Data Processing Agreement
1. Introduction
This Data Processing Agreement ("Agreement") forms part of the Service Agreement between Quick SMS Limited ("Processor" for UK and European Clients) or Quick SMS Middle East ("Processor" for UAE Clients) and the Client ("Controller"), collectively referred to as the "Parties".
QuickSMS provides telecommunications messaging services, including SMS, WhatsApp, RCS Messaging, and related communication channels, via secure APIs and web interfaces. QuickSMS acts solely as a Processor on behalf of the Controller and does not monitor, influence, or control the content of messages transmitted.
2. Definitions
Terms such as "Personal Data," "Processing," "Controller," "Processor," "Data Subject," "Subprocessor," and "Special Category Data" have the meanings set out in the UK GDPR, EU GDPR, and UAE PDPL.
3. Roles and Responsibilities
- The Client is the Controller, determining the purposes and means of Processing.
- QuickSMS is the Processor, Processing Personal Data strictly on the documented instructions of the Controller.
- QuickSMS does not inspect, modify, or make decisions regarding message content or recipients.
4. Nature, Purpose, and Duration of Processing
- Nature: Transmission of mobile communications via secure telecommunications networks.
- Purpose: Delivery of SMS, WhatsApp, and RCS messages as instructed by the Controller.
- Duration: For the term of the Services Agreement, and as otherwise required by applicable law or contractual obligations.
QuickSMS’s Services are regionally structured to ensure that data for UK and European Clients remains hosted within the United Kingdom, and data for UAE Clients remains hosted within the United Arab Emirates.
5. Categories of Personal Data and Data Subjects
- Personal Data: Mobile phone numbers, metadata (e.g., timestamps, delivery status), message content (if classified as Personal Data).
- Data Subjects: End users, customers, patients, or employees as determined by the Controller.
Special Category Data Warning:
Where Controllers transmit Special Category Data (e.g., health data), Controllers acknowledge their responsibility for ensuring lawful bases and appropriate safeguards.
6. Compliance with Applicable Laws
QuickSMS shall comply with all applicable data protection laws including, but not limited to:
United Kingdom:
- United Kingdom General Data Protection Regulation ("UK GDPR")
- Data Protection Act 2018 ("DPA 2018")
European Union:
- Regulation (EU) 2016/679 ("EU GDPR")
United Arab Emirates:
- Federal Decree Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL")
- Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (where applicable)
- Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021 (where applicable)
- Federal Law No. 6 of 2023 on Public Procurement (where applicable to data processing activities)
Healthcare Sector (where applicable):
- NHS Data Security and Protection Toolkit (DSPT) Standards
- NHS Confidentiality Code of Practice
- Caldicott Principles
- Any other applicable healthcare information governance regulations.
Where there is a conflict between any applicable laws, the stricter standard of protection for Personal Data shall apply.
7. Subprocessors
QuickSMS engages the following approved Subprocessors:
- Rackspace – Lon5 DataCentre, London, UK (Hosting)
- Serving Hosting – Internet City, Dubai, UAE (Hosting)
- MNOs (Mobile Network Operators) – various, country-specific (Message Delivery)
- Meta – WhatsApp messaging infrastructure (Local and International)
- Google – RCS Messaging infrastructure (Local and International)
Subprocessors are contractually bound to equivalent obligations regarding data protection and security. The Controller authorises these Subprocessors by entering into this Agreement.
8. Technical and Organisational Measures
QuickSMS maintains robust technical, organisational, and procedural measures to protect Personal Data, consistent with the highest international standards.
Security Certifications Held:
- ISO/IEC 27001:2022 Certification (Information Security Management System, UKAS Accredited)
- ISO 9001:2015 Certification (Quality Management System, UKAS Accredited)
- ISO 14001:2015 Certification (Environmental Management System, UKAS Accredited)
- ISO 45001:2018 Certification (Occupational Health and Safety Management System, UKAS Accredited)
- Cyber Essentials Certification
- Cyber Essentials Plus Certification
Key Security Controls:
- End-to-end encryption: TLS 1.2+ for data in transit, AES-256 for data at rest.
- Role-Based Access Control (RBAC) with strict least privilege enforcement.
