Data Processing Agreement
Version 1.0 · Effective: 15 April 2026 · Last updated: 15 April 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between Mariza Katsantoni, sole proprietor trading as BIGG AI / Messagio ("Processor", "Messagio", "we") and the customer identified in the Messagio account ("Controller", "Customer", "you"). It reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Regulation (EU) 2016/679 ("GDPR") and applicable EU Member State data protection laws.
By clicking "I accept" during onboarding (or continuing to use the Service after this DPA has been presented), you enter into this DPA on behalf of yourself or the entity you represent.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject" and "Supervisory Authority" have the meanings given in Article 4 GDPR.
"Customer Personal Data" means Personal Data that Messagio Processes on behalf of Customer in connection with the Service.
2. Roles & Scope
The parties acknowledge and agree that:
- Customer is the Controller of Customer Personal Data;
- Messagio is the Processor acting on Customer's documented instructions;
- Where Messagio processes account/billing data of Customer's staff, Messagio acts as an independent Controller (see our Privacy Policy);
- Where Customer Personal Data is processed for fraud prevention, security, or legal compliance, Messagio may also act as a Controller to the extent required by law.
3. Details of Processing
| Aspect | Details |
|---|---|
| Subject matter | Provision of the Messagio multi-channel messaging SaaS platform and related AI features. |
| Duration | For the term of the Subscription plus the retention periods set out in Section 8. |
| Nature & purpose | Hosting, storing, routing, displaying, analysing and enabling responses to end-user messages; providing AI-assisted suggestions/replies; generating analytics; billing; security and abuse prevention. |
| Categories of Data Subjects | Customer's staff/agents; Customer's end users (visitors, contacts, customers of Customer) contacting via any integrated channel. |
| Categories of Personal Data | Name, email, phone, messaging-platform identifiers (Facebook PSID, Instagram ID, WhatsApp number, Telegram ID, Viber ID), IP address, device/browser metadata, message content, attachments, order/customer references when connected to e-commerce bridges, conversation metadata (timestamps, channel, agent), AI interaction logs. |
| Special categories | Not intentionally processed. Customer must not submit special categories of data (Art. 9 GDPR) or criminal-offence data (Art. 10 GDPR) without prior written agreement. |
4. Controller's Instructions
Messagio Processes Customer Personal Data only on the documented instructions of Customer, including (a) as described in the Terms, this DPA and the Service's configuration options, and (b) to comply with applicable law, in which case Messagio will inform Customer of the legal requirement before Processing unless prohibited by law.
Messagio will immediately inform Customer if, in its opinion, an instruction infringes applicable data protection law.
5. Confidentiality & Personnel
Messagio ensures that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations and receive appropriate training.
6. Security Measures (Art. 32 GDPR)
Messagio implements and maintains appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest for database and backup storage;
- Role-based access control with least-privilege and per-tenant isolation;
- Strong authentication for administrative access (SSH keys, password policies); JWT-based user authentication;
- Network segmentation, firewall rules, and reverse proxy hardening;
- Dedicated VM hosted in Google Cloud europe-west3 (Frankfurt, Germany);
- Automated and manual backups; backup integrity testing;
- Centralised logging and monitoring; PM2 process supervision;
- Routine patching of operating system and dependencies;
- Secret management via environment variables and database-stored per-tenant API keys (never in source code);
- Segregation of production and development environments;
- Incident response procedures and breach notification process;
- Secure software development practices (code review, dependency scanning).
7. Sub-processors
Customer provides general written authorisation for Messagio to engage Sub-processors to Process Customer Personal Data, subject to the conditions of this Section. A current list is available at /legal/subprocessors.html.
Messagio will:
- Impose on each Sub-processor data protection obligations no less protective than those in this DPA;
- Give Customer at least 30 days' prior notice of any intended additions or replacements (by email and/or in-app notification);
- Allow Customer to object on reasonable data protection grounds; if the objection cannot be resolved, Customer may terminate the affected Service and receive a pro-rata refund of pre-paid fees for the unused period;
- Remain fully liable to Customer for the acts and omissions of Sub-processors.
