Data Processing Agreement
Effective: 1 May 2026
This Data Processing Agreement (“DPA”) forms part of the API Terms of Service between you (the “Controller” / “Data Fiduciary”) and EvolvePro Tech Solutions Private Limited (“Splashify Pro”, the “Processor” / “Data Processor”). It applies whenever you use the Splashify Pro Email API to process Personal Data on behalf of yourself or your end-customers.
1. Definitions
Terms used here have the meanings given in the Digital Personal Data Protection Act, 2023 (India) (“DPDP”) and the General Data Protection Regulation (EU) (“GDPR”). Where the two diverge, the more protective definition applies.
- Personal Data — Information about an identified or identifiable natural person (“Data Principal” / “Data Subject”), including but not limited to email address, IP address, device identifiers, and message content.
- Controller / Data Fiduciary — The party that determines the purposes and means of processing.
- Processor / Data Processor — The party that processes Personal Data on behalf of the Controller.
- Sub-processor — A third party engaged by the Processor to process Personal Data.
- Personal Data Breach — A breach of security leading to unauthorized access, disclosure, alteration, or destruction of Personal Data.
2. Roles
For Personal Data sent or processed through the Splashify Pro Email API on your instruction:
- You are the Data Fiduciary / Controller. You determine which recipients to email, what content to send, and the lawful basis for the processing.
- Splashify Pro is the Data Processor. We process Personal Data only on your documented instructions, expressed through your use of the API.
For Personal Data we collect about you (your account, payment information, usage logs), Splashify Pro acts as the Data Fiduciary in its own right; that processing is governed by our Privacy Policy.
3. Subject matter and duration
| Field | Detail |
|---|---|
| Subject matter | Sending email on behalf of the Controller |
| Duration | Term of the API Terms of Service plus retention periods in §7 |
| Nature of processing | Receiving email content + recipient list, signing with DKIM, transmitting via SMTP, storing delivery outcomes |
| Purpose | Email transmission and delivery analytics |
| Categories of Data | Email addresses, names, IP addresses, message content, headers, delivery metadata |
| Categories of Data Principals | Recipients of email sent through the API; senders’ employees who configure the account |
4. Processor obligations
Splashify Pro will:
- Process Personal Data only on the Controller’s documented instructions, including transfers, unless required to do otherwise by Indian or EU law (in which case we will inform the Controller before processing, unless prohibited from doing so).
- Ensure that personnel authorized to process Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those listed in §9.
- Engage Sub-processors only as permitted under §5.
- Assist the Controller in fulfilling Data Principal rights (access, correction, erasure, portability, objection) within the timeframes set by applicable law.
- Notify the Controller without undue delay (and within 72 hours) of becoming aware of a Personal Data Breach affecting their data.
- Make available all information necessary to demonstrate compliance and contribute to audits as set out in §11.
- Delete or return all Personal Data at the end of the provision of services, except as required to be retained by law.
5. Sub-processors
Splashify Pro engages the following Sub-processors for the operation of the service. Each is bound by data-protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloud infrastructure provider | Compute, storage, networking | India (primary) |
| DNS resolution | Delivering email to recipient mail servers | Global anycast |
| Inbox feedback loops (Gmail Postmaster, Microsoft SNDS, Yahoo CFL) | Reputation monitoring | US/EU |
| Anti-abuse intelligence | Spamtrap, blocklist, malware detection | US/EU |
| Payment gateway (Zoho Payments) | Account billing | India |
| Telemetry / error monitoring | Service reliability | US (encrypted) |
| Customer-support CRM | Handling support tickets | India |
We will give the Controller 30 days’ prior notice of changes to the list of Sub-processors. The Controller may object to a change in writing within 15 days; if objection is sustained on legitimate data-protection grounds, the Controller may terminate the relevant service without penalty.
6. International transfers
Personal Data is primarily stored and processed in India. Some Sub-processors are located outside India.
- DPDP Act: The Indian government may, by notification, restrict transfers to specified countries. We comply with any such notification.
- GDPR: Transfers from the EU/EEA to India and to non-adequate jurisdictions are made on the basis of the Standard Contractual Clauses (Module 2 — controller to processor) and supplementary measures including encryption in transit and at rest.
7. Retention
| Data category | Retention | Purpose |
|---|---|---|
| Email content (body, attachments) | 30 days from send | Bounce diagnosis, support |
| Delivery metadata (status, bounce reason, click/open events) | 18 months | Reputation analytics, audit |
| Suppression list entries | Indefinite, until removed by Controller | Compliance with §10 of CAN-SPAM and similar laws |
| Audit log | Term of agreement + 3 years | DPDP §11(3) record-keeping |
| Account billing records | 8 years from invoice | Indian tax law (§44AA Income Tax Act) |
On termination, we delete email content and delivery metadata within 30 days. Suppression lists are retained as legal-compliance records unless the Controller specifically requests their deletion. Audit logs and billing records are retained for the legal periods listed above.
8. Data Principal rights
The Controller is responsible for responding to Data Principal requests. Splashify Pro will assist the Controller through:
- API endpoints to query a recipient’s status (delivery history, suppression status, click/open events).
- Tools to delete a recipient’s data on Controller request (DELETE /suppression/{email} retains compliance evidence; contact dpo@splashifypro.in for full erasure).
- Within 48 hours for requests forwarded to us in writing.
9. Security measures
Splashify Pro implements security measures appropriate to the risk, including:
- Encryption in transit — TLS 1.2 or higher for all API calls and SMTP submission to recipient mail servers (with opportunistic STARTTLS where the recipient supports it).
- Encryption at rest — Storage volumes encrypted with industry-standard algorithms (AES-256 or equivalent).
- Access control — Role-based access for Splashify Pro personnel; multi-factor authentication; principle of least privilege; audit logging of all administrative access.
- Secure development — Code review for all changes, automated vulnerability scanning, periodic penetration testing.
- Network controls — Network segmentation, firewall rules, intrusion detection.
- Backup and recovery — Encrypted backups with regular restore testing; documented disaster-recovery plan.
- Personnel — Background checks for all engineers handling production systems; mandatory annual security training.
10. Breach notification
In the event of a Personal Data Breach affecting Controller data, Splashify Pro will:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the Breach.
- Provide all reasonable information necessary for the Controller to meet its own notification obligations under DPDP Act §8(6) (notify the Data Protection Board) and GDPR Articles 33 and 34 (notify the supervisory authority and, where required, the Data Subjects).
- Cooperate with the Controller’s investigation and remediation.
The notification will include: nature of the Breach, categories and approximate number of Data Principals affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address it.
11. Audits
The Controller may audit Splashify Pro’s compliance with this DPA:
- By reviewing third-party audit reports (SOC 2, ISO 27001) we publish on request.
- By submitting written questions and requesting documentary evidence; we respond within 30 days.
- For Controllers processing high volumes of sensitive data, on-site audits can be arranged with 60 days’ notice and at the Controller’s expense, subject to confidentiality terms and reasonable scope limits.
Audit rights do not extend to systems or data of other Controllers.
12. Liability
Liability for breaches of this DPA is governed by Section 13 of the API Terms of Service. In addition, Splashify Pro indemnifies the Controller for direct losses arising from Splashify Pro’s failure to comply with its Processor obligations under DPDP Act §8 and GDPR Article 28, subject to the cap and exclusions in the Terms of Service.
13. Termination
This DPA terminates automatically on termination of the API Terms of Service. The deletion obligation in §7 survives termination. The audit and breach-notification rights survive for 1 year after termination for events that occurred during the term.
14. Order of precedence
In case of conflict between this DPA and the API Terms of Service, this DPA prevails for matters of data protection. In case of conflict with mandatory provisions of the DPDP Act or GDPR, the law prevails.
15. Governing law
This DPA is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts of Kolkata, West Bengal, without prejudice to the Controller’s mandatory consumer or data-protection rights under the DPDP Act or GDPR.
Contact
| For | Email |
|---|---|
| Data-protection enquiries | dpo@splashifypro.in |
| Grievance Officer | grievance@splashifypro.in |
| Breach notifications | security@splashifypro.in |
| Sub-processor change objections | dpo@splashifypro.in |
By signing the API Terms of Service or sending your first request, you accept this DPA on behalf of yourself and any end-customer for whom you act.