Terms of Service

Last updated: January 2024

These terms of service set out important information regarding your rights and obligations in connection with using our service. Please read these terms of service carefully before you start using the service, as they define Dexatel’s relationship with you as you interact with our services.

Annex 1

Data Processing Agreement

DPA Annex 1

Details of Data Processing

DPA Annex 2

Sub-processors

The Processor uses certain sub-processors to assist it in providing its clients the Service as described in the Terms of Service.

A sub-processor is a third-party processor engaged by the Processor who has access or potentially will have access to the data inserted into the Service by the Controller (including personal data).

For the purposes to support the provision of the Service, the Processor uses the following sub-processors: mobile operators (e.g., Vodafone, Telefonica, Telia), messengers (WhatsApp, Viber, Google RSC), and Amazon Web Services.

DPA Annex 3

Technical & Organisational Measures

The Processor has implemented at least the following technical and organisational measures:

DPA Annex 4

Standard contractual clauses

Section I

Local Laws and Obligations in Case of Access by Public Authorities

Clause 1

Purpose and scope

a.The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

b.The Parties:
  • the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
  • the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).

c.These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

d.The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and Invariability of the Clauses

a.These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

b.These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

a.Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
  • Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
  • Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
  • Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
  • Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
  • Clause 13;
  • Clause 15.1(c), (d), and (e);
  • Clause 16(e);
  • Clause 18 - Modules One, Two, and Three: Clause 18(a) and (b); Module Four: Clause 18.

b.Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

a.Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

b.These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

c.These Clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed upon or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the Transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

The optional docking clause will not apply.

Section II

Obligations of the Parties

Clause 8

Data Protection Safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1Instructions

(a)The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b)The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c)The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d)After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2Security of processing

(a)The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context, and purpose(s) of processing, and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b)The data exporter shall assist the data importer in ensuring the appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c)The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3Documentation and compliance

(a)The Parties shall be able to demonstrate compliance with these Clauses.

(b)The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

This clause is intentionally left blank.

Clause 10

Data subject rights

The Parties shall assist each other in responding to inquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679

Clause 11

Redress

The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12

Liability

(a)Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses

(b)Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c)Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d)The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(e)The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

This clause is intentionally left blank.

Section III

Local Laws and Obligations in Case of Access by Public Authorities

Clause 14

Local laws and practices affecting compliance with the Clauses

This clause is intentionally left blank.

Clause 15

Obligations of the data importer in case of access by public authorities

This clause is intentionally left blank.

SECTION IV

Final Provisions

Clause 16

Non-compliance with the Clauses and termination

(a)The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
  1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
  2. the data importer is in substantial or persistent breach of these Clauses; or
  3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Govering law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Estonia.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of the Republic of Estonia.

Standard Contractual Clauses Appendix

Annex I

A. List of Parties

Data exporter:

Name and contact details: Dexatel OÜ, contact details designated in the Terms of Service

Signature and date: by entering into the Agreement, the data exporter is deemed to have signed these EU standard contractual clauses incorporated herein, including their Annexes, as of the effective date of the Terms of Service.

Role: processor

Data importer:

Name and contact details: Client, contact details set forth in the Client’s Account

Signature and date: by entering into the Agreement, the data exporter is deemed to have signed these EU standard contractual clauses incorporated herein, including their Annexes, as of the effective date of the Terms of Service.

Role: controller

B. Description of Transfer

Categories of data subjects whose personal data is transferred: the Controller’s employees, the Controller’s clients, and clients’ end users (including, but not limited to SMS recipients);

Categories of personal data transferred: name, username, email address, phone number;

Sensitive data transferred: no sensitive personal data is transferred;

The frequency of the transfer: continuous basis for the duration of the Agreement;

Nature and purposes of the processing: to provide the Service according to the Agreement:

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: as long as it is necessary for the provision of the Service;

For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing: the data exporter uses sub-processors, which are set forth in DPA Annex 2, to provide the Service according to the Agreement as long it is necessary for the provision of the Service.