Data Processing Addendum (DPA)
Enterprise-grade processing terms for global privacy requirements (GDPR / UK GDPR and similar).
DPA Terms
1. Purpose
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between DirectLine.Solutions (“Processor”) and the business customer (“Controller”). It governs the processing of Personal Data by Processor on behalf of Controller in connection with the DirectLine platform.
2. Definitions
- Controller: the business customer using DirectLine.
- Processor: DirectLine.Solutions.
- Personal Data: information relating to an identified or identifiable natural person.
- Processing: any operation performed on Personal Data (collection, storage, transmission, deletion).
3. Roles of the Parties
- Controller determines purposes and means of processing.
- Processor acts solely on Controller instructions to provide the service.
- Processor does not independently market to end customers using Controller data.
4. Nature & Purpose of Processing
Processor processes Personal Data solely to provide the service, including email/SMS/MMS delivery, campaign analytics, compliance logging, subscription gating, and optional AI image processing.
5. Categories of Data Subjects
- Customers of the Controller (end recipients).
- Business account users (Controller staff).
- Website visitors (site operation/security).
6. Types of Personal Data
- Contact identifiers: email address, phone number.
- Consent and preference metadata: opt-in status, timestamps, allowed channels.
- Engagement metadata: delivery status, opens/clicks (if enabled), unsubscribe events.
- Account and billing identifiers (no raw card data stored by Processor).
Controller agrees not to upload special category (sensitive) data unless expressly agreed in writing.
7. Processor Obligations
- Process Personal Data only on documented instructions from Controller.
- Implement appropriate technical and organizational safeguards.
- Ensure confidentiality obligations for personnel.
- Assist Controller with data subject requests where required by law.
- Notify Controller of personal data breaches without undue delay.
- Delete/return data upon termination where feasible (subject to legal retention).
8. Security Measures
DirectLine uses safeguards designed for SaaS operations, including encrypted transport, access controls, logging, and cloud security practices.
9. Subprocessors
Processor may use subprocessors to deliver the service, including:
- Stripe (payments)
- SendGrid (email delivery)
- Twilio (SMS/MMS delivery)
- Google Firebase / Google Cloud (auth, storage, database, infrastructure)
- AI processing services (image enhancement/analysis where enabled)
10. International Transfers
Personal Data may be processed in jurisdictions where Processor and subprocessors operate (including the United States). Where required, Processor will rely on lawful transfer mechanisms such as Standard Contractual Clauses and apply appropriate safeguards.
11. Data Subject Rights Assistance
Processor will reasonably assist Controller in fulfilling data subject requests where required by law. Controller remains responsible for responding to end users as Controller.
12. Breach Notification
Processor will notify Controller without undue delay after becoming aware of a personal data breach, and provide information reasonably available to support mitigation.
13. Audits
Controller may request information reasonably necessary to demonstrate compliance. Processor may satisfy audit requests by providing written security documentation and attestations. On-site audits require mutual agreement.
14. Deletion / Return
Upon termination, Processor will delete or anonymize Personal Data where feasible, subject to legal and operational retention (e.g., billing and compliance logs).
15. Limitation of Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service.
16. Contact
Email: privacy@directline.solutions