Data Processing addendum.
The terms that govern Message.com processing personal data on behalf of customers under the GDPR, UK GDPR, and equivalent regimes. Effective on signup or counter-signature.
01Scope and order of precedence
This Data Processing Addendum (the "DPA") forms part of the agreement between Message.com LLC ("Message," the Processor) and the Customer (the Controller) under which Message provides the Message platform (the "Service").
This DPA applies to the extent Message processes Personal Data on behalf of the Customer in the course of providing the Service. It supplements the Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA controls with respect to data protection only.
By signing up for the Service, ticking a DPA acceptance box during onboarding, or signing a counter-signed copy of this DPA, the Customer is bound by these terms. A counter-signed PDF is available on request from [email protected].
02Definitions
Terms used but not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act ("CCPA") as amended by the CPRA, or the Brazilian LGPD, as applicable. Specifically:
- Personal Data means any information relating to an identified or identifiable natural person processed by Message on behalf of the Customer through the Service.
- Processing has the meaning in Article 4(2) GDPR.
- Sub-processor means any third party engaged by Message to process Personal Data on behalf of the Customer. The current list is at /legal/sub-processors.
- Data Subject means the individual to whom the Personal Data relates.
- Standard Contractual Clauses ("SCCs") means the European Commission's 2021 SCCs (Decision 2021/914), incorporated by reference into this DPA.
03Roles and processing scope
The Customer is the Controller of Personal Data submitted to the Service. Message is the Processor and processes Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data to a third country or an international organisation.
Where the Customer collects data from end users (visitors, callers, ticket submitters) and routes it into the Service, those individuals are the Data Subjects under this DPA. Where Message processes Personal Data of the Customer's own staff (account holders, agents, administrators) for the purposes of providing the Service, Message acts as a Controller; that processing is governed by the Privacy Policy, not this DPA.
The categories of Data Subjects, types of Personal Data, special categories of data (if any), nature and purpose of processing, and processing duration are set out in Annex I below.
04Processor obligations
Message will:
- Process Personal Data only on the Customer's documented instructions, including via the Service's configuration controls. Message will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
- Ensure that personnel authorised to process Personal Data have committed to confidentiality and have completed annual data protection training.
- Implement and maintain the technical and organisational measures described in Annex II.
- Engage Sub-processors only on the conditions set out in section 6.
- Assist the Customer with the security, breach notification, data protection impact assessment, and Data Subject rights obligations imposed on the Customer by the GDPR.
- At the Customer's choice, delete or return all Personal Data after the end of the provision of the Service, save where retention is required by law.
- Make available to the Customer the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as set out in section 9.
05Security of processing
Message implements the technical and organisational measures set out in Annex II and in the Data Security Policy. These include AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls with least-privilege defaults, mandatory MFA for production access, quarterly access reviews, encrypted backups with 30-day retention, and continuous vulnerability scanning.
Personnel access to Personal Data is limited to what is necessary to provide the Service. All access is logged and reviewed quarterly. Production database queries by Message engineers are recorded in an immutable audit log retained for at least one year.
06Sub-processors
The Customer authorises Message to engage Sub-processors to process Personal Data on its behalf, provided that Message:
- Maintains a current list of Sub-processors at /legal/sub-processors and notifies the Customer of any intended addition or replacement at least 30 days in advance.
- Imposes contractual obligations on each Sub-processor that are no less protective than this DPA.
- Remains liable to the Customer for the acts and omissions of each Sub-processor.
The Customer may object to a new Sub-processor by emailing [email protected] within 30 days of the notice. If the parties cannot agree a resolution, the Customer may terminate the affected portion of the Service on 30 days' written notice and receive a pro-rated refund for the unused balance.
07International data transfers
Customer data is hosted by default in the United States (DigitalOcean SFO3 and NYC3 regions) and the European Union (DigitalOcean FRA1 region) at the Customer's election. Where Personal Data is transferred from the EEA, the UK, or Switzerland to a third country without an adequacy decision, the transfer is governed by the SCCs, incorporated by reference into this DPA.
