Legal

Data Processing Agreement – Customer

This Data Processing Agreement (this “DPA”) forms part of the agreement (the “Principal Agreement”) between Sinch India and the Customer (as defined in the Principal Agreement) and is subject to the Principal Agreement. The contracting parties under this DPA are identical to the parties under the Principal Agreement. 

  1. Definitions. For the purposes of this DPA, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined shall have the meaning given to them in the Principal Agreement.  
    1. “Customer’s Personal Data” means any personal data that is processed by Sinch India on behalf of the Customer to perform the Services under the Principal Agreement. 
    2. “Applicable Data Protection Laws” means the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, until they are replaced by the Digital Personal Data Protection Act, 2023 once it is in effect, together with the rules made thereunder and any regulation, order, directive, notification or judgement issued by any central, state or local government, authority, agency, court or other body having jurisdiction over the matter in question, which is applicable to the processing of personal data under this DPA.  
    3. “Sinch India’s Infrastructure” means (i) Sinch India’s physical facilities; (ii) hosted cloud infrastructure; and (iii) Sinch India’s corporate network and the non-public internal network, software, and hardware necessary to provide the Services and which is controlled by Sinch India; in each case, to the extent used to provide the Services. 
    4. “Services” means the services provided to the Customer by Sinch India pursuant to the Principal Agreement. 
    5. The terms “Consent”, “Data Fiduciary”, “Data Principal”, “Personal Data”, “Personal Data Breach”, “Data Processor”, and “Processing” shall have the meanings ascribed to them under the Applicable Data Protection Laws. 
  1. Details and Scope of the Processing 
    1. The Processing of the Customer’s Personal Data within the scope of the Agreement shall be carried out in accordance with the following stipulations and as required according to the Applicable Data Protection Laws. The parties may amend this information from time to time, as the parties may reasonably consider it necessary to meet those requirements.  
      1. Subject matter and duration of the processing of Customer’s Personal Data: The subject matter and duration of Processing of the Customer’s Personal Data are set out in the Principal Agreement. 
      2. The nature and purpose of the processing of Customer’s Personal Data: Under the Principal Agreement, Sinch India provides certain Services such as messaging, email, voice calls and other communication Services, as further detailed in the Principal Agreement, to the Customer, which involves the processing of Personal Data. Subject to Paragraph 2(a)(iv), such processing activities include (a) providing the Services; (b) detection, prevention and resolution of security and technical issues; and (c) responding to Customer’s support requests. 
      3. The types of Customer’s Personal Data to be processed: The Customer’s Personal Data submitted to Sinch India’s network, the extent of which is determined and controlled by the Data Fiduciary in its sole discretion, may include name, email, telephone numbers, IP address and other Personal Data included in the contact lists and message or call content.  
      4. Certain permitted purposes: Notwithstanding any other provision herein, Sinch India is permitted to retain and further process the Customer’s Personal Data processed under this DPA, in compliance with any law in force, to respond to data requests from any law enforcement, government or other regulatory authority and for certain essential functions such as preventing spam and fraud, security and maintenance of its network, and management of its business and compliance functions, consistent with its obligations under applicable laws.   
      5. The categories of Data Principals to whom the Personal Data relates: Senders and recipients of email; messages via various channels such as SMS, WhatsApp or RCS; voice calls or other communications. 
    2. Sinch India shall only process the Customer’s Personal Data: (i) for the purposes of fulfilling its obligations under the Principal Agreement; and (ii) in accordance with the documented instructions described in this DPA or as otherwise instructed by the Customer, in writing, from time to time. Such Customer’s instructions shall be documented in the applicable order, service description, support ticket, other written communication or as directed by Customer using the Services (such as through an API or control panel).   
    3. Where Sinch India reasonably believes that a Customer instruction is contrary to the provisions of the Principal Agreement or this DPA, or that it infringes the provisions of Applicable Data Protection Laws, it shall inform the Customer without delay. In both cases, Sinch India shall be authorized to defer the performance of the relevant instruction until it has been amended by the Customer or is mutually agreed upon by both Customer and Sinch India. 
    4. Customer is solely responsible for its utilization and management of Personal Data submitted or transmitted by the Services, including: (i) verifying Data Principals’ information, such as name, phone number or address, and that it is correctly entered into the Services; (ii) reasonably notifying any Data Principal of the insecure nature of email or messaging as a means of transmitting Personal Data (as applicable); (iii) reasonably limiting the amount or type of information disclosed through the Services; and (iv) encrypting any Personal Data transmitted through the Services where appropriate or required by applicable law (such as through the use of encrypted attachments, PGP toolsets, or S/MIME). When the Customer decides not to configure mandatory encryption, the Customer acknowledges that the Services may include the transmission of unencrypted email in plain text over the public internet and open networks. Information uploaded to the Services, including message content, is stored in an encrypted format when processed by Sinch India’s Infrastructure. 
  1. Data Fiduciary and Data Processor 
    1. For the purposes of this DPA, the Customer is the Data Fiduciary of the Customer’s Personal Data and Sinch India is the Data Processor of such data, except when the Customer acts as a Data Processor of the Customer’s Personal Data, in which case Sinch India is a sub-processor.  
    2. Sinch India shall at all times have in place an officer who is responsible for assisting the Customer: (i) in responding to inquiries concerning the Processing of Personal Data received from the Data Principals; and (ii) in completing all legal information and disclosure requirements which apply and are associated with data Processing. Such assistance may be requested at dpo@sinch.com and at indialegal@sinch.com, as may be required. 
    3. The Customer warrants that: 
      1. The Processing of Customer’s Personal Data is based on legal grounds for Processing, as may be required by Applicable Data Protection Laws and that it has made and shall maintain throughout the term of the Principal Agreement all necessary rights, permissions, registrations and Consents in accordance with and as required by Applicable Data Protection Laws with respect to Processing of Customer’s Personal Data under this DPA and the Principal Agreement;  
      2. it is entitled to and has all the necessary rights, permissions and Consents to transfer the Customer’s Personal Data to Sinch India and otherwise permit Sinch India to process the Customer’s Personal Data on its behalf, so that Sinch India may lawfully use, process and transfer the Customer’s Personal Data in order to carry out the Services and perform Sinch India’s rights and obligations under this DPA and the Principal Agreement; 
      3. it will inform its Data Principals about its use of a Data Processor in Processing their Personal Data, to the extent required under Applicable Data Protection Laws;  
      4. it will respond, to the extent reasonably practicable, to enquiries by Data Principals regarding the Processing of their Personal Data, within timelines as prescribed under Applicable Data Protection Laws, and to give appropriate instructions to Sinch India in a timely manner; and 
      5. it will comply with the provisions and obligations imposed on it by the Applicable Data Protection Laws and shall procure that its employees and sub-processors observe the provisions of the Applicable Data Protection Laws, in relation to the Customer’s Personal Data.  
  1. Confidentiality 
    1. Sinch India shall ensure that each of its personnel, and each of its sub-processors’ personnel, that is authorized to process the Customer’s Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and is trained in the relevant security and data protection requirements. Provided that Sinch India may disclose the Customer’s Personal Data to the extent such disclosure is required: (a) by applicable law or regulation; (b) pursuant to a valid and binding order of a court or any authority; or (c) to assert or defend legal claims. In such cases, the Data Processor shall, to the extent permitted by law, promptly notify the Data Fiduciary of the request or requirement, and shall cooperate with the Data Fiduciary in taking steps to oppose, limit, or seek confidential treatment of such disclosure, where appropriate. 
  1. Technical and Organizational Measures 
    1. Sinch India shall, in relation to the Customer’s Personal Data, (a) take and document reasonable and appropriate measures, as described in Annex 1, in relation to the security of Sinch India’s Infrastructure and the software and platforms used to provide the Services as described in the Principal Agreement, and (b) on reasonable request at the Customer’s cost, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Applicable Data Protection Laws. 
    2. Sinch India’s internal operating procedures shall comply with the specific requirements of effective data protection management.  
  1. Data Principal Requests 
    1. Sinch India may provide specific tools in order to assist customers in replying to requests received from Data Principals, on a best effort basis. These include our APIs and interfaces to search event data, suppressions, and retrieve message content. When Sinch India receives a complaint, inquiry or request (including requests made by Data Principals to exercise their rights pursuant to Applicable Data Protection Laws) related to the Customer’s Personal Data directly from Data Principals, Sinch India will notify the Customer. Taking into account the nature of the Processing, Sinch India shall assist the Customer, by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising such Data Principals’ rights. 
  1. Personal Data Breaches 
    1. Sinch India shall notify the Customer without undue delay, once Sinch India becomes aware of a Personal Data Breach affecting the Customer’s Personal Data. Sinch India shall, taking into account the nature of the Processing and the information available to Sinch India, use commercially reasonable efforts to provide the Customer with sufficient information to allow the Customer, at the Customer’s cost, to meet any obligations to report or inform regulatory authorities, Data Principals and other entities of such Personal Data Breach to the extent required under Applicable Data Protection Laws. 
  1. Data Protection Impact Assessments 
    1. Sinch India shall, taking into account the nature of the Processing and the information available, provide reasonable assistance to the Customer, at the Customer’s cost and during business hours, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.  
  1. Audits 
    1. Sinch India shall make available to the Customer on reasonable prior written notice of thirty (30) working days, information that is reasonably necessary to demonstrate compliance with this DPA pertaining to the Services.  
    2. Customer, or a mandated third-party auditor, may, upon prior written reasonable request, conduct an inspection in relation to the Processing of the Customer’s Personal Data by Sinch India and to the extent necessary according to Applicable Data Protection Laws, without interrupting Sinch India’s business operations and ensuring confidentiality. 
    3. The audit right as described in Paragraph 9 (b) above will become applicable for the Customer in case Sinch India has not provided sufficient evidence of its compliance with the provisions of this DPA. Sufficient evidence includes providing either: (i) a certification as to compliance with ISO 27001 or other standards implemented by Sinch India (scope as defined in the certificate); or (ii) an audit or attestation report of an independent third party.  
    4. An audit or inspection as described within this Paragraph 9 shall be carried out at the Customer’s cost and expense, during business hours, and requires a prior written notice by the Customer of at least thirty (30) days.  
  1. Return or Destruction of the Customer’s Personal Data 
    1. The Customer may, by written notice to Sinch India no later than at the time of termination of the Principal Agreement, request the return and/or certificate of deletion of any or all copies of the Customer’s Personal Data in the control or possession of Sinch India. Sinch India shall provide a copy of the Customer’s Personal Data in a form that can be read and processed further.  
    2. Following termination of the Principal Agreement, Sinch India shall delete all Personal Data processed pursuant to this DPA, unless Customer requests the return of Personal Data as described in Paragraph 10 (a) above. This provision shall not affect potential statutory duties of the parties to preserve records for retention periods set by law, statute or contract.  
    3. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Principal Agreement shall be borne by the Customer. 
  1. Data Transfers 
    1. Customer acknowledges and agrees that, in connection with the performance of the Services under the Principal Agreement, Sinch India may transfer Personal Data within its company group. These transfers are necessary to provide the Services globally. 
    2. Whenever Personal Data is processed outside the country where the contracted Sinch India legal entity is established, Sinch India will ensure compliance with Applicable Data Protection Laws and this DPA.   
  1. Sub-processing 
    1. The Customer hereby gives a general authorization to Sinch India to appoint sub-processors in accordance with this Paragraph 12. Sinch India will ensure that sub-processors are bound by written agreements that require them to provide at least the level of data protection required of Sinch India by this DPA. The Customer also gives Sinch India a specific authorization to continue to use those sub-processors already engaged on the date of this DPA, as referenced in Paragraph 12 (b).  
    2. The current sub-processors for the Services are set out at https://www.sinch.com/data-protection-agreement/sub-processors/ (“Sub-processor List”). Provided that the Customer subscribes to notifications of new sub-processors through the subscription mechanism found at https://www.sinch.com/data-protection-agreement/sub-processors/, Sinch India shall notify the Customer, through such mechanism of any intended changes concerning the addition or replacement of any sub-processor. If, within ten (10) business days of receipt of that notice, the Customer notifies Sinch India in writing of any objections on reasonable grounds to the proposed appointment, Sinch India shall not appoint that proposed sub-processor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. If Sinch India and the Customer are not able to resolve the appointment of a sub-processor within a reasonable period, either party shall have the right to terminate the Principal Agreement for cause.  
    3. Sinch India shall be responsible for the acts and omissions of any sub-processors as it is to the Customer for its own acts and omissions in relation to the matters provided in this DPA.  
  1. Governing law and jurisdiction 
    1. The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.  
    2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.  
  1. Order of precedence 
    1. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. 
  1. Severance 
    1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible, or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. 
  1. Termination 
    1. This DPA will terminate contemporaneously and automatically with the termination of the Principal Agreement.  

ANNEX 1 

INFORMATION SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES 

The Technical and Organizational Measures included within this Annex are measures that are applicable to the Service(s) provided by Sinch India. If necessary, for the Service, Sinch India may include further Technical and Organizational measures in the Principal Agreement or Service.

  1. Inventory of information and other associated assets    
    An inventory of information and other associated assets, including owners, is developed and maintained. An asset owner has been appointed for every asset within the inventory according to the asset tagging policy.   
  1. Authentication information  
    The allocation and management of authentication information is controlled by a management process, which includes advising personnel on the appropriate handling of authentication information.     
    In particular, Sinch India:   
    1. Does not limit the permitted characters that can be used in a password.  
    2. Requires passwords of at least 16 characters.    
    3. Does not use secret questions as the sole password reset requirement.     
    4. Requires email verification of a password change request.    
    5. Requires the current password in addition to the new password during a password change.  
    6. Verifies newly created passwords against common password lists or leaked password databases.   
    7. Checks existing user passwords for compromise regularly.     
    8. Stores memorized secrets salted and hashed using a suitable one-way key derivation function.       
    9. Enforces appropriate account lockout and brute-force protection on account access: a maximum of 5 failed logins, after which the account is locked for 30 minutes.     
    10. Does not allow any of the last 24 passwords to be reused.     
    11. Requires a password change every 365 days.    
    12. Allows guest network passwords to be set to never expire if the risk is low and the password length requirement (minimum 16 characters) is met.    
    13. Uses MFA and SSO in all use cases. 
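    The rules above can be expressed as a small reference implementation. The following is an added example, not Sinch India's own code: it applies the 16-character minimum with no character restrictions, the breached-password check, the 24-password history, the current-password requirement on change, salted scrypt hashing, the 5-failure / 30-minute lockout and the 365-day maximum age. The breached-password list, account record and clock values are constructed for the example; email verification of change requests and MFA/SSO are out of its scope.

```python
"""Reference checks for the password rules listed above (added example, not
Sinch India code).  Breached-password data, accounts and clock values are
constructed in-line so the module runs offline."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 16                      # rule 2: at least 16 characters
HISTORY_DEPTH = 24                   # rule 10: last 24 passwords not reusable
MAX_FAILED_LOGINS = 5                # rule 9: 5 failures ...
LOCKOUT_SECONDS = 30 * 60            # ... then locked for 30 minutes
MAX_PASSWORD_AGE_SECONDS = 365 * 86400   # rule 11: change every 365 days

# Constructed stand-in for a leaked-password database (rule 6); real lists are
# usually distributed as SHA-1 digests, so the lookup is by digest as well.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in (
    "password123", "correcthorsebatterystaple", "Summer2024!Summer2024!")}


def hash_secret(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Rule 8: salted one-way KDF (scrypt from the standard library)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_secret(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float                                   # epoch seconds
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failed_logins: int = 0
    locked_until: float = 0.0


def check_new_password(account: Account, current: str, proposed: str) -> List[str]:
    """Return the rules the proposed password violates (empty list = accepted)."""
    problems = []
    if not verify_secret(current, account.salt, account.digest):     # rule 5
        problems.append("current password is wrong")
    if len(proposed) < MIN_LENGTH:                                    # rule 2
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 1: deliberately no character-class or character-set restriction.
    if hashlib.sha1(proposed.encode()).hexdigest() in BREACHED_SHA1:  # rule 6
        problems.append("appears in a breached-password list")
    # Rule 10: the active password plus the 23 before it make up the last 24.
    recent = [(account.salt, account.digest)] + account.history[:HISTORY_DEPTH - 1]
    if any(verify_secret(proposed, s, d) for s, d in recent):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotate_password(account: Account, current: str, proposed: str, now: float) -> List[str]:
    """Apply the change if the policy accepts it; returns the violations otherwise."""
    problems = check_new_password(account, current, proposed)
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_DEPTH - 1:]        # keep only what rule 10 needs
    account.salt, account.digest = hash_secret(proposed)
    account.changed_at = now
    return []


def attempt_login(account: Account, password: str, now: float) -> str:
    """Returns 'ok', 'locked', 'bad-password' or 'expired'."""
    if now < account.locked_until:                   # rule 9: lockout in force
        return "locked"
    if not verify_secret(password, account.salt, account.digest):
        account.failed_logins += 1
        if account.failed_logins >= MAX_FAILED_LOGINS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_logins = 0
        return "bad-password"
    account.failed_logins = 0
    if now - account.changed_at > MAX_PASSWORD_AGE_SECONDS:   # rule 11
        return "expired"
    return "ok"
```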
  1. Access rights   
    Access rights to information and other associated assets are provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.   
    In particular, in Sinch India:  
    1. Access rights are reviewed quarterly.      
    2. User accounts inactive for over 90 days are disabled    
    3. Quarterly access reviews should be performed for all offices’ access systems to check that users’ access rights are still valid.   
  1. ICT readiness for business continuity  
    ICT readiness is planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.    
    In particular, in Sinch India: 
    1. All Business Units have one or more Disaster Recovery Plans specifically aligned with the product offering.     
    2. The DRP is tested annually through the use of Incident Simulation.   
  1. Information security awareness, education and training  
    Personnel of the organization and relevant interested parties receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.  
    In particular, in Sinch India:  
    1. All employees complete ISA training within 3 weeks of their start date.   
    2. All employees have carried out ISA training during the last 12 months   
    3. The content of the ISA training is updated every 12 months   
  1. Capacity management  
    The use of resources is monitored and adjusted in line with current and expected capacity requirements.    
  1. Protection against malware    
    Protection against malware is implemented and supported by appropriate user awareness. All endpoint devices have endpoint detection and response (EDR) installed. 
  1. Management of technical vulnerabilities  
    Information about technical vulnerabilities of information systems in use is obtained, Sinch India’s exposure to such vulnerabilities is evaluated, and appropriate measures are taken.    
    In particular, in Sinch India:  
    1. Vulnerability scans are run every 7 days.     
    2. Security patches with a severity score higher than “Medium”, as determined by the issuer of the patch, are applied to all components of the application stack within one month (30 days) of release. 
    3. A manual black-box penetration test is performed every 12 months. 
  1. Configuration Management   
    Configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed against the following standards: NIST 800-53 and CIS Controls. 
  1. Information Backup  
    Backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific policy on backup.   
    The backup routine at least specifies:  
    1. Backup intervals (minimum weekly)     
    2. Retention requirements     
    3. Location for backup storage      
    4. Extent of backup (e.g. data, configurations, full system backup)     
    5. Backup strategy (e.g. online versus offline, number of backups, relation between full and incremental backup)     
    6. Backup restore tests shall be performed at least quarterly for business-critical systems and at least annually for all others, and the tests    
  1. Monitoring activities  
    Networks, systems and applications are monitored for anomalous and malicious behaviour in order to detect potential security incidents, and appropriate actions are taken to evaluate potential information security incidents.      
  1. Network Security  
    Networks and network devices are secured, managed and controlled to protect information in systems and applications.  
    For instance, Sinch India:  
    1. Encrypts data at rest on servers, applications, and databases (AES-256 minimum) and data in transit (TLS 1.2 or higher).    
    2. Maintains appropriate logging and monitoring, including EDR, to enable recording and detection of actions that can affect, or are relevant to, information security.     
    3. Requires product owners to maintain up-to-date documentation, including network diagrams and configuration files of devices (e.g. routers, switches).     
    4. Restricts and filters systems’ connections to the network, both incoming and outgoing, e.g. using firewalls to minimize exposed assets both internally and externally.     
    5. Hardens network devices. 
    6. Segregates network administration channels from other network traffic.    
    7. Temporarily isolates critical subnetworks (e.g. with drawbridges) if the network is under attack.    
  1. System life cycle management
    Rules for the secure development of software and systems are established and applied.   
    For instance, in Sinch India: 
    1. The system is designed in a secure way, utilizing threat modelling as required.      
    2. There is a plan to maintain the system in line with the vulnerability management control.    
    3. There is an owner of the system.     
    4. There is a plan to replace the system (zero legacy policy).  
  1. Security testing in development and acceptance  
    Security testing processes are defined and implemented in the development life cycle.   
    1. SAST, vulnerability and secrets detection scans run in CI/CD pipelines, and DAST where possible. 
    2. No critical or high vulnerabilities remain unremediated before a release is made available to customers.     
    3. Network infrastructure is securely managed.   
    4. All projects follow Product Release Security Checklists.     
  1. Measures for ensuring physical security of locations at which Personal Data are processed  
    Physical and environmental security measures have been implemented within Sinch India. For instance, in Sinch India: 
    1. Security perimeters are defined and used to protect areas that contain information and other associated assets. 
    2. Secure areas are protected by appropriate entry controls and access points. 
    3. Physical security for offices, rooms and facilities is designed and implemented. 
    4. Premises are continuously monitored for unauthorized physical access. 
    5. Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, is designed and implemented. 
    6. Security measures for working in secure areas are designed and implemented. 
    7. Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities are defined and appropriately enforced. 
    8. Equipment is sited securely and protected. 
    9. Off-site assets are protected. 
    10. Storage media is managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. 
    11. Information processing facilities are protected from power failures and other disruptions caused by failures in supporting utilities. 
    12. Cables carrying power, data or supporting information services are protected from interception, interference or damage. 
    13. Equipment is maintained correctly to ensure the availability, integrity and confidentiality of information. 
    14. Items of equipment containing storage media are verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use. 

Sinch India has also applied for an Information Security Management System (ISMS), according to ISO/IEC 27001:2022. 

  1. Measures for ensuring limited data retention   
    Measures to ensure limited Personal Data retention have been implemented.  
    For instance, Sinch India:  
    1. Established a data retention policy, which clearly defines the specific types of data that will be collected, how long it will be retained, and when it will be deleted. 
    2. Implemented automated deletion processes.  
    3. Regularly reviews and updates the retention policy. 
    4. Limits data collection to only what is necessary for specific business purposes. 
    5. Trains employees on data retention. 
    6. Regularly reviews and monitors data retention. 
    7. Uses encryption to protect data that is retained, to reduce the risk of unauthorized access or disclosure.   
  1. Measures for ensuring accountability  
    Appropriate technical and organisational measures have been implemented to meet the requirements of accountability.  
    For instance, Sinch India:   
    1. Adopted and implemented data protection policies. 
    2. Took a ‘data protection by design and default’ approach.   
    3. Put written contracts in place with organisations that process Personal Data on Sinch India’s behalf. 
    4. Documented its processing activities. 
    5. Carried out data protection impact assessments. 
    6. Appointed a Group DPO.  
  1. Measures for allowing data portability and ensuring erasure   
    Measures to allow the exercise of Data Principal rights are implemented within Sinch India. 
    For instance, Sinch India:  
    1. Erases Personal Data from back-up systems as well as live systems where necessary, and it clearly tells the individual what will happen to their data. 
    2. Contacts each recipient to inform them about the erasure, if the Personal Data is disclosed to others, unless this is impossible or involves disproportionate effort. If Personal Data has been made public in an online environment, the organisation takes reasonable steps to tell other Data Fiduciaries, if they are Processing it, to erase links to, copies or replication of that data. 
    3. Informs the Data Principal which third parties have received the Personal Data whenever requested. 
    4. Provides Personal Data in a structured, commonly used and machine-readable format, where requested. Where possible and if an individual requests it, the organisation can directly transmit the information to another organisation. 
  1. Measures for ensuring data minimisation   
    Measures to minimize the amount of data processed are implemented.  
    For instance, for each Processing activity, Sinch India:  
    1. Implemented measures that ensure that the collection of Personal Data is adequate, relevant and strictly limited to what is necessary in relation to the purposes for which it is processed.  
    2. Has assessed that it cannot achieve the purposes of its Processing activity with less privacy invasive data (e.g. working with less granular data) or intrusive process (i.e. using less intrusive means). 
    3. Documented the requirement for each data field in relation to the purpose.