Data Processing Agreement
Controller-to-processor terms when you provide personal data through BillBasket products and services.
Parties & role
This Data Processing Agreement ("DPA") is between you ("Controller", "Customer") and BillBasket Solutions LLP ("Processor", "BillBasket"), entered into when you accept our Terms of Service or sign an Order Form referencing this DPA. BillBasket acts as a processor on your behalf with respect to personal data you input or upload to the Services.
Duration
This DPA applies for the term of the underlying subscription and any period after termination during which BillBasket retains personal data, until deletion is complete in line with the exit section.
Categories of data subjects
- your employees, contractors, and authorised users;
- your end-customers, vendors, debtors, and prospects;
- any other individuals whose data Customer chooses to process through the Services.
Categories of personal data
- identification data — name, business name, contact details, government IDs where Customer chooses to upload them;
- financial data — invoices, transaction records, settlement references;
- KYC/AML data — submitted at Customer's discretion for onboarding flows;
- communication metadata — to deliver SMS, WhatsApp, email and IVR workflows;
- technical data — IP addresses, device identifiers, log timestamps.
Purposes of processing
BillBasket processes personal data only on documented Customer instructions — namely:
- to provide and operate the Services in line with the Terms and Order Form;
- to comply with applicable law and regulatory obligations;
- to maintain security, prevent fraud, and respond to incidents.
Sub-processors
Customer grants general authorisation for BillBasket to engage sub-processors for cloud hosting, payment processing, communications, KYC bureaus, analytics, and support tooling. BillBasket will:
- maintain a current list available on request and post material additions with at least 30 days' notice;
- impose data-protection obligations on sub-processors no less onerous than this DPA;
- remain liable for sub-processor acts and omissions.
If Customer reasonably objects to a new sub-processor on data-protection grounds, the parties will work in good faith to address the objection; failing that, Customer may terminate the affected Service.
Security measures
BillBasket implements and maintains the technical and organisational measures described in the Annex and reviews them periodically.
Assistance with data-subject rights
BillBasket will, taking into account the nature of processing, provide reasonable assistance to Customer in responding to access, correction, erasure, restriction, portability, and objection requests received from data subjects. Requests received directly by BillBasket will be referred to Customer without undue delay.
Audits
BillBasket will make available the information necessary to demonstrate compliance with this DPA, including third-party certifications and audit summaries where available. Customer may, on reasonable prior notice and not more than once per year (except after a confirmed incident), conduct an audit limited in scope to compliance with this DPA, subject to confidentiality and security controls.
International transfers
Personal data is stored in India by default. Where any sub-processor processes limited data outside India, BillBasket relies on appropriate safeguards (standard contractual clauses or equivalent) and on Customer's instruction.
Personal-data breach
BillBasket will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer's personal data. The notification will include the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and mitigation measures taken or proposed. BillBasket will update Customer as the investigation progresses.
Return or deletion on termination
On termination, BillBasket will make Customer personal data available for export in a structured format for a window of at least 30 days (longer where required by the underlying agreement). After that window, BillBasket will delete remaining personal data within 90 days unless retention is required by applicable law, in which case the data is isolated and protected until lawful deletion.
Governing law
This DPA is governed by the laws of India and is subject to the dispute-resolution and jurisdiction terms of the underlying agreement.
Annex — security controls
- Encryption in transit (TLS 1.2 or higher) and at rest where applicable.
- Access control based on least privilege, MFA for administrative access, periodic access reviews.
- Authentication using strong passwords and modern token formats.
- Network security including WAF, rate limiting, and intrusion detection.
- Secure development with code review, dependency scanning, and segregation of environments.
- Backups performed regularly with periodic restore testing.
- Incident response with documented playbooks and on-call rotation.
- Personnel screened, trained, and bound by confidentiality.
- Physical hosting in vetted cloud regions with provider attestations (ISO 27001 / SOC 2).