Data Processing Agreement

For Enterprise Clients · Version 1.0 · April 2026

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement between ShipKaro Technologies Pvt. Ltd. ("Processor") and the Enterprise Client ("Controller").

1. Definitions

  • Controller: The enterprise client who determines the purposes and means of processing personal data.
  • Processor: ShipKaro Technologies Pvt. Ltd., which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data including collection, storage, use, disclosure, or deletion.
  • Sub-processor: Any third party engaged by ShipKaro to process personal data (e.g., courier partners, SMS providers).

2. Scope of Processing

  • ShipKaro processes personal data solely for the purpose of providing logistics and shipping services as described in the Master Service Agreement.
  • Categories of data processed: Customer names, addresses, phone numbers, email addresses, and order information.
  • ShipKaro will not process personal data for any purpose other than fulfilling the contracted services.
  • Processing will continue for the duration of the Master Service Agreement plus any legally required retention period.

3. ShipKaro's Obligations as Processor

  • Process personal data only on documented instructions from the Controller.
  • Ensure all personnel with access to personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (encryption, access controls, audit logs).
  • Notify the Controller within 72 hours of becoming aware of a personal data breach.
  • Assist the Controller in responding to data subject rights requests.
  • Delete or return all personal data upon termination of the agreement.
  • Make available all information necessary to demonstrate compliance with this DPA.

4. Sub-processors

  • ShipKaro uses the following sub-processors: Delhivery (delivery), BlueDart (delivery), DTDC (delivery), Razorpay (payments), MSG91 (SMS), Twilio (WhatsApp), Oracle Cloud (infrastructure).
  • ShipKaro will notify the Controller at least 30 days before engaging new sub-processors.
  • The Controller may object to new sub-processors within 14 days of notification.
  • ShipKaro ensures all sub-processors are bound by equivalent data protection obligations.

5. Data Security Measures

  • Encryption: TLS 1.3 in transit, AES-256 at rest.
  • Access Control: Role-based access, principle of least privilege, MFA for admin access.
  • Monitoring: 24/7 security monitoring, intrusion detection, anomaly alerts.
  • Backups: Daily encrypted backups with 30-day retention.
  • Penetration Testing: Annual third-party security assessments.
  • Incident Response: Documented incident response plan with 72-hour breach notification.

6. Data Transfers

  • All data is stored and processed within India on Oracle Cloud Infrastructure (Mumbai region).
  • No personal data is transferred outside India without explicit Controller consent.
  • If international transfer is required, Standard Contractual Clauses will be executed.

7. Audit Rights

  • The Controller may audit ShipKaro's data processing activities with 30 days' written notice.
  • Audits are limited to once per year unless a security incident has occurred.
  • ShipKaro may require the Controller to use an independent auditor bound by confidentiality.
  • Audit costs are borne by the Controller unless a material breach is found.

8. Liability

  • Each party is liable for damages caused by its own breach of this DPA.
  • ShipKaro's liability under this DPA is limited to the amounts paid in the 12 months preceding the claim.
  • Neither party is liable for indirect or consequential damages arising from DPA breaches.

9. Governing Law

  • This DPA is governed by the laws of India.
  • Disputes will be resolved through arbitration in Hyderabad, Telangana.
  • This DPA supersedes any conflicting data protection provisions in the Master Service Agreement.

Request a Signed DPA

Enterprise clients can request a countersigned DPA for their compliance records.

© 2026 ShipKaro Technologies Pvt. Ltd. · enterprise@shipkaro.com