Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer ("Controller") and mittis.ai LLC ("Mittis," "Processor") and governs Mittis's processing of personal data on the Customer's behalf in connection with the service.
1. Roles & scope
For personal data that Mittis processes on the Customer's behalf through the service (“Customer Personal Data”), the Customer is the Controller and Mittis is the Processor. Where Mittis determines the purposes and means of processing its own business data (for example, account and billing information), Mittis acts as a Controller as described in its Privacy Policy. This DPA applies to the extent applicable data protection laws (such as the GDPR, UK GDPR, and CCPA/CPRA) govern the processing.
2. Processing details
- Subject matter: provision of A2P messaging services.
- Duration: the term of the agreement, plus any retention period described herein.
- Nature & purpose: transmitting, routing, delivering, and reporting on messages, and related platform functions.
- Categories of data subjects: the Customer's contacts and end users.
- Categories of personal data: phone numbers, message content and metadata, consent/opt-out status, and delivery records.
3. Processor obligations
- Process Customer Personal Data only on documented instructions from the Controller, including as set out in the agreement and this DPA, unless required by law.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Section 6).
- Assist the Controller, taking into account the nature of processing, with data-subject requests and with security, breach-notification, and impact-assessment obligations.
- At the Controller's choice, delete or return Customer Personal Data at the end of the service, except where retention is required by law.
4. Sub-processors
The Customer authorizes Mittis to engage sub-processors to provide the service. Mittis imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance. Current categories of sub-processors include:
- Telecommunications carriers & aggregators — to deliver messages across networks.
- The Campaign Registry — to register A2P brands and campaigns.
- Cloud infrastructure & hosting providers — to run and store the service.
- Payment processors — to handle billing.
- Operational tooling — for logging, monitoring, and support.
Mittis maintains a current list of named sub-processors and will provide a mechanism to notify Controllers of changes and to object on reasonable data-protection grounds. Request the list at legal@mittis.ai.
5. Data-subject requests
Mittis will, taking into account the nature of the processing, provide reasonable assistance to enable the Controller to respond to requests from data subjects to exercise their rights. Where a data subject contacts Mittis directly, Mittis will refer them to the relevant Controller.
6. Security measures
Mittis maintains a security program appropriate to the risk, including:
- Encryption of personal data in transit;
- Access controls and the principle of least privilege;
- Network security, logging, and monitoring;
- Regular review of security practices and vendor risk;
- Personnel confidentiality and security training.
7. Personal data breach
Mittis will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and will provide information reasonably necessary for the Controller to meet its breach-notification obligations.
8. International transfers
Where Customer Personal Data is transferred across borders in a manner requiring a transfer mechanism, the parties will rely on an appropriate safeguard such as the Standard Contractual Clauses or UK Addendum, which are incorporated by reference where applicable.
9. Audits
Mittis will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and security conditions.
10. Liability & order of precedence
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls.
11. Contact
For DPA execution, the sub-processor list, or security questions, contact legal@mittis.ai or security@mittis.ai.