Data Processing Agreement

Between Zithara Technologies Pvt. Ltd. ('Processor') and Merchant ('Controller')

Version 1.0 — March 2026

1. Definitions

• Controller: The merchant who subscribes to Zithara.AI services
• Processor: Zithara Technologies Pvt. Ltd.
• Data Principal: The individual whose personal data is processed (merchant's customer)
• Personal Data: Any data relating to an identified or identifiable data principal
• Processing: Any operation performed on personal data
• Sub-processor: A third party engaged by the Processor to process Personal Data

2. Scope of Processing

The Processor processes Personal Data on behalf of the Controller for the following purposes:

• Providing CRM and customer engagement platform services
• Operating AI-powered features (WhatsApp chat agents, customer segmentation, campaign automation, lead scoring)
• Sending marketing communications via WhatsApp, SMS, and email on behalf of the Controller
• Generating analytics and reporting on customer engagement
• Providing customer support and platform maintenance

Categories of data processed:

• Customer contact information (names, phone numbers, email addresses)
• Purchase and transaction history
• WhatsApp message content (for chat agent functionality)
• Customer engagement data (open rates, response patterns)
• Demographic data as provided by the Controller

3. Security Obligations

The Processor implements the following security measures:

• AES-256 encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Multi-tenant architecture with per-Controller database isolation
• Role-based access controls with multi-factor authentication
• Regular penetration testing by independent third parties
• 24/7 network operations monitoring
• Secure software development lifecycle (SSDLC)
• Employee security training and background checks

4. AI-Specific Provisions

For AI-powered features, the Processor additionally commits to:

• AI processing is isolated per Controller tenant — no cross-tenant data sharing
• Controller customer data is not used to train third-party AI models
• AI processing activities are auditable with timestamped logs
• AI-generated content (campaign messages, chat responses) requires Controller approval before deployment to Data Principals
• Guardrails and escalation rules for AI chat agents are configurable by the Controller

5. Data Retention

• Active subscription: Data retained as required for service delivery
• Campaign analytics: Retained for 12 months for analytics
• The Controller may request data export in standard formats (CSV, JSON) at any time

6. Breach Notification

In the event of a Personal Data breach:

• The Processor will notify the Controller within 72 hours of becoming aware of the breach
• Notification will include: nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken to mitigate
• The Processor will cooperate with the Controller in any regulatory notifications required under DPDPA 2023
• The Processor maintains an incident response team with documented procedures

7. Sub-processor Management

The Processor uses the following sub-processors:

The Processor will notify the Controller at least 30 days before engaging a new sub-processor. The Controller may object to a new sub-processor within 14 days.

8. Controller Rights

The Controller has the right to:

• Audit the Processor's compliance with this DPA (with reasonable notice)
• Request data export in standard formats
• Object to new sub-processors
• Receive breach notifications within 72 hours
• Access AI processing logs for audit purposes

9. Governing Law

This DPA is governed by the laws of India, including the Digital Personal Data Protection Act 2023. Disputes will be subject to the jurisdiction of courts in Hyderabad, Telangana.