Data Processing Agreement

Version: 1.1  ·  Effective Date: 25 February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Polly Technologies FZ-LLC ("Message Polly", "Processor") and the Client identified in the applicable Order ("Controller").

This DPA applies wherever Message Polly processes personal data on behalf of Client in connection with the Platform. In the event of conflict between this DPA and the Agreement, this DPA prevails on data protection matters.


1. Definitions

"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, which may include:

  • UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law, "PDPL")
  • DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020), to the extent it applies to processing carried out in connection with the activities of a DIFC establishment or processing of data of DIFC-resident data subjects
  • EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")
  • UK General Data Protection Regulation as defined in the UK Data Protection Act 2018 ("UK GDPR")
  • Singapore Personal Data Protection Act 2012 ("PDPA")
  • KSA Personal Data Protection Law (Royal Decree M/19 of 1443H) ("Saudi PDPL")
  • Turkish Law No. 6698 on the Protection of Personal Data ("KVKK")
  • any successor, amending, or implementing legislation to the foregoing

"Controller" means the Client, who determines the purposes and means of processing Personal Data.

"Processor" means Message Polly, who processes Personal Data on behalf of the Controller.

"Personal Data" has the meaning given under Applicable Data Protection Law and includes any information relating to an identified or identifiable natural person processed by Message Polly on behalf of Client in connection with the Platform.

"Processing" has the meaning given under Applicable Data Protection Law.

"Data Subject" means the individual to whom Personal Data relates.

"Security Incident" means any actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA. For the avoidance of doubt, a Security Incident includes any event that creates a credible risk of the foregoing, even where full facts have not yet been confirmed. Message Polly may provide an initial notification based on available information and supplement it as additional facts become known, in accordance with Section 5.2.

"Subprocessor" means any third party engaged by Message Polly to process Personal Data on behalf of Client.

"SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Decision of 4 June 2021 (Module Two: Controller to Processor), as may be updated or replaced by the European Commission from time to time.

"Platform Data" means any data obtained from Meta's APIs in connection with the Platform, as defined in Meta's Platform Terms.

"Business Solution Data" means data obtained through WhatsApp Business APIs, including message content, metadata, conversation data, and delivery information, as governed by Meta's WhatsApp Business Solution Terms.


2. Scope and Details of Processing

2.1 Subject matter. Message Polly processes Personal Data to provide the Platform to Client as described in the Agreement.

2.2 Duration. Message Polly processes Personal Data for the duration of the Agreement and any applicable retention periods thereafter.

2.3 Nature and purpose. The processing activities carried out by Message Polly include: receiving, storing, transmitting, and analysing Personal Data to deliver WhatsApp Business messaging, manage Meta advertising campaigns, operate first-party measurement infrastructure, and generate campaign analytics and optimisation outputs.

2.4 Categories of Personal Data. Depending on Client's use of the Platform:

  • Contact identifiers: phone numbers, email addresses
  • Messaging data: message content, delivery status, read receipts, opt-in/opt-out status
  • Advertising and behavioural data: conversion events, pixel signals, audience identifiers, campaign interaction data
  • Customer list data: any Personal Data contained in contact lists or audience uploads provided by Client

2.5 Categories of Data Subjects. Client's customers, prospects, and website visitors whose data is submitted to or collected by the Platform.


3. Controller Obligations

3.1 Controller warrants that it has a lawful basis for all Personal Data it submits to the Platform, has provided all required notices to Data Subjects, and has obtained all required consents, including for WhatsApp messaging and deployment of first-party measurement technology.

3.2 Controller is responsible for the accuracy, quality, and legality of Personal Data submitted to the Platform and for its instructions to Message Polly regarding processing.

3.3 Controller will not instruct Message Polly to process Personal Data in a manner that would violate Applicable Data Protection Law or Meta's Platform Terms.

3.4 Controller acknowledges that it is solely responsible for assessing whether its use of the Platform complies with any data localisation or residency requirements in its jurisdiction. Controller will notify Message Polly in writing if any such requirement applies so that the parties can assess whether a data residency addendum is required.

3.5 Controller acknowledges that Platform Data and Business Solution Data are subject to Meta's deletion requirements under Meta's Platform Terms. Controller will cooperate with any deletion requests initiated by Meta and will not instruct Message Polly to retain Platform Data in contravention of Meta's deletion requirements, including where Meta requests deletion for User protection purposes.

