Data Processing Addendum
Terms governing the processing of personal data under the Agreement.
This Data Processing Addendum, including its annexes and the Standard Contractual Clauses, ("DPA") is made by and between Cention, and Customer, pursuant to the Master Subscription Agreement or other written or electronic agreement between the parties (as applicable) ("Agreement"), and will be effective on the date both parties have signed the Agreement.
This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Cention under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
Definitions
Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement.
Account Data: means Personal Data that relates to Customer's relationship with Cention, including Personal Data used to access Customer's account and billing information, verify identity, maintain or improve performance of the Services, provide support, investigate and prevent system abuse, or fulfill legal obligations.
Applicable Data Protection Legislation: refers to laws and regulations applicable to Cention's processing of personal data under the Agreement, including but not limited to the GDPR, UK Data Protection Laws, Swiss DPA, CCPA, Australian Privacy Principles, and the Philippines Data Privacy Act of 2012.
Controller: means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Customer Data: means personal data that relates to Customer's relationship with Cention, including Personal Data that Cention processes as a Processor on behalf of Customer.
GDPR: means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Personal Data: means any information relating to an identified or identifiable natural person ("data subject") or as defined in and subject to Applicable Data Protection Legislation.
Processor: means the entity which processes Personal Data on behalf of the Controller.
Processing: means any operation or set of operations performed upon Personal Data, whether or not by automated means.
Security Breach: means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, alteration, or access to Customer Data.
Standard Contractual Clauses (SCCs): means the standard contractual clauses for the transfer of personal data to third countries pursuant to applicable data protection regulations.
Sub-processor: means any third-party Processor engaged by Cention to assist in fulfilling Cention's obligations under the Agreement.
1. Applicability and Scope
Applicability
This DPA will apply only to the extent that Cention processes, on behalf of Customer, Personal Data to which Applicable Data Protection Legislation applies.
Scope
The subject matter of the data processing is the provision of the Services, and the processing will be carried out for the duration of the Agreement. Schedule 1 (Details of Processing) sets out the nature and purpose of the processing, the types of Personal Data Cention processes and the categories of data subjects whose Personal Data is processed.
Cention as a Processor
The parties acknowledge and agree that regarding the processing of Customer Data, Customer may act either as a controller or processor and Cention is a processor. Cention will process Customer Data in accordance with Customer's instructions.
Cention as a Controller of Account Data
The parties acknowledge that, regarding the processing of Account Data, Customer is a controller and Cention is an independent controller. Cention will process Account Data as a controller (a) to manage the relationship with Customer; (b) to carry out Cention's core business operations; (c) to detect, prevent, or investigate security incidents; (d) to verify identity; (e) to comply with legal obligations; and (f) as otherwise permitted under Applicable Data Protection Legislation.
2. Cention as a Processor - Processing Customer Data
Customer Instructions
Customer appoints Cention as a processor to process Customer Data on behalf of, and in accordance with, Customer's instructions as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services.
Lawfulness of Instructions
Customer will ensure that its instructions comply with Applicable Data Protection Legislation. Cention will inform Customer if it becomes aware that Customer's instructions violate applicable law.
3. Purpose Limitation
Cention will process Personal Data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this DPA further specifies the nature and purpose of the processing.
4. Compliance
Customer shall be responsible for ensuring that:
- All necessary notices have been given and authorizations obtained as required under Applicable Data Protection Legislation
- It has complied with all applicable laws relating to privacy and data protection
- It has the right to transfer Customer Data to Cention for processing
5. Confidentiality
Confidentiality Obligations
Cention requires all employees to acknowledge in writing that they will adhere to Cention's security policy and protect Customer Data. All employees sign a confidentiality statement at the time of hire.
Cention will ensure that any person authorized to process Customer Data shall be subject to a duty of confidentiality.
Background Checks
Cention conducts criminal background investigations on all employees who perform material aspects of the Services.
Responding to Third Party Requests
If any Third Party Request is made directly to Cention in connection with Customer Data, Cention will promptly inform Customer and provide details, to the extent legally permitted. Cention will not respond without prior notice to Customer and an opportunity to object, except as legally required.
6. Sub-processors
Authorization for Sub-processing
Customer agrees that Cention may engage Sub-processors as listed at https://cention.com/subprocessors (the "Sub-processor Page").
Cention will:
- Restrict sub-processor access to Customer Data to what is strictly necessary
- Impose contractual data protection obligations on sub-processors
- Remain liable for any breach caused by sub-processors
Notification of Sub-processor Changes
Cention will notify Customer at least 10 days prior to adding or replacing Sub-processors. Customers can follow the link above to receive notifications.
If Customer objects to a new Sub-processor within thirty (30) days on reasonable grounds, Cention will work in good faith to find an alternative solution. If no solution is found, Customer may terminate the Agreement at no additional cost.
7. Impact Assessments and Consultations
Customer shall be responsible for ensuring that all necessary notices, authorizations, and compliance requirements are met under Applicable Data Protection Legislation.
8. Security
Cention has in place and will maintain appropriate technical and organizational measures designed to protect Customer Data against Security Breaches. These measures are detailed in Schedule 2 (Technical and Organizational Security Measures).
Upon becoming aware of a Security Breach involving Customer Data, Cention shall notify Customer without undue delay and provide information as Customer may reasonably require.
Customer is solely responsible for:
- Making appropriate use of the Service to ensure security appropriate to the risk
- Securing account authentication credentials, systems and devices
- Backing up Customer Data
9. Return or Deletion of Customer Data
Upon termination or expiry of this Agreement, Cention will (at Customer's election) delete or return all Customer Data within a maximum period of 30 days, except where required by law to retain some or all of the Customer Data.
