DATA PROCESSING AGREEMENT (GDPR)


This DPA has no effect, imposes no obligations, and creates no rights for either party unless and until:

  1. The parties have entered into a signed Service Agreement referencing this DPA; and
  2. Both parties have executed that Service Agreement (physically or electronically).

Only at that point does this DPA become fully effective and enforceable between the parties.



Between:


Controller: The Enterprise Customer (the “Controller”)


Processor: MCJ GROUP FZCO, trading as APEX Messaging (“Processor”)


This Schedule forms an integral part of the Main Service Agreement (“Agreement”).


1. PURPOSE AND SCOPE

1.1. This Data Processing Agreement (“DPA”) is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR where applicable.


1.2. Under the Agreement, the Controller determines the purpose and means of processing personal data relating to message delivery services (“Personal Data”). APEX, as Processor, processes such Personal Data solely on behalf of the Controller and only for the purpose of providing CPaaS, routing, and messaging delivery services.


1.3. The parties agree that this DPA governs the processing of Personal Data by the Processor in connection with the services provided under the Agreement.


2. ROLES OF THE PARTIES

2.1. Controller: The Enterprise Customer acts as the Controller and is solely responsible for determining the purposes and legal basis of the processing.


2.2. Processor: MCJ GROUP FZCO (APEX) acts exclusively as the Processor.


2.3. The Processor shall process Personal Data only:
(a) on documented instructions from the Controller;
(b) where required to comply with applicable law; and
(c) for the purpose of delivering messaging and communication services.


2.4. If an instruction from the Controller is unlawful, impossible, or would cause the Processor to breach applicable law, the Processor shall notify the Controller and may suspend the relevant processing.


3. CONTROLLER RESPONSIBILITIES

3.1. The Controller is solely responsible for:
(a) obtaining all necessary consents and ensuring a lawful basis for processing;
(b) the content of all messages, sender IDs, templates, and data provided to the Processor;
(c) compliance with marketing, spam, telecom, and data protection laws;
(d) the accuracy and legality of all Personal Data submitted;
(e) responding to Data Subject Access Requests (DSARs) and all rights under Chapter III GDPR.


3.2. The Controller shall indemnify and hold the Processor harmless against any claim, fine, loss, penalty, or damage arising from:
(a) unlawful or non-compliant content;
(b) lack of consent;
(c) misuse of Personal Data;
(d) breaches of GDPR caused by the Controller;
(e) regulatory or carrier penalties attributable to Controller activity.


4. CONFIDENTIALITY

4.1. The Processor shall ensure that persons authorised to process Personal Data are under an obligation of confidentiality.


4.2. Confidentiality obligations do not apply where disclosure is required by applicable law or regulatory authority.


5. SECURITY MEASURES

5.1. The Processor implements appropriate technical and organisational measures in accordance with Article 32 GDPR, including:

  • encryption in transit where supported by carrier networks;
  • access control and authentication;
  • system resilience and redundancy;
  • secure data storage;
  • regular security assessments.


5.2. The Processor may update its security measures from time to time to maintain compliance and align with industry standards.


6. SUB-PROCESSORS

6.1. The Controller grants full, unconditional authorisation for the Processor to engage any sub-processor at any time without notification.
This includes, without limitation:

  • carriers and SMS hubs;
  • routing aggregators;
  • data centres;
  • cloud hosting providers;
  • WhatsApp/OTT BSP partners;
  • anti-fraud and filtering vendors.


6.2. The Processor shall ensure sub-processors are bound by obligations substantially similar to those under this DPA.


6.3. The Processor remains responsible for the performance of its sub-processors.



7. INTERNATIONAL DATA TRANSFERS

7.1. The Controller explicitly authorises the Processor to transfer Personal Data globally to any destination required for message delivery.


7.2. Such transfers may occur outside the EEA and UK as required by telecom routing, carrier interconnects, OTT provider networks, and service delivery infrastructure.


7.3. The Processor shall implement appropriate transfer safeguards under Article 46 GDPR where feasible and commercially reasonable.


7.4. The Controller acknowledges that certain routing and delivery paths inherent to SMS/OTT communications are determined by carriers and telecom networks outside the Processor’s control.


8. INCIDENT MANAGEMENT

8.1. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller’s Personal Data.


8.2. The Processor shall provide the Controller with information reasonably required to enable the Controller to comply with Articles 33 and 34 GDPR.


8.3. The Processor shall not notify supervisory authorities or data subjects directly unless legally required and instructed by the Controller.


9. DATA RETENTION AND DELETION

9.1. The Processor may retain Personal Data and message logs as long as necessary for:

  • legal compliance;
  • regulatory requirements;
  • fraud prevention;
  • dispute resolution;
  • billing;
  • contractual enforcement.


9.2. Upon termination, the Processor will delete or anonymise Personal Data where commercially reasonable, except where retention is required by law or for legitimate business defence purposes.


10. AUDIT RIGHTS

10.1. The Controller may audit the Processor only where required by applicable law.


10.2. Any audit shall:

  • be limited to documentation;
  • not include access to systems, carriers, routing logic, or infrastructure;
  • be conducted by an independent auditor acceptable to the Processor;
  • occur on reasonable notice;
  • not interfere with Processor operations.


10.3. All audit costs are borne solely by the Controller.


11. LIABILITY

11.1. Processor Liability Cap:
The Processor’s total aggregate liability under this DPA and the Agreement relating to Personal Data processing shall not exceed three (3) months of fees paid by the Controller to the Processor.


11.2. Controller Liability:
The Controller’s liability is uncapped for:
(a) GDPR breaches caused by the Controller;
(b) spam, unlawful content, or marketing violations;
(c) lack of consent;
(d) regulatory fines or carrier penalties imposed due to Controller actions.


11.3. Nothing in this DPA limits liability that cannot be limited under applicable law.


12. DISPUTE RESOLUTION

12.1. Arbitration:
Any dispute arising from this DPA shall first be submitted to arbitration seated in Dubai, under rules mutually agreed at the time of dispute. No specific venue is required.


12.2. Court Jurisdiction:
If arbitration fails to resolve the dispute, the parties agree that the courts of England and Wales shall have exclusive jurisdiction.


12.3. This DPA is governed by the laws of England and Wales.


13. PRECEDENCE

13.1. In case of conflict, this DPA prevails over the Main Agreement to the extent of the conflict regarding Personal Data.


14. ANNEX 1 — DESCRIPTION OF PROCESSING

Data Subjects:

  • End-users receiving communications sent by the Controller
  • Controller’s customers and contacts


Categories of Personal Data:

  • Mobile numbers
  • Message metadata
  • Sender IDs
  • Routing IDs
  • Delivery receipts
  • Timestamps
  • Message content (as provided by Controller)


Purpose of Processing:

  • Transmission of SMS, WhatsApp, Viber, RCS and related CPaaS services
  • Routing, delivery, and carrier interconnect
  • Anti-fraud and quality enforcement
  • Billing and reporting


Nature of Processing:

  • Storage, transmission, routing, logging, delivery reporting


Duration:

  • As necessary for messaging operations, billing, regulatory compliance, disputes, and legal defence.