LGPD Compliance

The General Data Protection Law (LGPD) — Federal Law No. 13,709/2018 — is the Brazilian legislation regulating the processing of personal data of individuals. In effect since September 2020 and with enforcement of administrative sanctions since August 2021, the LGPD is inspired by the European GDPR and applies to any company processing personal data of residents in Brazil.

The LGPD defines personal data as any information related to an identified or identifiable natural person, including name, CPF (taxpayer registry), email, phone number, address, and behavioral data.

BulkSMS was built from the ground up with the LGPD as a fundamental principle — not as an afterthought. Our commitments include:

• All customer and end-user data are stored exclusively in Brazilian national territory (São Paulo and Rio de Janeiro)
• We have appointed a Data Protection Officer (DPO) registered with the ANPD
• We maintain an up-to-date Record of Processing Operations (ROPA)
• We implement technical and organizational security measures in accordance with ISO 27001
• We provide a standard DPA (Data Processing Agreement) for all clients
• We report security incidents to the ANPD within the legal timeframe of 2 business days

BulkSMS relies on the following legal bases from Art. 7 of the LGPD for data processing:

• Contract execution (Art. 7, V): to deliver the contracted services
• Legitimate interest (Art. 7, IX): for security, fraud prevention, and service improvement
• Consent (Art. 7, I): for marketing communications and use of optional cookies
• Legal obligation (Art. 7, II): to comply with regulatory obligations (ANATEL, Bacen)

In accordance with Art. 18 of the LGPD, every data subject has the right to:

• Confirmation and access: confirm whether we process your data and access a copy
• Correction: correct incomplete, inaccurate, or outdated data
• Anonymization or deletion: when the data is unnecessary or excessive
• Portability: receive your data in a structured format for transfer
• Consent revocation: at any time, by express request
• Objection: object to processing based on legitimate interest

To exercise your rights, contact our DPO: sales@bulksms.com.br

BulkSMS implements state-of-the-art security measures, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for all internal accesses
• Access control based on the principle of least privilege
• 24/7 monitoring and incident response
• Annual penetration tests by specialized third parties
• ISO 27001 certification audited annually

Data Protection Officer of BulkSMS: