DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“DPA”) is entered into on 13-Oct-2025 between the Client (“Controller”) and BizMagnets International Private Limited (“BizMagnets” or “Processor”), having its registered office at Plot 41B & 41C, North Phase, SIDCO Industrial Estate, Ekkatuthangal, Chennai, Tamil Nadu 600032, India.
WHEREAS, the Controller determines the purposes and means of processing Personal Data; and WHEREAS, BizMagnets provides workflow automation services via WhatsApp and processes such data on behalf of the Controller; and WHEREAS, the parties seek to ensure compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
1. DEFINITIONS
Unless otherwise defined herein, capitalized terms shall have the meanings set forth in the General Data Protection Regulation (GDPR). Key terms include: Controller, Processor, Data Subject, Personal Data, Processing, and Sub-Processor.
2. PURPOSE AND SCOPE
2.1 This DPA applies to the Processing of Personal Data by BizMagnets on behalf of the Controller. 2.2 The Processor shall process Personal Data solely for the purpose of providing the agreed services and in accordance with the Controller’s documented instructions.
3. ROLES AND RESPONSIBILITIES
3.1 The Controller is responsible for ensuring that Personal Data is collected lawfully. 3.2 BizMagnets shall process such data only as instructed, maintain confidentiality, and ensure personnel are bound by confidentiality obligations. 3.3 The Processor shall not determine the purposes or means of Processing.
4. SECURITY MEASURES
4.1 BizMagnets shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or destruction. 4.2 Measures include encryption (at rest and in transit), SSL, restricted access, logging, and automated backups. 4.3 BizMagnets leverages DigitalOcean (Bangalore) infrastructure, compliant with SOC 2 standards.
5. SUB-PROCESSORS
5.1 BizMagnets may engage Sub-Processors for hosting, APIs, or communication services, listed in Annex B. 5.2 BizMagnets shall ensure Sub-Processors provide data protection obligations equivalent to those under this DPA. 5.3 The Controller provides general authorization for the engagement of such Sub-Processors.
6. DATA SUBJECT RIGHTS
6.1 BizMagnets shall assist the Controller in fulfilling its obligations to respond to requests for exercising Data Subject rights under the GDPR. 6.2 Requests shall be forwarded promptly to the Controller.
7. DATA BREACH MANAGEMENT
7.1 In the event of a Personal Data Breach, BizMagnets shall notify the Controller without undue delay and no later than 72 hours after becoming aware. 7.2 The notification shall include details of the breach, affected data, potential impact, and remedial measures. 7.3 BizMagnets shall cooperate fully in the investigation and mitigation of such incidents.
8. DATA RETENTION AND DELETION
8.1 Personal Data shall be retained only for the duration of the service. 8.2 Upon termination, BizMagnets shall delete or anonymize Personal Data within 90 days unless otherwise instructed. 8.3 The Controller may request data export prior to deletion.
9. INTERNATIONAL TRANSFERS
9.1 BizMagnets processes and stores data within India (DigitalOcean Bangalore region). 9.2 No cross-border data transfers are made unless expressly instructed by the Controller or required by law.
10. AUDITS AND COMPLIANCE
10.1 BizMagnets shall make available all information necessary to demonstrate compliance with GDPR Article 28 obligations. 10.2 The Controller may request documentation or conduct remote audits under reasonable notice. 10.3 Physical audits are limited to regulatory requirements.
11. LIABILITY AND INDEMNITY
11.1 Each Party shall be liable for damages resulting from its breach of this DPA. 11.2 Liability shall be limited to the total fees paid under the applicable Service Agreement during the 12 months preceding the event.
12. TERM AND TERMINATION
12.1 This DPA shall remain in force for as long as BizMagnets processes Personal Data on behalf of the Controller. 12.2 Termination of the main Service Agreement shall automatically terminate this DPA, subject to retention and deletion clauses.
13. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by the GDPR for compliance and by the laws of India for enforcement. The courts of Chennai, Tamil Nadu, India, shall have exclusive jurisdiction.
14. MISCELLANEOUS
14.1 Any amendments must be in writing and mutually agreed. 14.2 If any provision of this DPA is held invalid, the remaining provisions shall remain in full force. 14.3 This DPA shall prevail over conflicting provisions in other agreements.
ANNEX A – DATA CATEGORIES & SUBJECTS
Data Subjects: Customers, Patients, Employees, Students. Data Categories: Name, Phone Number, Chat Content, and other context provided by the user. Purpose: Workflow automation, chat handling, and analytics support.
ANNEX B – APPROVED SUB-PROCESSORS
1. Meta (WhatsApp Business API) – Messaging Infrastructure 2. DigitalOcean (Bangalore) – Cloud Hosting 3. Google GCP – APIs and Cloud Services 4. GitLab – Source Code Management 5. Gmail – Communication 6. Zoho Books – Accounting 7. Redington BSP – Business Service Partner
ANNEX C – TECHNICAL AND ORGANIZATIONAL MEASURES
- Data encrypted at rest and in transit (SSL/TLS) - Automated daily backups - Role-based access control (RBAC) - Logging and monitoring - Regular security patching and software updates - Periodic review of data retention policies - Data deletion within 90 days of termination
SIGNATURES
For and on behalf of BizMagnets International Private Limited Authorized Signatory: ______________________ Name: Prasanna Kothandaraman Designation: Founder & CEO Date: 13-Oct-2025
Last updated