PushSMS Service


1. General principle and purpose of processing

This service relates to the PushSMS product sold by Axialys.

It entails the sending of SMS messages (either single messages or in batches) by our customers to mobile phones in France and around the world.

Our clients submit the SMS messages to be sent in various ways (FTP, web interface, etc.); we store them and then submit them to various partners. We also process the responses, following the same principle (but in reverse).

Within the context of this processing, Axialys acts as a data processor on behalf of its customers who are data controllers in this case.

This processing is done in our data centre in Courbevoie, where the data is stored.

2. Categories of persons concerned

All persons, particularly:

  • customers of our customers
  • prospective customers/contacts of our customers

3. Categories of personal data

The following personal data is processed:

  • telephone numbers of recipients
  • the content of sent messages; although, in practice, this is rarely personal data in the context of direct mail campaigns or notifications, it is nevertheless considered as such

Sensitive personal data as defined by the GDPR is not processed.

4. Recipients of data

4.1. Internal recipients

In general, no one at Axialys is a recipient of data when it comes to this processing, which is essentially automated.

Nevertheless:

  • Access to personal data by the functional support team of the PushSMS service is possible for checks and verification
  • The IT operations team may have access to personal data, as part of the normal maintenance and operations of our systems

4.2. External recipients and subcontractors

To provide this service, Axialys works with:

  • telecom operators
  • “facilitators” whose job is to act as intermediaries between Axialys and a large number of telecom operators

The list of partners is confidential [PPPUSHSMS].

Nevertheless, Axialys guarantees that it has obtained assurances from the partners in question as to their own compliance with the GDPR.

4.3. Exports outside the EU

This personal data will not be transferred outside the EU.

The only personal data transmitted outside the EU concerns the messages and telephone numbers of recipients residing outside the EU which are essentially excluded from the scope of the GDPR.

5. Timeframe for deletion

Data is kept for a 12-month period, in accordance with our obligations to the CPCE (French Civil Procedure Code).

6. Impact in the event of a breach

6.1. Breach of confidentiality

In the event of data theft, the risk is that mobile phone numbers and/or personal messages might be known/read by external parties; furthermore, the name of the person is not necessarily associated. The main risk is the use of the telephone number for advertising purposes.

Moderate impact.

6.2. Breach of integrity

In the event of a breach of data integrity or destruction, the main impact is on the service provided by Axialys. Given that the data itself comes from the customer, the latter is supposed to manage it.

Low impact.

6.3. Breach of availability

In principle, the service is not used by the people who are the subjects of the data, but by suppliers or other partners to communicate information. The temporary unavailability of the service does not represent a significant risk from the point of view of personal use.

Low impact.

7. Risks and operational security measures

This processing does not represent a specific risk in principle:

  • sensitivity of personal data: no
  • appeal it could have for malicious third parties: generally low, the only identified risk being that of possible attempted abuse (sending SMS without paying, for example), with this risk being unrelated to personal data.

In general, the overall prevention and safety measures for services operated by Axialys apply. See "Safety measures applicable to all internal processing".

More specifically:

  • HTTP transfers: data transfers via the web interface and the customer API are encrypted with SSL, using a certificate issued by COMODO and signed with a 2048-bit key using PKCS#1 standards. It is the customer’s responsibility to ensure that any requests made are encrypted to an appropriate standard.
  • FTP transfers: batch files are transferred via SFTP. Axialys recommends the use of an Ed25519 key.
  • emails: unencrypted email file transfer is no longer recommended by Axialys.
  • data storage: the data relating to this processing is stored on a cluster of two internal database servers which are unencrypted and externally inaccessible (firewall). These servers operate in real-time replication, so that the slave server can immediately maintain service if the master server is unavailable.