Skip to main content
Codlinh10 — Multi-channel Business Messaging Platform

Data Processing Agreement

Last updated: July 11, 2026

This Data Processing Agreement (“DPA”) supplements the Codlinh10 Terms of Service and applies where Codlinh10 processes personal data on behalf of the Customer as a Data Processor under GDPR Article 28 and as a Data Processor under the Digital Personal Data Protection Act 2023. For a customised DPA for Enterprise contracts, contact legal@codlinh10.in.

1. Definitions

  • Controller / Data Fiduciary: The Customer, who determines the purposes and means of processing end-customer personal data.
  • Processor / Data Processor: Codlinh10, which processes personal data on behalf of the Customer.
  • Personal Data: Any information relating to an identified or identifiable natural person, including end-customers' names, phone numbers, and message content processed through the Codlinh10 platform.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • GDPR: EU General Data Protection Regulation 2016/679.
  • DPDP Act: India's Digital Personal Data Protection Act 2023.

2. Subject matter and duration

Codlinh10 processes personal data on behalf of the Customer for the duration of the subscription agreement. The subject matter of processing is the provision of the Codlinh10 business messaging platform, including WhatsApp message routing, contact management, analytics, and related features.

3. Nature and purpose of processing

Codlinh10 processes personal data to:

  • Route WhatsApp messages between the Customer's business account and end-customers
  • Store message history and contact records in the Customer's dashboard
  • Execute automated messaging workflows configured by the Customer
  • Provide analytics and reporting on messaging performance
  • Manage message template submission and approval tracking

4. Types of personal data processed

  • End-customer phone numbers (WhatsApp contact identifiers)
  • End-customer names and profile information (as provided by or synced from Customer)
  • Message content (text, images, documents, locations)
  • Message metadata (timestamps, delivery status, read receipts)
  • Custom contact attributes configured by Customer

5. Categories of data subjects

End-customers of the Customer who have opted in to receive WhatsApp communications from the Customer's business.

6. Instructions and compliance

Codlinh10 processes personal data only on documented instructions from the Customer (via platform configuration) and in accordance with this DPA and applicable law. Codlinh10 will inform the Customer if it believes an instruction infringes applicable data protection law.

7. Sub-processors

The Customer authorises Codlinh10 to engage the following sub-processors:

  • Meta Platforms, Inc. (USA): WhatsApp message routing and delivery infrastructure. Meta is a data controller for WhatsApp's own processing.
  • Vercel, Inc. (USA): Application hosting and infrastructure. Relevant data processed in accordance with Vercel's DPA.

Codlinh10 will notify the Customer of any intended changes to sub-processors (additions or replacements) with at least 30 days' notice, giving the Customer the opportunity to object. Codlinh10 remains liable for sub-processors' processing under this DPA.

8. Security measures

Codlinh10 implements the following technical and organisational security measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls (RBAC) with principle of least privilege
  • Mandatory multi-factor authentication for all staff with data access
  • Network-level access controls and WAF protection
  • Regular security assessments including dependency scanning
  • Employee access logging and monitoring
  • Background verification for staff with access to customer data
  • Incident response procedures as described in Section 11

9. Data subject rights assistance

Codlinh10 will assist the Customer in responding to data subject rights requests (access, rectification, erasure, portability, objection) within the platform's technical capabilities. The Customer is responsible for responding to data subjects directly. Codlinh10 will provide data deletion within 7 business days of a written deletion request from the Customer.

10. Data retention and deletion

Upon termination of the subscription, Codlinh10 will retain the Customer's data for 90 days to allow for export. After this period, data will be deleted within 30 days. The Customer may request earlier deletion by written request.

11. Data breach notification

Codlinh10 will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Customer's data. The notification will include: (a) nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed to address the breach.

12. Audits and inspections

Codlinh10 will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits and inspections conducted by the Customer or an auditor mandated by the Customer with reasonable prior notice (minimum 30 days). Audits may not unreasonably disrupt Codlinh10 operations or compromise other customers' data.

13. International data transfers

Customer data is primarily processed in India. Where personal data is transferred outside India (e.g., through sub-processors in the USA), Codlinh10 will ensure appropriate safeguards are in place as required by applicable data protection law, including standard contractual clauses where applicable.

14. Governing law

This DPA is governed by the laws of India, subject to the jurisdiction of courts in Pune, Maharashtra.

Contact for DPA matters

legal@codlinh10.in
CODLINH10 TECHNOLOGIES PRIVATE LIMITED, FLNO A/2-704, SNEHA VIHAR, SNO 82/10, SHIVANE, PUNE, Maharashtra 411023, India