3.6 UAE PDPL Compliance. Where Controller is established in the UAE or processes Personal Data of UAE-resident Data Subjects, Controller warrants that its processing instructions to Message Polly are consistent with the UAE PDPL (Federal Decree-Law No. 45 of 2021). The obligations set out in Section 4 of this DPA are intended to satisfy Message Polly's obligations as a processor under UAE PDPL Article 14 in full. Until the UAE Data Office prescribes a specific form for processor agreements under implementing regulations, Controller and Message Polly agree to treat Section 4 as the operative UAE PDPL Article 14 processor agreement between them, supplemented by any requirements published by the UAE Data Office from time to time.


4. Processor Obligations

4.1 Instructions. Message Polly will process Personal Data only on Controller's documented instructions, as set out in the Agreement and this DPA, subject to any overriding obligations imposed by Meta's Platform Terms or Applicable Data Protection Law. If Message Polly is required by applicable law or Meta's Platform Terms to process Personal Data in a way that conflicts with Controller's instructions, it will notify Controller before processing unless prohibited.

4.2 Confidentiality. Message Polly will ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and have undergone security awareness training. Access to Personal Data is limited to personnel who require it for the purposes of providing the Platform. Message Polly will promptly revoke access upon the departure or role change of any personnel, within one (1) business day.

4.3 Security. Message Polly will implement and maintain technical and organisational measures appropriate to the risk of the processing, as further described in Schedule A.

4.4 Subprocessors. Message Polly will not engage new Subprocessors without providing prior notice to Controller. Controller provides general authorisation for Message Polly to engage Subprocessors as listed in Schedule B. Message Polly will notify Controller of any intended changes to the Subprocessor list at least fourteen (14) days in advance.

Controller may object to a new Subprocessor within fourteen (14) days of notification by notifying Message Polly in writing with reasons. If the parties cannot resolve the objection within thirty (30) days, either party may terminate the Agreement on written notice, with a full refund of prepaid Fees for the unused Subscription Period where termination is caused by Controller's legitimate objection to a new Subprocessor.

Message Polly will impose data protection obligations on all Subprocessors no less protective than those in this DPA and will ensure that Subprocessors handling Platform Data or Business Solution Data are contractually bound to comply with Meta's Platform Terms as applicable.

4.5 Data Subject Rights. Message Polly will assist Controller, by appropriate technical and organisational measures, in responding to Data Subject rights requests under Applicable Data Protection Law. Upon receiving a request directly from a Data Subject, Message Polly will promptly forward it to Controller without responding directly, unless instructed otherwise or required by law.

Message Polly will also promptly notify Controller of any communication received from Meta Platforms concerning a User's request regarding the processing of their Platform Data or Business Solution Data, including requests to exercise data subject rights, so that Controller can respond within the timeframe required by Meta's Platform Terms.

4.6 Data Protection Impact Assessments. Message Polly will provide reasonable assistance to Controller in conducting data protection impact assessments and prior consultations with supervisory authorities where required by Applicable Data Protection Law.

4.7 No Sale or Independent Use. Message Polly will not sell, rent, or otherwise transfer Personal Data, Platform Data, or Business Solution Data to any third party for that party's own purposes. Message Polly will not use such data to train, fine-tune, or improve any AI model.

4.8 Audit. Message Polly will make available to Controller, in the form of version-controlled documentation, all information reasonably necessary to demonstrate compliance with this DPA. Message Polly is also subject to audit by Meta Platforms under Meta's Platform Terms, and Controller acknowledges that compliance with Meta audit requests may require Message Polly to provide information about Controller's use of the Platform.

Upon at least thirty (30) days' prior written notice, no more than once per calendar year (unless a credible indication of breach exists), Message Polly will permit Controller (or an appointed third-party auditor subject to confidentiality obligations) to audit Message Polly's processing activities under this DPA. Audit costs are borne by Controller.

4.9 Meta-Requested Deletion. Where Meta Platforms requests deletion of Platform Data or Business Solution Data for User protection purposes or as otherwise permitted under Meta's Platform Terms, Message Polly will notify Controller and process such deletion within the timeframe required by Meta. Controller will cooperate with such deletion and will not issue instructions contrary to Meta's deletion requirements. Message Polly will provide Controller with written confirmation of deletion upon completion.


5. Security Incidents

5.1 Message Polly will notify Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA. Where full facts are not available within 72 hours, Message Polly will provide an initial notification followed by supplementary information as it becomes known (phased notification, as permitted under GDPR Article 33(4) and equivalent provisions).

5.2 Notification will include, to the extent then known: a description of the nature of the incident; the categories and approximate number of Data Subjects and records affected; the likely consequences; and measures taken or proposed to address the incident.

5.3 Message Polly will cooperate with Controller and take reasonable steps to contain, investigate, and remediate the Security Incident. Message Polly's notification does not constitute an acknowledgement of fault or liability.

