Refer a fellow business and get a flat 10% discount

Close Icon
whatsapp
Menu close

Data Processing Agreement (DPA)

Effective Date: 1st March 2025
Last Updated: 27th September 2025

This Data Processing Agreement (“DPA“) forms part of the Terms of Service between:

Data Controller:

The Zyfoo customer (store owner) who uses the Zyfoo platform to collect, store, or process personal data of their customers.

Data Processor:

BHOOLOGAM SOLUTIONS PRIVATE LIMITED

No. 348/8A1 East Coast Road, By pass, Kottakuppam, Tamil Nadu 605104.

Email: info@boomimart.com 

DPO: Raj Thilak – rajthilak@boomimart.com

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data (collection, storage, use, etc.).
  • “Data Controller” means the party determining the purpose and means of processing Personal Data.
  • “Data Processor” means the party processing data on behalf of the Data Controller.

2. Scope of Processing

Zyfoo processes Personal Data on behalf of the Controller for the following purposes:

  • Managing ecommerce websites, mobile apps, and backend dashboards
  • Processing customer orders, transactions, and user accounts
  • Enabling communication (email, SMS, whatsapp, notifications)
  • Managing store analytics and customer insights
  • Storing and backing up customer-related data
  • 3. Duration of Processing

This DPA applies for the duration that the Controller uses Zyfoo services and until all Personal Data has been deleted or returned.

4. Types of Personal Data

The Data Processor may process the following types of Personal Data:

  • Customer name, email, phone number, address
  • Order history and payment data (through third-party gateways)
  • Device and browser information
  • Customer inquiries and reviews

5. Data Subject Categories

  • End-users and customers of the Controller’s online store
  • Employees or staff using Zyfoo tools
  • Website or app visitors

6. Processor Obligations

Zyfoo agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure confidentiality and security of the data
  • Implement appropriate technical and organizational security measures
  • Ensure staff are trained and bound by confidentiality obligations
  • Assist the Controller in responding to data subject rights requests
  • Notify the Controller of data breaches without undue delay (within 72 hours)
  • Delete or return all Personal Data upon termination of services

7. Subprocessors

Zyfoo uses third-party subprocessors to deliver its services (e.g. cloud hosting, payment, communication, analytics). The current list includes (but is not limited to):

  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Firebase
  • Stripe / Razorpay
  • SendGrid / Twilio / Interakt / Meta / Whatsapp
  • Google Analytics

Controller consents to the use of these subprocessors. Zyfoo will notify the Controller of any changes and ensure that all subprocessors comply with GDPR.

8. International Data Transfers

Zyfoo may transfer Personal Data outside the EEA. Such transfers shall only occur where:

  • The recipient country has an adequacy decision from the European Commission, or
  • Standard Contractual Clauses (SCCs) are in place

Zyfoo ensures appropriate safeguards for all such transfers.

9. Assistance to Controller

Zyfoo shall assist the Controller in:

  • Complying with GDPR obligations (Articles 32–36)
  • Conducting data protection impact assessments (DPIAs)
  • Notifying supervisory authorities and affected individuals in case of a breach

10. Audits and Inspections

The Controller may audit Zyfoo’s compliance with this DPA:

  • Upon reasonable notice
  • During normal business hours
  • No more than once per year unless required by law or after a breach

Zyfoo will provide necessary documentation to demonstrate compliance.

11. Data Breach Notification

In the event of a Personal Data breach, Zyfoo shall:

  • Notify the Controller without undue delay (within 72 hours)
  • Provide details of the breach, its impact, and mitigation steps
  • Cooperate in investigation and resolution

12. Termination

Upon termination of services:

  • Zyfoo shall, at the Controller’s choice, delete or return all Personal Data
  • Deletion includes removing backups unless retention is required by law

13. Governing Law & Jurisdiction

This DPA shall be governed by the laws of  India.
 Any disputes shall be resolved in the courts of Pondicherry, India.

14. Miscellaneous

  • This DPA overrides any conflicting provisions in the main agreement.
  • This DPA is effective from the date the Controller accepts Zyfoo’s Terms of Service.

Appendices

  • Appendix A: Subprocessor List
  • Appendix B: Security Measures (Technical & Organizational)

Appendix A – Subprocessor List

Below is a list of third-party subprocessors that Zyfoo engages to process personal data on behalf of its customers (Controllers). Each subprocess is GDPR-compliant and bound by a data processing agreement.

SubprocessorService ProvidedData LocationType of Data Processed
Amazon Web Services (AWS)Cloud hosting, storageEurope (Frankfurt), USA, IndiaAll platform and customer data
Google Cloud PlatformCloud services, backupsEurope / USAApp and dashboard data
Firebase (Google)Real-time database, crash reportsUSAUser data, device info, logs
Stripe / RazorpayPayment gatewayUSA / IndiaPayment transaction metadata (not card details)
SendGrid / Twilio / Interakt / MetaEmail, WhatsApp and SMS communicationUSA / GlobalContact info, messages, alerts
Google AnalyticsWebsite usage analyticsUSA / GlobalIP addresses, browser info, behavior data
Hotjar / Microsoft Clarity (if used)User interaction analyticsEurope / USASession data, clicks, heatmaps
Zoho / Freshdesk (if used)Customer support & ticketingIndia / USASupport tickets, customer communication

Note: Zyfoo monitors subprocessors to ensure GDPR compliance. Controllers will be notified of any new subprocessors.

Appendix B – Technical and Organizational Security Measures

Zyfoo implements the following security measures to protect Personal Data in accordance with Article 32 of the GDPR:

1. Data Encryption

  • TLS (HTTPS) used for all data in transit
  • AES-256 encryption for data at rest
  • Secure encryption for sensitive fields (e.g. tokens, credentials)

2. Access Controls

  • Role-based access for internal teams
  • Multi-factor authentication (MFA) for admin access
  • Access logs and audits of all admin activities

3. Application Security

  • OWASP Top 10 best practices in development
  • Regular vulnerability scans and penetration tests
  • Code review and static code analysis pipeline

4. Infrastructure Security

  • Hosted on secure cloud platforms (AWS/GCP)
  • Firewalls, VPC isolation, and DDoS protection
  • Automated system patching and updates

5. Data Backup & Disaster Recovery

  • Automated daily backups
  • Secure offsite storage
  • Disaster recovery plans with defined RTO and RPO

6. Monitoring & Logging

  • Continuous monitoring of uptime, usage, and anomalies
  • Alerting systems for unusual activity
  • Secure logging with limited access

7. Employee Awareness & Confidentiality

  • Employee access is granted on a need-to-know basis
  • Regular data protection training
  • NDAs signed by all staff and contractors

8. Incident Response

  • Defined procedures for identifying and managing data breaches
  • 72-hour breach notification commitment
  • Documentation and root cause analysis post-incident

9. Data Minimization & Retention

  • Only essential data is collected and stored
  • Automatic purging of old or inactive data
  • Configurable data retention options for users
R. S. No. 348/8A1 East Coast Road, By pass, Kottakuppam, Tamil Nadu 605104.

© 2026 Boomimart