Data Processing Agreement

DPA — processor terms.

Last updated: 2026-05-10 · Auto-attached to all subscriptions

This Data Processing Agreement ("DPA") supplements the Terms of Service for any customer using SellerDost. It governs how we process personal data on your behalf as a Data Processor under India's Digital Personal Data Protection Act, 2023 ("DPDPA").

1. Roles

You are the Data Fiduciary ("Controller" in GDPR terms) for the marketplace data you upload or authorise us to fetch — orders, returns, customer ship-to addresses, contact phone numbers, etc. SellerDost is the Data Processor acting only on your documented instructions, which are: (a) the configurations you set in /settings, (b) the explicit instructions you give Saarthi, and (c) what these terms allow.

2. Scope of processing

3. Sub-processors

The current list of sub-processors:

Each sub-processor is contractually bound to (a) confidentiality, (b) processing only on SellerDost's instructions, and (c) appropriate technical and organisational security measures. We'll give you 30 days notice before adding a new sub-processor; you may object in writing.

4. Security measures

5. Data subject requests

If a data subject contacts us directly (e.g. an end-customer asking about their ship-to address in your seller account), we forward the request to you within 5 working days. You respond as the Data Fiduciary; we assist by extracting / deleting the relevant data when you instruct us to.

6. Personal data breach

If we discover or are notified of a personal-data breach affecting your data, we notify you in writing without undue delay (target: within 24 hours of confirmation). Notification includes the nature of the breach, categories and approximate volume of records involved, likely consequences, and the measures we've taken or propose to take. You report to the Data Protection Board of India per DPDPA s.8(6) — we provide whatever evidence you need.

7. Audit + cooperation

Once per year, with 30 days notice, you may request an independent audit of our processing activities at our cost. We'll cooperate with the Data Protection Board and any supervisory authority as required.

8. Return + deletion

On termination, you may export your data via the dashboard or by emailing dpo@sellerdost.com. After 30 days, we delete or irreversibly anonymise the data, except records we're legally required to retain.

9. Liability

Each party's liability under this DPA is subject to the limits in the main Terms of Service. Statutory rights under the DPDPA are not waived.

10. Order of precedence

Where this DPA conflicts with the Terms of Service, this DPA prevails for matters of data protection. The DPDPA prevails over both.

Contact

Data Protection Officer: dpo@sellerdost.com · SMEMinds Technologies, Mumbai