10. Audits
Cention shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.
Cention shall permit Customer (or appointed third party auditors) to carry out an audit at Customer's cost following a Security Breach or upon instruction of a data protection authority. Customer must give reasonable prior notice and conduct audits during normal business hours. Audits may only be performed once annually.
Cention uses external auditors to verify the adequacy of its security measures. A description of Cention's certifications can be found at https://cention.com/security.
11. Transfer Mechanisms
Location of Processing
Customer acknowledges that Cention and its Sub-processors may transfer and process personal data in locations where Cention maintains data processing operations. Cention shall ensure that such transfers comply with Applicable Data Protection Legislation.
Transfer Mechanism
When the transfer of personal data is a Restricted Transfer and Applicable Data Protection Legislation requires appropriate safeguards, such transfer shall be subject to the appropriate Standard Contractual Clauses.
For transfers protected by the GDPR, the EU SCCs shall apply with Module Two or Module Three (as applicable).
For transfers protected by UK GDPR or Swiss DPA, the EU SCCs will apply with appropriate modifications for UK or Swiss law.
Alternative Transfer Mechanism
If Cention adopts an alternative data export mechanism that complies with Applicable Data Protection Legislation, it shall apply instead of the mechanisms described above, upon notice to Customer and an opportunity to object.
12. Miscellaneous
If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail. The order of precedence will be: (a) this DPA; (b) the Agreement; and (c) the Privacy Policy.
In the event of a conflict among Applicable Data Protection Legislation, the parties shall comply with the more onerous requirement.
Cention reserves the right to modify this DPA as may be required to comply with Applicable Data Protection Legislation.
Except as amended by this DPA, the Agreement will remain in full force and effect.
Schedule 1: Details of Processing
A. List of Parties
Data Exporter(s):
The party identified as the "Customer" in the Agreement and this DPA
As set forth in the Agreement
Data Importer(s):
Cention Group Sdn Bhd
19th floor Menara Worldwide
198 Jalan Bukit Bintang
55100 Kuala Lumpur, Malaysia
Contact: Cention's Privacy Team – legal@cention.com
B. Description of Processing/Transfer
Categories of Data Subjects:
- Module One: Customer's employees and authorized individuals; employees or contact persons of Customer's prospects, customers, business partners and vendors
- Modules Two and Three: Customer's end users: prospects, customers, business partners and vendors
Categories of Personal Data:
- Module One: Account Data including name, contact information, and billing address
- Modules Two and Three: Customer Data including username, password, email address, IP address, customer attribute data, website page view data, click data, and social media information
Nature and Purpose of Processing:
- Module One: To manage the account, access billing information, verify identity, maintain the Services, provide support, investigate system abuse, or fulfill legal obligations
- Modules Two and Three: Cention provides a communication platform to facilitate interaction between Customer and end users. Processing is necessary to provide the Services under the Agreement
Retention Period:
- Module One: As long as required to provide Services, for lawful business needs, or in accordance with applicable law
- Modules Two and Three: Upon termination, Customer Data will be deleted or returned within 30 days, except where required by law
Schedule 2: Technical and Organizational Security Measures
The following technical and organizational security measures are implemented by Cention:
Encryption
- All data sent to or from Cention is encrypted in transit using TLS 1.2
- Customer Personal Data is encrypted at rest using 256-bit encryption
- All datastores are configured and patched according to industry-recognized standards
Confidentiality, Integrity, Availability and Resilience
- Formal procedure for handling security events with rapid response
- Customer Data permanently stored in AWS (Europe: Stockholm and Ireland; APAC: Singapore and Sydney; US: within the US)
- Backed up for disaster recovery
- Geographic failover capability
- 24×7 on-call incident management
Access Controls
- Single Sign-On (SSO) with Multi-Factor Authentication (MFA)
- Unique ID for each employee via Identity Provider
- Access restricted to "need-to-know" following least privilege principles
- Regular access reviews every 180 days
- Strong password requirements (minimum 10 characters, mixed case, numbers, special characters)
- Account lockout after 5 failed login attempts
Physical Security
- Services hosted in AWS facilities with industry-standard security
- 24×7×365 security organization
- Access restricted to approved personnel only
- N+1 uninterruptible power supply and HVAC systems
- Backup power generators
- Advanced fire suppression
Security Testing
- Regular application vulnerability scans (at least monthly)
- Annual third-party penetration tests
- Security bug bounty program
- ISO 27001 compliance audits
Data Protection
- Network firewall protection
- Intrusion prevention systems
- Logical separation of customer instances
- Endpoint security software
- System event logging
- Annual security and privacy training for all employees
Data Minimization and Retention
- Data collection limited to processing purposes
- Minimum access (least privilege) necessary to perform functions
- Secure deletion within 90 days upon Customer request
- Archival copies stored offline when required by law
More information about Cention's security measures is available at www.cention.com/security.
Schedule 3: List of Sub-Processors
Customer agrees that Cention may engage Sub-processors as listed at https://www.cention.com/subprocessors (the "Sub-processor Page").
Cention will notify Customer at least 10 days prior to adding or replacing Sub-processors. To receive notifications, customers can follow the link above.
If Customer objects to a new Sub-processor within thirty (30) calendar days on reasonable grounds relating to data protection, Cention will work in good faith to find an alternative solution. If no solution is found, Customer may terminate the Agreement at no additional cost.