DPA Template: Data Processing Agreement
The template Data Processing Agreement between GigaWebZone LLP (processor) and the Customer (data fiduciary), under the Digital Personal Data Protection Act, 2023. A countersigned copy can be issued on request.
Parties & purpose
This Data Processing Agreement ("DPA") is entered into between:
- GigaWebZone LLP, an Indian limited liability partnership (LLPIN AAV-4776) with its registered office in Maharashtra, India, operating the GigaBizZone services ("Processor"); and
- The Customer identified in the Kickoff Document ("Data Fiduciary").
It supplements the Terms of Service and the Kickoff Document, and governs the processing of personal data by the Processor on behalf of the Data Fiduciary in connection with the Services.
Definitions
Terms used in this DPA have the meaning given in the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. In particular:
- Personal Data: Any data about an individual identifiable by or in relation to such data.
- Data Principal: The individual to whom Personal Data relates.
- Data Fiduciary: The Customer, who determines the purpose and means of processing.
- Data Processor: GigaBizZone, who processes Personal Data on behalf of the Data Fiduciary.
- Sub-processor: Any third party engaged by the Processor to process Personal Data.
- Personal Data Breach: Any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to Personal Data.
Roles & responsibilities
The Customer is the Data Fiduciary for Personal Data processed in connection with the Services. GigaBizZone acts as a Data Processor on the Customer's documented instructions, except where required by law to do otherwise.
The Customer is responsible for the lawfulness of its instructions, for obtaining valid consent from Data Principals where required, and for ensuring that the Personal Data shared with GigaBizZone is accurate and lawfully collected.
Scope of processing
The nature and purpose of processing is to deliver the Modules selected by the Customer in the configurator and recorded in the Kickoff Document — for example, voice agent operations, WhatsApp conversational flows, CRM and pipeline management, outbound prospecting, content production, reputation management and document/operations automation.
Processing continues for the duration of the Engagement and ceases on termination, subject to the deletion provisions in section 14.
Data & data subjects
Personal Data processed under this DPA typically includes the categories listed below, in each case limited to what is necessary for the Module concerned:
- Customer contacts and leads — name, phone, email, organisation, role, enquiry history.
- Customer employees — name, role, work email, account credentials.
- End users / patients / parents / diners / prospects — contact details, conversation history, appointment/order data, location data only where strictly necessary.
- Voice call recordings and transcripts, where the voice agent is in scope.
The Customer is responsible for ensuring that no special-category data is shared with GigaBizZone outside the scope agreed in the Kickoff Document.
Customer instructions
GigaBizZone processes Personal Data only on the documented instructions of the Customer, as set out in the Kickoff Document, these Terms or subsequent written instructions. If GigaBizZone reasonably believes an instruction violates applicable law, it will notify the Customer and may pause the affected processing.
Sub-processors
The Customer authorises GigaBizZone to engage Sub-processors for the categories listed below, subject to written agreements imposing data-protection obligations at least as strict as this DPA:
- Hosting and infrastructure (Company-owned VPS, Cloudflare CDN, MinIO storage)
- CRM and pipeline (GoHighLevel)
- Communication platforms (WhatsApp Business API providers, telephony providers)
- LLM and model providers used for AI features
- Email and analytics (transactional email providers, self-hosted Plausible/PostHog)
GigaBizZone will maintain a current list of Sub-processors and notify the Customer of any material change before it takes effect. The Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the concern; if it cannot be resolved, the Customer may terminate the affected Modules without penalty for the remainder of the then-current term.
Security measures
GigaBizZone implements and maintains the technical and organisational measures set out in Annex A below, designed to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage.
Annex A — Security measures (summary)
- HTTPS-only transport with HSTS and modern TLS.
- Web Application Firewall and rate-limiting on public endpoints.
- Encrypted storage on the Company-owned VPS; encrypted backups to MinIO.
- Daily automated backups with documented retention.
- Role-based access control, principle of least privilege, periodic access reviews.
- Multi-factor authentication for administrative access.
- Hardened WordPress and infrastructure baselines; disabled XML-RPC and file editing.
- Centralised logging of administrative actions and security events.
- Documented incident response and breach-notification procedure.
Personnel & confidentiality
GigaBizZone ensures that personnel authorised to process Personal Data are bound by written confidentiality obligations, are trained in their data-protection duties, and receive access on a need-to-know basis.
International transfers
Personal Data is primarily processed within India. Where a Sub-processor processes Personal Data outside India (for example, model inference performed abroad), GigaBizZone will ensure appropriate contractual safeguards are in place, in line with the DPDP Act, 2023 and any notifications issued by the Central Government.
Data-subject rights
GigaBizZone will, taking into account the nature of the processing, provide reasonable assistance to the Customer to respond to requests from Data Principals to access, correct, complete, erase or restrict the processing of their Personal Data, or to withdraw consent.
Breach notification
GigaBizZone will notify the Customer without undue delay, and in any case within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Customer's data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of Data Principals and records affected, likely consequences and the measures taken or proposed.
Audits
GigaBizZone will, on reasonable written notice and not more than once a year (except following a notified breach), make available to the Customer the information necessary to demonstrate compliance with this DPA, and contribute to audits — including inspections — conducted by the Customer or a mutually agreed auditor bound by confidentiality.
Deletion & return
On termination of the Engagement, GigaBizZone will, at the Customer's choice, return or delete all Personal Data processed on the Customer's behalf, together with copies, unless retention is required by applicable law. Retained data will continue to be protected under this DPA.
Liability
Liability under this DPA is governed by the limitations set out in the Terms of Service, except where applicable law requires otherwise.
Governing law
This DPA is governed by the laws of India. The courts at Pune, Maharashtra have exclusive jurisdiction, consistent with the Terms of Service.
For a countersigned copy of this DPA for your Engagement, please email legal@gigawebzone.com.