Data Processing Agreement
DPA — processor terms.
Last updated: 2026-05-10 · Auto-attached to all subscriptions
This Data Processing Agreement ("DPA") supplements the Terms of Service for any customer using SellerDost. It governs how we process personal data on your behalf as a Data Processor under India's Digital Personal Data Protection Act, 2023 ("DPDPA").
1. Roles
You are the Data Fiduciary ("Controller" in GDPR terms) for the marketplace data you upload or authorise us to fetch — orders, returns, customer ship-to addresses, contact phone numbers, etc. SellerDost is the Data Processor acting only on your documented instructions, which are: (a) the configurations you set in /settings, (b) the explicit instructions you give Saarthi, and (c) what these terms allow.
2. Scope of processing
- Categories of data: seller account info, marketplace orders, returns, inventory, settlements, ad reports, conversation transcripts, voice clips (transcribed; deleted on account erasure).
- Categories of data subjects: the seller-business owner / staff (you); incidentally, end-customers whose order ship-to data appears in marketplace exports.
- Purposes: running the dashboards, alerts, GSTR-1 generation, Saarthi replies, billing.
- Duration: for the lifetime of the subscription, plus 30 days for deletion / anonymisation, plus statutory minimum (GST: 6 years).
3. Sub-processors
The current list of sub-processors:
- Microsoft Azure (web hosting, database, and file storage) — Central India region (Pune). Application, database, and uploaded reports are held here.
- Anthropic (Claude API for Saarthi reasoning) — us-east-1. Message text only; no PII fields like email/phone are sent.
- Sarvam AI (Hindi STT/TTS) — Bengaluru.
- OpenAI (Whisper STT fallback) — us-east-1. Audio only when Sarvam is unavailable.
- Meta (WhatsApp Business Cloud API) — multi-region.
Each sub-processor is contractually bound to (a) confidentiality, (b) processing only on SellerDost's instructions, and (c) appropriate technical and organisational security measures. We'll give you 30 days notice before adding a new sub-processor; you may object in writing.
4. Security measures
- Encryption in transit (TLS 1.2+) for all API and storage I/O.
- Encryption at rest at the Microsoft Azure storage + database layer.
- Row-Level Security on every customer-data table — a leaked seller's session key can't read another seller's data.
- Service-role keys segregated and only used in server-side API routes / cron jobs.
- Audit log of every sensitive change (settings, GSTIN, recommendations, etc.).
- Per-route rate limiting + CSRF + signed-bearer-token cron auth.
- HMAC-signed WhatsApp webhook verification.
5. Data subject requests
If a data subject contacts us directly (e.g. an end-customer asking about their ship-to address in your seller account), we forward the request to you within 5 working days. You respond as the Data Fiduciary; we assist by extracting / deleting the relevant data when you instruct us to.
6. Personal data breach
If we discover or are notified of a personal-data breach affecting your data, we notify you in writing without undue delay (target: within 24 hours of confirmation). Notification includes the nature of the breach, categories and approximate volume of records involved, likely consequences, and the measures we've taken or propose to take. You report to the Data Protection Board of India per DPDPA s.8(6) — we provide whatever evidence you need.
7. Audit + cooperation
Once per year, with 30 days notice, you may request an independent audit of our processing activities at our cost. We'll cooperate with the Data Protection Board and any supervisory authority as required.
8. Return + deletion
On termination, you may export your data via the dashboard or by emailing dpo@sellerdost.com. After 30 days, we delete or irreversibly anonymise the data, except records we're legally required to retain.
9. Liability
Each party's liability under this DPA is subject to the limits in the main Terms of Service. Statutory rights under the DPDPA are not waived.
10. Order of precedence
Where this DPA conflicts with the Terms of Service, this DPA prevails for matters of data protection. The DPDPA prevails over both.
Contact
Data Protection Officer: dpo@sellerdost.com · SMEMinds Technologies, Mumbai