Data Processing Agreement (DPA)
This DPA forms part of the Terms of Service between the customer ("Business", the data fiduciary for its own records) and Zesst Now Services Private Limited ("Processor") and applies whenever the Service processes personal data contained in the Business's records (e.g., customer names, phone numbers, GSTINs, addresses in invoices and khata).
1. Roles
- For business records the Business uploads/creates: the Business is the data fiduciary; we process only on its instructions.
- For account and usage data of the Business's own users: we are the data fiduciary per our Privacy Policy.
2. Scope & Instructions
We process business-record data solely to provide, secure and support the Service as configured by the Business (documented instructions). We do not use it for advertising and do not sell it.
3. Confidentiality
Personnel with access are bound by confidentiality obligations and access is limited to what their role requires.
4. Security Measures
Technical and organisational measures are described on the Security page and include TLS encryption, encryption at rest, row-level tenant isolation, role-based access, rate limiting, CAPTCHA and append-only audit logging. We will not materially degrade these protections during a subscription term.
5. Subprocessors
The Business authorises the subprocessors listed in the Privacy Policy (currently Supabase, Vercel, OpenAI, Razorpay, Cloudflare). We will update that list before adding subprocessors that process business-record data; continued use after update constitutes acceptance, and the Business may terminate if it reasonably objects.
6. Data Principal Requests
If a data principal (e.g., the Business's customer) contacts us directly about data controlled by the Business, we will redirect them to the Business and, where technically feasible, assist the Business in fulfilling access/correction/erasure requests via in-app tools.
7. Breach Notification
We will notify the Business without undue delay after becoming aware of a personal-data breach affecting its data, including known scope, likely impact and remediation steps, and will cooperate with the Business's obligations under the DPDP Act.
8. Data Location & Transfers
Primary storage is in Mumbai, India. Certain subprocessors (hosting/CDN, AI) may process limited data outside India as described in the Privacy Policy, subject to their contractual safeguards.
9. Return & Deletion
The Business can export its records (CSV) at any time. On termination, records are deleted per the retention terms in the Privacy Policy (30 days, plus up to 35 days for backup roll-off), except where law requires retention.
10. Audit
On written request (max once per year), we will provide reasonable documentation demonstrating compliance with this DPA. On-site audits are not offered at current plan tiers.
11. Liability & Order of Precedence
Liability is governed by the Terms of Service. If this DPA conflicts with the Terms regarding data protection, this DPA prevails.
Enterprises needing a countersigned copy of this DPA or a mutual NDA may email support@bizgstpro.com — we will provide signature-ready versions.
Other policies: Terms · Privacy · Refunds · Security · DPA · Disclaimer