5.4 In the event that a Security Incident is caused or suspected to be caused by a Message Polly employee, contractor, or other personnel, Message Polly will: (a) promptly revoke that individual's access to all systems containing Personal Data within one (1) business day; (b) conduct an internal investigation; and (c) provide Controller with a written summary of preliminary findings within fourteen (14) days of the initial notification and a final report within forty-five (45) days, or such longer period as agreed in writing where the complexity of the investigation requires additional time.

5.5 Meta Incident Notification. Where a Security Incident involves Platform Data or Business Solution Data obtained via Meta's APIs, Message Polly is additionally required to notify Meta Platforms in accordance with Meta's Platform Terms and WhatsApp Business Solution Terms. The parties will cooperate to coordinate notifications to Meta and to affected Data Subjects. Message Polly's obligation to notify Meta does not relieve Controller of any independent notification obligations under Applicable Data Protection Law. Where notification timelines to Meta and to Controller conflict, Message Polly will prioritise the earlier deadline.


6. International Transfers

6.1 Message Polly may transfer Personal Data to and process it in jurisdictions outside the Controller's country of establishment where necessary to provide the Platform, including where Subprocessors are located internationally.

6.2 All such transfers will be subject to appropriate safeguards under Applicable Data Protection Law, including Standard Contractual Clauses for GDPR-scoped transfers and equivalent transfer mechanisms under UAE PDPL, KSA PDPL, Singapore PDPA, and KVKK.

6.3 Controller acknowledges that Platform Data and Business Solution Data may be subject to additional international transfer obligations under Meta's Platform Terms, including Meta's EEA Data Transfer provisions.

6.4 Upon request, Message Polly will provide Controller with information regarding the transfer mechanisms applicable to specific Subprocessors.

6.5 Singapore PDPA Transfers. Where Personal Data of individuals located in Singapore is processed under this DPA, Message Polly commits to protecting such data to a standard comparable to the Singapore PDPA. Where required by Controller, the parties will incorporate the Singapore PDPC Model Contractual Clauses for Cross-Border Transfers as an addendum to this DPA. Message Polly will provide the relevant documentation upon Controller's written request.

6.6 KVKK — Turkish Data Subjects. Where Personal Data of individuals located in the Republic of Turkey is processed under this DPA, the following additional provisions apply:

(a) Transfer mechanism. Controller represents and warrants that it has a valid legal basis for the international transfer of Personal Data of Turkish data subjects to Message Polly under Article 9 of KVKK. Acceptable mechanisms include: (i) explicit informed consent of each Turkish data subject to the international transfer; (ii) an undertaking approved by the KVKK Board covering transfers from Controller to Message Polly; or (iii) standard contractual clauses approved by the KVKK Board, executed as a separate addendum to this DPA upon request.

(b) Controller warranties. Controller warrants that it has provided the required KVKK Article 10 Clarification Text (Aydınlatma Metni) to all Turkish data subjects whose data is submitted to the Platform, and that such text accurately discloses the international transfer to Message Polly and the transfer mechanism relied upon.

(c) Suspension. If Controller cannot demonstrate a valid KVKK transfer mechanism upon Message Polly's request, Message Polly may suspend processing of Turkish data subject Personal Data until the mechanism is confirmed, without liability.

(d) Data subject rights. Message Polly will assist Controller in responding to Turkish data subject rights requests under KVKK Articles 11–13 on the same terms as Section 4.5 of this DPA. Response deadlines are thirty (30) days from receipt of the request.

6.7 KSA PDPL Transfers. Where Personal Data of individuals located in the Kingdom of Saudi Arabia is processed under this DPA, Controller warrants that it has a valid basis for cross-border transfer under the Saudi PDPL, including either (a) explicit data subject consent to the international transfer, (b) a transfer mechanism approved by the Saudi National Data Management Office (NDMO), or (c) a contractual necessity basis where permitted. Controller will notify Message Polly of any change in available transfer mechanisms and will not submit Saudi-resident Personal Data to the Platform without a valid transfer basis in place.


7. Standard Contractual Clauses (GDPR)

7.1 Applicability. This Section 7 applies where the processing of Personal Data is subject to the GDPR or UK GDPR, including transfers of Personal Data from the European Economic Area or the United Kingdom to Message Polly or its Subprocessors in third countries.

7.2 Incorporation. The SCCs (Module Two: Controller to Processor) are incorporated into this DPA by reference and form a binding part of this Agreement as between Controller and Message Polly. The Annexes to the SCCs are set out in Schedule C.

