1. Definitions
Terms used in this DPA, such as “personal data”, “processing”, “controller”, “processor”, and “data subject”, have the meaning given in applicable data protection laws (including the GDPR, UK GDPR, and India's DPDP Act, as applicable).
2. Roles
The Controller is the entity that determines the purposes and means of processing personal data. SpeedIQ acts as a Processor on behalf of the Controller for personal data uploaded into the Services (contacts, subscribers, message recipients, conversation history).
SpeedIQ acts as a Controller for personal data about the Controller's account administrators and team members (their names, emails, login credentials), as described in our Privacy Policy.
3. Scope of processing
Subject matter: Provision of the SpeedIQ messaging platform.
Duration: For the term of the Controller's subscription, plus any retention period required by law.
Nature & purpose: Hosting, transmission, analytics, authentication, fraud prevention, and customer support — all to enable the Controller to send messages and manage conversations with its end-users.
Categories of personal data:
- Contact identifiers (name, phone number, email).
- Message content (templates, campaign bodies, conversation messages, media attachments).
- Engagement metadata (delivery status, opens, clicks, opt-out events).
- Custom fields the Controller chooses to upload.
Categories of data subjects: The Controller's end-users (customers, subscribers, leads) and the Controller's team members.
4. Processor obligations
SpeedIQ undertakes to:
- Process personal data only on the Controller's documented instructions, including with regard to transfers, unless required by law to do otherwise.
- Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 6).
- Assist the Controller in responding to data subject rights requests.
- Notify the Controller without undue delay of any personal data breach (and in any case within 72 hours of becoming aware).
- On termination of the Services, delete or return personal data as instructed by the Controller, subject to any retention obligations.
- Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as required.
5. Sub-processors
The Controller authorizes SpeedIQ to engage the following sub-processors. We commit to a written agreement with each sub-processor imposing equivalent data protection obligations.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, storage | US / EU |
| Vercel | Application hosting, edge compute | Global |
| Stripe | Payment processing, billing | US / EU / IN |
| Meta (WhatsApp Cloud API) | WhatsApp message delivery | Global |
| Twilio | SMS message delivery | US / Global |
| Resend | Transactional & marketing email delivery | US / EU |
| Google (OAuth) | Authentication via Google sign-in | Global |
We will notify the Controller of any intended changes to the list of sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds.
6. Security measures
We implement and maintain measures including:
- Encryption. TLS 1.2+ for data in transit; encrypted at rest on Supabase storage.
- Access controls. Role-based access with principle of least privilege; multi-factor authentication for staff accounts.
- Row-level security. All customer-scoped database tables enforce RLS so users cannot read or write data outside their project.
- Webhook integrity. HMAC signature verification on all inbound webhooks (Stripe, Resend, Twilio, Meta).
- Auditability. Application and infrastructure logs retained for a minimum of 90 days.
- Vulnerability management. Regular dependency scanning, security patching, and penetration testing.
- Backups. Daily automated backups with point-in-time recovery for the primary database.
- Incident response. Documented incident response plan with named on-call responders.
7. International transfers
Where personal data is transferred from the EU/UK/Switzerland to a country not deemed adequate, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) and equivalent UK and Swiss mechanisms. These are deemed incorporated into this DPA by reference.
For transfers under India's DPDP Act, transfers are made only to jurisdictions permitted by the Government of India and subject to appropriate safeguards.
8. Data subject rights
The Controller is responsible for responding to data subject requests (access, rectification, erasure, etc.) regarding the personal data it uploads to SpeedIQ. We provide functionality in the dashboard (contact deletion, export) and will assist the Controller with requests where reasonably required.
9. Audit
The Controller may request a copy of relevant third-party audit reports (such as SOC 2, ISO 27001, where available) once per year, on reasonable notice and subject to confidentiality. On-site audits are available for enterprise Controllers on the Business plan, subject to reasonable notice and at the Controller's expense.
10. Return & deletion
On termination of the Services, the Controller may export its data via the dashboard. After the export window (30 days post-termination), we delete personal data from the production systems. Backups age out on a rolling 30-day basis.
11. Liability
The liability provisions in the main Terms of Service apply to this DPA. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.
12. Contact
Data protection: dpo@speediq.app
Security: security@speediq.app