Data Processing Agreement
Effective June 26, 2026 · Last updated June 26, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Paramount Tech Network OPC Private Limited ("Paramount", "Processor") and the customer that has agreed to those Terms ("Customer", "Controller"). It applies to the extent Paramount processes personal data subject to the GDPR, the UK GDPR, or other applicable data protection laws on Customer's behalf in connection with the Captivar service (the "Service").
Where Customer is itself a processor for an end client (for example, a digital agency acting on behalf of its own customer), Customer accepts this DPA as a processor and Paramount accepts the role of sub-processor. The provisions of this DPA apply accordingly.
1. Definitions
Terms used in this DPA have the meanings given to them in the GDPR. In addition:
- —"GDPR" means Regulation (EU) 2016/679 and, as the context requires, the UK GDPR.
- —"Customer Personal Data" means personal data Paramount processes on Customer's behalf in connection with the Service.
- —"SCCs" means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914.
- —"Sub-processor" means any third party engaged by Paramount to process Customer Personal Data.
2. Roles and scope
Customer is the controller (or processor on behalf of its own controller) of Customer Personal Data. Paramount is the processor (or sub-processor) and will process Customer Personal Data only on documented instructions from Customer as set out in this DPA, the Terms of Service, and any further instructions given through the Service.
The subject matter, duration, nature and purpose of processing, the categories of data subjects, and the categories of personal data are set out in Annex I. The technical and organizational measures applied by Paramount are set out in Annex II. The current list of sub-processors is set out in Annex III and is also maintained at captivar.com/sub-processors.
3. Paramount's obligations
Paramount will:
- —Process Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, except where required by law (and in that case, will inform Customer of the legal requirement before processing unless prohibited from doing so)
- —Ensure persons authorized to process Customer Personal Data are subject to confidentiality obligations
- —Implement the technical and organizational measures set out in Annex II and review them periodically
- —Assist Customer in responding to data subject rights requests under Articles 15–22 of the GDPR, taking into account the nature of the processing
- —Assist Customer in complying with its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to Paramount
- —On termination, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, except where storage is required by law
- —Make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits (including inspections) conducted by Customer or a mandated auditor, subject to reasonable confidentiality and operational protections
4. Sub-processors
Customer provides general authorization for Paramount to engage the sub-processors listed in Annex III. Paramount will inform Customer of any intended addition or replacement of sub-processors at least 30 days in advance via the sub-processors page at captivar.com/sub-processors and, where Customer has subscribed, by email. Customer may object to such changes on reasonable data protection grounds within that notice period. If the parties cannot agree on a resolution, Customer may terminate the Service with respect to the affected processing.
Paramount will impose on each sub-processor data protection obligations no less protective than those in this DPA and remains fully liable to Customer for the performance of those sub-processors.
5. International data transfers
To the extent Customer Personal Data subject to the GDPR is transferred to a country outside the EEA that is not the subject of an adequacy decision, the parties agree that:
- —Where Customer is a controller and Paramount is the processor: SCCs Module 2 (controller-to-processor) are incorporated by reference into this DPA, with Customer as data exporter and Paramount as data importer.
- —Where Customer is itself a processor and Paramount is the sub-processor: SCCs Module 3 (processor-to-processor) are incorporated by reference, with Customer as data exporter and Paramount as data importer.
For the purposes of the SCCs, the optional clauses are selected as follows: docking clause (Clause 7) — included; option for general authorization of sub-processors (Clause 9(a)) — selected, with the 30-day notice period set out in Section 4; option 1 of Clause 17 — Indian law does not apply to the SCCs themselves, which are governed by the law of the EU Member State in which Customer's lead supervisory authority is located, or in absence of one, Ireland; competent court under Clause 18 — the courts of the same jurisdiction.
For UK transfers, the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018 ("UK IDTA") is incorporated by reference and applies in addition to the SCCs.
A summary Transfer Impact Assessment is available to Customer on request.
