Data Processing Addendum

Last updated: 21 May 2026

1. Introduction and Application

This Data Processing Addendum (“DPA“) forms part of the agreement between ValueText Pvt Ltd (“ValueText“, “we“, “us“, “our“) and the customer identified in the applicable Order Form (“Customer“, “you“, “your“) (together, the “Agreement“) and governs the processing of personal data by ValueText on behalf of Customer in connection with the Service.

This DPA is incorporated by reference into the Agreement. In the event of any conflict between this DPA and the Terms of Service or the Order Form in respect of the processing of personal data, this DPA prevails.

This DPA applies where, and only to the extent that, ValueText processes personal data on behalf of Customer as a data processor in connection with the provision of the Service. ValueText’s processing of personal data as a data controller (for example, in respect of Customer’s billing contacts or website visitors) is governed by our Privacy Policy and is not within the scope of this DPA.

2. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Terms of Service.

“Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR“), the UK GDPR and the Data Protection Act 2018 (“UK GDPR“), the California Consumer Privacy Act and California Privacy Rights Act (“CCPA“), and any other applicable laws regulating the processing of personal data.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” and related terms have the meanings given in Applicable Data Protection Law.

“Customer Personal Data” means Personal Data contained within Customer Data, as defined in the Terms of Service, that ValueText processes on behalf of Customer in providing the Service.

“Direct Mode” means the architectural model in which messages transmitted through the Service flow directly between Customer’s Salesforce organisation and the underlying messaging provider, without transiting ValueText infrastructure.

“Pass-Through Mode” means the architectural model in which messages transmitted through the Service transit ValueText infrastructure briefly for delivery processing before being deleted in accordance with Section 6.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

“Standard Contractual Clauses” or “SCCs” means (a) for transfers from the European Economic Area, the standard contractual clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, and (b) for transfers from the United Kingdom, the International Data Transfer Addendum issued by the UK Information Commissioner’s Office, in each case as updated or replaced from time to time.

“Subprocessor” means a third party engaged by ValueText to process Customer Personal Data on ValueText’s behalf in connection with the Service.

3. Roles of the Parties

3.1 Controller and Processor. With respect to Customer Personal Data processed under this DPA, Customer is the Controller and ValueText is the Processor. Where Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants that it has the authority of that Controller to engage ValueText as a Subprocessor, and ValueText is a Subprocessor of that Controller.

3.2 Controller responsibilities. Customer is responsible for: (a) ensuring it has a valid lawful basis under Applicable Data Protection Law for the processing of Customer Personal Data; (b) providing all notices and obtaining all consents required from Data Subjects; (c) the accuracy, quality, and legality of Customer Personal Data; and (d) Customer’s compliance with Applicable Data Protection Law generally.

3.3 Processor obligations. ValueText will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by law to which ValueText is subject. Customer’s instructions are deemed to consist of: (a) processing necessary to provide the Service in accordance with the Agreement; (b) processing necessary to comply with this DPA; and (c) any additional written instructions agreed between the parties.

3.4 Notification of unlawful instructions. If ValueText believes that an instruction from Customer infringes Applicable Data Protection Law, ValueText will notify Customer without undue delay.

4. Subject Matter, Duration, and Nature of Processing

This Section sets out the elements required under GDPR Article 28(3) and equivalent provisions of Applicable Data Protection Law.

4.1 Subject matter of the processing. The provision of the Service to Customer under the Agreement, including the transmission, routing, and delivery of messages on Customer’s behalf.

4.2 Duration of the processing. The duration of the Agreement, plus any period thereafter during which ValueText is required to retain Customer Personal Data under Applicable Data Protection Law. Section 11 sets out specific deletion obligations on termination.

4.3 Nature and purpose of the processing. Processing Customer Personal Data as necessary to provide the Service, including the transmission of messages between Customer’s Salesforce organisation and message recipients via the relevant messaging provider, recording delivery status, and supporting Customer’s use of the Service.

4.4 Categories of Customer Personal Data. Customer Personal Data processed under this DPA may include:

(a) Identifiers of message recipients: phone numbers, WhatsApp identifiers, names where included.

(b) Message content: the body and any attachments of messages Customer chooses to send through the Service.

