Messangi Data Processing Addendum

Effective Date: June 2026

This Data Processing Addendum (this “DPA”) forms part of, and is incorporated by reference into, the Messangi Terms of Service or other written agreement between the Customer and Messangi that governs the Customer’s use of the Services (the “Agreement”). This DPA is entered into by the Customer (as defined in the Agreement) and Messangi Corporation, a company organized under the laws of the State of Florida, United States, with offices at 5798 SW 68th St, Miami, Florida 33143, USA (“Messangi”).

By accepting the Agreement, or by accessing or using the Services, the Customer agrees to this DPA. Messangi is deemed to have executed this DPA on the Effective Date. No separate signature is required for this DPA to take effect, although either party may request a signed counterpart.

This DPA applies to the Processing of Personal Data by Messangi on behalf of the Customer in the course of providing the Services. In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA governs. In the event of a conflict between this DPA and the Standard Contractual Clauses incorporated under Section 8, the Standard Contractual Clauses govern.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: the EU General Data Protection Regulation 2016/679 (“GDPR”); the UK GDPR and the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection; the California Consumer Privacy Act as amended by the California Privacy Rights Act and its regulations (“CCPA”) and other United States state privacy laws; the Mexican Federal Law on Protection of Personal Data Held by Private Parties (“LFPDPPP”); Colombian Law 1581 of 2012 and Decree 1377 of 2013; Chilean Law 19.628 as amended by Law 21.719; the Brazilian General Data Protection Law (“LGPD”); and the Peruvian Law for the Protection of Personal Data 29733.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in the GDPR, and the equivalent terms under other Data Protection Laws (including “Business”, “Service Provider”, “personal information”, “sell” and “share” under the CCPA, and “responsable”, “encargado”, “mandatario” and “operador” under the LATAM regimes) are construed accordingly.

“Customer Personal Data” means Personal Data contained within Customer Data that Messangi Processes on behalf of the Customer under the Agreement, as described in Annex 1.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914 of 4 June 2021, as amended or replaced.

“Subprocessor” means any third party engaged by Messangi to Process Customer Personal Data in connection with the Services.

2. Roles of the Parties

For Customer Personal Data, the Customer is the Controller (or, where the Customer is itself a Processor acting for a third party Controller, a Processor) and Messangi is the Processor. Under the CCPA, the Customer is the Business and Messangi is a Service Provider. Each party complies with its obligations under Data Protection Laws applicable to it in its respective role. The Customer is responsible for the lawfulness of the Customer Personal Data and of the instructions it gives to Messangi, including for establishing and maintaining a valid legal basis and recipient consent where required.

3. Scope and Instructions for Processing

Messangi Processes Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by a law to which Messangi is subject. The Agreement, this DPA (including Annex 1), the Customer’s configuration and use of the Services, and the Customer’s written instructions accepted by Messangi constitute the Customer’s complete and final instructions. Messangi will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws, unless prohibited by law from doing so.

Messangi does not sell or share Customer Personal Data and does not retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services, or as otherwise permitted by the CCPA for a Service Provider. Messangi does not combine Customer Personal Data with Personal Data it receives from other sources, except as permitted by the CCPA. Messangi certifies that it understands and will comply with these restrictions.

Sensitive and special category data. The Services are not intended for the Processing of special category data under Article 9 of the GDPR or of protected health information governed by the United States Health Insurance Portability and Accountability Act (“HIPAA”). The Customer must not submit protected health information to the Services unless the parties have signed a separate Business Associate Agreement. Protected health information is not permitted on the standard published terms.

4. Confidentiality

Messangi ensures that personnel authorized to Process Customer Personal Data are subject to binding confidentiality obligations and access Customer Personal Data only on a need to know basis under the principle of least privilege.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects, Messangi implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of those measures is set out in Annex 2. Messangi may update its measures from time to time provided that the updated measures do not materially reduce the overall level of protection. No security program can guarantee that Personal Data will be free from every possible compromise.

6. Subprocessors

The Customer provides general authorization for Messangi to engage Subprocessors to Process Customer Personal Data, subject to this Section. Messangi maintains a current list of Subprocessors, available at the Messangi Subprocessor List referenced in the Agreement. Messangi imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA, and Messangi remains responsible for each Subprocessor’s performance of its obligations.