- 24/7 system monitoring for unauthorised access and anomalies.
- Regular independent audits, vulnerability assessments, and penetration tests.
- Secure data hosting within ISO 27001, ISO 22301, and PCI-DSS certified UK and UAE data centres.
- Incident Response Plan tested bi-annually for breach preparedness.
- Secure Data Disposal aligned with NIST 800-88 standards.
Data Residency and Hosting
QuickSMS ensures:
- UK and European Clients: Data is hosted exclusively on UK-based servers in London.
- UAE Clients: Data is hosted exclusively on UAE-based servers in Dubai.
QuickSMS does not transfer Personal Data outside of its assigned region unless required by law or explicitly authorised by the Controller.
Operational Evidence of Compliance
QuickSMS maintains and operates detailed supporting documentation as part of its Information Security Management System (ISMS) and Data Protection Compliance Framework, including but not limited to:
- Data Protection Impact Assessment (DPIA) Registers
- Data Breach Notification and Incident Response Records
- Data Subject Rights Request (DSR) Logs
- Supplier and Subprocessor Due Diligence Assessments
- Data Retention and Secure Disposal Registers
- Internal Audit Records and Penetration Testing Reports
These documents are available for review by the Controller upon reasonable request, subject to confidentiality and security obligations.
9. Assistance to the Controller
QuickSMS shall assist the Controller with:
- Responding to Data Subject Rights Requests (SARs, erasure, objection, etc.).
- Conducting Data Protection Impact Assessments (DPIAs) where relevant.
- Ensuring appropriate security of processing.
- Incident management and breach notification support.
10. Data Breach Notification
QuickSMS will notify the Controller without undue delay, and within 24 hours of becoming aware of a Personal Data Breach.
Notification will include:
- Nature of the breach.
- Data affected.
- Potential consequences.
- Mitigation and remediation measures.
QuickSMS will support the Controller in any regulatory notifications, including to the ICO (UK) or healthcare-specific regulators (e.g., NHS England).
11. Data Transfers and Data Residency
- QuickSMS ensures that all data processing and storage are regionally contained as follows:
  - UK and European Clients: All Personal Data is hosted exclusively in UK-based servers located within ISO 27001, ISO 22301, and PCI-DSS certified data centres.
  - UAE Clients: All Personal Data is hosted exclusively within UAE-based servers located in ISO-certified data centres within the United Arab Emirates.
- Any onward international transfer of Personal Data will only occur where appropriate safeguards (e.g., Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTAs)) have been implemented and where permitted by applicable data protection laws.
12. Confidentiality
- All QuickSMS personnel and subprocessors are bound by strict confidentiality obligations.
- Confidentiality survives termination of this Agreement.
13. Data Retention and Deletion
Upon termination or at the Controller’s request:
- Personal Data shall be deleted securely in accordance with NIST 800-88 standards.
- QuickSMS will confirm deletion in writing.
- Retained backups will also be securely destroyed once no longer required.
14. Audits and Inspections
- The Controller has the right to audit QuickSMS’s compliance with this Agreement.
- Audits will be subject to reasonable notice and confidentiality requirements.
15. Liability
- Each Party remains liable for its respective obligations under applicable data protection laws.
- QuickSMS’s liability is subject to the limitations set out in the main Service Agreement.
16. Term and Termination
This Agreement shall remain in effect for the duration of the Services Agreement between the Parties, and thereafter as necessary to comply with applicable laws.
17. Contact Details
Processor for UK and European Clients:
Quick SMS Limited
Registered Address: 54 Bath Street, St Helier, Jersey, JE1 1FW, Channel Islands
Company Number: 133441
Jersey Information Commissioner Registration Number: 100618
Data Protection Contact: Data Protection Officer
Email: dpa@quicksms.com
Processor for UAE Clients:
Quick SMS Middle East
Registered Address: 14th Floor, South Tower, Dubai Science Park, Dubai Internet City, Dubai, United Arab Emirates, 106427
Data Protection Contact: Data Protection Officer
Email: dpa@quicksms.com
Controller:
The Client, as identified in the main Supply Agreement.
(Contact details to be maintained by the Controller.)