1. Overview
The Customer is the data fiduciary (or, where applicable, the data controller). SMSLocal is the data processor. This DPA applies to all personal data that SMSLocal processes on the Customer's behalf through any of our messaging products — SMS, WhatsApp Business API, OTP, and AI agents.
Executing the DPA is optional for most customers; it becomes mandatory when your processing volume, industry, or enterprise procurement checklist requires one. To request an executable copy on your company paper or ours, write to dpo@smslocal.in.
2. Roles
- Customer (Data Fiduciary): determines the purposes and means of processing the personal data uploaded to, or generated within, the SMSLocal platform.
- SMSLocal (Data Processor): processes personal data only on your documented instructions, as described in the Services, this DPA, the Terms of Service, and the Privacy Policy.
- Data Principal: the individual — typically your end customer or user — to whom the personal data relates.
3. Scope of processing
Nature and purpose. To deliver messaging services requested by the Customer — sending SMS, WhatsApp, and OTP messages; routing them through operators; logging delivery status; reporting analytics; honouring DND and opt-out requests; and providing support.
Duration. For the term of the Customer's subscription, plus retention periods required by law (for example, records mandated by the Telecom Commercial Communications Customer Preference Regulations, 2018) or operational necessity (for example, delivery reports that inform billing disputes).
Categories of data principals. Your customers, leads, employees, or users to whom you send messages.
Categories of personal data. Mobile numbers, names if included in templates, message content, delivery metadata, opt-out flags, and any other fields the Customer uploads to SMSLocal as part of a campaign or API call.
4. Security measures
SMSLocal implements appropriate technical and organisational measures including:
- TLS 1.2+ encryption in transit and AES-256 encryption at rest.
- Role-based access control with least-privilege defaults.
- Audit logs for sensitive operations and API access.
- Regular third-party penetration testing [PLACEHOLDER — frequency to confirm].
- Employee background checks, confidentiality agreements, and mandatory training.
- Formal incident response runbooks and on-call rotation.
5. Sub-processors
We engage sub-processors to deliver the Services. Current categories include cloud infrastructure hosted in India, telecom aggregators and operators, the WhatsApp Business Platform, payment processors, and customer support tooling. A current list of sub-processors and their purposes is maintained in the Privacy Policy and available on request.
We will give the Customer prior notice of any new sub-processor with access to personal data. If the Customer objects on reasonable grounds, we will work in good faith to resolve the concern; where we cannot, the Customer may terminate the affected Services.
6. Cross-border transfers
SMSLocal processes personal data primarily in India. Some sub-processors — for example, the WhatsApp Business Platform — may process data outside India. Where data is transferred internationally, we rely on the mechanisms permitted under the DPDPA and applicable law and require our sub-processors to maintain equivalent safeguards.
7. Breach notification
If we become aware of a personal data breach affecting the Customer's data, we will notify the Customer without undue delay, provide information reasonably available to us, and co-operate with the Customer's and Data Protection Board notifications as required by law.
8. Data principal rights assistance
SMSLocal will provide reasonable technical and organisational assistance to help the Customer respond to requests from data principals to access, correct, erase, or port their personal data, and to honour consent withdrawal — including through self-service tools in the dashboard and, where necessary, engineering support.
9. Audits
Once per year, and additionally in the event of a material security incident, the Customer may request an audit of SMSLocal's processing of personal data. SMSLocal will reasonably satisfy most audit requests through written responses, independent certifications, or summary reports. On-site audits require at least 30 days' advance notice, a mutually agreed scope, and confidentiality protections, and are conducted during business hours.
10. Return or deletion of data
On termination of the Services, SMSLocal will, at the Customer's option, delete or return all personal data processed on the Customer's behalf, except where retention is required by law. Backups are overwritten in the ordinary course and do not remain accessible after disposal.
11. Term and termination
This DPA takes effect on the later of (a) its signature by both parties or (b) the start of the Services subscription, and remains in force for as long as SMSLocal processes personal data on the Customer's behalf.
12. How to execute
Request an executable DPA by writing to dpo@smslocal.in with your company name, registered address, authorised signatory details, and your expected volume. We will return a signed copy within five business days in most cases.