Data Privacy Governance
Where can I find information about data protection and privacy on the BulkSMS website?
For GDPR purposes, can you limit the transfers of data outside of the EU/EEA?
Our current technical hosting infrastructure is not able to limit the transfer of data outside of the European Union (EU) or European Economic Area (EEA). While we do host production data in Ireland, back-up logs are stored at the Teraco datacentre in Cape Town, South Africa.
For GDPR, how do you address cross-border data transfers outside of the EU/EEA?
To address concerns about the governance of cross-border data transfers outside of the EU/EEA, we have a Data Protection Addendum (DPA), with Standard Contractual Clauses (SCCs), available for your review and signature here.
Do you have a list of sub-processors available?
Yes, we do. Please click here for our current list of sub-processors.
Data Location and Handling
Where is my data stored?
We hold our customer data in Amazon Web Services (AWS) datacentres located in Ireland. We also undertake back-ups of logs to the Teraco datacentre in Cape Town, South Africa.
What data does BulkSMS hold?
We hold personal data relating to your use of our business messaging service. This is personally identifiable information related to your BulkSMS account, which we call "Client Data", and the personal data of your customers, employees or other parties to whom you send messages, which we call "Message Recipient Data".
Client Data:
- Contact information (email, telephone number, mobile phone number, address, company)
- First and last name
- Account information (user id, username, password)
- Connection data (IP address)
Message Recipient data:
- Message recipient personal data processed on behalf of the client, identified by mobile phone number, and including recipient contact information in the message body.
What are BulkSMS’s basic data processing activities?
In fulfilling our contractual obligations to our customers, the personal data transferred will be subject to the following basic processing activities as legitimate business interests for processing client data:
- Delivery of messages
- Technical service support
- Connectivity service support
- Client data is retained for financial and reporting purposes
How long do you keep our data?
We retain your data as follows:
- Client Data is retained for the period that you use our services. When a client stops using our services, the data is deleted after 180 days.
- Message Recipient Data (specifically MT message data) is retained for 180 days, and then automatically deleted from our production system.
Data Security Measures
Do you encrypt data?
Yes, we make use of AWS EBS encryption at rest. AWS manages the keys and uses them to write and read data from the data volumes they host for us, which means that no person has the keys. Click here for more information.
Does your company have a written Disaster Recovery and Business Continuity policy?
Yes, and we are in the process of updating our Disaster Recovery and Business Continuity Policy to take into account the recent migration of our IT infrastructure to AWS.
Does your company have an Incident Management Programme, approved and overseen by management, that includes incident response and data breach plans?
Yes, we have an informal incident management programme that has been reviewed by management.
In case of a data breach that affects us, how long will it take for you to notify us?
Our standard response time is 48 hours.
Do you have a copy of a BulkSMS Brexit Plan for supporting their UK customers through the Brexit process?
We do not have a formal BulkSMS Brexit Plan document, but we do rely on the guidance of the Information Commissioner's Office (ICO). We have found the guidance of the ICO instructive for managing uncertainty surrounding data protection law before the end of the UK’s transition period with the EU on 31 December. Specifically, this ICO guidance points to the need to have Standard Contractual Clauses (SCCs) in place for any cross-border data transfer out of the UK.
If you receive a data subject request directly from data subject(s) of ours, do you have a process in place to forward such request(s) to us? If yes, within how many days do you forward such request(s) to us?
Yes, we do have a process in place to handle Data Subject Access Requests (DSARs). We would forward these requests within 24 hours or 1 working day.
If we receive a data subject request for deletion and we give you instruction to delete the data, how long will it take for data to be deleted permanently?
While this request can be acted on manually within 24 hours, the message data would be automatically deleted from our systems after 180 days.