APPENDIX No. 2: PERSONAL DATA PROCESSING AGREEMENT (DPA)

Concluded between the Customer (as the Data Controller) and the Provider (as the Processor).

1. Purpose and scope of entrustment

The Controller entrusts the Processor with the processing of personal data for the purpose and to the extent necessary to perform the Main Agreement, i.e. the automated sending of SMS messages via API and VoIP systems.
Categories of data: phone numbers of end recipients, optionally first names, surnames or other data contained in the content of SMS messages.
Categories of persons: the Controller's customers, contractors or end users.

The Processor undertakes to process data solely on the documented instruction of the Controller (which includes, among other things, a technical send order via API/VoIP).
The Processor implements appropriate technical and organizational measures ensuring a level of security appropriate to the risk (HTTPS/VPN connection encryption, server access control systems, password procedures).
All persons authorized to process data on the Processor's side are obliged to maintain confidentiality.

The Controller gives general consent to the Processor's use of the services of other processors (domestic and international GSM operators for the technical delivery of SMS). A list of technical subprocessors is available at the Customer's request.

The DPA is in force for the term of the Main Agreement. After its termination, the Processor permanently deletes the entrusted data from the system's working databases, unless legal provisions require their further retention.
The Processor's liability for breach of the DPA is subject to the same monetary limitations as defined in Chapter III of the Main Terms and Conditions.