Personal Data Processing Agreement

                Data Processing Agreement: This agreement governs how WappBlaster processes personal data for all our services. We are committed to protecting your privacy and complying with applicable data protection laws. All legal matters are subject to the exclusive jurisdiction of Bikaner Court, Rajasthan, India.
            

1. Definitions and Parties

1.1 Parties to this Agreement

Data Controller: You (the customer) who determines the purposes and means of processing personal data
Data Processor: WappBlaster, who processes personal data on behalf of the Data Controller
Data Subject: The individual whose personal data is being processed

1.2 Key Definitions

Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data, including collection, storage, use, disclosure
Special Categories: Sensitive personal data requiring enhanced protection
Data Breach: Unauthorized access, disclosure, or loss of personal data
Retention Period: The time period for which personal data is stored

1.3 Scope of Agreement

This agreement applies to all personal data processing activities conducted through WappBlaster services, including:

Auto WhatsApp Marketing automation
Auto Dialer and call management
Call logs and lead management systems
Customer reminder and notification services
Employee attendance and location tracking
Field team monitoring and management
Personal reminder and task management
Digital catalogue and review management
File management and document storage
WhatsApp Business API services

2. Categories of Personal Data

2.1 Customer and Contact Data

Data Category	Data Types	Purpose	Retention Period
Contact Information	Names, phone numbers, email addresses	Service provision, communication	Account lifetime + 2 years
Communication Records	WhatsApp messages, call logs, SMS	Automation, analytics, compliance	24 months
Business Information	Company details, industry, size	Service customization, support	Account lifetime + 5 years
Transaction Data	Payment details, billing history	Billing, compliance, fraud prevention	7 years (legal requirement)

2.2 Employee and Location Data

Data Category	Data Types	Purpose	Retention Period
Biometric Data	Selfie photos for attendance	Identity verification, attendance tracking	3 years (employment records)
Location Data	GPS coordinates, timestamps	Attendance verification, field tracking	3 years (employment records)
Work Records	Attendance logs, task completion	Performance tracking, payroll	7 years (employment law)
Device Information	Device ID, app usage, system info	Security, performance optimization	2 years

2.3 Special Categories of Data

Enhanced Protection Required: The following data categories require explicit consent and enhanced security measures:

Biometric Data: Selfie photos used for attendance verification
Location Data: Precise GPS coordinates for employee tracking
Health Data: Medical appointment reminders (if used)
Financial Data: Payment information and billing details

3. Lawful Basis for Processing

3.1 Legal Bases Under Indian Law

Primary Legal Bases:

Contract Performance: Processing necessary for service delivery
Legitimate Interest: Business operations, security, fraud prevention
Consent: Explicit consent for special categories of data
Legal Obligation: Compliance with Indian laws and regulations
Vital Interest: Emergency situations requiring immediate action

3.2 Specific Processing Purposes

Processing Activity	Legal Basis	Data Categories	Retention
WhatsApp Message Automation	Contract Performance	Contact info, message content	24 months
Call Log Management	Contract Performance	Phone numbers, call duration	24 months
Attendance Tracking	Consent + Employment Law	Biometric, location data	3 years
Payment Processing	Contract + Legal Obligation	Financial information	7 years
Customer Support	Legitimate Interest	Contact info, support tickets	3 years
Analytics and Improvement	Legitimate Interest	Usage data, performance metrics	2 years

3.3 Consent Management

Explicit Consent: Required for biometric and location data processing
Informed Consent: Clear information about processing purposes
Withdrawable Consent: Right to withdraw consent at any time
Granular Consent: Separate consent for different processing activities
Consent Records: Maintained records of all consent given

4. Data Processing Obligations

4.1 WappBlaster's Obligations as Data Processor

Process only on instructions: Process personal data only as instructed by the Data Controller
Confidentiality: Ensure all personnel processing data are bound by confidentiality
Security measures: Implement appropriate technical and organizational security measures
Sub-processor management: Only engage sub-processors with written authorization
Data subject rights: Assist with responding to data subject rights requests
Breach notification: Notify Data Controller of any personal data breaches
Data return/deletion: Return or delete data at the end of processing
Audit cooperation: Allow and contribute to audits and inspections

4.2 Customer's Obligations as Data Controller

Lawful instructions: Ensure all processing instructions are lawful
Legal basis: Establish and maintain appropriate legal basis for processing
Data subject consent: Obtain necessary consents from data subjects
Privacy notices: Provide appropriate privacy notices to data subjects
Data accuracy: Ensure personal data is accurate and up-to-date
Data minimization: Only process data necessary for specified purposes
Rights requests: Handle data subject rights requests appropriately
Compliance monitoring: Monitor compliance with data protection laws

4.3 Joint Processing Activities

For certain activities, WappBlaster and the customer may be joint controllers:

Analytics and insights: Generating business intelligence from aggregated data
Service improvement: Using feedback and usage data to enhance services
Security monitoring: Detecting and preventing fraudulent activities
Compliance reporting: Generating reports for regulatory compliance

