This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement between GatewayHost ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of messaging gateway services.
This DPA applies where and to the extent we process Personal Data on your behalf in connection with providing the Service.
1. Definitions
- "Data Protection Laws" means all applicable laws relating to data protection, including GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy regulations.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of, Personal Data.
2. Scope and Roles
2.1 Controller and Processor
For the purposes of this DPA:
- You are the Controller of Personal Data processed through the Service
- We are the Processor acting on your behalf
2.2 Your Responsibilities
As Controller, you are responsible for:
- Ensuring lawful bases for processing Personal Data
- Providing notice to Data Subjects about data processing
- Obtaining necessary consents where required
- Ensuring Personal Data you provide is accurate and lawful
- Complying with Data Protection Laws applicable to Controllers
2.3 Our Responsibilities
As Processor, we will:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate security measures
- Assist you in meeting your obligations under Data Protection Laws
- Delete or return Personal Data upon termination
3. Processing Details
3.1 Subject Matter
Processing of Personal Data in connection with the provision of our messaging gateway service built on the XMTP network.
3.2 Duration
For the term of the Agreement plus any data retention period required by law or specified in this DPA.
3.3 Nature and Purpose
| Purpose | Description |
|---|---|
| Message Transmission | Routing messages through the XMTP network |
| Account Management | Managing user accounts and access |
| Service Operation | Logging, monitoring, and maintaining the Service |
| Billing | Processing payments and invoicing |
| Support | Responding to support requests |
3.4 Categories of Data Subjects
- Your employees and authorized users
- Your end users and customers
- Message recipients
3.5 Categories of Personal Data
| Category | Data Types |
|---|---|
| Account Data | Email addresses, names, organization names |
| Technical Data | IP addresses, user agents, device information |
| Usage Data | API logs, message metadata (sender/recipient identifiers, timestamps) |
| Billing Data | Payment information (processed by third-party payment provider) |
3.6 Special Categories of Data
We do not intentionally process special categories of Personal Data (sensitive data). You must not submit sensitive data to the Service unless explicitly agreed in writing.
3.7 End-to-End Encryption Notice
Important: Messages transmitted through our Service are end-to-end encrypted using the XMTP protocol's Messaging Layer Security (MLS). We cannot access, read, or process the content of encrypted messages. This DPA applies to metadata and account information only, not to encrypted message content.
4. Data Processing Instructions
4.1 Documented Instructions
We will process Personal Data only in accordance with:
- This DPA
- The Agreement
- Your written instructions
We will inform you if we believe an instruction infringes Data Protection Laws.
4.2 Lawful Instructions
You warrant that your instructions for processing Personal Data comply with Data Protection Laws and do not require us to violate any law.
5. Security Measures
5.1 Technical and Organizational Measures
We implement and maintain appropriate security measures, including:
Technical Measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Access controls and authentication
- Network security and firewalls
- Intrusion detection systems
- Regular security testing
Organizational Measures:
- Security policies and procedures
- Employee security training
- Background checks for personnel with data access
- Incident response procedures
- Business continuity planning
5.2 Security Assessment
Upon request and subject to confidentiality obligations, we will provide:
- Security certifications and audit reports
- Completed security questionnaires
- Documentation of our security practices
6. Sub-processors
6.1 Authorized Sub-processors
You authorize us to engage Sub-processors to process Personal Data. Our current Sub-processors are listed below.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Cloud hosting, CDN, security | United States |
| Vercel Inc. | Application hosting | United States |
| Stripe, Inc. | Payment processing | United States |
| PostHog, Inc. | Product analytics | United States (EU data hosted in EU) |
| Neon Inc. | Database hosting | United States |
| Sentry | Error monitoring | United States |
| XMTP Network | Decentralized message routing | Decentralized (various jurisdictions) |
6.2 Sub-processor Obligations
We will:
- Enter into written agreements with Sub-processors imposing data protection obligations substantially similar to this DPA
- Remain liable for Sub-processors' compliance with their obligations
- Conduct appropriate due diligence on Sub-processors
6.3 Changes to Sub-processors
We will notify you of any intended changes to Sub-processors at least 30 days in advance. You may object to a new Sub-processor on reasonable grounds related to data protection within 14 days of notification. If we cannot accommodate your objection, you may terminate the affected services.