7.3 Execution. The SCCs are not self-executing by reference alone. For any Client whose processing is subject to GDPR or UK GDPR, the parties must execute Schedule C (SCC Annexes) as a signed addendum to this DPA before any GDPR-regulated Personal Data is processed. Message Polly will provide a completed Schedule C for execution upon Client's request. No GDPR-regulated Personal Data may be submitted to the Platform until Schedule C has been duly executed by both parties.

7.4 Conflicts. In the event of conflict between the SCCs and any other provision of this DPA or the Agreement, the SCCs prevail with respect to GDPR-regulated processing.

7.5 UK and Swiss Transfers. For transfers subject to UK GDPR, the parties will execute the UK International Data Transfer Addendum (IDTA) as a supplement to the SCCs. For transfers subject to Swiss data protection law, the parties will execute the applicable Swiss transfer mechanism. Message Polly will provide the relevant documentation upon request.


8. Deletion and Return of Data

8.1 Upon termination of the Agreement, Message Polly will, within thirty (30) days of a written request:

(a) Return a copy of Personal Data to Controller in a commonly used machine-readable format;

(b) Revoke all system user access to Controller's WABA and Meta Business Manager and confirm revocation in writing; and

(c) Securely delete all copies of Business Solution Data from Message Polly's systems, except to the extent retention is required by applicable law or Meta's Platform Terms, and provide written confirmation of deletion upon request.

Controller acknowledges that as a Tech Provider, Message Polly has never held ownership or control of Controller's WABA, and that Controller retains full control of its WABA and may connect a replacement provider directly through its Meta Business Manager at any time without any action required from Message Polly.

8.2 Message Polly may retain Personal Data beyond this period only where required by applicable law, and only for as long as required. Retained data remains subject to the obligations of this DPA. Message Polly will not retain Platform Data or Business Solution Data beyond the periods permitted under Meta's Platform Terms.

8.3 Upon completion of deletion, Message Polly will provide written confirmation to Controller upon request.


9. Governing Law and Jurisdiction

This DPA is governed by the laws of the Dubai International Financial Centre (DIFC), including DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) to the extent it applies to processing carried out in connection with the activities of a DIFC establishment or processing of data of DIFC-resident Data Subjects. Where DIFC Data Protection Law 2020 applies, the parties will comply with its specific requirements, including any registration or notification obligations to the DIFC Commissioner of Data Protection.

Disputes arising under this DPA are subject to the exclusive jurisdiction of the DIFC Courts, consistent with the Agreement, subject to the pre-litigation escalation process in Section 11.10 of the Agreement.

Section 7 (Standard Contractual Clauses) is governed by the law specified in the applicable SCCs for GDPR-regulated processing, which takes precedence over this governing law clause solely with respect to GDPR-regulated transfers.


10. General

10.1 Order of precedence. In the event of conflict, the following order of precedence applies:

  1. SCCs (for GDPR and UK GDPR processing, mandatory and non-derogable)
  2. This DPA (for all data protection matters)
  3. Meta's Platform Terms and WhatsApp Business Solution Terms (for operational matters relating to Platform Data and Business Solution Data)
  4. The Agreement (for all other matters)

Meta's Platform Terms govern operational obligations relating to Meta's APIs. They do not override mandatory data protection instruments including the SCCs.

10.2 Severability. If any provision of this DPA is unenforceable, it will be modified to the minimum extent necessary, and the remaining provisions continue in full force.

10.3 Entire agreement on data protection. This DPA, together with its Schedules, constitutes the entire agreement between the parties regarding the processing of Personal Data under the Agreement, subject to Meta's Platform Terms and WhatsApp Business Solution Terms where applicable.

10.4 EU/EEA and UK Representative. Where Message Polly's processing is subject to GDPR or UK GDPR by virtue of offering services to Data Subjects in the EU/EEA or UK, Message Polly will maintain an appointed representative in the EU/EEA (pursuant to GDPR Article 27) and in the UK (pursuant to UK GDPR Article 27) as required. Details of the appointed representative(s) are available upon request from privacy@messagepolly.com and will be published in Message Polly's Privacy Policy.


