DPA

Sign the DPA in one click.

The Data Processing Agreement covers everything GDPR Article 28 asks of a processor: roles, sub-processors, transfers, breach notification, and what happens to your data when you leave. No printing, no wet-signing.

Version 2.0 · effective 25 Feb 2026

How to sign.

The DPA is accepted electronically at dashboard.tagdrishti.com during account creation. Nothing to print, wet-sign, or email back. Enterprise customers can request a custom version if their procurement team needs one.

1. Parties and scope.

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Processor: TagDrishti Technologies, India (“TagDrishti”, “we”, “us”)
  • Data Controller: The customer entity that has accepted the TagDrishti Terms of Service (“Customer”, “you”)

The DPA covers the Personal Data that TagDrishti processes on your behalf while delivering the monitoring service. It supplements and is incorporated by reference into the Terms of Service; by accepting the Terms at signup or continuing to use the service after the date below, you accept this DPA without further action. A signed copy is available on request from [email protected] — we will counter-sign and return within five business days. Customers on the Enterprise tier receive a counter-signed PDF as part of activation; other tiers can request one at any time.

2. Definitions.

  • “Personal Data” means any information relating to an identified or identifiable natural person processed through the TagDrishti service on the Customer’s behalf.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • “Sub-processor” means any third party engaged by TagDrishti to process Personal Data.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament.
  • “DPDP” means the Digital Personal Data Protection Act, 2023 (India).

3. Nature and purpose of processing.

Purpose: Real-time GTM tag monitoring, security event detection, consent compliance tracking, Core Web Vitals measurement, and anomaly alerting.

Nature: Automated collection, storage, analysis, and presentation of tag event data from the Customer’s websites.

Duration: For the term of the Customer’s subscription, plus 30 days after termination so that you have time to export.

Types of Personal Data processed: Pseudonymised session identifiers, page paths with PII parameters stripped, device type, browser type, viewport dimensions, consent signals, Core Web Vitals measurements, and tag execution metadata.

Categories of data subjects: End users of the Customer’s websites.

4. Obligations of TagDrishti (processor).

TagDrishti agrees to:

  • Process Personal Data only on your documented instructions, including any transfer outside the EEA
  • Bind every person authorised to process Personal Data to confidentiality obligations
  • Maintain the technical and organisational security measures set out on our Security page
  • Respect the sub-processor conditions in Section 6 before adding or replacing any vendor
  • Assist you in responding to data subject rights requests
  • Assist you with your own security, breach notification, impact assessment, and prior consultation obligations
  • Delete or return all Personal Data at the end of the service and remove existing copies, unless the law requires us to hold them
  • Provide whatever information you need to evidence compliance with this DPA
  • Notify you without undue delay, and within 72 hours, after becoming aware of a Personal Data breach

5. Obligations of the customer (controller).

The Customer agrees to:

  • Maintain a valid legal basis for processing Personal Data through TagDrishti
  • Inform data subjects that GTM tags on their devices are being monitored
  • Not instruct TagDrishti to process Personal Data in a way that breaks applicable law
  • Stand behind the accuracy, quality, and legality of the Personal Data submitted to the service

6. Sub-processors.

The Customer grants general authorisation for TagDrishti to engage sub-processors. Any change to the list comes with 30 days’ notice and an opportunity to object before it takes effect.

Current sub-processors:

  • Google Cloud Platform: Cloud Run, BigQuery, Pub/Sub. Region: asia-south1. Purpose: Service hosting and data storage.
  • Supabase (via AWS): PostgreSQL database. Region: ap-south-1. Purpose: Application state storage.
  • Cloudflare, Inc.: CDN and network services. Purpose: Script delivery, DDoS protection, Worker proxy.
  • Paddle.com Market Ltd (UK): Merchant of Record. Purpose: Subscription billing, payment processing, and global tax collection only.
  • Resend, Inc.: Email delivery. Purpose: Alert and transactional email only.
  • Upstash, Inc.: Redis caching. Purpose: Performance caching of aggregated, non-personal dashboard data.

7. International data transfers.

TagDrishti runs region-isolated processing environments on Google Cloud Platform. At signup you choose from: europe-west1 (Belgium, EEA), us-central1 (Iowa, USA), or asia-south1 (Mumbai, India). Event data ingested on a regional endpoint sits in a BigQuery dataset physically located in that region, and only services in that region ever read it. Cross-region transfers do not happen in the normal course of processing.

EEA customers who select the Europe region keep their Personal Data inside the EEA, with no onward transfer to a third country. If an EEA customer picks Asia Pacific or United States, Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), are incorporated by reference into this DPA to cover the transfer of EU Personal Data outside the EEA.

8. Data subject rights assistance.

TagDrishti gives you concrete tooling so data subject requests do not turn into engineering projects:

  • DSAR Export: Dashboard → Settings → Data & Privacy → Export produces a JSON export of all data tied to a pseudonymous session ID
  • Erasure API: DELETE /api/consent/session/{session_hash} purges every row for that session from BigQuery within 24 hours
  • Bulk erasure: Available on request for Enterprise customers. Email [email protected]

9. Security measures.

The technical and organisational measures we run include TLS 1.3 in transit, AES-256 at rest, API key authentication with bcrypt hashing, tenant-level data isolation, role-based access control, API request logging with 30-day retention, and regular security reviews. The Security page has the full picture.

10. Breach notification.

If a Personal Data breach occurs, TagDrishti will notify you without undue delay and within 72 hours of becoming aware of it. The notice will include the nature of the breach, categories and approximate number of data subjects and records concerned, the name and contact point handling the response, likely consequences, and the measures taken or proposed.

11. Term and termination.

The DPA stays in force for the life of your subscription. On termination, TagDrishti deletes all Customer Personal Data within 30 days unless you request an export inside that window, or unless applicable law requires us to hold the data longer.

12. Governing law.

This DPA is governed by the laws of India. For EU customers, the Standard Contractual Clauses are governed by the law of the EU member state in which the Customer is established.

Sign this DPA.

The DPA is accepted electronically as part of account creation at dashboard.tagdrishti.com. Enterprise customers who need a custom DPA with wet signatures can reach us at [email protected].