GDPR Compliance

1. GDPR Compliance Overview

YesSMS (operated by DEADLY DIGITAL STUDIOS) is committed to protecting personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This page explains:

• How we comply with data protection law
• Our Data Processing Agreement with customers
• Your rights as a data subject
• Our security measures and sub-processors

1.1 Our Role

Under GDPR, organisations can be either a Data Controller (decides how and why data is processed) or a Data Processor (processes data on behalf of a controller).

YesSMS acts as:

• Data Controller for your account information, billing data, and our direct communications with you
• Data Processor for the contact data and message content you upload to send SMS messages to your recipients

When you use YesSMS to send messages to your customers or contacts, you are the Data Controller for their personal data. You determine the purposes and means of processing. We process that data only on your documented instructions.

1.2 Key Compliance Measures

• UK Data Residency: Primary data storage in UK/EEA data centres
• Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication, audit logging
• Data Minimisation: We only collect data necessary to provide the service
• Retention Limits: Clear retention periods with automatic deletion
• Breach Procedures: Documented incident response with notification obligations
• ICO Registration: Registered as a data controller with the Information Commissioner's Office

2. Data Processing Agreement (DPA)

By using YesSMS, you automatically enter into this Data Processing Agreement. This DPA forms part of our Terms of Service and governs our processing of personal data on your behalf.

2.1 Subject Matter and Duration

This DPA applies to the processing of personal data by YesSMS when you use our SMS platform to send messages. The processing will continue for the duration of your use of our services and for the retention period specified in our Privacy Policy.

2.2 Nature and Purpose of Processing

We process personal data to:

• Store and manage your contact lists
• Send SMS messages on your behalf to your designated recipients
• Provide delivery reports and analytics
• Maintain logs for troubleshooting and compliance

2.3 Types of Personal Data

2.4 Categories of Data Subjects

Recipients of your SMS messages, as determined by the contact data you upload.

2.5 Our Obligations as Processor

YesSMS commits to:

1. Process only on your instructions: We will only process personal data according to your documented instructions, including transfers to third countries (unless required by law)
2. Confidentiality: Ensure all personnel processing the data are bound by confidentiality obligations
3. Security measures: Implement appropriate technical and organisational measures (see Section 5)
4. Sub-processor management: Only engage sub-processors with your authorisation and ensure they meet equivalent obligations (see Section 4)
5. Assist with data subject rights: Help you respond to requests from individuals exercising their rights
6. Assist with compliance: Help you meet obligations under Articles 32-36 GDPR (security, breach notification, DPIAs, prior consultation)
7. Data return/deletion: At your choice, delete or return all personal data after the end of services
8. Audit support: Make available information necessary to demonstrate compliance and allow for audits

2.6 Your Obligations as Controller

As the Data Controller for your recipients' data, you must:

1. Lawful basis: Ensure you have a valid legal basis to process and send messages to each recipient (consent, legitimate interest, contract, etc.)
2. Transparency: Provide appropriate privacy notices to your recipients
3. Consent management: Where relying on consent, obtain it properly and manage opt-outs
4. Data accuracy: Keep contact data accurate and up-to-date
5. Data subject requests: Handle requests from your recipients (access, deletion, etc.)
6. PECR compliance: Comply with the Privacy and Electronic Communications Regulations for electronic marketing
7. Lawful instructions: Only provide us with lawful processing instructions

2.7 Data Breach Notification

In the event of a personal data breach affecting your data, we will:

• Notify you without undue delay (and in any event within 48 hours of becoming aware)
• Provide details of the breach including categories and approximate number of data subjects affected
• Describe likely consequences and measures taken or proposed to address the breach
• Cooperate with you in meeting your notification obligations to supervisory authorities and data subjects

2.8 International Transfers

Your data is primarily processed in the United Kingdom. Where transfers outside the UK/EEA are necessary (e.g., for certain sub-processors), we ensure appropriate safeguards:

• Standard Contractual Clauses (UK SCCs / EU SCCs with UK Addendum)
• Transfers to countries with adequacy decisions
• Transfer Impact Assessments where required

3. Data Subject Rights

Under UK GDPR, individuals have the following rights regarding their personal data:

3.1 Rights of YesSMS Account Holders

If you have a YesSMS account, you can exercise these rights for your account data:

We will respond to requests within 30 days. There is no fee for most requests.

3.2 Rights of Your Message Recipients

If you receive SMS messages sent via YesSMS and want to exercise your rights:

• Contact the sender: The organisation that sent you the message is the Data Controller. Contact them directly to exercise your rights.
• Opt-out: Follow any opt-out instructions in the message, or contact the sender to be removed from their list.
• If you cannot identify the sender: Contact us at privacy@yessms.io and we will help you identify who sent the message so you can exercise your rights with them.

4. Sub-processors

We use the following categories of sub-processors to deliver our service:

All sub-processors are bound by data processing agreements that impose equivalent data protection obligations.

4.1 Sub-processor Changes

We may add or change sub-processors. We will:

• Maintain an up-to-date list available upon request
• Notify customers of new sub-processors via email at least 14 days before engagement
• Allow customers to object to new sub-processors on reasonable data protection grounds

To receive sub-processor notifications or request the current list, email: privacy@yessms.io

5. Technical and Organisational Security Measures

We implement comprehensive security measures to protect personal data:

5.1 Technical Measures

• Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
• Access Control: Role-based access control (RBAC), principle of least privilege
• Authentication: Strong password requirements, multi-factor authentication available
• Network Security: Firewalls, intrusion detection, DDoS protection
• Monitoring: 24/7 infrastructure monitoring, security event logging
• Vulnerability Management: Regular security scanning, penetration testing
• Backup: Regular encrypted backups with tested recovery procedures

5.2 Organisational Measures

• Policies: Documented information security and data protection policies
• Training: Regular security and privacy awareness training for all staff
• Confidentiality: All employees bound by confidentiality agreements
• Incident Response: Documented breach response and notification procedures
• Vendor Management: Due diligence and contractual protections for sub-processors
• Physical Security: Data centres with physical access controls, CCTV, 24/7 security

5.3 Certifications and Audits

Our infrastructure providers maintain industry certifications including ISO 27001 and SOC 2. We conduct regular internal security reviews and engage third-party penetration testing annually.