Schedule A — Technical and Organisational Security Measures

Message Polly implements the following measures, reviewed and updated on a risk basis:

Access Control

  • Role-based access controls limiting Personal Data access to authorised personnel
  • Multi-factor authentication for all production system access
  • Principle of least privilege enforced across infrastructure
  • Formal access revocation process upon employee or contractor departure or role change, executed within one (1) business day

Encryption

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest

Infrastructure Security

  • Hosting on enterprise-grade cloud infrastructure with ISO 27001 or SOC 2 certified data centres
  • Network segmentation and firewall controls
  • Intrusion detection monitoring
  • Technical separation of Platform Data and Business Solution Data by Client to ensure no cross-Client data access or commingling

Operational Security

  • Formal information security policies
  • Security awareness training for all personnel with access to Personal Data prior to being granted access and on an annual basis thereafter
  • Vulnerability management and patch processes
  • Background screening for personnel with access to production systems and Personal Data

Incident Response

  • Documented Security Incident response plan covering external breaches, insider threats, and Meta-reportable incidents
  • Defined escalation and notification procedures consistent with Section 5, including parallel notification to Meta where Platform Data or Business Solution Data is involved
  • Post-incident review process

Data Minimisation and Retention

  • Processing limited to what is necessary for the Platform
  • Automated deletion in accordance with retention schedules in the Agreement and Meta's Platform Terms

Schedule B — Authorised Subprocessors

Message Polly engages the following categories of Subprocessors:

Category | Purpose | Named Provider(s) | Location
Cloud infrastructure — analytics | ClickHouse analytics database | ClickHouse Cloud (AWS) | UAE (me-central-1)
Cloud infrastructure — general | Hosting, storage, and compute | Amazon Web Services (AWS) | Singapore (ap-southeast-1)
AI infrastructure provider | Model inference for Polly | Amazon Web Services — Bedrock | USA (us-east-1, Northern Virginia)
Payment processor | Billing and subscription management | [To be populated] | [Region]
Analytics provider | Website and platform analytics | [To be populated] | [Region]
Communication provider | Transactional email and notifications | [To be populated] | [Region]
Meta Platforms | Advertising API and WhatsApp Business API | Meta Platforms, Inc. / Meta Platforms Ireland Ltd | USA / Ireland

All Subprocessors handling Platform Data or Business Solution Data are contractually required to comply with Meta's Platform Terms and WhatsApp Business Solution Terms as applicable to their role.

A current named Subprocessor list, including data processing regions, is available to Clients upon written request to privacy@messagepolly.com.


Schedule C — Standard Contractual Clauses Annexes

This Schedule must be completed and executed as a signed addendum between Message Polly and each Client whose processing is subject to GDPR or UK GDPR. It is not operative until signed by both parties. No GDPR-regulated Personal Data may be submitted to the Platform until this Schedule has been duly executed.


Annex I — Details of the Transfer

A. List of Parties

Data exporter (Controller):

Field | Detail
Name | [Client legal name]
Registration number | [Client registration number]
Address | [Client registered address]
Contact person | [Name, title, email of data protection contact]
Activities relevant to transfer | As set out in the Agreement and this DPA
Signature and date | [To be executed]
Role | Controller

Data importer (Processor):

Field | Detail
Name | Polly Technologies FZ-LLC
Registration number | DIC Licence No. 106526
Address | HD20C, First Floor, In5 Tech, Dubai Internet City, Dubai, UAE
Contact person | privacy@messagepolly.com
Activities relevant to transfer | As set out in the Agreement and this DPA
Signature and date | [To be executed]
Role | Processor

B. Description of Transfer

Field | Detail
Categories of data subjects | Client's customers, prospects, and website visitors whose Personal Data is submitted to or collected by the Platform
Categories of personal data | Contact identifiers (phone numbers, email addresses); messaging data (message content, delivery status, opt-in/opt-out records); advertising and behavioural data (conversion events, audience signals, campaign interaction data); customer list data submitted by Client
Special categories (if applicable) | None, unless Client submits special category data, which requires prior written consent from Message Polly and execution of a special category processing addendum
Frequency of transfer | Continuous, for the duration of the Agreement
Nature of processing | Receiving, storing, analysing, transmitting, and generating outputs from Personal Data to provide the Platform services as described in the Agreement
Purpose of transfer | Delivery of WhatsApp Business messaging campaigns; management of Meta advertising campaigns; first-party conversion measurement; campaign analytics and optimisation
Retention period | As specified in the DPA Section 8 and Schedule A

C. Competent Supervisory Authority

The competent supervisory authority is determined by Controller's EU/EEA Member State of main establishment. For EEA Controllers: the supervisory authority of the Member State of main establishment. For UK Controllers: the Information Commissioner's Office (ICO).


Annex II — Technical and Organisational Measures

Incorporates Schedule A of this DPA in full by reference.


Annex III — List of Subprocessors

Incorporates Schedule B of this DPA in full by reference, as updated from time to time in accordance with Section 4.4.


Polly Technologies FZ-LLC
HD20C, First Floor, In5 Tech
Dubai Internet City
Dubai, United Arab Emirates
privacy@messagepolly.com