Messangi will give the Customer notice of any intended addition or replacement of a Subprocessor, by updating the Subprocessor List or by other reasonable means, with sufficient time for the Customer to object. The Customer may object on reasonable data protection grounds within fifteen (15) days. If the parties cannot resolve the objection, the Customer may, as its sole remedy, terminate the affected Services.

The Customer acknowledges that delivery of messages necessarily requires transmission of recipient identifiers and message content to the messaging platforms and channel providers identified as Subprocessors in the Subprocessor List, and to the telecommunications carriers, mobile network operators, and SMS aggregators that route and deliver messaging traffic. Those carriers, mobile network operators, and aggregators Process that data for their own network, regulatory, and policy purposes, act as independent controllers of that data, and are not Subprocessors, as described in the Subprocessor List.

7. Assistance to the Customer

Taking into account the nature of the Processing, Messangi assists the Customer by appropriate technical and organizational measures, insofar as reasonably possible, to respond to requests from Data Subjects to exercise their rights, including access, rectification, erasure, restriction, portability, and objection. If Messangi receives such a request directly, it will, unless prohibited by law, promptly forward it to the Customer and not respond except on the Customer’s instructions.

Messangi provides reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, and with the Customer’s obligations to notify Personal Data Breaches, in each case taking into account the nature of Processing and the information available to Messangi.

8. International Transfers

Messangi Processes and stores Customer Personal Data primarily in the United States. Where Messangi Processes Customer Personal Data that is subject to the GDPR, the UK GDPR, or Swiss law and transfers it to a country that has not received an adequacy decision, the transfer is governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference and completed as follows:

  • Module Two (Controller to Processor) applies where the Customer is a Controller, and Module Three (Processor to Processor) applies where the Customer is a Processor acting for a third party Controller.
  • In Clause 7, the optional docking clause applies. In Clause 9, Option 2 (general written authorization) applies, with the notice period set out in Section 6. In Clause 11, the optional independent dispute resolution language does not apply. In Clause 17, the governing law is the law of Ireland. In Clause 18, the forum is the courts of Ireland.
  • Annex I, II, and III of the SCCs are populated by Annex 1, Annex 2, and Annex 3 of this DPA respectively.

For transfers subject to the UK GDPR, the International Data Transfer Addendum issued by the United Kingdom Information Commissioner applies to and amends the SCCs. For transfers subject to Swiss law, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner. For transfers from LATAM jurisdictions, Messangi relies on the transfer mechanisms permitted by the applicable local law, including contractual clauses and Customer consent where required.

Data Privacy Framework. To the extent Messangi maintains a current self certification under the EU to United States, UK, and Swiss Data Privacy Framework, the Customer and Messangi may rely on that certification as an additional transfer mechanism for data within its scope. The Standard Contractual Clauses are the primary mechanism in this DPA and do not depend on that certification.

9. Personal Data Breach Notification

Messangi notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification describes, to the extent known and as information becomes available, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. Messangi provides reasonable cooperation to support the Customer’s own notification obligations to supervisory authorities and Data Subjects. Messangi’s notification is not an acknowledgment of fault or liability.

10. Audits

Messangi makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On the Customer’s reasonable written request, no more than once per year except where required by a supervisory authority or following a Personal Data Breach, Messangi will respond to a reasonable security questionnaire or make available a summary of its most recent independent audit report or certification. Where an audit is required by Data Protection Laws and cannot be satisfied by these means, the parties will agree in advance on the scope, timing, and cost of an on site audit, conducted during business hours, subject to confidentiality, and in a manner that does not compromise the security or availability of the Services or other customers’ data.

11. Return and Deletion

On termination or expiry of the Agreement, Messangi will, at the Customer’s choice, delete or return Customer Personal Data, and delete existing copies, unless retention is required by a law to which Messangi is subject, in which case Messangi protects the data and Processes it only as required by that law. Deletion from backups occurs in the ordinary course of the backup retention cycle.

12. Liability and Relationship to the Agreement

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not increase the aggregate liability of either party beyond the limits stated in the Agreement, except to the extent required by Data Protection Laws or by the Standard Contractual Clauses.

