1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Data Processor: TagDrishti Technologies, India ("TagDrishti", "we", "us")
- Data Controller: The customer entity that has accepted the TagDrishti Terms of Service ("Customer", "you")
This DPA governs the processing of Personal Data that TagDrishti performs on behalf of the Customer in connection with the TagDrishti monitoring service. It supplements and is incorporated into the Terms of Service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the TagDrishti service on the Customer's behalf.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Sub-processor" means any third party engaged by TagDrishti to process Personal Data.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament.
- "DPDP" means the Digital Personal Data Protection Act, 2023 (India).
3. Nature and Purpose of Processing
Purpose: Providing real-time GTM tag monitoring, security event detection, consent compliance tracking, Core Web Vitals measurement, and anomaly alerting.
Nature: Automated collection, storage, analysis, and presentation of tag event data from the Customer's websites.
Duration: For the term of the Customer's subscription, plus 30 days following termination (to allow for data export).
Types of Personal Data processed: Pseudonymised session identifiers, page paths (with PII parameters stripped), device type, browser type, viewport dimensions, consent signals, Core Web Vitals measurements, and tag execution metadata.
Categories of data subjects: End users of the Customer's websites.
4. Obligations of TagDrishti (Processor)
TagDrishti agrees to:
- Process Personal Data only on documented instructions from the Customer, including with regard to transfers outside the EEA
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational security measures as described in our Security page
- Respect the conditions for engaging sub-processors set out in Section 6
- Assist the Customer in responding to data subject rights requests
- Assist the Customer in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations
- Delete or return all Personal Data on request at the end of the service, and delete existing copies unless retention is required by law
- Provide all information necessary to demonstrate compliance with this DPA
- Notify the Customer without undue delay (and within 72 hours) after becoming aware of a Personal Data breach
5. Obligations of the Customer (Controller)
The Customer agrees to:
- Ensure there is a valid legal basis for the processing of Personal Data through TagDrishti
- Ensure that data subjects are informed about the monitoring of GTM tags on their devices
- Not instruct TagDrishti to process Personal Data in a way that violates applicable law
- Be responsible for the accuracy, quality, and legality of the Personal Data submitted to the service
6. Sub-processors
The Customer provides general authorisation for TagDrishti to engage sub-processors. TagDrishti will notify the Customer of any changes to its sub-processor list with 30 days' notice, providing opportunity to object.
Current sub-processors:
- Google Cloud Platform - Cloud Run, BigQuery, Pub/Sub. Region: asia-south1. Purpose: Service hosting and data storage.
- Supabase (via AWS) - PostgreSQL database. Region: ap-south-1. Purpose: Application state storage.
- Cloudflare, Inc. - CDN and network services. Purpose: Script delivery, DDoS protection, Worker proxy.
- Razorpay Software Pvt. Ltd. - Payment processing. Purpose: Subscription billing only.
- Resend, Inc. - Email delivery. Purpose: Alert and transactional email only.
- Upstash, Inc. - Redis caching. Purpose: Performance caching of aggregated (non-personal) dashboard data.
7. International Data Transfers
Processing primarily occurs in India (GCP asia-south1). For customers in the European Economic Area, Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), are incorporated by reference into this DPA for any transfer of EU Personal Data to India or other non-adequate countries.
8. Data Subject Rights Assistance
TagDrishti provides the following mechanisms to assist the Customer in fulfilling data subject rights:
- DSAR Export: Dashboard → Settings → Data & Privacy → Export - generates a JSON export of all data associated with a pseudonymous session ID
- Erasure API: DELETE /api/consent/session/{session_hash} - purges all data for a session from BigQuery within 24 hours
- Bulk erasure: Available on request for Enterprise customers - contact contact@tagdrishti.com
9. Security Measures
Technical and organisational measures implemented by TagDrishti include: TLS 1.3 encryption in transit, AES-256 encryption at rest, API key authentication with bcrypt hashing, tenant-level data isolation, role-based access control, API request logging (30-day retention), and regular security reviews. See Security page for full details.
10. Breach Notification
In the event of a Personal Data breach, TagDrishti will notify the Customer without undue delay and within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects concerned, categories and approximate number of records concerned, name and contact details of the DPO or contact point, likely consequences, and measures taken or proposed.
11. Term and Termination
This DPA remains in force for the duration of the Customer's subscription. On termination, TagDrishti will delete all Customer Personal Data within 30 days unless the Customer requests an export within that period, or unless retention is required by applicable law.
12. Governing Law
This DPA is governed by the laws of India. For EU customers, the Standard Contractual Clauses are governed by the law of the EU member state in which the Customer is established.
Sign This DPA
This DPA is accepted electronically as part of the account creation process at accounts.tagdrishti.com. For Enterprise customers requiring a custom DPA with wet signatures, contact contact@tagdrishti.com.