Data Processing Agreement

Between the Customer and My Country Mobile Pte Ltd for the FloatChat Service.

Effective: May 20, 2026  |  Version: v2.0 — BYOC Twilio model — DRAFT for legal review

DRAFT — FOR LEGAL REVIEW

This document is an AI-assisted draft prepared to accelerate legal review. It is not legal advice and must be reviewed by qualified counsel before being signed or sent to a customer.

Parties

This Data Processing Agreement ("DPA") is entered into between the customer entity identified in the Order Form or sign-up ("Customer") and My Country Mobile Pte Ltd, with registered office at 8 Temasek Boulevard #32-01 Suntec Tower Three, Singapore 038988 (Singapore Company Registration No. 201535142E) ("Provider"). If you are a customer in India, a different DPA applies with our India operating entity.

1. How this DPA fits with the rest of the agreement

This DPA forms part of the master agreement between the Parties for the FloatChat service (Terms of Service, Order Form, and other documents — together the "Agreement"). If anything in this DPA conflicts with the Agreement on matters of personal-data processing, this DPA controls.

2. Definitions

  • "Applicable Data Protection Law" — GDPR, EU ePrivacy Directive, CCPA/CPRA + other US state privacy laws, Singapore PDPA, and equivalents.
  • "Customer Personal Data" — personal data Provider processes on Customer's behalf in providing the Service.
  • "Data Subject", "Personal Data", "Process / Processing", "Controller", "Processor", "Personal Data Breach" — have the meanings given in GDPR.
  • "Restricted Transfer" — a transfer of personal data to a country outside the EEA, UK, or Switzerland that is not the subject of an adequacy decision.
  • "Sub-processor" — a third party Provider engages to process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" — the EU Commission's Implementing Decision 2021/914 (modular SCCs).
  • "UK Addendum" — the UK ICO International Data Transfer Addendum, version B1.0 or successor.
  • "BYOC" — Bring Your Own Carrier/Twilio: a customer-supplied account that the Customer connects to FloatChat for voice/SMS.

3. Roles and scope

| Processing activity | Customer's role | Provider's role |
|---|---|---|
| Conversations and content collected through the FloatChat widget | Controller | Processor |
| Service-administration data (logins, audit trails, billing) of Customer's own users | Joint determination | Controller (security, billing) / Processor (hosted data) |
| Aggregated and anonymized data derived from the Service | N/A | Controller |
| Provider's own business operations (CRM, marketing) | N/A | Controller |
| Voice/SMS via Customer's own Twilio (BYOC) account | Controller (operator) | None — Provider is not a processor of Customer's Twilio account |

4. Subject matter, duration, nature, purpose

| Item | Description |
|---|---|
| Subject matter | Provision of the FloatChat chatbot service to Customer. |
| Duration | From the date of the Agreement until termination, plus any post-termination retention period. |
| Nature and purpose | Hosting, transmitting, storing, retrieving, analyzing, and otherwise processing Customer Personal Data as needed to deliver the Service. |
| Categories of Data Subjects | Customer's end users who interact with the Service and Customer's own personnel using the Service. |
| Categories of Personal Data | Contact identifiers (name, email, phone), conversation content, device data, authentication identifiers. |
| Sensitive categories | None. Customer represents it will not submit special-category or sensitive data. |

5. Provider's obligations as Processor

When acting as a Processor, Provider will:

  • Process Customer Personal Data only on Customer's documented instructions.
  • Ensure personnel are bound by confidentiality obligations.
  • Implement and maintain the technical and organizational measures in Annex II.
  • Engage Sub-processors only in accordance with Section 8.
  • Assist Customer in responding to Data Subject requests.
  • Assist Customer in ensuring compliance with security, breach notification, DPIAs, and prior consultations.
  • Delete or return Customer Personal Data at the end of services.
  • Make available information to demonstrate compliance and allow audits per Section 9.

6. Provider's obligations as Controller

When Provider acts as a Controller (service administration, billing, anonymized improvement), Provider will:

  • Process personal data lawfully, fairly, and transparently.
  • Identify and document a lawful basis for each processing activity.
  • Maintain a privacy notice (the FloatChat Privacy Policy).
  • Honor Data Subject rights directly.
  • Maintain a RoPA under GDPR Article 30 where required.

7. Security

Provider will implement the measures in Annex II appropriate to the risk. Provider will notify Customer without undue delay and within 48 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.

8. Sub-processors

Customer authorizes Provider to engage the Sub-processors listed at floatchat.com/subprocessors. Provider will give Customer at least 30 days' prior notice of any new Sub-processor. Customer may object on reasonable data-protection grounds within 30 days.

Provider will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and Provider remains liable for the acts and omissions of its Sub-processors.

9. Audits

Provider will respond to reasonable written audit requests. Provider may satisfy this obligation by making available recent third-party audit reports (SOC 2 Type II, ISO 27001). Audits will take place during business hours and no more than once per 12 months (except in case of a Personal Data Breach or regulator request).

