Data Processing Agreement
Effective date: June 25, 2026 · Between Chativo (Data Processor) and Customer (Data Controller)
This Data Processing Agreement ("DPA") is incorporated by reference into the Chativo Terms of Service. By accepting the Terms of Service, the customer (Controller) agrees to this DPA. It governs the processing of personal data of WhatsApp contacts by Chativo by Arbind Digital Solutions on behalf of the customer.
1. Definitions
2. Scope and Purpose
Permitted Processing
The Processor shall process Personal Data solely to deliver Chativo's WhatsApp CRM services as described in the Terms of Service. Processing is limited to: storing contacts, routing messages, managing templates, providing analytics, and performing backup and recovery operations.
Duration
Processing continues for the term of the active Chativo subscription, plus a 30-day post-termination period during which the Controller may export or request deletion of their data.
Nature of Processing
Automated processing of Personal Data using Chativo's platform infrastructure, including storage in encrypted databases, delivery via the Meta WhatsApp Business API, and aggregation for analytics purposes.
3. Processor Obligations
Documented Instructions
The Processor shall process Personal Data only on the documented instructions of the Controller as expressed through the platform's features and settings. The Processor will notify the Controller if it believes an instruction infringes applicable data protection law.
Confidentiality
The Processor shall ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.
Security Measures
The Processor implements and maintains appropriate technical and organisational security measures, including:
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for WhatsApp access tokens at rest
- bcrypt hashing for all passwords
- PostgreSQL row-level tenant isolation ensuring each customer can only access their own data
- Access controls restricting production data access to authorised personnel only
Data Breach Notification
The Processor shall notify the Controller of any personal data breach within 72 hours of becoming aware of it. The notification shall include: nature of the breach, categories and approximate volume of data affected, likely consequences, and measures taken or proposed to address the breach.
Data Subject Rights Assistance
The Processor shall assist the Controller in fulfilling Data Subject rights requests (access, correction, deletion, portability) within 30 days of the Controller's written request.
DPIA Assistance
The Processor shall assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where required under applicable law, providing relevant information about the processing operations.
Post-Termination Deletion
Upon termination of the subscription and at the Controller's written request, the Processor shall delete or return all Personal Data within 30 days, and provide written confirmation of completion.
Audit Rights
The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for audits with 30 days' written notice from the Controller, at the Controller's cost.
4. Sub-Processors
The Controller grants general authorisation for the Processor to engage the following sub-processors:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Meta Platforms Inc. | United States | WhatsApp API delivery |
| Contabo GmbH | Germany (EU) | Server/VPS infrastructure |
| iDrive E2 | Tokyo, Japan | Media file storage (S3-compatible) |
| Razorpay | India | Payment processing |
| ZeptoMail | India / Cloud | Transactional email delivery |
| Google LLC | United States | OAuth authentication only |
Chativo will notify Controllers of any new sub-processor with 14 days' notice. Controllers may object in writing within 7 days. If no objection is received, the new sub-processor is deemed approved.
5. Controller Obligations
The Controller agrees to:
- Ensure a lawful basis exists for processing WhatsApp contact data before using the platform
- Obtain valid opt-in consent from all WhatsApp contacts before messaging them through Chativo
- Provide accurate and current personal data only
- Issue written instructions to the Processor for any processing outside the agreed scope
- Ensure their own privacy policies and notices inform contacts about Chativo's role as a data processor
- Comply with applicable data protection laws with respect to their use of the platform
6. International Data Transfers
Personal Data may be transferred to sub-processors located in the United States (Meta, Google), Germany/EU (Contabo), and Japan (iDrive E2) as listed in Section 4. Transfers are conducted under:
- Standard Contractual Clauses for EU-based sub-processors where applicable
- Sub-processor's own adequacy mechanisms or transfer safeguards (Meta, Google)
- Contractual safeguards and data processing agreements with all other sub-processors
7. Liability
Each party is liable for damages caused by processing that violates this DPA or applicable data protection law. The Processor's aggregate liability under this DPA shall not exceed the total fees paid by the Controller to the Processor in the 12 months preceding the claim, unless the damage was caused by the Processor's gross negligence or wilful misconduct.
8. Governing Law
This DPA is governed by the laws of India. The Digital Personal Data Protection Act, 2023 applies to processing of personal data of Indian residents. Any disputes relating to this DPA shall be subject to the dispute resolution mechanism set out in the Chativo Terms of Service (arbitration, seat: Guwahati, Assam, India).
9. Execution
This DPA is incorporated by reference into the Chativo Terms of Service. By accepting the Terms of Service, the customer (Controller) agrees to this DPA without requiring a separate signed document.
For customers who require a countersigned DPA for their own compliance purposes, please email legal@chativo.in with the subject line "DPA Signature Request — [Company Name]". We will respond within 5 business days.
Questions About This DPA
Chativo by Arbind Digital Solutions
Legal email: legal@chativo.in
Privacy email: privacy@chativo.in
Website: https://chativo.in