MicroTelecom Data Processing Addendum (DPA)

This DPA forms part of the Agreement governing Customer’s use of MicroTelecom’s SaaS Services.
Version: 2.0
Effective Date: Jan 1st, 2026
Important: This DPA applies to SaaS Deployments where MicroTelecom processes Personal Data on behalf of Customer as a Processor. For Self-Hosted Deployments, Customer controls its hosting environment and related security/processing responsibilities as set out in the Agreement.

1. Parties

This Data Processing Addendum (“DPA”) is entered into between:

  • MicroTelecom Systems LLC, together with its subsidiaries and affiliated entities (collectively, “MicroTelecom”), acting as a Data Processor; and
  • The customer entity that has entered into the Agreement governing the use of the Services (“Customer”), acting as the Data Controller.

This DPA applies automatically to each Customer that accesses or uses the Services under the Agreement and processes Personal Data through the Services.


2. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

  • “Agreement” means the MicroTelecom software license and services agreement, order form, statement of work, or other written/electronic agreement governing the Services.
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under GDPR/UK GDPR or other applicable data protection laws.
  • “Customer Data” means Personal Data processed by MicroTelecom on behalf of Customer in connection with the Services.
  • “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in applicable data protection laws (including GDPR and UK GDPR).
  • “Subprocessor” means a third party appointed by MicroTelecom to process Customer Data to support delivery of the Services.
  • “Data Protection Laws” means laws and regulations applicable to the processing of Personal Data under the Agreement, including (as applicable) GDPR and UK GDPR.

3. Scope and Relationship to the Agreement

This DPA applies where MicroTelecom processes Customer Data as a Processor on behalf of Customer in connection with SaaS Services. MicroTelecom will process Customer Data only as necessary to provide the Services and in accordance with Customer’s documented instructions.

This Data Processing Addendum is incorporated into the Agreement by reference for SaaS Deployments. In the event of a conflict between this DPA and the Agreement regarding the Processing of Customer Data, this DPA controls.

The details of Processing (subject matter, duration, nature, purpose, types of Customer Data, and categories of Data Subjects) are set out in Annex 1.

4. Roles and Responsibilities

Customer (Controller)
  • Determines the purposes and means of Processing of Customer Data.
  • Ensures it has a lawful basis to collect, use, and disclose Customer Data to MicroTelecom.
  • Provides documented instructions for Processing.
  • Is responsible for responding to Data Subject requests unless otherwise required by law.
MicroTelecom (Processor)
  • Processes Customer Data only on documented instructions from Customer (including as configured via the Services).
  • Implements appropriate technical and organizational measures to protect Customer Data.
  • Ensures authorized personnel are bound by confidentiality obligations.
  • Engages Subprocessors consistent with Section 7 of this DPA.

5. Customer Instructions

Customer instructs MicroTelecom to process Customer Data for the purpose of providing and supporting the Services, including as initiated through Customer’s use and configuration of the Services, and as further described in the Agreement and Annex 1.

Any Processing outside the scope of these instructions requires a mutually agreed written amendment or other written instruction accepted by MicroTelecom.

6. Confidentiality

MicroTelecom will ensure that any person authorized to process Customer Data is subject to appropriate confidentiality obligations (statutory or contractual).

7. Subprocessors

Customer authorizes MicroTelecom to appoint Subprocessors to support delivery of the Services. MicroTelecom will impose data protection obligations on Subprocessors that are no less protective than those set out in this DPA, to the extent applicable to their services.

A current list of Subprocessors engaged in connection with the Services is available to Customer upon request.

MicroTelecom remains responsible for the performance of its Subprocessors to the extent required by Data Protection Laws.

8. Security Measures

MicroTelecom will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, consistent with applicable Data Protection Laws (including GDPR Article 32 concepts).

A description of baseline security measures is provided in Annex 2. Customer acknowledges that security is a shared responsibility and that Customer is responsible for its own user access controls, credentials, and configurations within the Services.

9. Personal Data Breach Notification

Upon becoming aware of a confirmed Personal Data Breach affecting Customer Data, MicroTelecom will notify Customer without undue delay and, in any event, within 48 hours of confirmation, and will provide information reasonably necessary to assist Customer in meeting breach notification obligations, taking into account the information available to MicroTelecom.

Customer is responsible for determining whether notification to supervisory authorities, regulators, or Data Subjects is required, and for carrying out such notifications.

10. Data Subject Requests and Cooperation

Taking into account the nature of the Processing, MicroTelecom will provide reasonable assistance to Customer to enable Customer to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Laws.

Where MicroTelecom receives a request directly from a Data Subject relating to Customer Data, MicroTelecom will (to the extent permitted by law) refer the Data Subject to Customer.

11. DPIAs and Prior Consultation

Where required by Data Protection Laws, MicroTelecom will provide information reasonably necessary to assist Customer in completing data protection impact assessments (DPIAs) and/or prior consultations with supervisory authorities, to the extent such information is within MicroTelecom’s control and relates to the Services. Additional assistance beyond providing existing documentation may be provided on a time-and-materials basis if requested by Customer.

12. Audits and Compliance Information

Upon reasonable written request, MicroTelecom will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, taking into account the nature of the Services and confidentiality/security constraints.

