Ciptex – Data Processing Agreement


Revision Date: 26th June 2025

This Data Processing Addendum (DPA) applies to Software Services provided by Ciptex to the Customer, and forms part of an agreement entered into between Ciptex and the Customer pursuant to the Ciptex Terms and Conditions V2.0 (Terms and Conditions).  This DPA applies in respect of personal data which is processed by Ciptex on behalf of the Customer in the provision of the Services. Defined terms shall have the meaning given in the Terms and Conditions unless otherwise defined herein.  In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail.


1. Definitions

1.1. The following definitions shall have the following meanings in this DPA.

Communications Usage Data shall have the meaning set out in Schedule 2 to this DPA.

Customer Account Data: personal data that relates to the Customer's account, including the names and contact information of individuals authorised by the Customer to access or use the Customer's account for the Software Services, and billing information of individuals that the Customer has associated with its account. In respect of the Twilio Services, Customer Account Data also includes any personal data that Twilio may need to collect for the purpose of identity verification (including any multi-factor authentication provided in connection with the Customer’s account), or Subscriber Records.

Customer Content: means: (a) personal data exchanged as a result of using the Software Services, such as text message bodies, voice and video media, images, email bodies, email recipients, sound, and, where applicable, details the Customer submits to the Software Services from its designated software applications and services; and (b) data stored on the Customer's behalf such as communication logs within the Software Services or marketing campaign data that the Customer has uploaded to the Software Services.

Customer Data: has the meaning given in the Terms and Conditions, and shall include Customer Account Data, Customer Usage Data, Customer Content, and any other data provided by the Customer or its End Users in connection with its use of the Services.

Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time, including the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018), and any applicable law or regulation which supersedes or replaces the foregoing in the United Kingdom.

Data Subject Request: a request from a data subject to exercise the data subject's rights under and in accordance with the Data Protection Legislation, including requests for access to personal data, rectification or erasure of personal data, restrictions of processing personal data, and portability of personal data.

Sub-processor: any third party processor engaged by Ciptex to process Customer Personal Data as a sub-processor, as set out in the Sub-processor List.

Sub-processor List: the Sub-processor list on the Ciptex website, which may be updated or amended by Ciptex from time to time.

Subscriber Records: shall have the meaning set out in Schedule 1 to this DPA.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

The terms controller, processor, personal data, data subject, data protection impact assessment and personal data breach shall each have the meanings set out in the Data Protection Legislation.


2. General

2.1. Ciptex is a supplier of Services and a reseller of the Third Party Services.

2.2. The parties acknowledge that certain Customer Account Data and Customer Usage Data is processed by Ciptex or its Third Party Providers as a controller, and paragraph 4 shall not apply to any data which Ciptex or its Third Party Providers processes as a controller. Ciptex and its Third Party Providers may process such Customer Account Data and Customer Usage Data as independent controllers.

2.3. The types of Customer Data that may be processed by Ciptex, or by a Third Party Provider, as a processor, in providing the Services, and the purposes for which such Customer Data shall be processed, are set out or referred to in Schedule 1 to this DPA. The Customer agrees to the processing of Customer Data in accordance with the Customer's instructions as set out in this DPA, and as otherwise necessary to provide the Services to the Customer.


3. Customer's obligations

3.1. The Customer shall comply with all applicable Data Protection Legislation in its use of the Software Services, and the processing of Customer Data using the Software Services.

3.2. It shall be the Customer's responsibility to ensure:

(a) that the Customer has a lawful basis and has all necessary and appropriate consents and notices in place, to enable Ciptex and its Third Party Providers to process the Customer Personal Data in the manner envisaged by the Agreement and this DPA, and the processing of Customer Personal Data by Ciptex and Third Party Providers in accordance with this DPA will not infringe any Data Protection Legislation;

(b) the accuracy and integrity of the Customer Data;

(c) that its instructions comply with applicable Data Protection Legislation.


