Data Processing Addendum (DPA)
Processor terms for personal data we process on your instructions.
Company: EcomSarthi Business Solutions LLP ("EcomSarthi", "we", "us", "our")
Product: Ecom10x — One Dashboard. Every Marketplace. (the "Platform" or "Service")
Effective Date: [EFFECTIVE_DATE — e.g., 1 August 2026] · Version: [VERSION — e.g., 1.0] · Next Review: [NEXT_REVIEW_DATE — e.g., 1 February 2027]
1. Scope and Roles
This DPA forms part of the Terms and applies where EcomSarthi processes personal data contained in Customer Data on the Customer's instructions (e.g., buyer names, addresses and contact details inside order and shipment records). For such data, the Customer is the Data Fiduciary (or equivalent controller) and EcomSarthi acts as a processor/service provider. For account data of the Customer's own users, the Privacy Policy applies and EcomSarthi is the Data Fiduciary.
2. Details of Processing
- Subject matter: provision of the Ecom10x Service.
- Duration: the subscription term plus deletion periods in the Data Deletion Policy.
- Nature and purpose: collection via official Marketplace integrations and file uploads; storage; organisation; analysis; display; export; deletion — solely to deliver the Service features configured by the Customer.
- Categories of data subjects: the Customer's personnel; the Customer's buyers/end-customers.
- Categories of data: identification and contact details, order and delivery details, payment/settlement references (no card numbers), and related business records.
3. Processor Obligations
EcomSarthi shall: (a) process personal data only on documented instructions from the Customer, including as embodied in Service configuration, unless required by law (in which case we inform the Customer unless prohibited); (b) ensure persons authorised to process are bound by confidentiality; (c) implement the technical and organisational measures described in the Security Policy (encryption in transit and at rest, RBAC, least privilege, audit logging, secure token storage, monitoring); (d) assist the Customer, taking into account the nature of processing, in responding to data-principal requests and in meeting security and breach-notification obligations; (e) notify the Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Data, with the information reasonably required for the Customer's own notifications; (f) delete or return personal data at the end of the engagement per the Data Deletion Policy; and (g) make available information reasonably necessary to demonstrate compliance, and allow audits as per Section 6.
4. Sub-processing
The Customer provides general authorisation for the subprocessors listed in the Subprocessor Policy. We will give at least 15 days' notice of intended additions or replacements, during which the Customer may object on reasonable data-protection grounds; if we cannot resolve the objection, the Customer may terminate the affected portion of the Service with a pro-rata refund of prepaid fees. We remain responsible for our subprocessors' performance.
5. International Transfers
Transfers outside India occur only as permitted by the DPDP Act and applicable rules, with contractual protections binding the recipient to obligations no less protective than this DPA.
6. Audit
Not more than once annually (and additionally after a material breach), the Customer may audit compliance by: (a) reviewing our security documentation and third-party assessments made available on request; and (b) where reasonably required, a remote or on-site audit at mutually agreed times, under confidentiality, at the Customer's cost, without access to other customers' data.
7. Liability
Liability under this DPA is subject to the limitations in the Terms, except where applicable data protection law does not permit such limitation.
8. Precedence
In conflict between this DPA and the Terms regarding processing of personal data, this DPA prevails.
Governing Law & Dispute Resolution
This document is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, without regard to conflict-of-law principles.
Any dispute arising out of or in connection with this document shall first be attempted to be resolved amicably through good-faith negotiation within thirty (30) days of written notice. Failing amicable resolution, the dispute shall be referred to arbitration by a sole arbitrator appointed in accordance with the Arbitration and Conciliation Act, 1996. The seat and venue of arbitration shall be [JURISDICTION_CITY — e.g., New Delhi], India, and proceedings shall be conducted in English. Subject to the foregoing, the courts at [JURISDICTION_CITY — e.g., New Delhi], India shall have exclusive jurisdiction.
Contact
EcomSarthi Business Solutions LLP
[REGISTERED_OFFICE_ADDRESS OF ECOMSARTHI BUSINESS SOLUTIONS LLP]
Support: [SUPPORT_EMAIL — e.g., support@ecom10x.in] · Legal: [LEGAL_EMAIL — e.g., legal@ecom10x.in] · Phone: [SUPPORT_PHONE_NUMBER]