The Module 2 SCCs (Controller to Processor) apply where the Customer is the Controller and Message is the Processor. The Module 3 SCCs (Processor to Sub-processor) apply downstream of Message. For UK transfers, the UK International Data Transfer Addendum to the SCCs applies. For Swiss transfers, the Swiss FDPIC's recognition of the SCCs applies with the modifications listed at /legal/international-data-transfer.
08Personal data breach notification
Message will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notice will include, to the extent then known:
- The nature of the breach, the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to be taken to address the breach and to mitigate its effects.
Breach notices are sent to the security contact registered in the Customer's workspace. Customers must keep this contact current.
09Data subject rights and DPIA assistance
Message will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
The Service provides self-service controls for the Customer to action most rights requests directly. Where Message is asked to assist a Data Protection Impact Assessment under Article 35, or a prior consultation with a supervisory authority under Article 36, Message will provide the technical detail reasonably required at no additional charge for up to two requests per calendar year.
10Audit rights
Once per calendar year, the Customer (or an independent auditor mandated by the Customer and not in a competitive relationship with Message) may audit Message's compliance with this DPA. Audits are conducted at the Customer's expense, on at least 30 days' written notice, during normal business hours, and in a manner that does not interfere with Message's operations or the confidentiality of other customers' data.
As a first step, Message will make available the most recent SOC 2 Type II report and ISO 27001 certificate to the Customer under NDA. Where these reports answer the Customer's questions, the audit right is satisfied for that year.
11Return and deletion of data
Within 30 days of the end of the provision of the Service, Message will, at the Customer's choice, delete or return all Personal Data and delete existing copies, unless retention is required by law. The Customer may export Personal Data at any time during the term of the Service through the data export endpoints in the Settings dashboard or the REST API.
Backups containing Personal Data are retained for 30 days and are overwritten on the standard rotation schedule. Personal Data on archival or audit logs subject to legal retention will be retained for the period required by law and deleted at the end of that period.
12Annex I: Processing details
Categories of Data Subjects
- The Customer's end users (website visitors, callers, ticket submitters, app users).
- The Customer's staff (account holders, agents, administrators, supervisors).
- Authorised representatives of vendors and partners interacting with the Customer through the Service.
Categories of Personal Data
- Identifiers: name, email address, phone number, account username, IP address, device fingerprint.
- Communications content: message body, attachments, call recordings (where enabled), call transcripts, voicemails.
- Behavioural: pages visited, chat events, conversation tags, timestamps, conversation outcome.
- Commerce: order ID, order status, refund amount, subscription state (when integrated with Shopify, WooCommerce, Stripe, etc.).
- Optional metadata: any custom attribute set by the Customer through the API.
Special categories
The Service is not configured by default to process special categories of Personal Data (Article 9 GDPR). The Customer must not submit special-category data unless an addendum has been signed authorising HIPAA-aligned processing.
Nature and purpose of processing
Processing for the purposes of providing the Service: storing, retrieving, displaying, searching, transforming, transmitting, and where the Customer has enabled AI features, embedding and generating responses grounded in the Customer's own knowledge base.
Duration of processing
The term of the Service, plus the deletion window in section 11.
13Annex II: Technical and organisational measures
Detailed measures are set out in the Data Security Policy. Summary:
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access controls with least-privilege defaults; MFA mandatory for production access.
- Quarterly access reviews; immutable audit log retained for one year.
- Encrypted backups with 30-day retention, restored monthly to validate integrity.
- Static and dynamic vulnerability scanning on every commit; quarterly penetration tests by an independent firm.
- Network isolation between customer workspaces at the database row level (Postgres RLS).
- Incident response plan with named on-call rotation and 30-minute paging SLA.
- Annual SOC 2 Type II audit; ISO 27001 certification.
Have your DPO review the DPA?
Email [email protected] with redlines or sign-off. Two business days, every time.
Start free trial →