13. Term, Governing Law, and Precedence

This DPA takes effect on the Effective Date and continues for as long as Messangi Processes Customer Personal Data under the Agreement. This DPA is governed by the law and subject to the forum stated in the Agreement, except that the Standard Contractual Clauses are governed by the law and forum stated in Section 8 for the portions they govern. The order of precedence is: the Standard Contractual Clauses, then this DPA, then the Agreement, in each case only with respect to the Processing of Personal Data.

Annex 1. Details of Processing

Subject matter. Messangi’s provision of the multichannel messaging and customer engagement Services described in the Agreement.

Duration. For the term of the Agreement and any period during which Messangi Processes Customer Personal Data.

Nature and purpose. Transmission, routing, queuing, delivery, storage, logging, reporting, and support relating to messages and campaigns submitted by the Customer across SMS, WhatsApp, RCS, email, and mobile wallet channels, and operation of the related web console and REST API.

Categories of Data Subjects. The Customer’s end recipients and contacts, and the Customer’s authorized administrative users.

Categories of Personal Data. Recipient and user identifiers such as mobile telephone numbers and email addresses; message content submitted by the Customer; delivery and engagement metadata such as timestamps, routing, and delivery receipts; and account and contact details of administrative users. The Customer controls and is responsible for the content it submits and must not submit special category data or protected health information except as permitted under Section 3.

Frequency and nature of transfer. Continuous, as necessary to provide the Services.

Competent supervisory authority (SCCs). Where Module Two or Three applies, the supervisory authority of the EU member state in which the Customer or its EU representative is established, or as otherwise determined under Clause 13 of the SCCs.

Annex 2. Technical and Organizational Measures

HOLD FOR PUBLICATION. This Annex makes specific representations about Messangi’s security measures and is incorporated into the Standard Contractual Clauses as Annex II. Do not publish until the CTO confirms in writing that each statement below is accurate for the in scope systems as of the publication date, with particular attention to encryption at rest of secrets, key management, and vulnerability scanning coverage of the affected service, and A2 Legal has cleared this Annex against the INC-2026-05-001 findings. Do not strengthen these statements beyond what the operational record supports.

This Annex describes the measures Messangi maintains. It is descriptive and does not constitute a warranty of absolute security.

Hosting and segregation. The platform is hosted on Amazon Web Services within a virtual private cloud segmented into public and private subnets. Customer environments are logically segregated through separate database users, schemas, and connection strings. Dedicated isolated environments are available for customers with data residency requirements.

Encryption. Storage is encrypted at rest using AES 256 with keys managed in AWS Key Management Service. External interfaces use TLS version 1.2 or 1.3 in transit. Carrier connections use encrypted tunnels.

Access control. Administrative access requires a corporate managed device, an authenticated VPN session with multi factor authentication, and single sign on with role based access control under the principle of least privilege. Access rights are reviewed on a quarterly basis. Joiner, mover, and leaver processes govern provisioning and timely deprovisioning.

Network and application controls. The platform uses a web application firewall, managed distributed denial of service protection, stateful security groups, and load balancing with TLS termination across availability zones.

Monitoring and vulnerability management. The platform uses continuous monitoring and threat detection, automated vulnerability assessment, dependency advisory monitoring, container image scanning, and periodic penetration testing. Identified vulnerabilities are remediated on timelines based on severity.

Change management. Changes to production follow a documented process with code review, approval, deployment through a controlled pipeline with an audit trail, and post deployment verification.

Backup and resilience. Production databases are backed up on a documented schedule, backups are encrypted and geographically separated, and restoration is tested on a documented cadence. The platform is deployed across multiple availability zones with failover for customer facing endpoints.

Incident response. Messangi maintains an incident response plan governing triage, containment, eradication, recovery, and post incident review, and notifies affected parties in accordance with the applicable contractual and regulatory requirements.

Annex 3. Subprocessors

The current list of Subprocessors that Process Customer Personal Data is maintained in the Messangi Subprocessor List referenced in the Agreement and published by Messangi. The categories of Subprocessors include cloud infrastructure, message delivery and channel providers, and customer support tooling, as described in that list.
