Data Protection Agreement
Effective Date: 1 March 2025
1. Definitions
For the purposes of this DPA:
- "Privacy Laws" means any applicable law relating to data protection and security, including the General Data Protection Regulation (GDPR) (Regulation 2016/679) and any other national laws implementing the GDPR or similar data protection regulations.
- "Security Directives" means all applicable security requirements as described in Appendix 1.
- Terms such as "data controller," "data processor," "data subject," "personal data," and "processing" shall have the meanings defined under applicable Privacy Laws.
2. Introduction
2.1 Melrose Labs, as the provider of the RichChat service, processes personal data on behalf of the Customer for the provision of the Service. This DPA governs the data protection obligations between the parties to comply with applicable Privacy Laws.
3. Role of the Parties
3.1 Melrose Labs acts as a data processor when processing personal data for the provision of RichChat messaging services. The Customer acts as the data controller, determining the purpose and means of processing personal data.
3.2 In cases where Melrose Labs transmits messages directly (e.g. notifications), Melrose Labs acts as a data controller.
4. Subject Matter and Purpose of Processing
4.1 The purpose of processing personal data is to provide the RichChat service, including real-time messaging, user account management, and customer support. Processing shall be limited to the duration of the Agreement and conducted in accordance with Privacy Laws.
4.2 Personal data processed under this agreement shall not be transferred outside the EU/EEA unless adequate protection measures are implemented, such as EU Standard Contractual Clauses.
5. Duration of Processing
5.1 Personal data will be processed for the duration of the Customer's use of the RichChat service unless otherwise agreed upon in writing.
6. Type of Personal Data Processed
6.1 Personal data processed by RichChat may include:
- Contact information (name, phone number, email address)
- User account data (username, profile photo, preferences)
- Communication metadata (timestamps, delivery status)
- Device and connection data
7. Categories of Data Subjects
7.1 The categories of data subjects include:
- RichChat users (Customers and their employees)
- End users communicating through RichChat
8. Technical and Organisational Measures
8.1 Melrose Labs implements appropriate technical and organisational measures, including:
- End-to-end encryption for messages and calls
- Access controls and multi-factor authentication
- Regular security audits and vulnerability assessments
- Data minimisation and pseudonymisation
9. Sub-Processors
9.1 Melrose Labs may engage third-party sub-processors to assist with service provision. All sub-processors shall be bound by equivalent data protection obligations as set out in this DPA.
9.2 A list of current sub-processors is available from support@richchat.com.
10. Data Subject Rights
10.1 Melrose Labs shall assist the Customer in fulfilling data subject rights, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
11. Data Breach Notification
11.1 In the event of a personal data breach, Melrose Labs shall notify the Customer within 36 hours of becoming aware of the breach and provide relevant details, including:
- Nature of the breach
- Categories and volume of affected data
- Measures taken to mitigate the impact
12. Data Deletion and Return
12.1 Upon termination of the Agreement, Melrose Labs shall delete or return all personal data processed under this DPA unless required by law to retain certain data.
13. Audits and Inspections
13.1 The Customer may conduct audits, subject to reasonable notice and Melrose Labs' security policies. ISO 27001 and other certifications shall satisfy most audit requirements.
14. RichChat Privacy Policy
14.1 This DPA is subject to the terms outlined in the RichChat Privacy Policy, available at Privacy Policy.
15. Limitation of Liability
15.1 Each party’s liability under this DPA is subject to the limitation of liability provisions set out in the Agreement between the parties.
16. Governing Law
16.1 This DPA is governed by the laws of the United Kingdom, and any disputes shall be subject to the jurisdiction of the courts of the United Kingdom.
17. Contact Information
For any questions regarding this DPA, please contact:
Melrose Labs Ltd
The Stamp Office, Level 5
10–14 Waterloo Place
Edinburgh, EH1 3EG
Scotland, UK
Email: legal@melroselabs.com
Appendix 1: Technical and Organisational Measures
Melrose Labs implements the following technical and organisational measures for the RichChat service to ensure the protection of personal data:
- Data Encryption
  - End-to-end encryption for all messages and calls using industry-standard encryption (e.g. AES-256).
  - Encryption of data at rest and in transit.
  - Secure key management practices to protect encryption keys.
- Access Control
  - Role-based access controls (RBAC) ensuring the principle of least privilege.
  - Multi-factor authentication (MFA) for all system administrators and users with elevated privileges.
  - Unique user IDs and passwords for all RichChat accounts.
- Network and System Security
  - Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor network traffic.
  - Regular vulnerability scanning and penetration testing.
  - Segregation of production, testing, and development environments.
- Data Minimisation and Pseudonymisation
  - Collection of only the minimum necessary personal data for service functionality.
  - Use of pseudonymisation techniques to protect user identities when processing metadata.
- Monitoring and Logging
  - Real-time monitoring of system activity and access logs.
  - Audit trails for all data access, changes, and deletions.
  - Retention of logs for a minimum of six months, as required by Privacy Laws.
- Business Continuity and Disaster Recovery
  - Regular backups of all critical systems and data.
  - Disaster recovery plans and failover systems to ensure service continuity.
  - Periodic testing of backup restoration procedures.
- Data Breach Management
  - Documented incident response plan, including breach notification procedures.
  - Immediate breach detection and investigation.
  - Notification to customers within 36 hours of breach discovery.
- Staff Training and Awareness
  - Regular data protection and security training for all employees.
  - Confidentiality agreements for staff with access to personal data.
  - Periodic security awareness campaigns.
- Physical Security
  - Secure data centres with controlled access and 24/7 monitoring.
  - Environmental controls to protect hardware (e.g. fire suppression, temperature control).
  - CCTV surveillance and visitor logs for sensitive areas.
- Third-Party and Sub-Processor Security
  - Due diligence and risk assessment of all third-party providers.
  - Binding contractual agreements with sub-processors ensuring equivalent security standards.
  - Regular audits of sub-processors for compliance.
- Regular Review and Improvement
  - Annual review of security policies and procedures.
  - Continuous improvement based on emerging threats and technological advancements.
  - Documentation of all changes and updates to security controls.