Effective Date: March 10, 2026
This Data Processing Agreement ("DPA") is entered into between:
- You ("Controller", "Customer") — the entity using Enbbox Services, and
- SWYPE FZE (Dubai, UAE) and Digital Services LLC (Batumi, Georgia), collectively ("Processor", "Enbbox") — the providers of the Enbbox notification infrastructure platform.
This DPA supplements the Terms of Use and governs the processing of personal data by Enbbox on behalf of the Customer.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.
- "Processing" means any operation performed on Personal Data, including collection, storage, transmission, deletion, and delivery of notifications.
- "Sub-processor" means a third party engaged by Enbbox to process Personal Data on behalf of the Customer.
- "Data Subject" means the individual whose Personal Data is processed.
- "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA, and any other applicable data protection legislation.
2. Scope of Processing
2.1 Subject Matter and Purpose
Enbbox processes Personal Data solely to provide the notification delivery Services as instructed by the Customer, including:
- Delivering notifications across channels (In-App, Email, SMS, Push, Chat)
- Storing subscriber records and delivery logs
- Processing digest and workflow orchestration logic
2.2 Categories of Data
| Data Category | Examples |
|---|---|
| Subscriber identifiers | Email addresses, phone numbers, device tokens, subscriber IDs |
| Notification content | Message templates, workflow variables provided by Customer |
| Delivery metadata | Timestamps, channel, delivery status, bounce/open events |
2.3 Duration
Processing continues for the duration of the Services agreement. Upon termination, Personal Data will be deleted within 30 days, unless retention is required by law.
3. Customer Obligations
The Customer represents and warrants that:
- It has a lawful basis for processing Personal Data through the Services (e.g., consent, legitimate interest, or contract performance).
- It has provided appropriate privacy notices to Data Subjects.
- It will not instruct Enbbox to process data in violation of Applicable Data Protection Law.
4. Enbbox Obligations
Enbbox shall:
- Process Personal Data only on documented instructions from the Customer.
- Ensure that personnel with access to Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Personal Data (see Section 5).
- Assist the Customer in responding to Data Subject rights requests.
- Notify the Customer of any data breach without undue delay (see Section 7).
- Delete or return Personal Data upon termination of the Services.
5. Security Measures
Enbbox implements the following technical and organizational measures:
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 for all API and dashboard traffic |
| Encryption at Rest | AES-256 for stored data |
| Access Control | Role-based access, API key authentication |
| Credential Security | Provider credentials encrypted with per-project keys |
| Infrastructure | Hosted on SOC 2-eligible cloud infrastructure |
| Monitoring | 24/7 automated anomaly detection and alerting |
| Backup | Regular encrypted backups with tested restoration |
6. Sub-processors
6.1 Authorization
The Customer authorizes Enbbox to engage Sub-processors for the purpose of providing the Services. Enbbox maintains a current list of Sub-processors.
6.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting and compute | Variable |
| Stripe | Payment processing | USA / EU |
| Notification providers (as configured) | Email, SMS, Push, Chat delivery | Variable |
6.3 Changes
Enbbox will notify the Customer of any intended changes to Sub-processors at least 30 days in advance. The Customer may object to a new Sub-processor by contacting [email protected].
7. Data Breach Notification
- Enbbox will notify the Customer of any confirmed Personal Data breach without undue delay and in any event within 72 hours of becoming aware.
- The notification will include:
  - Nature and scope of the breach
  - Categories and approximate number of affected Data Subjects
  - Likely consequences
  - Measures taken or proposed to mitigate
- Enbbox will cooperate with the Customer in investigating and remediating the breach.
8. Data Subject Rights
Enbbox will assist the Customer in fulfilling Data Subject rights requests under Applicable Data Protection Law, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restriction of processing
- Right to object
Requests should be directed to the Customer. Enbbox will respond to instructions from the Customer regarding such requests within 10 business days.
9. International Transfers
Where Personal Data is transferred outside the EEA/UK:
- Enbbox will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.
- The Customer may request copies of relevant transfer mechanisms.
10. Audit Rights
- Enbbox will make available information necessary to demonstrate compliance with this DPA.
- Enbbox permits audits by the Customer or an independent auditor, subject to reasonable advance notice (at least 30 days) and confidentiality obligations.
- Audits shall be limited to once per calendar year unless required by a data protection authority.
11. Termination
Upon termination of the Services:
- Enbbox will cease processing Personal Data.
- At the Customer's election, Enbbox will delete or return all Personal Data within 30 days.
- Enbbox may retain copies of Personal Data only as required by applicable law.
12. Governing Law
This DPA is governed by the same law that governs the Terms of Use. For EU/EEA customers, GDPR provisions shall take precedence in the event of conflict.
13. Contact
- SWYPE FZE — Dubai, UAE
- Digital Services LLC — Batumi, Georgia
- Email: [email protected]