In General Data Protection Regulation (GDPR) lingo, we take on the role of "data processor" and we abide by all the rules that follow from that. Because we can't tell when someone is sharing their shoe size or their most intimate secrets, we simply treat all message data as potentially "Personally Identifiable Information" and act accordingly.
Note that because we're a "data processor", our customers (that is, you) are still responsible for getting your users' permission for collecting said data (depending on your reading of the law, this is implicitly given by their choice to use your messaging feature, or you'll have to ask for explicit consent).
We recommend that you send us as little user data as possible. For example, do not send us a user's email address if you don't intend to use our email notification feature, do not send a phone number unless you want SMS notifications, and so on.
In line with GDPR principles, we do not collect or store any data that is not needed for providing a good cross-device messaging service. Notably, we don't "track" your users for marketing purposes. If a user files a "right to be forgotten" request, you can either use our REST API to irrevocably remove all their data, or ask us to do it for you.
Chapter 9 of our Terms of Service covers security and privacy as per the GDPR and similar legislation elsewhere. We do not have a separate DPA.
By default, we store all your data in the EU. See our data processors for an up-to-date list.