1. Parties and Scope
This Data Processing Agreement (“DPA”) is entered into between you, the customer (“Controller”) and Sibilis Inc., operator of Relayion (“Processor”). It applies to all personal data that Sibilis Inc. processes on your behalf in connection with the Relayion Service.
This DPA forms part of and is subject to the Relayion Terms of Service. Capitalised terms not defined here have the meanings given in the Terms of Service. This DPA takes effect on the date you accept the Terms of Service and remains in force for as long as Sibilis Inc. processes personal data on your behalf.
2. Roles
You are the Controller: you determine the purposes and means of processing personal data belonging to your end users (recipients, customers, staff, or other individuals whose phone numbers and messages you submit through the API).
Sibilis Inc. is the Processor: we process that personal data solely on your documented instructions, except where required to operate, secure, or comply with legal obligations relating to the Service, and in accordance with this DPA.
3. Scope of Processing
We process personal data for the following purposes and no others:
- Routing outbound SMS to the recipient phone numbers you specify.
- Receiving inbound SMS from those numbers and delivering them to your webhook.
- Storing message records for the retention period configured by you in account settings. If no retention window is configured, records are retained until account termination.
- Providing message status and delivery events via webhooks and the API.
- Tracking webhook delivery attempts (event type, target URL, delivery status, and timestamp) for retry and audit purposes. Webhook payloads are not written to logs.
The categories of personal data processed are: phone numbers (recipient and sender), message body text, Android ID and device name for paired devices, SIM slot index and SIM phone numbers, and device-level metadata including timestamps.
The data subjects are your end users: any individuals whose phone numbers or messages you pass through the API.
4. Sub-Processors
We use carefully selected third-party infrastructure providers to operate the Service. These include providers for transactional email delivery, API hosting and database storage, website and console hosting, and content delivery and reverse proxy services.
These providers process personal data only to the extent necessary to deliver their specific service and are bound by appropriate data protection obligations.
A current list of sub-processors is available on request to verified customers. We may require reasonable verification of customer identity or legitimate business purpose before providing this information. Requests should be directed to hello@relayion.com.
We will provide at least 30 days’ advance notice of any changes to our sub-processor arrangements. If you object to a new sub-processor on reasonable grounds, contact us at hello@relayion.com within that notice period.
5. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These include:
- TLS encryption for all data in transit between your systems, our API, and the Android device.
- Encryption at rest for database storage within our infrastructure environment.
- Encrypted backups stored separately from primary storage within our hosting infrastructure.
- Access controls and role-based permissions for internal staff.
- API key hashing. Plaintext keys are never stored.
- HMAC-SHA256 webhook signature verification.
- Rate limiting on all authentication endpoints.
Persons authorised to process personal data on Sibilis Inc.’s behalf are subject to appropriate confidentiality obligations.
For a full description of our security practices, see the Security page.
6. Data Breach Notification
In the event of a confirmed personal data breach affecting data we process on your behalf, we will notify you without undue delay and within 72 hours of confirming a qualifying security incident, to the extent reasonably practicable. The notification will include a description of the breach, the categories of data affected, and the measures taken or proposed to address it.
Where legally permitted, we will notify you of binding third-party requests for disclosure of personal data processed on your behalf.
7. Data Subject Rights
If one of your end users exercises a data subject right (access, deletion, correction, or portability) in relation to data we hold on your behalf, you are responsible for responding to that request. We will provide reasonable technical assistance where feasible and where the request relates to data stored in the Service.
8. Cross-Border Data Transfers
Our primary infrastructure is currently hosted in Singapore. We may also process or store personal data in other jurisdictions as necessary to operate the Service. When this occurs, we take reasonable technical, contractual, and organisational measures to protect personal data consistent with this DPA and applicable legal requirements.
9. Audit Rights
You may request available documentation of our security practices, summary audit materials if maintained, or reasonable written information about our data processing activities. Requests should be directed to hello@relayion.com.
Full Controller-side audits may be conducted by prior written agreement with Sibilis Inc., conducted in a non-disruptive manner during normal business hours, limited to once per calendar year, and at the Controller’s expense.
10. Data Deletion on Termination
Upon termination of your account or this DPA, we will delete or anonymise all personal data processed on your behalf within 30 days, unless retention is required by applicable law. Upon request made within 30 days of account closure, we will provide a data export prior to deletion.
11. Governing Law
This DPA is governed by the laws of the Republic of the Philippines. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the Philippine courts.
12. Contact
Questions about this DPA or data processing practices should be directed to hello@relayion.com.