DATA PROCESSING AGREEMENT (UK GDPR)

Version 2.1 – January 2026

 

1. INTRODUCTION

This Data Processing Agreement (“DPA”) forms part of the contract between Quick SMS Limited (“QuickSMS”) and its customers (“Customer”).

This DPA governs the Processing of Personal Data in connection with the provision of QuickSMS secure multi-channel messaging and communications services.

This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and supports QuickSMS’s Integrated Management System certified to ISO 27001, ISO 9001, ISO 14001, and ISO 45001.

2. DEFINITIONS

“Applicable Law” means UK GDPR, Data Protection Act 2018, PECR, and applicable ICO guidance.

“Personal Data”, “Processing”, “Controller”, “Processor”, and “Sub-Processor” have the meanings given in UK GDPR.

“Customer Data” means all Personal Data processed by QuickSMS on behalf of the Customer, including any Personal Data contained within message payloads.

 

3. ROLES OF THE PARTIES

3.1 The Customer acts as Data Controller.

3.2 QuickSMS acts as Data Processor.

3.3 Each party warrants ongoing compliance with Applicable Law and relevant regulatory guidance.

 

4. SUBJECT MATTER AND DURATION

4.1 Subject Matter

Processing of Personal Data for secure messaging, communications, and related platform services.

4.2 Duration

For the term of the Customer agreement and any applicable statutory retention period.

4.3 Nature and Purpose

Including:

  • Message transmission and routing

  • Delivery confirmation and reporting

  • Platform administration

  • Compliance and audit monitoring

  • Security logging and diagnostics

  • Analytics and service optimisation

  • Technical and customer support

4.4 Types of Personal Data

Including:

  • Telephone numbers

  • Email addresses

  • Identifiers and reference numbers

  • Message content and attachments

  • Authentication credentials

  • System and delivery metadata

4.5 Categories of Data Subjects

Including:

  • Patients

  • Staff

  • Service users

  • Citizens

  • Employees

  • Customers

 

5. PROCESSING ON INSTRUCTIONS

5.1 QuickSMS shall process Personal Data only on documented instructions from the Customer.

5.2 Instructions include:

  • Contracts and Call-Off agreements

  • Platform configurations

  • Written communications

  • Authorised operational requests

5.3 Processing outside documented instructions is prohibited unless required by law.

5.4 Where legally required, QuickSMS shall notify the Customer unless prohibited.

 

6. CONFIDENTIALITY AND TRAINING

6.1 All personnel authorised to process Personal Data are subject to contractual confidentiality obligations.

6.2 Personnel receive regular data protection, information security, and compliance training in line with QuickSMS’s ISO-certified management systems.

 

7. SECURITY MEASURES

7.1 QuickSMS implements appropriate technical and organisational measures including:

  • ISO 27001-aligned Information Security Management System

  • Role-based access controls

  • Encryption in transit

  • Secure credential management

  • Network segmentation and firewalls

  • Centralised monitoring and logging

  • Vulnerability assessment and penetration testing

  • Incident response and recovery procedures

7.2 Security controls are reviewed annually as part of QuickSMS’s internal audit and management review processes.

7.3 Security controls align with:

  • NHS DSP Toolkit

  • DTAC

  • DPIA governance framework

  • Integrated Management System (IMS)

7.4 Detailed security documentation is available on reasonable request.

 

8. SUB-PROCESSING

8.1 The Customer authorises the Sub-Processors listed in Appendix A.

8.2 All Sub-Processors are subject to written agreements imposing equivalent data protection obligations.

8.3 QuickSMS remains fully liable for its Sub-Processors.

8.4 Customers shall receive not less than thirty (30) days’ notice of material changes.

8.5 Customers may object on reasonable data protection grounds.

 

9. INTERNATIONAL TRANSFERS

9.1 Personal Data is processed and hosted within the United Kingdom unless otherwise agreed.

9.2 International transfers shall occur only:

  • On documented Customer instruction; and

  • Using approved safeguards (IDTA, SCCs, adequacy decisions).

 

10. DATA SUBJECT RIGHTS

10.1 QuickSMS shall assist the Customer with all data subject rights requests.

10.2 Assistance shall be provided without undue delay and in any event within five (5) business days.

 

11. PERSONAL DATA BREACH MANAGEMENT

11.1 QuickSMS shall notify the Customer within twenty-four (24) hours of becoming aware of a Personal Data Breach.

11.2 Notifications shall include:

  • Nature and scope

  • Data categories affected

  • Risk assessment

  • Mitigation actions

11.3 Full cooperation with investigations and regulatory notifications shall be provided.

 

12. DATA PROTECTION IMPACT ASSESSMENTS AND DTAC

12.1 QuickSMS shall assist with:

  • DPIAs

  • DTAC submissions

  • Regulatory reviews

12.2 Relevant technical and organisational evidence shall be supplied.

 

13. AUDIT AND COMPLIANCE

13.1 QuickSMS shall make available information necessary to demonstrate compliance.

13.2 The Customer may audit on reasonable notice.

13.3 Audits shall be proportionate and minimise disruption.

13.4 Independent certifications and third-party audits may be relied upon.

 

14. DATA RETENTION AND DELETION

14.1 On termination, the Customer may elect to:

(a) Receive a copy of Customer Data; or
(b) Require secure deletion.

14.2 Deletion shall occur within thirty (30) days unless legally required otherwise.

14.3 Statutory retention obligations shall prevail.

 

15. REGULATORY COOPERATION

QuickSMS shall cooperate fully with:

  • The ICO

  • NHS assurance bodies

  • Other competent authorities

 

16. RECORDS OF PROCESSING

QuickSMS maintains Article 30 records of Processing activities.

 

17. LIABILITY

Each party is responsible for its own compliance.

Liability is governed by the main customer agreement.

 

18. SURVIVAL

This DPA shall survive termination for so long as Personal Data remains processed.

 

19. CONTACT DETAILS

Data Protection Lead
QuickSMS
Email: dataprotection@quicksms.com
Support: support@quicksms.com
Tel: +44 (0)203 740 8909

APPENDIX A
APPROVED CORE SUB-PROCESSORS

Sub-Processor | Service | Location | Safeguards
Rackspace UK Limited | Hosting, infrastructure, storage, backup | United Kingdom | ISO 27001, UK GDPR
BT / EE | Network routing and termination | United Kingdom | Carrier compliance
Vodafone Limited | Network routing and termination | United Kingdom | Carrier compliance
Hutchison 3G UK Limited (Three) | Network routing and termination | United Kingdom | Carrier compliance
Telefónica UK Limited (O2) | Network routing and termination | United Kingdom | Carrier compliance
Other UK Mobile Networks | Message termination | United Kingdom | Carrier compliance
Infobip Limited | International routing (where applicable) | UK / EEA | SCC / IDTA, ISO 27001

This list is reviewed regularly and updated where required. Customers will be notified of material changes in accordance with this DPA.

VERSION HISTORY

Version | Date | Description
1.0 | 2024 | Initial publication
2.1 | Jan 2026 | Full ISO, NHS, G-Cloud alignment