10. International data transfers

The Parties acknowledge that Provider and Sub-processors are located outside the EEA or UK. The Parties agree:

  • For Restricted Transfers under the GDPR: EU SCCs Module 2 or Module 3 apply, with the populated Annexes at the end of this DPA.
  • For Restricted Transfers from the UK: UK IDTA Version B1.0 (or successor) applies.
  • For Restricted Transfers from Switzerland: SCCs as adapted by the Swiss FADP guidance.
  • Provider has carried out a Transfer Impact Assessment for each Restricted Transfer.
  • Where the EU SCCs and this DPA conflict, the SCCs prevail.

11. Data Subject rights

Provider will assist Customer in responding to Data Subject requests by providing self-service tools (export, deletion, correction). If a Data Subject contacts Provider directly, Provider will redirect them to Customer.

12. Liability

Each Party's total liability under this DPA, the SCCs, and the UK Addendum is subject to the limitations in the Agreement, except where the law prohibits limitation.

13. Term and end of services

This DPA applies for as long as Provider processes Customer Personal Data. On end of services, Provider will delete or return all Customer Personal Data within 30 days.

14. Updates

Provider may update this DPA to reflect changes in applicable law. Material changes will be notified at least 30 days in advance.

Annex I — Description of the processing

| Item | Description |
|---|---|
| A. Data exporter (Customer) | Identified in the Order Form or sign-up. Contact: [Customer DPO/privacy contact]. |
| A. Data importer (Provider) | My Country Mobile Pte Ltd, 8 Temasek Boulevard #32-01 Suntec Tower Three, Singapore 038988. Contact: dpo@floatchat.com. |
| B. Categories of Data Subjects | End users of Customer (visitors, support contacts, prospects) and Customer's own personnel. |
| B. Categories of Personal Data | Identifiers (name, email, phone), conversation content, IP address, device metadata, page-view context, authentication data. |
| B. Sensitive data | None permitted. AUP prohibits. |
| B. Frequency of transfer | Continuous, for the term of the Agreement. |
| B. Nature of the processing | Cloud-hosted chat platform: collection, storage, transmission, AI inference, deletion. |
| B. Purpose of the processing | Provide the FloatChat service. |
| B. Retention | As set out in the Privacy Policy and Customer's configuration. |
| B. Sub-processors | See Annex III. |
| C. Competent supervisory authority | The EU member state of the data exporter; UK ICO; Singapore PDPC. |

Annex II — Technical and organizational security measures

Access control

  • Role-based access control with least-privilege.
  • MFA for all production and administrative access.
  • Quarterly access reviews and immediate revocation on role change or termination.

Encryption

  • TLS 1.2+ for data in transit.
  • AES-256 for data at rest, hardware-backed key management.
  • Key rotation at least annually.

Network and infrastructure

  • Hardened cloud infrastructure (DigitalOcean NYC3 — application hosting; Vercel — marketing website) with network segmentation.
  • Web application firewall and DDoS protection.
  • Continuous vulnerability scanning; annual penetration testing.

Operations and monitoring

  • Centralized logging retained at least 180 days.
  • 24x7 security monitoring with documented incident response runbooks.
  • Change management: peer review, automated tests, staged rollouts.

Personnel and physical

  • Background checks at hire.
  • Confidentiality obligations in all agreements.
  • Annual security and privacy training.
  • Physical security inherited from cloud providers (SOC 2 / ISO 27001).

Data lifecycle

  • Data classification standards.
  • Default-deny for data egress.
  • Documented retention and deletion processes.
  • Backups encrypted, geographically separated, tested annually.

Governance

  • Designated privacy and security leads.
  • Sub-processor due diligence and annual reassessment.
  • Documented business continuity and disaster recovery, tested annually.
  • Incident response: 48h to Customer; 72h to supervisory authorities under GDPR.

Annex III — Authorized Sub-processors

The current list is maintained at floatchat.com/subprocessors. Current list (as of effective date):

| Sub-processor | Service / Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Application hosting, managed database, object storage (NYC3) | United States (NYC3) |
| Vercel, Inc. | Marketing website hosting (floatchat.com only) | United States |
| OpenAI, LLC | AI chat inference (no training on Customer Data) | United States |
| Stripe, Inc. | Payment processing | United States |
| Google LLC (Google Analytics 4) | Marketing-site analytics (consent-gated via Iubenda) | United States |

Provider will give 30 days' prior notice of any new Sub-processor by updating the page and notifying subscribers.

Customer-supplied integrations (Bring Your Own Twilio). Where Customer connects its own Twilio account or any other third-party service for voice, SMS, email, or other capabilities, the operator of that account is the Customer (or its chosen vendor) — not Provider. Twilio in that case is the Customer's own processor under a separate agreement between Customer and Twilio. Provider is neither a Sub-processor of, nor a recipient of personal data from, Customer's Twilio account, except as transiently passed through the chat widget at Customer's direction. Customer is solely responsible for the compliance of its own Twilio (or equivalent CPaaS) usage with TCPA, 10DLC, EU ePrivacy, UK PECR, and other applicable telecom laws.

Signatures

Each party signs below through an authorized representative.

For the Customer:

Signature ____________________

Name ________________________

Title ________________________

Date ________________________

For My Country Mobile Pte Ltd:

Signature ____________________

Name ________________________

Title ________________________

Date ________________________