Data Processing Agreement
Last updated 2026-04-25
GDPR Article 28 DPA. Effective from your first paid invoice. Version 1.0.
Parties
Controller: the Customer (you), as identified in your Messo account.
Processor: Lifecycle Innovations Limited, operating Messo. Hong Kong (BR# 76545088), 144-151 Connaught Road West, Unit 4005, 40/F, Hong Kong.
1. Subject and duration
Processor processes Personal Data on behalf of the Controller, solely for the purpose of providing the Messo service (described in our Terms of Service). Duration: while the service is active and 90 days after termination.
2. Categories of data subjects and personal data
- Data subjects: the Controller's customers who message the Controller's WhatsApp number, plus the Controller's own staff if granted account access.
- Categories: phone number, message content (text, media), conversation metadata.
- Special categories: only if Controller's customers voluntarily share them. Controller is responsible for lawful basis under Art. 9 GDPR.
3. Sub-processors
Controller authorises the following sub-processors:
- Render — Frankfurt (EU) hosting
- Anthropic — language-model inference (no training on Controller data)
- Stripe — payment processing
- Cloudflare — DNS, CDN, edge caching
- Clerk — authentication
We notify Controller at least 30 days before adding or replacing a sub-processor; objections may be raised in writing.
4. International transfers
Controller customer data is processed in the EEA (Render Frankfurt). For ancillary transfers to Anthropic and to Lifecycle Innovations Limited (Hong Kong) for support and account-management purposes, the parties rely on the European Commission's Standard Contractual Clauses (Module 2 and Module 1) of 4 June 2021, which are incorporated into this DPA by reference.
5. Security measures
- Encryption at rest (Postgres pgcrypto) and in transit (TLS 1.3)
- Tenant-isolated database schemas; row-level access control
- SSO + MFA-protected admin access via Clerk
- Audit logging of admin actions, retained 12 months
- Daily encrypted backups with 30-day retention
- Vulnerability scanning + dependency monitoring
6. Breach notification
Processor notifies Controller without undue delay (and within 72 hours) of any confirmed personal data breach affecting Controller data, with all information reasonably necessary for Controller's own GDPR Art. 33 obligations.
7. Data subject rights
Processor assists Controller in fulfilling DSARs (access, rectification, erasure, portability, objection) by providing tenant export and deletion tools in the Settings page, and by handling requests received directly from data subjects within 5 business days.
8. Audit rights
Controller may audit Processor's compliance once per year on 30 days' notice, during business hours, at Controller's cost. Processor satisfies routine audit obligations by sharing its current SOC 2-style internal-control documentation and sub-processor list.
9. Termination
On termination, Processor deletes Controller customer data within 90 days, or returns it on Controller's written request, except as required by law (e.g. tax records).
10. Contact
For a counter-signed copy or to negotiate variations, contact [email protected].