5. Security Measures

5.1 Technical Security Measures

Encryption: End-to-end encryption for data transmission and storage
Access controls: Role-based access control with multi-factor authentication
Network security: Firewalls, intrusion detection, and monitoring systems
Data backup: Regular encrypted backups with secure storage
System monitoring: 24/7 monitoring for security threats and anomalies
Vulnerability management: Regular security assessments and patch management
Secure development: Security-by-design in all development processes

5.2 Organizational Security Measures

Staff training: Regular privacy and security training for all personnel
Background checks: Security screening for personnel with data access
Incident response: Documented procedures for security incident response
Business continuity: Disaster recovery and business continuity plans
Vendor management: Security requirements for all third-party vendors
Regular audits: Internal and external security audits and assessments
Policy compliance: Regular review and update of security policies

5.3 Data Center Security

Physical security: Secured facilities with biometric access controls
Environmental controls: Climate control and power backup systems
Access logging: Detailed logs of all physical and logical access
Certification: ISO 27001 and SOC 2 compliant data centers
Geographic distribution: Multiple data centers for redundancy

6. Sub-Processors and Third Parties

6.1 Authorized Sub-Processors

Sub-Processor	Service	Data Categories	Location
WhatsApp Business API	Message delivery	Contact info, message content	Global
Cloud Infrastructure Providers	Data hosting and storage	All data categories	India, Singapore
Payment Processors	Payment processing	Financial information	India
Analytics Providers	Usage analytics	Anonymized usage data	Global
Support Tools	Customer support	Contact info, support tickets	India, US

6.2 Sub-Processor Requirements

Written agreements: All sub-processors bound by written data processing agreements
Equivalent protection: Same level of data protection as this agreement
Regular audits: Regular assessment of sub-processor compliance
Liability: WappBlaster remains liable for sub-processor actions
Notification: 30-day notice for new sub-processors
Objection rights: Customer right to object to new sub-processors

6.3 International Transfers

Adequacy decisions: Transfers to countries with adequate protection
Standard contractual clauses: EU standard clauses for other transfers
Additional safeguards: Technical and organizational measures for protection
Transfer records: Maintained records of all international transfers

7. Data Subject Rights

7.1 Individual Rights

Right of access: Request access to personal data being processed
Right to rectification: Request correction of inaccurate personal data
Right to erasure: Request deletion of personal data ("right to be forgotten")
Right to restrict processing: Request limitation of processing activities
Right to data portability: Request data in a structured, machine-readable format
Right to object: Object to processing based on legitimate interests
Right to withdraw consent: Withdraw consent for consent-based processing
Right to complain: Lodge complaints with supervisory authorities

7.2 Rights Response Process

Request channels: Email, phone, WhatsApp, or in-app requests
Identity verification: Secure verification of data subject identity
Response timeframe: 30 days from receipt of valid request
Free of charge: No fee for initial requests (fee for excessive requests)
Clear communication: Plain language responses and explanations
Assistance provided: WappBlaster assists customers with rights requests

7.3 Rights Limitations

Legal obligations: Rights may be limited by legal requirements
Public interest: Processing for public interest may continue
Freedom of expression: Balancing with freedom of expression rights
Security considerations: Security measures may limit certain rights
Third-party rights: Rights of other individuals must be considered

8. Data Breach Management

8.1 Breach Detection and Response

Continuous monitoring: 24/7 monitoring for security incidents
Incident classification: Assessment of breach severity and impact
Immediate containment: Steps to contain and minimize breach impact
Forensic investigation: Detailed investigation of breach causes
Remediation actions: Steps to prevent future similar breaches

8.2 Notification Requirements

Controller notification: Notify Data Controller within 24 hours
Authority notification: Report to supervisory authorities within 72 hours
Data subject notification: Notify affected individuals when required
Documentation: Maintain detailed records of all breaches
Public disclosure: Public notification if required by law

8.3 Breach Information

Breach notifications will include:

Nature and scope of the breach
Categories and number of affected data subjects
Types of personal data involved
Likely consequences of the breach
Measures taken to address the breach
Contact information for further inquiries

9. Data Retention and Deletion

9.1 Retention Principles

Purpose limitation: Data retained only as long as necessary for specified purposes
Legal requirements: Compliance with applicable retention laws
Business needs: Retention for legitimate business purposes
Data minimization: Regular review and deletion of unnecessary data
Automated deletion: Automated systems for data lifecycle management

9.2 Retention Schedules

Data Category	Retention Period	Legal Basis	Deletion Method
Customer account data	Account lifetime + 2 years	Contract + Legal obligation	Secure deletion
Communication records	24 months	Business operations	Automated deletion
Financial records	7 years	Legal requirement	Secure archival then deletion
Employee attendance	3 years	Employment law	Secure deletion
Support tickets	3 years	Business operations	Automated deletion
Usage analytics	2 years	Legitimate interest	Automated deletion

9.3 Secure Deletion

Cryptographic deletion: Deletion of encryption keys to render data unreadable
Physical destruction: Physical destruction of storage media when required
Multi-pass overwriting: Multiple overwrite cycles for sensitive data
Verification: Verification that data has been completely deleted
Documentation: Certificates of destruction for compliance purposes