4. Processing obligations

4.1. Ciptex shall, in relation to any Customer Data processed by Ciptex on the Customer's behalf, in connection with the performance by Ciptex of its obligations under the Agreement:

(a) process that Customer Data only to the extent necessary to perform Ciptex’s obligations under the Agreement, and in accordance with the Customer's instructions, as set out in this DPA, unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body;

(b) require all personnel who have access to and/or process Customer Data to keep the Customer Data confidential;

(c) provide reasonable cooperation to the Customer, at the Customer's request and cost, in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, impact assessments and consultations with supervisory authorities or regulators;

(d) notify the Customer without undue delay on becoming aware of a personal data breach affecting Customer Data processed by Ciptex under this DPA;

(e) maintain records and information regarding its processing activities in relation to Customer Data to demonstrate its compliance with this DPA.

4.2. Ciptex shall put in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected. The Customer is responsible for reviewing information provided in connection with security and making an independent assessment as to whether the Software Services meet the Customer's requirements and legal obligations. The Customer is also responsible for configuring the Software Services and using features and functionalities made available in respect of the Software Services, to maintain appropriate security in light of the nature of Customer Data processed by the Customer in its use of the Software Services.

4.3. In respect of Data Subject Requests, there are a number of self-service features via the Twilio Services, including the ability to delete, obtain a copy of, or restrict use of Customer Data. The Customer may use such self-service features in responding to Data Subject Requests. Ciptex shall, at the Customer's request and cost, where the Customer is not able to fulfil such request via the Software Services, provide reasonable assistance in responding to a Data Subject Request.


5. Sub-processors

5.1. The Customer provides a general authorisation for Ciptex to engage sub-processors in the provision of the Services, and consents to the Sub-processors listed in the Sub-Processor List. Such Sub-processors shall be subject to a written contract on terms which are substantially equivalent to those contained in paragraph 4 above.

5.2. Ciptex shall notify the Customer by email of any intended changes, additions to, or replacements of its Sub-processors, and where Ciptex provides a mechanism on its website to allow the Customer to subscribe for notifications by email of new Sub-processors, it shall send the notifications to such email address. When notifying the Customer of any changes to the Sub-processors, Ciptex shall provide the Customer with the opportunity to object to such changes on information security grounds or reasonable grounds relating to data protection. In such an event, Ciptex may work with the Customer to consider commercially reasonable alternative solutions but if the parties cannot agree a resolution, or Ciptex cannot offer an alternative solution, within 90 days from the date of Ciptex’s receipt of the Customer's written objection, the Customer may discontinue the affected Services, without prejudice to any fees paid by the Customer for such Services. If the Customer has not objected to any such changes within a period of 14 days of the date of notification of the changes, the Customer shall be deemed to have accepted such changes.


6. Audits

6.1. The Supplier shall allow for audits by the Customer's designated auditor of Ciptex’s procedures relevant to the processing of Customer Data, or Ciptex may provide to the Customer a copy of an audit report carried out by an independent third party security professional, where such a report is available and subject to reasonable confidentiality controls, which the Customer agrees shall satisfy the Customer's right to request an audit under this paragraph 6.1. The Customer acknowledges that in respect of any audit requested by the Customer under this paragraph 6.1:

(a) such audit shall be subject to any reasonable requirements or security restrictions that Ciptex may impose to safeguard Ciptex’s systems, data held on Ciptex’s systems, and to avoid unreasonable disruption to Ciptex’s business and operations, and shall be restricted to data relevant to the Customer;

(b) no more than one audit shall be requested in a 12 month period;

(c) the Customer shall reimburse Ciptex for time it expends in respect of such audit, at Ciptex’s then current professional services rates;

(d) before the commencement of any audit, the parties shall mutually agree on the scope, timing and duration of the audit, and such audit shall be carried out at the Customer's own cost; and

(e) the Customer shall be obliged, to the extent permitted by law, to keep any information generated by such audit confidential.


7. Data transfers

7.1. The use of the Services may involve the transfer of Customer Data outside of the Customer’s jurisdiction. The jurisdictions in which Customer Data is processed, and the Services to which such processing relates, are set out in the Sub-processor List.


8. Liability

8.1. The Supplier's liability under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in clause 12 of the Terms and Conditions.