(c) Delivery metadata: timestamps, delivery status codes, sender identifiers.

(d) User account data: identifiers of Customer’s users who operate the Service.

Customer determines, controls, and is responsible for the specific Personal Data included in messages sent through the Service.

4.5 Categories of Data Subjects. Data Subjects whose Personal Data is processed under this DPA may include:

(a) Customer’s contacts, leads, prospects, candidates, clients, patients, members, donors, employees, or other individuals to whom Customer sends messages.

(b) Customer’s own users of the Service.

(c) Any other Data Subjects whose Personal Data Customer chooses to include in messages.

5. ValueText’s Processing Obligations

5.1 Confidentiality. ValueText will ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality.

5.2 Security measures. ValueText will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, including the measures set out in Annex 1 (Technical and Organisational Measures) to this DPA.

5.3 Assistance to Customer. Taking into account the nature of the processing, ValueText will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

5.4 Assistance with Customer compliance. ValueText will assist Customer in ensuring compliance with Customer’s obligations under Articles 32 to 36 of GDPR (and equivalent provisions of UK GDPR and other Applicable Data Protection Law) taking into account the nature of the processing and the information available to ValueText.

5.5 Personnel and access. ValueText will limit access to Customer Personal Data to personnel who require such access to provide the Service. ValueText personnel may access Customer’s Salesforce organisation only where Customer has explicitly granted such access for support, onboarding, or configuration purposes, and only for the duration and scope of the specific request.

6. Processing Architecture

6.1 Two architectural modes. ValueText operates the Service under one of two architectural modes for the processing of messages: Direct Mode and Pass-Through Mode.

6.2 Direct Mode. In Direct Mode, messages flow directly between Customer’s Salesforce organisation and the underlying messaging provider. Customer Personal Data does not transit ValueText infrastructure in Direct Mode.

6.3 Pass-Through Mode. In Pass-Through Mode, messages transit ValueText infrastructure briefly for delivery processing. ValueText will delete Customer Personal Data processed in Pass-Through Mode within 60 seconds of completion of processing. ValueText does not retain copies, backups, or archives of messages processed in Pass-Through Mode.

6.4 Default mode. Unless the Order Form specifies otherwise, the Service operates in Pass-Through Mode. Customer may request operation in Direct Mode by agreement set out in the Order Form, subject to technical feasibility.

6.5 No persistent storage. In neither mode does ValueText maintain persistent storage of message content, attachments, or recipient identifiers outside of Customer’s Salesforce organisation.

7. Subprocessors

7.1 General authorisation. Customer provides general authorisation for ValueText to engage Subprocessors to process Customer Personal Data, subject to the conditions in this Section 7.

7.2 Current Subprocessors. As at the date of this DPA, ValueText engages the following Subprocessors in connection with the Service:

The current list of Subprocessors is maintained at https://valuetext.io/subprocessors/ and is updated in accordance with this Section 7.

7.3 Notification of changes. ValueText will provide Customer with at least 60 days’ prior written notice (which may be by email or by updating the Subprocessor list page) of the addition or replacement of any Subprocessor processing Customer Personal Data. Customer may subscribe to notifications of Subprocessor changes by emailing info@valuetext.io.

7.4 Right to object. Customer may object to the engagement of a new Subprocessor on reasonable grounds related to data protection by notifying ValueText in writing within the 60-day notice period. If Customer objects, ValueText will use reasonable efforts to make available a change to the Service that avoids the use of the proposed Subprocessor in respect of Customer Personal Data. If ValueText is unable to make such a change within a reasonable period, Customer may terminate the affected Order Form by written notice and receive a pro-rata refund of prepaid but unused licence Fees from the effective date of termination.

7.5 Subprocessor obligations. ValueText remains fully liable to Customer for the performance of each Subprocessor’s obligations, subject in all cases to the limitations of liability set out in the Terms of Service Section 12.

8. International Transfers

8.1 ValueText location. ValueText is established in India. Customer Personal Data may therefore be transferred to and processed in India and, via Subprocessors, in the United States and other jurisdictions.

8.2 Transfer mechanisms. Where ValueText transfers Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, the transfer is subject to appropriate safeguards under Applicable Data Protection Law.

