ISO 27001 | GDPR Compliant | Meta Business Partner | 190+ Countries | 10,000+ Businesses

GDPR Compliance at BulkSMSHub

BulkSMSHub is built with GDPR and UK GDPR compliance at its core. We are ISO 27001:2022 certified and SOC 2 Type II audited.

📅 Last Updated: April 6, 2026  |  Applies to: EU GDPR, UK GDPR, Swiss nFADP

✅ BulkSMSHub acts as both a Data Controller (for customer account data) and a Data Processor (for personal data you upload to the platform). We are fully compliant with the EU General Data Protection Regulation (GDPR) and UK GDPR.

Our GDPR Compliance Framework

ISO 27001:2022

Information security management system certified by an accredited third-party auditor. Annual recertification required.

SOC 2 Type II

Annual audit of security, availability, processing integrity, confidentiality and privacy controls by independent auditors.

DPO Appointed

Qualified Data Protection Officer appointed and registered with the relevant supervisory authority.

Data Processing Agreements

GDPR-compliant DPAs available for all customers processing EU/UK personal data. Request via dpo@bulksmshub.com.

EU Data Residency

EU-based data processing available for enterprise customers. Data stored exclusively in Frankfurt, Germany (AWS eu-central-1).

Privacy by Design

GDPR Article 25 compliance. Privacy considerations built into every product feature from the design stage.

Lawful Basis for Processing

BulkSMSHub processes personal data under the following lawful bases per GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the platform services you have contracted for.
  • Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, platform improvement and B2B marketing communications.
  • Legal Obligation (Art. 6(1)(c)): Tax records, financial reporting and compliance with court orders.
  • Consent (Art. 6(1)(a)): Marketing communications to individuals (newsletter, promotional emails). Consent is recorded with timestamp and can be withdrawn at any time.

Data Processing Agreement (DPA)

Under GDPR Article 28, when BulkSMSHub processes personal data on your behalf (as your data processor), you must have a valid Data Processing Agreement in place. Our DPA:

  • Includes all mandatory Article 28(3) clauses
  • Covers sub-processor disclosure and management
  • Includes Standard Contractual Clauses (SCCs) for international data transfers
  • Specifies technical and organisational security measures
  • Provides for data breach notification within 24 hours of discovery

To request a signed DPA, email dpo@bulksmshub.com with your company name and registered address. Enterprise customers can also access the DPA directly from the platform dashboard under Account Settings > Legal.

International Data Transfers

BulkSMSHub transfers data internationally where necessary to provide our global services. All transfers from the EEA/UK are safeguarded by:

  • Standard Contractual Clauses (SCCs): European Commission-approved SCCs incorporated into our DPA for all sub-processors outside the EEA.
  • UK International Data Transfer Agreement (IDTA): For UK-specific requirements post-Brexit.
  • Adequacy Decisions: For transfers to countries recognised as having adequate data protection (Singapore — partial adequacy under review).
  • Transfer Impact Assessments (TIAs): Conducted for all high-risk transfers, available on request from our DPO.

Sub-Processors

We maintain a register of all sub-processors used to deliver our services. Key sub-processors include: Amazon Web Services (EU data centres), Google Cloud Platform, Stripe (payment processing), SendGrid (email delivery), Cloudflare (CDN and security). The full sub-processor list is available to customers under a signed DPA.

We provide 30 days' advance notice of any new sub-processors, giving customers the right to object.

Data Subject Rights Management

BulkSMSHub provides tools to help you fulfil GDPR data subject rights on behalf of your end customers:

  • Right to Access: Export all data for a specific contact number or email via the dashboard or API.
  • Right to Erasure: Delete all data for a specific contact, including message history and opt-in records.
  • Opt-Out Suppression: Automatically suppress opted-out contacts from future campaigns.
  • Data Portability: Export contact lists and campaign data in CSV/JSON format.
  • Consent Management: Record, store and manage consent with timestamps for audit purposes.

Security Measures (GDPR Article 32)

  • AES-256 encryption at rest for all data
  • TLS 1.3 for all data in transit
  • Role-based access control and MFA enforced for all platform access
  • Regular penetration testing by independent security firms
  • 24/7 security monitoring and incident response
  • Data breach notification within 24 hours of discovery; GDPR Article 33 compliance within 72 hours

Data Protection Officer

Our appointed DPO can be contacted at:

General Email: sales@bulksmshub.com
Postal Address: BulkSMSHub Pte. Ltd., 1 Raffles Place #20-61, Singapore 048616
EU Representative: Available on request for Article 27 purposes
UK Representative: BulkSMSHub UK, 20 Fenchurch Street, London EC3M 3BY

Need a Data Processing Agreement?

Request your signed GDPR DPA within 2 business days. Enterprise customers get priority turnaround.
