DPDP & Data Processing Addendum
Our posture under India’s Digital Personal Data Protection Act, 2023, plus a Data Processing Addendum (DPA) you can attach to your subscription if you process personal data through GrowYu.
Last updated: 02 March 2026 · DPA v1.4
Draft — review with counsel before publication
1 · Roles & responsibilities
Under the Digital Personal Data Protection Act, 2023 ("DPDP"):
- You (the GrowYu customer) are the Data Fiduciary for personal data you put into the service — your leads, contacts, end-customers. You determine the purpose and means of processing.
- GrowYu is the Data Processor for that data. We process it only on your documented instructions.
- For data about your workspace itself — your team’s logins, billing, support tickets — GrowYu acts as the Data Fiduciary.
2 · Scope of processing
We process personal data only to provide the GrowYu service as described in our Terms — call routing, lead capture, AI features, integrations, reporting. We don’t repurpose customer data for advertising, model training, or analytics outside the workspace.
Plain English. Your data stays inside your workspace. We don’t borrow it for our own purposes.
3 · Sub-processors
We use a small number of sub-processors to operate the service. All are bound by written DPAs with terms at least as protective as ours.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting, storage, compute | Mumbai & Hyderabad, India |
| Razorpay | Subscription payments | Bengaluru, India |
| WhatsApp BSP (Wati / Gupshup) | WhatsApp Business API delivery | India |
| Exotel / Knowlarity | Cloud telephony & SMS | India |
| Twilio SendGrid | Transactional email delivery | Asia-Pacific region |
| Sentry | Error monitoring (anonymous traces) | EU region |
We notify customers at least 30 days before adding a new sub-processor; you may object in writing.
4 · Security measures
We maintain technical and organisational measures appropriate to the data we process. The summary lives at /security; full details are in the DPA. Highlights:
- AES-256 encryption at rest, TLS 1.3 in transit
- Role-based access controls; principle of least privilege internally
- 100% admin-action audit logging
- Annual penetration testing by an external firm
- SOC 2 Type I & ISO 27001 in progress (expected Q3–Q4 2026)
5 · Breach notification
If we become aware of a personal data breach affecting your data, we’ll notify you within 72 hours, with the information you need to meet your own DPDP obligations toward the Data Protection Board of India.
6 · Data principal rights
The DPDP Act gives data principals rights to access, correction, erasure, and grievance redressal. When a data principal exercises these rights for data you control as Fiduciary, we’ll assist promptly — typically inside 7 working days. Tools for export, correction, and erasure are available in your workspace; for help, contact privacy@growyu.com.
7 · Cross-border transfers
All customer data stays in India by default. Some operational sub-processors (e.g. Sentry for error traces) operate outside India. These handle no customer personal data, only anonymised system traces. If you require strict India-only processing for every byte (no exceptions), let us know on the Enterprise tier and we’ll configure accordingly.
8 · Download the DPA
Need a signed DPA? Most customers can use our standard template — request a copy at legal@growyu.com and we’ll return a counter-signed PDF within 1 working day. Enterprise customers can negotiate redlines through their account manager.