Partner compliance can be a rather tedious thing to understand since lawyers love legalese and it happens to be rather difficult to understand for anyone who doesn’t own a law degree. To help clear things up a bit, here are some primary things to consider when managing A2P messaging vendor partners and reviewing their compliance.
1. Look at privacy policies and terms of service provided by your partner
They're usually found on their websites. GDPR requires certain privacy policies to be stated, such as the rights of all EU citizens whose data is being processed. These rights include the right of data portability, the right to be forgotten, and the right to a data subject access request. Whether or not these statements are in the privacy policy may indicate compliance.
Other key aspects to consider are:
- The security features and protocols used and described, as it is key to have the latest encryption at the base (SHA-256) as well as to meet a standard such as ISO 27001.
- Anything relating to payments, payment terms, crediting and invoices as these affect your bottom line directly.
- Liability and force majeure - what limitations does the service provider set for itself in terms of liability for actions that might lead to damages to you or your business?
- Cookies, marketing and tracking - in Europe, for example, there are clear rules in place as to what can be tracked, how, and what type of consent needs to be obtained beforehand.
- International transfer of data - where does the data move and via which channels, are there potential areas where government supervision or interest groups might gain access to your data?
- What’s prohibited and allowed in terms of using the service? What are the limitations on content and communication?
- How are changes to the agreements made and do they automatically apply to your business?
2. Does the service provider utilize cyber-security tools such as 2FA or encryption to prevent data theft?
The GDPR states that security tools must be in place to match the risks associated with data processing. With any type of service, there are certain risks that stem from it, such as fraud, data breaches, etc.
When evaluating these risks, one needs to look at the risk itself and the likelihood of the risk becoming a reality, and compare those aspects to the methods and processes in place to combat them. In other words - what has the service provider done to ensure that my data and business interests are safe?
2FA is a good way to protect against account hijacking. Encryption and strong password requirements help protect stored customer data. These types of security features should also be described in the documents to add transparency as to how data protection is provided.
3. Obtaining consent before data processing - no pre-ticked boxes allowed
Strict rules are in place that restrict data processing and client communications mainly to activities that are needed either to fulfil contractual obligations or to deliver the service at the needed level of quality.
So, for any other data processing, consent must be a freely given, specific, informed, and unambiguous indication of the individual’s wishes. Thus, checking how consent is obtained can show if the new regulations are considered.
The first indication would be to see how marketing communication consent is obtained - with pre-ticked boxes or not, for example. Another is whether unsolicited emails are sent; if they are, that’s a clear violation. The cookie pop-up that we see on a very first visit to a website is a good indicator as well when combined with the cookie policy. Are the cookies used explained, and is consent required for tracking?
4. Look over the partnership agreements and amend them where needed
Make sure they include the new regulations. Then establish an agreement between your company and the partner. Review and specify the Service Agreements, add any needed support agreements that are lacking via a Service Level Agreement and, if needed, add a Non-Disclosure Agreement to define the needs for confidentiality.
An NDA can actually be signed even before the service is used, in the testing or even in the offer phase, as this allows for a more compliant means of sharing information on how the alternative service has worked so far or what the future plans might be for the customer.
Conclusion
While there are additional aspects to consider, these four provide a good indication of whether the right kind of steps have been taken and whether the partners you use can be relied on to provide a compliant service that will not leave you open to litigation, fines, or a PR nightmare.
While legalese can be a bit difficult to understand, following some key indicators in the contracts can help cut through the rest of the fluff and define the potential partner's lawfulness.