Data Processing Agreement
Last updated: January 10, 2026
Introduction
The Nineteen58 Data Processing Plan defines how user and business data is collected, processed, stored, transferred, and deleted, ensuring full compliance with GDPR, POPIA, and SOC 2 standards. This structured approach to data lifecycle management upholds user privacy, security, and transparency while ensuring that all data processing activities align with legal requirements and industry best practices. This plan outlines the data governance framework, including data classification, processing methods, security measures, third-party data handling, and user consent management. It ensures that all processing activities are documented, auditable, and compliant with applicable regulations, balancing operational efficiency with stringent privacy safeguards.
Scope and Classification
The scope of this plan covers all data processed within Nineteen58’s infrastructure, including three main classifications of data. Personal Data includes details provided by users, such as names, email addresses, and phone numbers, as well as automatically collected metadata like IP addresses and device information. Business Data includes customer transactions, contracts, and service usage history to ensure compliance with service agreements and financial regulations. Lastly, Sensitive Data, which covers authentication credentials, financial records, and other confidential information, is encrypted and access-restricted.
Plan
1. Data Collection and Processing Methods
Nineteen58 employs several methods for data collection and processing. Data is collected directly from users through web applications, sign-ups, and AI-driven interactions. Additionally, automated collection takes place using system logs, API transactions, and monitoring tools, all while adhering to GDPR-compliant data minimization standards. Lastly, the company utilizes third-party data sources, retrieving specific data through integrations with third-party APIs, which include the WhatsApp API and AI-driven communication services.
All user and business data is securely stored in AWS data centers, ensuring GDPR compliance. Additionally, cloud-based infrastructure provides scalable and resilient processing power for application hosting and compute services. Any external services that process data on behalf of Nineteen58 must meet security and compliance standards.
2. User Consent and Legal Basis for Processing
Nineteen58 ensures transparent and lawful data processing by adhering to strict consent policies. Explicit user consent is required before collecting any personal data, using clear opt-in mechanisms. Data subjects have the right to access, modify, delete, or export their data, and all requests are fulfilled within 30 days, as mandated by GDPR. Additionally, retention policies prevent indefinite data storage; personal data is retained only as long as necessary for service fulfillment, with automatic deletion of inactive user records after a defined period.
3. Data Security and Access Control
Ensuring the confidentiality, integrity, and availability of data is central to Nineteen58’s data processing strategy. Data security and access control are ensured through multiple measures. Encryption standards, including AES-256 encryption for stored data and TLS 1.2/1.3 encryption for data in transit, protect data from unauthorized access. Role-Based Access Control (RBAC), enforced through a secure authentication system and Row-Level Security (RLS), ensures that only authorized personnel can access sensitive data based on their organizational roles and permissions. API Security, utilizing OAuth 2.0 and JWT-based API access control, prevents unauthorized data access and ensures secure third-party interactions. Additionally, data anonymization and minimization techniques are employed, where personally identifiable information (PII) is pseudonymized or anonymized to reduce data exposure.
4. Cross-Border Data Transfers and Compliance
To maintain compliance with global data protection laws, Nineteen58 applies strict cross-border data transfer controls. Primary storage remains within AWS’s European data centers, ensuring GDPR alignment. Data transfers to US-based infrastructure require Standard Contractual Clauses (SCCs) to maintain legal compliance. Additionally, third-party integrations must meet Nineteen58’s security and compliance requirements, with contractual obligations ensuring adherence to strict data processing standards.
5. Data Retention and Deletion Policy
Nineteen58 has a data retention and deletion policy that ensures data is only stored as long as necessary. Short-term storage applies to actively used data. Archival storage is used for business-critical data that is retained for regulatory or continuity purposes, and this data is subject to strict access controls. Data deletion procedures include a process for users to request deletion of their personal data, which is completed within 30 days, and automated deletion mechanisms that purge expired or unnecessary records from the system.
6. Third-Party Data Processors and Compliance
Nineteen58 enhances platform functionality by working with external service providers that meet strict security and compliance criteria. For example, the WhatsApp API handles AI-driven customer interactions, while AI Voice and Automation APIs process voice and workflow automation tasks. Third-party vendors are contractually obligated to comply with Nineteen58’s data security policies and applicable regulations.
7. Incident Response and Breach Notification
A structured incident response plan ensures swift and transparent action in the event of a security breach. Automated monitoring detects unauthorized data access and suspicious processing anomalies, and security breaches are reported within 72 hours to comply with GDPR requirements. Data loss prevention strategies, such as encrypted backups, failover mechanisms, and disaster recovery plans, minimize downtime and ensure business continuity.
8. Compliance Audits and Policy Review
Regular audits and reviews ensure that Nineteen58’s data processing activities remain compliant with legal and regulatory requirements. Internal data audits verify adherence to processing policies and best practices. Annual compliance audits ensure full alignment with GDPR, POPIA, and SOC 2 standards. Policy updates are made in response to evolving security threats and regulatory changes.
Conclusion
The Nineteen58 Data Processing Plan establishes a transparent, compliant, and security-focused approach to managing data across its lifecycle. Through robust encryption, access controls, and retention policies, we ensure that all data is processed lawfully and securely.
By maintaining strict compliance with GDPR, POPIA, and SOC 2, implementing user consent mechanisms, and enforcing third-party security requirements, Nineteen58 upholds the highest standards of data protection and privacy. Continuous monitoring, audits, and policy reviews ensure that our data governance practices remain aligned with evolving regulatory and security landscapes.
Our commitment to data integrity, security, and transparency reinforces the trust placed in us by our users and partners, ensuring that all data processing activities are conducted with the highest level of responsibility and due diligence.
Contact Information
For any questions or concerns regarding this Data Processing Agreement, please contact our Data Protection Officer.