Schedule 1 to the DPA


In this Schedule, the following terms shall have the following meanings:

Communications Usage Data shall mean electronic communications metadata processed by Twilio for the purpose of transmitting, distributing, or exchanging Customer Content through communications networks, including (a) utilising phone numbers used to transmit Customer Content either through the public switched telephone network or other communications network; (b) data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication; and (c) activity logs used to identify the source of service requests, optimise and maintain performance of the Twilio Services, and investigate and prevent system abuse.

Subscriber Data means Customer Account Data containing proof of identification and proof of physical address necessary for Twilio to provide Customer or Customer’s End Users with phone numbers in certain countries.

Twilio means the provider of the Twilio Services, being Twilio Ireland Limited or its Affiliates.

Twilio Data Protection Addendum means the Twilio data protection addendum applicable to the Twilio Services, as set out at Data Protection Addendum | Twilio, as may be updated or amended by Twilio from time to time.


Part 1

Personal data processed by Ciptex or its Third Party Providers as a processor

Categories of data subjects and categories of personal data

The following categories of Customer Personal Data may be processed by Ciptex or its Third Party Providers, as a processor or Sub-processor, under this Agreement:

Customer Account Data (as defined above) of Customer’s End Users

Customer Usage Data (as defined above) of Customer’s End Users

In respect of the Twilio Services, please refer to the Twilio Data Processing Addendum for further details of the categories of data subjects and categories of personal data processed by Twilio in the provision of the Twilio Services.


Purposes of processing

Ciptex and Third Party Providers may process Customer Data as a processor, for the purposes of providing the Services.

Ciptex and Third Party Providers may process certain Customer Data, as an independent controller, for the purposes set out in Part 2 of this Schedule.


Duration of processing

The Customer Data which is processed by Ciptex as a processor may be processed for as long as required in order to provide the Customer with the Services.

The period for which Twilio may process Customer Data is set out in the Twilio Data Processing Addendum.


Part 2

Personal data which may be processed by Ciptex or its Third Party Providers as a controller

The Customer acknowledges that Ciptex or its Third Party Providers may process Customer Account Data as a controller, for the following purposes:

1. to manage billing, Customer’s account and its relationship with the Customer, including Know-Your-Customer (KYC) and identity verification required to access or use the Services;

2. to carry out its core business operations, such as accounting and auditing, and to prevent, detect, or investigate security incidents and manage the security of the Software Services;

3. to prevent, detect or investigate abuse or misuses of the Services or breach of an applicable Acceptable Use Policy, or to assist telecommunications providers, regulators, or law enforcement agencies with combatting fraud or illegal activities;

4. for business analytics, internal reporting, financial reporting, and to develop and improve products and services and improve the performance, functionality or security of the Services;

5. to comply with its legal and regulatory obligations, including to maintain Subscriber Records; and

6. to provide the Support Services.

The Customer acknowledges and agrees that in respect of the Twilio Services, Twilio is an independent controller of: (i) Communications Usage Data, which is processed by Twilio in order to; and (ii) Customer Content, which is processed by Twilio to the extent necessary to:

(a) carry out the necessary functions as an electronic communications service provider, including for accounting, tax, billing, audit and compliance purposes, to provide, optimise and maintain the Services, and to prevent, detect or investigate security incidents and manage the security of the Twilio Services;

(b) prevent, detect and investigate abuse or misuse of the Twilio Services, including spam, fraud, illegal activities and/or breach of the Twilio Acceptable Use Policy, or to assist telecommunications providers, regulators or law enforcement agencies with combatting spam, fraud or illegal activities;

(c) comply with Twilio’s legal and regulatory obligations, including to maintain Subscriber Records, communications industry codes of conduct, and contractual commitments to telecommunications providers;

(d) develop and improve new products and services and improve the performance, functionality, safety and security of the Twilio Services; and

(e) anonymise, de-identify, or aggregate Communications Usage Data such that it does not identify Customer, End Users or any data subject.

Where required by applicable law or regulation, Subscriber Records may be shared with local telecommunications providers, which provide local connectivity services, or local government authorities.