6. Personal data breach
Paramount will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) of the GDPR to the extent known. Paramount will cooperate with Customer in investigating and mitigating the breach.
7. Audit rights
Customer may, at its expense and no more than once per calendar year (unless a personal data breach has occurred, or a supervisory authority requires more frequent audit), audit Paramount's compliance with this DPA on reasonable prior written notice. Audits will be conducted during normal business hours, will not unreasonably disrupt Paramount's operations, and will be subject to confidentiality undertakings. As an alternative to on-site audit, Paramount may satisfy this obligation by providing relevant third-party attestations, security questionnaires, or written summaries of its controls.
8. Term and termination
This DPA applies for the duration of Paramount's processing of Customer Personal Data and survives termination of the Terms of Service to the extent and for the period that Paramount continues to hold Customer Personal Data.
9. Order of precedence and miscellaneous
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
This DPA may be updated by Paramount from time to time. Material changes will be notified to active Customers by email at least 14 days before they take effect.
10. Signature and acceptance
Customer accepts this DPA by:
- —Subscribing to the Service through the captivar.com signup flow (click-through acceptance), or
- —Counter-signing the DPA document available on request at [email protected]
Customers who require a counter-signed PDF of this DPA for their records may request one from the address above.
Annex I — Description of processing
- —Subject matter: provision of the Captivar service — visitor tracking, lead capture, AI receptionist, booking, chat, and related analytics — to Customer.
- —Duration: the term of Customer's subscription, plus the retention periods set out in the Privacy Policy and the Service.
- —Nature and purpose: hosting, storing, retrieving, analyzing, and presenting personal data submitted by Customer or collected from Customer's website visitors, to provide the Service to Customer.
- —Categories of data subjects: Customer's employees and authorized users; visitors of websites on which Customer has installed the Service; individuals who submit forms, chat messages, or booking requests through the Service.
- —Categories of personal data: identification (name, email, phone, business name), authentication (hashed passwords, login times, IP), online identifiers (cookie ID, device, browser, OS), location (approximate from IP), interaction data (pages viewed, sessions, form submissions, chat transcripts, booking metadata), billing metadata (no card numbers).
- —Special categories (Article 9): Customer must not submit special-category data to the Service without prior written agreement with Paramount.
- —Frequency: continuous, in line with Customer's use of the Service.
Annex II — Technical and organizational measures
Paramount implements the following measures to ensure a level of security appropriate to the risk:
- —Encryption in transit: TLS on all customer-facing connections, terminated by our CDN.
- —Encryption at rest: backups are encrypted at rest via the storage provider's server-side encryption; database storage runs on dedicated infrastructure with provider-managed disk encryption.
- —Access control: production system access is restricted to a small number of authorized personnel, authenticated using SSH keys; administrative accounts on critical third-party services are protected by multi-factor authentication.
- —Account security: passwords stored as one-way hashes using an industry-standard algorithm; two-factor authentication available for customer accounts; session tokens with defined expiry.
- —Audit logging: sensitive administrative actions (account deletion, bulk export, security-policy changes) logged with actor, timestamp, and IP.
- —Network security: firewall rules permit only required ports; rate limiting at application and CDN layer; WAF protection via our CDN.
- —Backups: hourly (7-day), daily (30-day), and weekly (12-week) retention; automatic pruning of expired backups.
- —Breach response: documented incident response procedure with notification within 72 hours of awareness of a personal data breach.
- —Personnel: all personnel with access to Customer Personal Data are bound by confidentiality undertakings.
- —Software hygiene: dependencies reviewed and updated on a regular schedule; security-relevant code changes undergo additional review.
Annex III — Sub-processors
The current list of authorized sub-processors, including the role, country, and transfer mechanism for each, is published at captivar.com/sub-processors. That page also forms Annex III to this DPA.
Contact
DPA execution, audit requests, and data-protection inquiries: [email protected]
Paramount Tech Network OPC Private Limited, Panache Villa, 14 B, Vivekanand Nagar, Kohka, Bhilai, Chhattisgarh 490023, India.