7. Data Subject Rights
7.1 Assistance with Requests
We will assist you in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
7.2 Direct Requests
If we receive a request directly from a Data Subject regarding your data, we will:
- Promptly notify you (unless prohibited by law)
- Not respond to the request except to acknowledge receipt
- Direct the Data Subject to contact you
7.3 Timeframes
We will provide reasonable assistance within timeframes that allow you to meet your obligations under Data Protection Laws.
8. Security Incidents
8.1 Notification
We will notify you of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident.
8.2 Incident Details
Our notification will include, to the extent known:
- Description of the nature of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Name and contact details of our data protection contact
- Description of likely consequences
- Description of measures taken or proposed to address the incident
8.3 Cooperation
We will:
- Cooperate with your investigation of the incident
- Take reasonable steps to mitigate the effects
- Assist you in notifying Data Subjects and supervisory authorities as required
8.4 Exclusions
An incident affecting only end-to-end encrypted message content that we cannot access does not constitute a Security Incident for purposes of this DPA.
9. Data Protection Impact Assessments
Upon request, we will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Data Protection Laws.
10. International Data Transfers
10.1 Transfer Mechanisms
For transfers of Personal Data from the EEA, UK, or Switzerland to countries without adequate protection:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
- We implement supplementary measures where appropriate
- We will inform you of any changes to transfer mechanisms
10.2 Standard Contractual Clauses
The EU SCCs (Commission Decision 2021/914) are incorporated by reference:
- Module Two (Controller to Processor) applies
- Annexes I, II, and III are completed as set forth in this DPA
10.3 UK and Swiss Transfers
For UK transfers, we rely on the UK International Data Transfer Addendum. For Swiss transfers, we apply the SCCs as recognized by the Swiss Federal Data Protection Authority.
11. Audits
11.1 Audit Rights
Upon reasonable written notice (at least 30 days), you may:
- Request relevant documentation demonstrating compliance
- Conduct or commission an audit of our data processing activities
11.2 Audit Scope
Audits are limited to:
- Processing activities covered by this DPA
- Facilities and systems used to process your Personal Data
- Our compliance with this DPA and Data Protection Laws
11.3 Audit Procedures
- Audits will be conducted during normal business hours
- Audits must not unreasonably disrupt our operations
- You bear the costs of any audit you conduct
- Auditors must be bound by confidentiality obligations
- We may require auditors to execute non-disclosure agreements
11.4 Alternative Evidence
We may satisfy audit requests by providing:
- Third-party audit reports (SOC 2, ISO 27001)
- Certifications from independent auditors
- Responses to reasonable security questionnaires
12. Data Deletion and Return
12.1 Upon Termination
Upon termination of the Agreement, at your election we will:
- Return Personal Data to you in a standard format; or
- Delete Personal Data and certify deletion in writing
12.2 Retention Exceptions
We may retain Personal Data as required by law, subject to:
- Continued protection under this DPA
- Processing only for the legally required purpose
- Deletion when no longer legally required
12.3 Timeframes
We will complete deletion or return within 30 days of your request, unless a longer period is required by law.
13. Liability
13.1 Liability Caps
Our liability under this DPA is subject to the liability limitations in the Agreement.
13.2 Indemnification
Each party agrees to indemnify the other for damages resulting from its breach of this DPA or Data Protection Laws.
14. General Provisions
14.1 Conflicts
In case of conflict between this DPA and the Agreement regarding data protection matters, this DPA prevails.
14.2 Amendments
This DPA may be amended to reflect changes in Data Protection Laws or our data processing activities. Material changes will be notified with reasonable advance notice.
14.3 Severability
If any provision of this DPA is found unenforceable, the remaining provisions remain in effect.
14.4 Governing Law
This DPA is governed by the same law that governs the Agreement, except that the SCCs are governed by the law of the EU Member State specified therein.
15. Contact
For questions about this DPA:
Data Protection Contact: dpo@gatewayhost.dev
Legal Inquiries: legal@gatewayhost.dev
By executing the Agreement, you and GatewayHost agree to be bound by this Data Processing Addendum.