Data Processing Agreement
Last updated ·
This Data Processing Agreement (DPA) supplements our Terms of Service and applies when ByteWeb IT Solutions Private Limited ("ByteWeb", "we") processes Personal Data on your behalf as part of providing cardziAI. It's designed to meet the requirements of GDPR, the Indian Digital Personal Data Protection Act, and similar laws. The wording is a working draft pending legal review.
Introduction
When you use cardziAI, ByteWeb processes Personal Data about you, your team, and the contacts you scan. This DPA explains the lawful basis for that processing, the safeguards we apply, and what happens if something goes wrong. It is automatically binding on accounts on paid plans; we're also happy to execute a signed copy on request — email [email protected].
1. Definitions
Terms used in this DPA have the meanings given under applicable data-protection law:
- Personal Data — information relating to an identified or identifiable natural person.
- Customer — you, the cardziAI subscriber.
- Processor — ByteWeb IT Solutions Private Limited, acting on the Customer's instructions.
- Controller — the Customer, who determines the purposes and means of processing.
- Sub-processor — any third party engaged by ByteWeb to process Personal Data on the Customer's behalf.
2. Scope of processing
What we process
- User identifiers — name, email, password hash, country, timezone, company name.
- WhatsApp identifiers — the WhatsApp numbers of your team members (registered by you) and the inbound senders whose cards are scanned.
- Contact data from scans — the text and image of business cards you forward to cardziAI, and the structured contact data extracted from them.
- Operational metadata — timestamps, delivery receipts, usage counters, audit log entries.
Why we process it
Solely to provide and improve the cardziAI service for you. We do not use this data for our own marketing, ad targeting, or AI model training.
How long
For the duration of your subscription, plus 30 days after termination for active systems and up to 90 days for backups, except where longer retention is required by law (typically billing records for 7 years).
3. Roles
You are the Controller of the Personal Data you upload to cardziAI. ByteWeb is the Processor and acts only on your documented instructions, which include your use of the cardziAI dashboard and APIs, and any written instructions you send us.
4. ByteWeb's obligations
ByteWeb will:
- Process Personal Data only on your documented instructions;
- Ensure people authorised to process Personal Data are under confidentiality obligations;
- Implement appropriate technical and organisational measures (see section 6);
- Assist you with data-subject rights requests where reasonably required;
- Notify you without undue delay of any Personal Data breach (see section 7);
- Delete or return Personal Data on termination (see section 11);
- Make available the information necessary to demonstrate compliance.
5. Sub-processors
You authorise ByteWeb to engage Sub-processors to deliver cardziAI. Our Sub-processors fall into the following categories, all operating under written agreements that bind them to confidentiality, security, and data-protection obligations equivalent to those in this DPA:
- Messaging platform — to deliver and receive WhatsApp messages and media on your behalf.
- Cloud infrastructure — application hosting, file storage, and managed database services.
- Transactional email — for account emails such as verification codes, password resets, and receipts.
- Payment processing — for card and transaction handling and tax-compliant invoicing.
- Website hosting — for our public marketing site only (no customer Personal Data).
The current named list of Sub-processors (including each provider's name, location of processing, and the activity for which they are engaged) is available to customers on request. Email [email protected] from the address associated with your account and we will return the list within 5 business days, typically alongside a signed copy of this DPA.
We will notify you at least 30 days before adding or replacing a Sub-processor. If you object on reasonable grounds within that period, we will work with you to accommodate the objection or, failing that, you may terminate the affected service. Termination ends future billing immediately; fees already paid for the running cycle are non-refundable, as set out in our Refund Policy.
6. Security measures
ByteWeb maintains the following technical and organisational safeguards:
- Encryption in transit (TLS 1.2+) on every endpoint;
- Encryption at rest for stored secrets using AES-256-GCM;
- Role-based access control and least-privilege for production systems;
- Audit logging on every state-changing administrative action;
- Webhook signature verification for inbound integrations;
- Regular security reviews of code and infrastructure;
- Background-checked personnel under written confidentiality agreements.
7. Personal data breach
If we become aware of a Personal Data breach affecting your data, we will notify you without undue delay and within 72 hours where feasible. The notice will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we've taken to mitigate it. We will cooperate with you on any required notifications to data subjects or supervisory authorities.
8. International transfers
ByteWeb operates primarily from India. When Personal Data is transferred outside its country of origin (for example, from the EEA or the UK), we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards. These are deemed incorporated into this DPA by reference.
9. Data subject rights
As Controller, you are primarily responsible for handling data-subject requests (access, rectification, erasure, restriction, portability, objection). We will provide reasonable assistance — for example, by giving you the ability to export or delete data through the dashboard, and by responding to direct requests we receive by routing them back to you.
10. Audits
On request and no more than once per year (or following a Personal Data breach), we'll make available a summary of our security controls and respond in writing to reasonable audit questionnaires. On-site audits are available to Team-plan customers under a separate signed agreement and at the requesting party's cost.
11. Termination & return of data
On termination of your subscription, you can export your data through the dashboard for 30 days. After that period, we will delete your Personal Data from active systems within 30 days and from backups within a further 90 days, except where longer retention is required by law.
12. General
This DPA is governed by the laws of India. If any provision conflicts with the Terms of Service, this DPA prevails as it relates to the processing of Personal Data. The Customer remains liable for use of the service in accordance with the Terms of Service. Questions: [email protected].