Legal · GDPR

Data Processing Agreement

Last updated: May 30, 2026

Required for EU/UK customers under GDPR Article 28. Incorporates EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

GDPR Art. 28UK GDPREU SCCs (2021)UK IDTAUS State Privacy Laws

1. Scope and Roles

This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement between My Country Mobile Pte Ltd, operating as My Country Mobile (“Processor”), and the Customer (“Controller”). It applies where MCM processes Personal Data on the Controller's behalf in providing the Services. For some data (e.g., CPNI and call-routing required by law), MCM may act as an independent controller.

2. Definitions

“Personal Data,” “processing,” “data subject,” “controller,” and “processor” have the meanings in applicable data-protection law (including the GDPR and UK GDPR). “Data Protection Laws” means all laws applicable to the processing, including the GDPR, UK GDPR, and US state privacy laws.

3. Processing Details (Annex 1)

Subject matter

Provision of cloud communications Services.

Duration

Term of the MSA plus legally required retention.

Nature and purpose

Routing, delivery, storage, and billing of voice/messaging and related support.

Types of Personal Data

Contact identifiers, phone numbers, call/message metadata, account data, and any content the Controller transmits.

Categories of data subjects

Controller's personnel, end users, and called/calling parties.

4. Processor Obligations

MCM will:

a

Process Personal Data only on the Controller's documented instructions, including for transfers, unless required by law (in which case it will inform the Controller unless legally prohibited).

b

Ensure persons authorized to process are bound by confidentiality.

c

Implement appropriate technical and organizational security measures (Annex 2).

d

Respect the conditions for engaging sub-processors (Section 5).

e

Assist the Controller, as far as possible, with data-subject requests.

f

Assist the Controller with security, breach notification, and data-protection impact assessments.

g

Delete or return Personal Data at the end of the Services, subject to legal retention.

h

Make available information necessary to demonstrate compliance and allow for audits (Section 7).

5. Sub-Processors

The Controller authorizes MCM to engage the sub-processors listed in the Sub-processor List. MCM will impose data-protection obligations on each sub-processor no less protective than this DPA and remains responsible for their performance. MCM will give notice of intended changes to sub-processors and allow the Controller to object on reasonable data-protection grounds.

6. Data Subject Rights and Breach

MCM will promptly notify the Controller of any request it receives from a data subject and will not respond except on the Controller's instruction or as legally required.

MCM will notify the Controller without undue delay after becoming aware of a Personal Data breach and provide information reasonably required for the Controller's notification obligations.

7. Audit

MCM will make available information necessary to demonstrate compliance and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice and subject to confidentiality, no more than once per year except where required by a supervisory authority or following a breach.

8. International Transfers

ℹ️ Where processing involves transfer of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (2021) and, for UK data, the UK International Data Transfer Addendum, completed as set out in the GDPR Transfer Pack.

9. US State Privacy Laws

To the extent US state privacy laws apply, MCM acts as a “service provider”/“processor,” will not “sell” or “share” Personal Data or retain, use, or disclose it outside the direct business relationship or as permitted by law, and will comply with applicable obligations.

10. General

This DPA prevails over conflicting terms of the MSA regarding the processing of Personal Data. Liability is subject to the limitations in the MSA. It is governed by the law of the MSA except where Data Protection Laws require otherwise.

Annex 2 — Security Measures

⚠️ The security measures below are a summary. Expand to match MCM's actual implemented controls before publication.
🔐

Access controls and least privilege

🔒

Encryption in transit

🌐

Network and application security

📋

Logging and monitoring

👥

Personnel confidentiality and training

🤝

Vendor management

🚨

Incident response

💾

Backup and recovery