6. Confidentiality

Personnel authorized to process Customer Personal Data are bound by confidentiality obligations and trained on data protection.

7. Security

Touchly implements technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, secret rotation, audit logging, security testing and incident response procedures, in line with Article 32 GDPR.

8. Subprocessors

Customer authorizes Touchly to engage the subprocessors listed at /subprocessors. Touchly will impose data protection obligations on subprocessors at least as protective as this DPA and remains liable to Customer for the acts and omissions of its subprocessors. Touchly will give Customer at least 30 days' prior notice of new or replacement subprocessors. Customer may object on reasonable data-protection grounds within that period; the parties will work in good faith to find a solution and, failing that, Customer may terminate the affected portion of the Service.

9. International transfers

Touchly is established in Ukraine, which is not currently the subject of a European Commission adequacy decision. Transfers of Customer Personal Data from the EEA to Touchly are made pursuant to the European Commission's Standard Contractual Clauses, Module 2 (controller-to-processor), which are incorporated into this DPA by reference. Transfers from the United Kingdom rely on the UK International Data Transfer Addendum to the EU SCCs. Transfers from Brazil rely on ANPD-approved mechanisms. Where Touchly engages subprocessors outside the EEA, equivalent transfer mechanisms apply between Touchly and that subprocessor.

10. Data subject requests

Touchly will, taking into account the nature of processing, assist Customer with appropriate technical and organizational measures to fulfil Customer's obligations to respond to data subject requests.

11. Breach notification

Touchly will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, providing the information reasonably required to meet Customer's notification obligations.

12. Audits

Touchly will make available to Customer information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g., SOC 2 Type II when available). Where required by law, Customer may, on reasonable notice and at its cost, audit Touchly's compliance with this DPA.

13. Return or deletion

On termination of the Service, Touchly will delete or return Customer Personal Data within 60 days, unless retention is required by law. Account and billing records of the Customer itself (which Touchly processes as a controller, not as a processor) are retained per the Privacy Policy and applicable tax law. Backup copies expire on a rolling basis within 35 days, save for cross-region disaster-recovery snapshots which expire within 90 days.

14. Liability and conflict

Each party's liability under this DPA is subject to the liability cap in the Terms. In case of conflict between this DPA and the Terms, this DPA prevails on data protection matters.

15. Contact

DPA notices: [email protected].