8.3 Standard Contractual Clauses. Where required by Applicable Data Protection Law, the Standard Contractual Clauses are incorporated by reference into this DPA. For transfers from the EEA, Module 2 (Controller to Processor) of the SCCs applies where Customer is a Controller, and Module 3 (Processor to Subprocessor) applies where Customer is a Processor. For transfers from the United Kingdom, the UK International Data Transfer Addendum applies in conjunction with the SCCs.

8.4 SCC parameters. For the purposes of the SCCs:

(a) The data exporter is Customer, and the data importer is ValueText.

(b) The categories of Data Subjects and Personal Data are those set out in Section 4.

(c) The frequency of transfer is continuous, for the duration of the Agreement.

(d) The nature of the processing is as described in Section 4.

(e) The competent supervisory authority is the supervisory authority of the EEA Member State or the United Kingdom in which Customer is established.

(f) The governing law and forum of the SCCs is the law of Ireland (for EEA transfers) and the law of England and Wales (for UK transfers), unless otherwise required by Applicable Data Protection Law.

8.5 Conflict. In the event of a conflict between the SCCs and any other provision of this DPA or the Agreement, the SCCs prevail in respect of the international transfer.

9. Personal Data Breach Notification

9.1 Notification to Customer. ValueText will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

9.2 Content of notification. The notification will, to the extent the information is available at the time of notification, describe:

(a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected, and the categories and approximate number of Personal Data records affected;

(b) the likely consequences of the Personal Data Breach;

(c) the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects;

(d) a contact point at ValueText for further information.

9.3 Subsequent information. Where it is not possible to provide all required information at the time of notification, ValueText will provide the remaining information in phases as it becomes available, without undue further delay.

9.4 Scope of notification obligation. This Section 9 applies to Personal Data Breaches caused by, or affecting, ValueText’s processing of Customer Personal Data. Incidents affecting Customer’s own Salesforce environment that are not caused by ValueText fall under the contractual relationship between Customer and Salesforce.

10. Audit Rights

10.1 Right to audit. Customer may, no more than once in any 12-month period, audit ValueText’s compliance with this DPA, subject to the conditions in this Section 10.

10.2 Conditions. An audit under Section 10.1:

(a) must be requested by Customer in writing with at least 30 days’ advance notice;

(b) must be conducted by an independent auditor mutually agreed by the parties, who is bound by appropriate confidentiality obligations;

(c) must be conducted during normal business hours, in a manner that does not unreasonably interfere with ValueText’s business operations;

(d) is limited to information and systems necessary to verify ValueText’s compliance with this DPA;

(e) must not require ValueText to disclose information about other customers, ValueText’s confidential business information, or information whose disclosure would breach ValueText’s legal obligations;

(f) is conducted at Customer’s expense, including ValueText’s reasonable costs of supporting the audit.

10.3 Audit reports. ValueText may satisfy any audit requirement under this Section 10 by providing Customer with copies of relevant third-party audit reports, certifications, or attestations that ValueText has obtained, where these reasonably address the scope of Customer’s audit request.

10.4 Findings. Customer will share the findings of any audit with ValueText promptly. The parties will discuss any remediation in good faith.

10.5 Regulator audits. Nothing in this Section limits Customer’s rights or ValueText’s obligations to cooperate with audits or investigations conducted by a competent data protection authority.

11. Return and Deletion of Customer Personal Data

11.1 During the Agreement. Customer Personal Data resides in Customer’s Salesforce organisation throughout the term of the Agreement. Customer controls access, retention, and deletion of Customer Personal Data within its Salesforce organisation.

11.2 On termination or expiry. On termination or expiry of the Agreement:

(a) Customer Personal Data within Customer’s Salesforce organisation remains under Customer’s control. ValueText takes no action to return or delete this data, because ValueText does not hold it.

(b) Customer may uninstall the Managed Package at any time, which removes ValueText’s access to Customer’s Salesforce organisation.

(c) ValueText does not retain Customer Personal Data following termination or expiry. Any transient processing data held under Pass-Through Mode has already been deleted in accordance with Section 6.3.

11.3 Mandatory retention. Where ValueText is required by Applicable Data Protection Law or other legal obligation to retain certain data following termination, ValueText will inform Customer of the requirement, retain only the minimum data necessary, and apply appropriate confidentiality and security measures for the duration of the retention.