10. Compliance and Auditing

10.1 Compliance Framework

Legal compliance: Compliance with Indian data protection laws
International standards: Alignment with GDPR and other international standards
Industry standards: Compliance with relevant industry standards
Contractual obligations: Meeting all contractual data protection requirements
Continuous monitoring: Ongoing compliance monitoring and assessment

10.2 Audit Rights

Customer audits: Customer right to audit WappBlaster's compliance
Third-party audits: Independent audits by qualified auditors
Regulatory inspections: Cooperation with regulatory inspections
Audit reports: Provision of audit reports and findings
Remediation: Prompt remediation of any identified issues

10.3 Documentation and Records

Processing records: Detailed records of all processing activities
Consent records: Documentation of all consents obtained
Breach logs: Records of all security incidents and breaches
Training records: Documentation of staff training and awareness
Policy documentation: Current versions of all policies and procedures

11. Liability and Indemnification

11.1 Liability Allocation

Controller liability: Customer liable for lawful instructions and legal basis
Processor liability: WappBlaster liable for unauthorized processing
Joint liability: Joint liability for joint processing activities
Sub-processor liability: WappBlaster liable for sub-processor actions
Limitation of liability: Liability limited as specified in main terms

11.2 Indemnification

Customer indemnification: Customer indemnifies for unlawful instructions
WappBlaster indemnification: WappBlaster indemnifies for unauthorized processing
Third-party claims: Protection against third-party data protection claims
Regulatory fines: Allocation of responsibility for regulatory fines
Defense cooperation: Mutual cooperation in defending claims

11.3 Insurance Coverage

Cyber liability insurance: Comprehensive cyber liability coverage
Professional indemnity: Professional indemnity insurance coverage
Coverage limits: Adequate coverage limits for potential claims
Certificate provision: Provision of insurance certificates upon request

12. Agreement Term and Termination

12.1 Agreement Duration

Effective period: Agreement effective during service provision
Automatic renewal: Renewal with service subscription renewal
Survival provisions: Certain provisions survive termination
Amendment process: Process for amending agreement terms

12.2 Termination Procedures

Service termination: Agreement terminates with service termination
Data return: Return of all personal data within 30 days
Deletion certification: Certification of data deletion
Ongoing obligations: Continued confidentiality and security obligations
Transition assistance: Reasonable assistance with data transition

12.3 Post-Termination

Data destruction: Secure destruction of all personal data
Documentation retention: Retention of compliance documentation
Ongoing liability: Continued liability for pre-termination processing
Confidentiality: Ongoing confidentiality obligations

13. Contact Information

Data Protection Officer:

WappBlaster Privacy Team
Email: info@wappblaster.com
Privacy Email: info@wappblaster.com
Phone: +91 7375092569
WhatsApp: +91 7375092569
Address: 11/346, Mukta Prasad Colony, Bikaner 334004 Raj IN

Data Subject Rights Requests:
Email: info@wappblaster.com
Phone: +91 7375092569
WhatsApp: +91 7375092569

Security Incident Reporting:
Email: info@wappblaster.com
Emergency Phone: +91 7375092569
24/7 WhatsApp: +91 7375092569

Legal Jurisdiction:
All data processing disputes are subject to the exclusive jurisdiction of the Courts in Bikaner, Rajasthan, India.

Response Times:
Data subject rights requests: 30 days
Security incidents: 24 hours
General inquiries: 48 hours

14. Governing Law and Dispute Resolution

14.1 Governing Law

This Data Processing Agreement is governed by the laws of India, specifically:

Information Technology Act, 2000
Information Technology (Reasonable Security Practices) Rules, 2011
Personal Data Protection Bill (when enacted)
Other applicable Indian data protection laws

14.2 Jurisdiction

Exclusive Jurisdiction: All disputes arising from this agreement shall be subject to the exclusive jurisdiction of the courts in Bikaner, Rajasthan, India.

14.3 Dispute Resolution Process

Direct negotiation: Good faith negotiations between parties
Mediation: Mediation through qualified data protection mediator
Arbitration: Binding arbitration if mediation fails
Court proceedings: Final resort to court proceedings

15. Effective Date and Amendments

15.1 Effective Date

This Personal Data Processing Agreement is effective as of January 2025 and applies to all data processing activities conducted after this date.

15.2 Amendment Process

Written amendments: All amendments must be in writing
Mutual agreement: Amendments require agreement from both parties
Legal updates: Updates may be required for legal compliance
Notice period: 30-day notice for non-urgent amendments
Version control: Maintained records of all agreement versions

15.3 Precedence

In case of conflict between this Data Processing Agreement and other terms:

This agreement takes precedence for data protection matters
Main service terms apply for non-data protection issues
Applicable law takes precedence over contractual terms
More protective provisions apply in case of ambiguity

By using WappBlaster services, you acknowledge that you have read, understood, and agree to be bound by this Personal Data Processing Agreement.