Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) governs the processing of personal data that PACUSOFT S.A.S. (“Pacunex”) performs as Processor on behalf of each Customer organization (“Controller”), in accordance with Ecuador’s Organic Law on Personal Data Protection (LOPDP).

This DPA is part of the Terms of Service and applies automatically from the moment the Customer activates the account or signs a service order.

1. Definitions

• Customer / Controller: the organization that contracts the Pacunex service and decides what data to upload and for what purpose.
• Processor: Pacunex, which processes Customer data under its instructions.
• Data subject: the natural person whose personal data is processed.
• Customer Data: the personal data the Customer uploads or processes on the Pacunex platform (e.g., contacts, WhatsApp messages, ERP records).

2. Subject matter

Pacunex processes Customer Data exclusively to provide the service described in the Terms of Service. It does not use Customer Data for its own purposes, does not transfer it to third parties beyond authorized sub-processors, and does not use it to train AI models.

3. Nature, scope and duration

• Nature of processing: storage, transmission, analysis, automated response generation, sending and receiving messages via WhatsApp and other channels the Customer configures.
• Scope: as determined by the Customer when configuring the service.
• Duration: for the duration of the service contract between Customer and Pacunex.

4. Data categories and data subjects

Categories are determined by the Customer. They typically include:

• Data subjects: end customers, prospects, employees and third parties the Customer interacts with.
• Data: name, phone, message content, commercial identifiers (invoice, amount, term), interaction history.

The Customer warrants that it has a valid legal basis to upload the data to the service and complies with its obligations as Controller.

5. Pacunex obligations as Processor

• Process data only according to the Customer’s documented instructions.
• Ensure confidentiality of personnel with access to the data through formal commitments.
• Apply reasonable technical and organizational measures (see §11 of the Personal Data Protection Policy).
• Assist the Customer in responding to data subject rights (access, rectification, deletion, objection, portability).
• Notify the Customer without undue delay of any security breach affecting Customer Data.
• Return or delete Customer Data at the end of the contract, according to the Customer’s instructions.

6. Sub-processors

By accepting this DPA, the Customer authorizes the use of the sub-processors published at /legal/subprocesadores. Pacunex notifies any addition or material change of sub-processor with at least thirty days of advance notice. The Customer may object on reasoned grounds within that period; in such case, the parties will negotiate an alternative solution.

7. International transfers

Some sub-processors operate outside Ecuador. Pacunex ensures a level of protection equivalent to that required by LOPDP through contractual clauses and, where applicable, adequacy decisions.

8. Data subject rights

Data subjects exercise their rights before the Customer (Controller). Pacunex technically assists the Customer in responding within LOPDP timeframes. If a data subject contacts Pacunex directly, we redirect them to the Customer with the minimum information for the Customer to handle the request.

9. Audit

Pacunex makes available to the Customer the information necessary to demonstrate compliance with this DPA. Where applicable, the Customer may request reasonable audits with at least sixty days’ notice, subject to confidentiality clauses.

10. Termination and data return

Upon termination of the contract, Pacunex returns Customer Data in a reasonable exportable format and proceeds with deletion from active systems within a reasonable period, except for legal retention obligations.

11. Breach notification

Pacunex notifies the Customer without undue delay of any incident affecting Customer Data security, including: incident description, affected data, containment measures and remediation plan.

12. Version and modifications

Pacunex may update this DPA. Material modifications are notified with at least thirty days of advance notice. The current version is the one published at this URL with the “Last updated” date indicated above.

13. Annexes

• Annex A: Processing details (defined at each Customer onboarding).
• Annex B: Security measures (see §11 of the Personal Data Protection Policy).
• Annex C: Authorized sub-processors (see /legal/subprocesadores).

14. Contact

DPA and privacy matters: privacidad@pacusoft.com.