8. Data Retention & Deletion
- Conversations & messages: retained for the duration of the Subscription and for up to 12 months after account closure, after which they are irreversibly deleted, unless a longer period is required by law.
- Billing & invoicing records: retained for 10 years as required by Greek tax law.
- Security logs: typically retained for up to 12 months.
- AI usage logs: retained for up to 12 months for abuse prevention, debugging and billing reconciliation.
- On termination, Customer may export data within 30 days via the Service's data-export function (Settings → Privacy & Data) or by contacting hello@bigg.gr.
9. International Data Transfers
Personal Data is primarily stored in the EU (Google Cloud europe-west3, Frankfurt). Where transfers to third countries occur (e.g. via Sub-processors such as OpenAI, Anthropic, Stripe, Meta, Google), Messagio ensures lawful transfer mechanisms under Chapter V GDPR, including:
- The EU-U.S. Data Privacy Framework (where the recipient is certified under the DPF);
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914); and/or
- Additional safeguards following a transfer impact assessment.
10. AI Processing
Where Customer enables AI features, message content and relevant context may be sent to AI providers (OpenAI, Anthropic) for inference only. Messagio contractually requires that Customer Personal Data is not used to train provider models. AI providers act as Sub-processors. See our AI Disclosure.
11. Assistance to Controller
Taking into account the nature of the Processing, Messagio will assist Customer, by appropriate technical and organisational measures and insofar as possible, to fulfil Customer's obligations to respond to Data Subject requests under Chapter III GDPR, including access, rectification, erasure, restriction, portability and objection. Messagio provides in-product tools (export and deletion) to facilitate most requests.
Messagio will also assist Customer in ensuring compliance with Articles 32-36 GDPR, including security, breach notification, data protection impact assessments and prior consultation with Supervisory Authorities, taking into account the information available to Messagio.
12. Personal Data Breach
Messagio will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information required by Article 33(3) GDPR to the extent known, and will cooperate with Customer in investigating and remediating the breach. Notification will be sent to the email address on the account; Customer is responsible for keeping this address current.
13. Audits
Messagio makes available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including via policies, documentation and, where applicable, third-party certifications or audit reports. Customer (or an independent auditor mandated by Customer and approved by Messagio, bound by confidentiality) may conduct an audit no more than once per 12 months, on at least 30 days' prior written notice, during business hours, in a manner that does not disrupt the Service, and at Customer's cost, except where the audit reveals material non-compliance.
14. Return or Deletion on Termination
Within 30 days of termination of the Subscription, Customer may export Customer Personal Data. After the retention periods in Section 8 expire, Messagio will delete or anonymise Customer Personal Data, unless retention is required by applicable law. Messagio will, on written request, certify deletion.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that nothing in the Terms limits either party's liability to Data Subjects under Article 82 GDPR or to Supervisory Authorities for administrative fines.
16. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service or any order form, this DPA prevails with respect to the Processing of Personal Data. For Standard Contractual Clauses (where executed between the parties), the SCCs prevail over this DPA.
17. Governing Law & Jurisdiction
This DPA is governed by the laws of Greece and disputes are subject to the exclusive jurisdiction of the competent courts of Athens, Greece, except where mandatory data protection law requires otherwise.
18. Data Protection Officer / Contact
Mariza Katsantoni has appointed herself as the contact point for data protection matters and acts as the Data Protection Officer for Messagio:
Mariza Katsantoni (Data Protection Officer / Controller)
Email: hello@bigg.gr
Supervisory Authority: Hellenic Data Protection Authority (HDPA) — www.dpa.gr.
Acceptance
This DPA is accepted electronically when Customer clicks "I accept" during onboarding or when an authorised user of Customer accepts it on Customer's behalf. A record of acceptance (user, tenant, timestamp, version, IP, user agent) is stored in Messagio's legal_acceptances table as evidence of consent.