Any on-site audit (if applicable) must be: (a) scheduled at least 30 days in advance; (b) conducted during normal business hours; (c) limited to systems relevant to Customer Data; (d) subject to confidentiality; and (e) not more than once per 12-month period unless required by a competent supervisory authority. If an audit requires material engineering or operational effort beyond standard documentation, MicroTelecom may charge reasonable fees.

13. International Transfers

Customer acknowledges that Customer Data may be processed in countries outside Customer’s country of establishment. Where Data Protection Laws restrict international transfers, the parties will rely on an appropriate transfer mechanism, such as:

  • EU GDPR transfers: the European Commission’s Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914, as applicable.
  • UK GDPR transfers: the UK ICO International Data Transfer Addendum to the EU SCCs and/or the UK International Data Transfer Agreement (IDTA), as applicable.

If required, the parties will complete and execute the relevant SCC module(s) and/or UK Addendum tables using the information in Annex 1 and Annex 2.

14. Return or Deletion of Customer Data

Upon termination or expiration of the Agreement, MicroTelecom will, at Customer’s election and where supported by the Services, return or delete Customer Data within 30 days, unless retention is required by applicable law.

Customer acknowledges that residual copies may persist in backups for a limited period consistent with MicroTelecom’s backup retention policies, provided such copies are protected from further processing and deleted in the ordinary course.

15. Term

This DPA remains in effect for the term of the Agreement and for so long as MicroTelecom processes Customer Data on behalf of Customer.

16. Liability

Each party’s liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability set forth in the Agreement, unless otherwise prohibited by applicable law.

17. Order of Precedence

In the event of conflict, the order of precedence is: (1) applicable SCCs/UK transfer addendum (if executed), then (2) this DPA, then (3) the Agreement, solely with respect to Processing of Customer Data.


Annex 1 – Details of Processing (GDPR Article 28(3))

Subject Matter: Provision of MTPOS SaaS Services and related support/professional services as described in the Agreement.
Duration: For the term of the Agreement, plus any post-termination return/deletion period described in this DPA.
Nature of Processing: Hosting, storage, transmission, retrieval, viewing, reporting, and other processing necessary to provide and secure the Services; customer support and troubleshooting as requested by Customer.
Purpose(s): To provide, maintain, support, and secure the Services; to perform obligations under the Agreement; and to process as initiated by Customer users within the Services.
Categories of Data Subjects
  • Customer’s employees, contractors, and authorized users
  • Customer’s end customers/consumers (e.g., retail purchasers) as determined by Customer
  • Customer’s vendors/partners (as applicable)
Categories of Personal Data
Exact fields depend on Customer’s configuration and usage.
  • Identifiers and contact data (e.g., name, email, phone, address, customer IDs)
  • Transactional/point-of-sale data (e.g., purchases, invoices, returns, device/IMEI/serial data where entered)
  • Account and authentication data (e.g., usernames, hashed credentials/tokens, role permissions)
  • Device and usage data (e.g., IP address, logs, timestamps, audit trails)
  • Payment-related data as configured by Customer (note: Customer is responsible for PCI scope decisions and configurations)
Special Categories of Data: Not intended to be processed. Customer will not provide special category data unless specifically agreed in writing and supported by the Services.
Processing Locations: United States or as required to provide the Services.

Annex 2 – Technical and Organizational Measures (TOMs)

This is a baseline description. Measures may evolve as MicroTelecom updates its security program.

Access Controls
  • Role-based access controls for administrative systems
  • Least-privilege access and periodic access reviews
  • Multi-factor authentication for privileged access (where supported)
  • Segregation of environments (e.g., production vs. non-production)
Encryption
  • Encryption in transit (TLS) for service endpoints
  • Encryption at rest for hosted storage where supported by infrastructure
  • Key management controls consistent with cloud platform capabilities
Logging and Monitoring
  • Centralized logging for security and operational events
  • Monitoring/alerting for service health and anomalous activity (where implemented)
  • Audit trails for key administrative actions (where supported)
Vulnerability and Patch Management
  • Routine patching of infrastructure components within MicroTelecom’s control
  • Vulnerability management processes aligned to risk and severity
  • Secure SDLC practices for service updates (as applicable)
Business Continuity
  • Backup processes for hosted systems (as applicable)
  • Disaster recovery procedures appropriate to the service tier
  • Incident response procedures and escalation paths
Physical and Environmental Security
  • For cloud infrastructure: data center controls provided by the underlying cloud provider
  • For MicroTelecom offices: reasonable administrative and physical safeguards

Annex 3 – Subprocessors

MicroTelecom maintains a current list of Subprocessors and will provide it upon request.

Subprocessor | Service Provided | Processing Location(s)
Microsoft Azure | Cloud infrastructure hosting | United States
SendGrid | Transactional email delivery | United States
Twilio | SMS and text message delivery | United States
MicroTelecom Consulting LLP | Technical and customer support services | India

Acceptance and Binding Effect

This Data Processing Addendum is incorporated into and forms part of the Agreement. By accessing or using the Services, executing an Order Form, or otherwise agreeing to the Agreement, Customer is deemed to have accepted this DPA in full, without the need for a separate signature.

Copyright © MicroTelecom. All rights reserved.