Data Processing Agreement
Last updated: April 6, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between [LEGAL ENTITY NAME], operating as Nexus HQ (“Processor”), and the customer entity identified in the applicable order form or Terms of Service (“Controller”). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the Nexus HQ Service, and is aligned with the Digital Personal Data Protection Act, 2023 (India) and comparable principles from international data-protection frameworks.
1. Parties and Purpose
Under this DPA, the Controller acts as the Data Fiduciary (or controller) and the Processor acts as a Data Processor. The Processor will process personal data solely on documented instructions from the Controller (such instructions being provided by the Controller’s configuration of the Service and its use of the product) and only to the extent necessary to provide the Service.
2. Subject Matter and Duration
The subject matter of the processing is the personal data provided by, or collected by the Processor on behalf of, the Controller through the Service. The duration of the processing is the term of the Controller’s subscription, plus the retention period described in the Privacy Policy, after which personal data will be deleted or anonymised.
3. Nature and Purpose of Processing
The Processor processes personal data for the following purposes, each necessary to deliver the Service:
- Hosting and securing workspace data;
- Running AI agents that plan, launch, and optimise ad campaigns across connected ad platforms;
- Reading, analysing, and writing campaign data via Meta, Google, and TikTok APIs;
- Producing analytics, dashboards, reports, and notifications for the Controller;
- Billing, support, security monitoring, and legal compliance.
4. Types of Personal Data
- Identity data about Controller users: name, email, phone, role;
- Authentication data: hashed credentials, OAuth tokens, session identifiers;
- Ad-platform data: campaign configurations, creatives, targeting settings, audience identifiers, and performance metrics, which may include pseudonymous identifiers relating to end users;
- Usage and device data: IP address, browser, device type, timestamps, pages viewed;
- AI processing data: prompts, outputs, and logs associated with AI calls;
- Support data: any personal data included in support communications.
5. Categories of Data Subjects
- The Controller’s employees, contractors, and authorised users;
- Individuals who interact with the Controller’s ad campaigns or audiences, where such data is exposed through the ad-platform APIs;
- Other individuals whose personal data the Controller chooses to process through the Service.
6. Obligations of the Processor
The Processor shall:
- Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by law;
- Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations;
- Implement the security measures described in Section 10;
- Assist the Controller, taking into account the nature of the processing and the information available, in fulfilling its obligations to respond to requests from Data Principals (Section 8);
- Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and consultation with regulators;
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, subject to reasonable confidentiality protections;
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, as described in Section 13.
7. Sub-Processors
The Controller grants a general authorisation for the Processor to engage the sub-processors listed below. The Processor remains fully liable to the Controller for the performance of its sub-processors’ obligations.
- Supabase — database, authentication, and storage (primary region: Mumbai ap-south-1);
- Vercel — application hosting, edge compute, and CDN (primary region: Mumbai);
- Anthropic — AI inference (Claude family models);
- OpenAI — AI inference (fall-back and selected tasks);
- Google — AI inference (Gemini family models);
- Groq — low-latency AI inference;
- Cerebras — high-throughput AI inference;
- DeepSeek — selected AI inference tasks;
- Mistral — selected AI inference tasks;
- OpenRouter — AI provider routing and fall-back;
- Razorpay — payment processing;
- Resend — transactional email delivery;
- AiSensy — WhatsApp Business messaging (where enabled by the Controller).
The Processor will provide reasonable prior notice of the addition or replacement of any sub-processor. The Controller may object to such changes on reasonable grounds related to data protection by written notice within 30 days, after which the parties will cooperate in good faith to find an acceptable solution.
8. Data Subject Rights
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to Data Principal requests to exercise their rights (including access, correction, erasure, and portability) under the DPDP Act. If a Data Principal contacts the Processor directly, the Processor will forward the request to the Controller without undue delay.
9. Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller’s personal data. The notification will include, to the extent known at that time:
- The nature of the breach and the categories and approximate number of data subjects;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its effects;
- A contact point for further information.
10. Security Measures
The Processor implements and maintains the following technical and organisational security measures:
- Encryption of secrets and sensitive fields at rest using AES-256-GCM;
- Encryption of data in transit using TLS 1.2 or higher;
- Row-level security (RLS) in the Postgres database to isolate workspace data;
- Least-privilege production access gated by SSO and multi-factor authentication;
- Immutable audit logs for administrative and AI agent actions;
- Automated daily backups with point-in-time recovery;
- A buffer architecture that prevents AI outputs from being written directly to ad-platform APIs without validation;
- Regular security reviews and dependency patching;
- Incident response procedures and designated on-call engineers.
11. International Transfers
The Processor stores personal data primarily in India. Where sub-processors process personal data outside India, the Processor has assessed the protections available and, where required, entered into data processing terms with those sub-processors. The Processor will comply with any restrictions on cross-border transfers that the Central Government of India may notify under the DPDP Act.
12. Audit Rights
Upon reasonable prior written notice (and no more than once per calendar year, except where a supervisory authority requires otherwise), the Controller may request information reasonably necessary to verify the Processor’s compliance with this DPA. The Processor may satisfy such requests by providing summaries of its security controls, third-party audit reports (where available), and responses to a security questionnaire. On-site audits may be arranged where demonstrably necessary, subject to reasonable confidentiality, scheduling, and scope limitations, and at the Controller’s cost.
13. Return and Deletion of Data at Contract End
On termination or expiry of the Controller’s subscription, the Controller may request, within 30 days, an export of its Customer Data in a commonly used format. After that window, or on the Controller’s earlier written request, the Processor will delete or anonymise the Controller’s personal data from active systems within 90 days, except for copies retained in secure backups (which will be deleted in accordance with the Processor’s backup-rotation schedule) and copies that must be retained by law.
14. Liability and Indemnification
Each party’s liability arising out of or related to this DPA is subject to the limitation of liability provisions in the underlying Terms of Service. Nothing in this DPA is intended to alter the allocation of risk between the parties or to create liability that would not otherwise exist under the underlying agreement.
15. Governing Law
This DPA is governed by the laws of the Republic of India, and any disputes arising under it are subject to the jurisdiction and arbitration provisions of the underlying Terms of Service.
16. Signatures
This DPA is incorporated by reference into the Terms of Service between the Controller and the Processor. Where a Controller requires a counter-signed copy for its compliance records, both parties may sign below.
Need a counter-signed DPA or a custom annex for your compliance team? Email us and we’ll prepare one.
legal@nexhq.co