Legal
Data Processing Agreement
Last updated: 2026-05-18
This Data Processing Agreement ("DPA") is entered into between Amargi Creative (the Processor) and the customer subscribing to Amargi Reach or any other Amargi product (the Controller), and forms part of the Terms of Service.
This page is the standard template. The executed version is signed alongside the commercial contract; a countersigned copy is available on request to contracts@amargicreative.com.
1. Definitions
Capitalised terms not defined here have the meaning given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the Terms of Service.
- Personal Data — information relating to an identified or identifiable natural person processed by Amargi Creative on behalf of the Customer (contact names, phone numbers, email addresses, message contents, etc.).
- Sub-processor — a third party engaged by Amargi Creative to process Personal Data on behalf of the Customer.
2. Scope and roles
The Customer is the Controller of Personal Data uploaded to or generated through Amargi Reach. Amargi Creative is the Processor and processes Personal Data only on documented instructions from the Customer (as defined in the ToS and any usage of the API or admin panel).
3. Categories of data subjects and data
- Data subjects: the Customer's end users, and the Customer's own employees who use the admin panel.
- Contact identifiers: name, phone number, email address, WhatsApp ID, Instagram handle.
- Communication content: message bodies (text, media, locations, contacts shared in messages), template names, response timestamps.
- Operational metadata: delivery status, read receipts, conversation state, quality ratings, opt-in / opt-out records.
- Authentication data: hashed passwords (Argon2id), TOTP secrets (AES-encrypted at rest), session identifiers.
Amargi Creative does not ask the Customer to upload, and does not knowingly process, any GDPR Art. 9 special-category data (health, biometrics, political opinions, etc.). The Customer is responsible for ensuring it does not transmit such data through the products.
4. Duration
Personal Data is processed for the duration of the Customer's subscription. Upon termination, Personal Data is deleted within 30 days from primary storage and within 90 days from backups.
5. Processor obligations
Amargi Creative will:
- Process Personal Data only on the Customer's documented instructions, and notify the Customer if any instruction violates applicable law.
- Ensure personnel authorised to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organisational measures (see Section 8).
- Assist the Customer in fulfilling data subject rights (see Section 7).
- Notify the Customer within 48 hours of becoming aware of a Personal Data breach affecting their data.
- On termination, delete or return all Personal Data, at the Customer's choice.
6. Sub-processors
The Customer authorises Amargi Creative to engage the sub-processors listed at /legal/subprocessors. Amargi Creative will notify the Customer at least 30 days before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds; if unresolved, the Customer may terminate the affected service with a pro-rata refund of pre-paid fees.
7. Data subject rights
Amargi Reach provides programmatic endpoints that allow the Customer to fulfil data subject requests directly:
- Access / portability: POST /api/v1/privacy/export returns a machine-readable archive of the requested contact's conversations, messages, and metadata.
- Erasure: POST /api/v1/privacy/delete-contact initiates a deletion job (primary copies within 24 hours, backups at the next retention rotation ≤30 days).
- Rectification / restriction / objection: surfaced in the admin panel under the contact's profile.
If a data subject contacts Amargi Creative directly, we forward the request to the Customer within 5 business days and assist (without independent action) as directed.
8. Technical and organisational measures
Full details in the Privacy Posture document. Summary:
- TLS 1.2+ for all public endpoints; automatic Let's Encrypt cert rotation; HSTS preload-eligible headers.
- Postgres on encrypted block storage; high-sensitivity fields (Meta access tokens, TOTP secrets, OAuth refresh tokens) AES-256 encrypted with keys in a secret resolver.
- Tenant isolation via row-level partner_id filters; RBAC; least privilege for operator accounts.
- Argon2id password hashing with server-side pepper; TOTP 2FA available; short-lived access tokens + rotating refresh tokens.
- Audit logging of every administrative action; 12-month minimum retention.
- X-Hub-Signature-256 verification on every inbound provider webhook.
- Daily encrypted backups to off-host storage, 30-day retention, quarterly restore drill.
9. Audits
Once per calendar year with 30 days' notice, the Customer may request a security audit. Amargi Creative will satisfy this by providing the most recent SOC 2 / ISO 27001 report under NDA (if available), completing a documented questionnaire (CAIQ, VSA-Full) within 30 days, or permitting a remote audit at the Customer's expense by a mutually-agreed independent auditor.
10. International transfers
Personal Data of EU/UK data subjects transferred outside the EU/UK is governed by the EU Standard Contractual Clauses (Module 2 — Controller to Processor, June 2021 version), incorporated by reference. Sub-processors in third countries are bound by equivalent SCCs.
11. Liability
Liability for breaches of this DPA is capped at the limits in the underlying Terms of Service, except as permitted by applicable law.
12. Governing law
This DPA is governed by the laws of the Hashemite Kingdom of Jordan. For EU/UK data subjects, GDPR (or UK GDPR) applies as the substantive data-protection regime regardless of governing law.
13. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to Personal Data processing. In the event of conflict between this DPA and the EU Standard Contractual Clauses, the SCCs prevail.
Contact
Data protection inquiries, breach notifications, DPA execution requests: contact@amargicreative.com. Commercial contract questions: contracts@amargicreative.com.