12. Data Subject Requests

12.1 Forwarding requests. If ValueText receives a request from a Data Subject relating to Customer Personal Data, ValueText will, without undue delay, forward the request to Customer. ValueText will not respond to the request directly, except to confirm receipt and direct the Data Subject to Customer.

12.2 Assistance. Taking into account the nature of the processing and the information available to ValueText, ValueText will provide reasonable assistance to Customer in responding to Data Subject requests, including by providing relevant information or technical support, to the extent Customer is unable to fulfil the request independently using the Service.

12.3 Cost. Assistance under Section 12.2 is provided at no additional cost to Customer for routine requests. ValueText reserves the right to charge for assistance with requests that require disproportionate or repeated effort, on the basis of ValueText’s standard professional services rates.

13. Liability

The limitation of liability in the Terms of Service applies to each party’s liability arising under or in connection with this DPA in the same manner as it applies to liability under the Terms of Service. For the avoidance of doubt, this DPA does not give rise to a separate liability cap and is included within the single aggregate liability cap set out in the Terms of Service.

14. Governing Law

This DPA is governed by the same governing law as the Agreement. In the event of a conflict between this DPA and the SCCs in respect of the law governing an international transfer, the SCCs prevail in respect of that transfer.

15. General

15.1 Entire DPA. This DPA constitutes the entire agreement between the parties in respect of the processing of Customer Personal Data under the Agreement and supersedes any previous data processing terms.

15.2 Order of precedence. In the event of a conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and an Order Form in respect of the processing of Personal Data, the Order Form prevails to the extent permitted under Section 14.2 of the Terms of Service.

15.3 Updates. ValueText may update this DPA from time to time to reflect changes in Applicable Data Protection Law or to improve the protections it provides. Material updates that reduce the protections of Customer Personal Data require Customer’s prior written consent. Other updates take effect on publication at https://valuetext.io/data-processing-addendum/.

15.4 Incorporation. This DPA is incorporated by reference into every Order Form executed between the parties after the effective date of this DPA. For Order Forms executed before the effective date of this DPA, this DPA applies on Customer’s written acceptance or on Customer’s continued use of the Service for more than 30 days after notification.

Annex 1 — Technical and Organisational Measures

ValueText implements the following technical and organisational measures to ensure the security of Customer Personal Data.

Encryption

• Data in transit is encrypted using industry-standard protocols (TLS 1.2 or higher).
• Authentication tokens are stored using cryptographic hashing.

Access controls

• Personnel access to ValueText systems is governed by role-based access controls and the principle of least privilege.
• Access to Customer’s Salesforce organisation is granted only where Customer has explicitly authorised access for specific support, onboarding, or configuration purposes, and is limited to the duration and scope of the specific request.
• Access logs are maintained and reviewed.

Pass-Through Mode safeguards

• Messages processed in Pass-Through Mode are held only in memory or in transient queues for the duration of delivery processing.
• Messages are deleted within 60 seconds of processing completion, with no backups or archives created.
• No persistent storage of message content occurs in Pass-Through Mode.

Infrastructure security

• ValueText infrastructure is hosted on Amazon Web Services, which provides physical and environmental security controls.
• Production environments are segregated from development and testing environments.
• Network security includes firewalls and intrusion detection.

Personnel

• ValueText personnel are bound by written confidentiality obligations.
• Personnel handling Customer Personal Data receive training on data protection responsibilities.
• Access privileges are reviewed and revoked promptly on personnel role changes or departure.

Incident response

• ValueText maintains a documented incident response procedure for Personal Data Breaches.
• Incidents are logged, investigated, and reviewed.

Business continuity

• ValueText maintains backup and disaster recovery procedures for its operational systems.
• These procedures do not include Customer Personal Data, because Customer Personal Data is not persistently stored on ValueText infrastructure.

Annex 2 — Subprocessors

A current list of authorised Subprocessors processing Customer Personal Data is published at:

https://valuetext.io/subprocessors/

The page lists, for each Subprocessor:

• the Subprocessor’s legal name and country of establishment;
• the processing activity performed; and
• the date of engagement.

As at the date of this DPA, the authorised Subprocessors are: