Skip to content

Data Processing Agreement

Last updated: 13 July 2026

On this page

Owned and provided by AIO Infinity Private Limited (parent company) Website: https://www.infiq.in Effective / Last Updated: 13 July 2026


Summary (non-binding). This Data Processing Agreement ("DPA") explains how InfiQ handles Personal Data on your behalf when you use the Service. Under it, you (the Customer) are the Controller / Data Fiduciary and decide why and how the Personal Data is processed; InfiQ is the Processor / Data Processor and acts only on your documented instructions. This DPA forms part of the Terms and describes our security measures, our use of Sub-processors, how we handle international transfers, how we respond to data-subject requests, how we notify you of a Personal Data Breach, and how we handle the return and retention of data when your subscription ends. The operative text below controls; this box does not.


1. Introduction and Incorporation

1.1 Parties

This DPA is entered into by and between:

  • AIO Infinity Private Limited, a company incorporated under the laws of India (CIN U62013MP2025PTC074108; GSTIN 23ABBCA9125H1ZX), having its registered office at 54, Old Subhash Nagar, Bhopal – 462023, Madhya Pradesh, India — the parent company that owns and provides the InfiQ WhatsApp Business API (CPaaS) platform ("InfiQ", "we", "us", "our", and, for the purposes of this DPA, the "Processor" / "Data Processor"); and
  • the Customer — the business or organisation that has registered for, subscribed to, or uses the Service (the "Customer", "you", "your", and, for the purposes of this DPA, the "Controller" / "Data Fiduciary").

Each is a "party" and together they are the "parties".

1.2 How this DPA is incorporated

This DPA is incorporated into, and forms an integral part of, the InfiQ Terms and Conditions published at https://www.infiq.in/terms (the "Terms"). By accepting the Terms, or by accessing or using the Service, the Customer accepts this DPA. No separate signature is required for this DPA to be binding; however, where a Customer requires a counter-signed copy (for example, to satisfy its own compliance or procurement requirements), it may request one at privacy@infiq.in, and InfiQ will make available a signable version referencing the Customer's account.

Capitalised terms used but not defined in this DPA have the meanings given to them in the Terms and in the shared definitions of the InfiQ legal suite (including "Platform", "Service", "Customer", "Authorised User", "End User", "Recipient", "Customer Data", "WhatsApp Business API", "Cloud API", "Meta", and "WABA").

1.3 Scope and applicability

This DPA applies to all Processing of Personal Data carried out by InfiQ on behalf of the Customer in the course of providing the Service, to the extent such Processing is subject to Applicable Data Protection Law (as defined in Section 2). Where InfiQ processes Personal Data that is not Customer Data — for example, account-administration data about the Customer's own personnel that InfiQ uses for its own billing, security, and product-improvement purposes — InfiQ acts as an independent Controller / Data Fiduciary for that limited Processing, and the InfiQ Privacy Policy (https://www.infiq.in/privacy-policy) governs it, not this DPA.

1.4 Order of precedence

In the event of any conflict or inconsistency between the documents referenced by, or forming part of, the contractual relationship between the parties, the following order of precedence applies on matters relating to the Processing and protection of Personal Data:

  1. the applicable Standard Contractual Clauses and the UK International Data Transfer Addendum (as described in Section 7), where and to the extent they apply;
  2. this DPA, including its Annexes;
  3. the Terms; and
  4. any other agreement, order form, or policy between the parties.

On all matters that do not relate to the Processing or protection of Personal Data, the Terms control. Except as expressly modified by this DPA, the Terms remain in full force and effect.

1.5 Duration

This DPA takes effect on the date the Customer first accepts the Terms or first uses the Service (whichever is earlier) and continues for as long as InfiQ Processes or retains Personal Data on behalf of the Customer, notwithstanding termination or expiry of the Terms, in accordance with Section 10.


2. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Where a term is defined differently under India's DPDP Act, the GDPR, and the CCPA/CPRA, the definitions are treated as equivalent and interchangeable to the extent required to give effect to each Applicable Data Protection Law.

Term Meaning
Applicable Data Protection Law All laws and regulations relating to the processing of Personal Data and privacy that apply to a party's Processing of Personal Data under this DPA, including, as applicable: (a) the Digital Personal Data Protection Act, 2023 of India and the rules made thereunder ("DPDP Act"); (b) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); (c) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 ("UK GDPR"); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its regulations ("CCPA/CPRA"); and (e) any other applicable privacy or data protection law, in each case as amended, superseded, or replaced from time to time.
Controller / Data Fiduciary The natural or legal person that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. "Data Fiduciary" is the corresponding term under the DPDP Act; "Business" is the corresponding term under the CCPA/CPRA. Under this DPA, the Customer is the Controller / Data Fiduciary / Business.
Processor / Data Processor The natural or legal person that Processes Personal Data on behalf of, and on the documented instructions of, the Controller. "Data Processor" is the corresponding term under the DPDP Act; "Service Provider" is the corresponding term under the CCPA/CPRA. Under this DPA, InfiQ is the Processor / Data Processor / Service Provider.
Data Subject / Data Principal The identified or identifiable natural person to whom the Personal Data relates. "Data Principal" is the corresponding term under the DPDP Act; "Consumer" is the corresponding term under the CCPA/CPRA.
Personal Data Any information relating to an identified or identifiable natural person (a Data Subject / Data Principal), and, to the extent it is broader, "personal data" under the DPDP Act and "personal information" under the CCPA/CPRA, in each case that is Processed by InfiQ on behalf of the Customer under this DPA.
Special Categories of Personal Data / Sensitive Personal Data Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data, biometric data processed for the purpose of uniquely identifying a natural person; data concerning health, sex life or sexual orientation; and any other category treated as sensitive under Applicable Data Protection Law.
Processing Any operation or set of operations performed on Personal Data, whether or not by automated means — such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. "Process", "Processes", and "Processed" are construed accordingly.
Sub-processor Any third party (including any InfiQ affiliate) engaged by InfiQ to Process Customer Data on InfiQ's behalf in connection with the provision of the Service. The current list of Sub-processors is maintained at https://www.infiq.in/subprocessors (see Section 6 and Annex III).
Personal Data Breach A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed under this DPA.
Standard Contractual Clauses / SCCs The Standard Contractual Clauses for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
UK IDTA / UK Addendum The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, as amended or replaced from time to time.
Data Privacy Framework / DPF The EU–US Data Privacy Framework, the UK Extension to the EU–US Data Privacy Framework, and the Swiss–US Data Privacy Framework, as administered by the U.S. Department of Commerce, together with the related principles, as amended or replaced from time to time.
Restricted Transfer A transfer of Personal Data that is subject to restrictions on cross-border transfer under Applicable Data Protection Law and that would be unlawful in the absence of a lawful transfer mechanism (such as the SCCs, the UK IDTA, an adequacy decision, or the DPF).

3. Roles and Scope of Processing

3.1 Roles of the parties

The parties acknowledge and agree that, with respect to the Processing of Customer Data under this DPA:

  • the Customer is the Controller / Data Fiduciary (and, where the Customer itself acts as a processor on behalf of a third-party controller, InfiQ is a sub-processor and the provisions of Module Three of the SCCs and the corresponding flow-down obligations apply); and
  • InfiQ is the Processor / Data Processor, Processing Customer Data solely on behalf of, and on the documented instructions of, the Customer.

Neither party purports to make the other its agent, and neither has authority to bind the other except as expressly set out in the Terms or this DPA.

3.2 Processing only on documented instructions

InfiQ will Process Customer Data only on the Customer's documented instructions, including with regard to Restricted Transfers, unless required to Process Customer Data by a law of the Union, a Member State, the United Kingdom, India, or another applicable jurisdiction to which InfiQ is subject. In such a case, InfiQ will (unless that law prohibits it on important grounds of public interest) inform the Customer of that legal requirement before Processing.

The Customer's documented instructions are constituted by:

  1. the Terms and this DPA, including the Annexes;
  2. the Customer's configuration and use of the Service through the dashboard, APIs, integrations, and settings (including the contacts it uploads, the templates it submits, the automations and chatbots it builds, and the messages it sends and receives); and
  3. any further written instructions the Customer gives from time to time (for example, by email to privacy@infiq.in), which InfiQ may treat as a chargeable change if they fall outside the scope of the Service or require material additional effort.

InfiQ will inform the Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Law; in that case, InfiQ may suspend performance of the affected instruction (without liability) until the Customer confirms, withdraws, or amends it. InfiQ is not responsible for advising the Customer on the requirements of Applicable Data Protection Law that apply to the Customer as Controller.

3.3 Details of Processing

The subject-matter, nature and purpose of the Processing, the types of Personal Data, the categories of Data Subjects, the duration, and the frequency of the Processing are set out in Annex I to this DPA.

3.4 Scope limitation

InfiQ will not Process Customer Data for any purpose other than performing its obligations under the Terms and this DPA and providing, securing, and supporting the Service, except as permitted or required by Applicable Data Protection Law. In particular, InfiQ will not "sell" or "share" Personal Data, and will not retain, use, or disclose Personal Data outside the direct business relationship with the Customer, as further described in the CCPA/CPRA Addendum in Section 13.


4. InfiQ (Processor) Obligations

InfiQ undertakes and warrants that, in respect of all Customer Data Processed under this DPA, it will:

4.1 Instructions

Process the Customer Data only on the Customer's documented instructions, as described in Section 3.2, including with regard to Restricted Transfers.

4.2 Confidentiality of personnel

Ensure that persons authorised to Process the Customer Data (its employees, contractors, and Authorised personnel) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to Customer Data is limited to those personnel who need it to provide, secure, and support the Service, on a strict need-to-know basis.

4.3 Security measures

Implement and maintain appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. The TOMs InfiQ maintains are described in Annex II. InfiQ may update the TOMs from time to time provided that the updates do not materially reduce the overall level of protection.

4.4 Sub-processing

Engage Sub-processors only in accordance with Section 6, flow down equivalent data-protection obligations, and remain fully liable to the Customer for the performance of each Sub-processor's obligations.

4.5 Assistance with Data-Subject requests

Taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising Data Subject / Data Principal rights under Applicable Data Protection Law, as further described in Section 8.

4.6 Assistance with compliance obligations

Assist the Customer in ensuring compliance with the Customer's obligations relating to:

  • security of Processing (Article 32 GDPR / equivalent DPDP Act and CCPA/CPRA obligations);
  • Personal Data Breach notification to supervisory authorities and communication to Data Subjects (Articles 33–34 GDPR / equivalent), as described in Section 9;
  • data protection impact assessments ("DPIAs", Article 35 GDPR / equivalent); and
  • prior consultation with supervisory authorities (Article 36 GDPR / equivalent),

in each case taking into account the nature of Processing and the information available to InfiQ. InfiQ may charge a reasonable fee for assistance that materially exceeds the standard functionality of the Service or requires significant additional effort, and will notify the Customer of any such fee in advance.

4.7 Compliance information and records

Make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in Applicable Data Protection Law, and maintain a written record of Processing activities carried out on behalf of the Customer, in accordance with Section 11 (Audits and Compliance).

4.8 Return and retention

Make Customer Data available to the Customer for export after the end of the provision of the Service, as described in Section 10. The Customer acknowledges that InfiQ does not provide automated deletion or purge and retains Customer Data for operational, record-keeping, and legal purposes, deleting it only to the extent strictly required by Applicable Data Protection Law, as described in Section 10.

4.9 No independent commercial use

Not use Customer Data to build or improve products or services for third parties, to create user profiles for InfiQ's own marketing, or for any purpose incompatible with providing the Service to the Customer. Aggregated, de-identified, or statistical data that does not identify the Customer, any Data Subject, or any End User, and that cannot reasonably be re-identified, is not Customer Data and may be used by InfiQ to operate, secure, analyse, and improve the Service.


5. Customer (Controller) Obligations

The Customer undertakes and warrants that, in respect of all Customer Data it (or its Authorised Users or End Users) submits to or Processes through the Service, it will:

Establish and maintain a valid lawful basis under Applicable Data Protection Law for the Processing of Customer Data through the Service, and obtain and maintain all necessary consents, opt-ins, notices, and authorisations from Data Subjects / Data Principals. In particular, and without limitation, the Customer is solely responsible for obtaining and keeping records of each WhatsApp Recipient's opt-in / prior consent to receive messages, as required by Applicable Data Protection Law, the InfiQ WhatsApp Messaging and Anti-Spam Policy (https://www.infiq.in/messaging-policy), and the Meta / WhatsApp policies (including the WhatsApp Business Messaging Policy). InfiQ does not obtain consent from End Users on the Customer's behalf.

5.2 Lawful and accurate instructions

Ensure that its instructions to InfiQ for the Processing of Customer Data comply with Applicable Data Protection Law, and that the Customer has the right to transfer, or provide access to, the Customer Data to InfiQ and its Sub-processors for Processing in accordance with this DPA.

5.3 Notices and transparency

Provide all notices and make all disclosures to Data Subjects / Data Principals required under Applicable Data Protection Law (including as to the engagement of InfiQ as a Processor and, where applicable, its Sub-processors, and as to any international transfer).

5.4 Data-subject requests as Controller

Be responsible, as Controller / Data Fiduciary / Business, for responding to and resolving requests from Data Subjects / Data Principals / Consumers to exercise their rights, with InfiQ providing assistance in accordance with Sections 4.5 and 8.

5.5 Restricted and special-category data

Not submit to the Service, and not instruct InfiQ to Process, any Special Categories of Personal Data except where the Customer has ensured an appropriate lawful basis and additional safeguards and has informed InfiQ in advance; and not use the Service to Process Personal Data in a manner that would require InfiQ to comply with obligations (such as sector-specific regulation) that fall outside the scope of the Service without InfiQ's prior written agreement. As noted in Annex I, the Service is not designed or intended for the Processing of Special Categories of Personal Data.

5.6 Security of its own environment

Maintain the security of its InfiQ account and credentials, configure the Service appropriately (including access controls and role-based permissions for its Authorised Users), and promptly notify InfiQ of any suspected compromise of its account.


6. Sub-processing

6.1 General written authorisation

The Customer grants InfiQ general written authorisation to engage Sub-processors to Process Customer Data in connection with the provision of the Service. InfiQ engages Sub-processors to provide core infrastructure and hosting (Amazon Web Services, Microsoft Azure, and Google Cloud), the WhatsApp / Meta messaging platform, payments (Zoho Payments and Razorpay), and other operational services such as email / notification delivery, analytics, monitoring, and customer-support tooling.

6.2 List of Sub-processors

InfiQ maintains a current list of its Sub-processors — including each Sub-processor's name, the Processing activity or purpose, and the Processing location — at:

https://www.infiq.in/subprocessors

This list is referenced in Annex III and is published as a separate document in the InfiQ legal suite ("Sub-processors"). The Customer can subscribe to change notifications as described on that page.

6.3 Notice of changes and right to object

Before InfiQ authorises any new Sub-processor to Process Customer Data, or replaces an existing Sub-processor, InfiQ will give the Customer at least ten (10) days' prior notice by updating the Sub-processors page and/or notifying Customers who have subscribed to change notifications. Within that notice period, the Customer may object to the new or replacement Sub-processor on reasonable data-protection grounds by writing to privacy@infiq.in with a description of its grounds.

If the Customer objects, the parties will work together in good faith to resolve the objection — for example, by InfiQ describing additional safeguards, offering an alternative configuration, or (where feasible) making the Service available without the objected-to Sub-processor. If the parties cannot resolve the objection within a reasonable period, the Customer may, as its sole and exclusive remedy, terminate the affected part of the Service by written notice, and InfiQ will refund any prepaid Subscription Fees for that affected part of the Service on a pro-rata basis for the unused portion of the then-current subscription term. Termination of the affected Service does not relieve the Customer of amounts already due, including Conversation Charges already incurred.

If the Customer does not object within the notice period, the Customer is deemed to have authorised the new or replacement Sub-processor.

6.4 Flow-down and continuing liability

Where InfiQ engages a Sub-processor, InfiQ will:

  • impose on the Sub-processor, by a written contract, data-protection obligations that are equivalent in substance to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures such that the Processing meets the requirements of Applicable Data Protection Law; and
  • remain fully liable to the Customer for the performance of that Sub-processor's data-protection obligations. Where a Sub-processor fails to fulfil its data-protection obligations, InfiQ remains liable to the Customer for the performance of those obligations, subject to the limitation of liability in Section 12.

6.5 Meta / WhatsApp

The Customer acknowledges that Meta Platforms, Inc. and its affiliates (including WhatsApp LLC) are an essential Sub-processor for the provision of the Service, because the Service operates on top of the WhatsApp Business API / Cloud API. Message content, media, and related metadata are Processed by Meta in accordance with the WhatsApp Business Data Processing Terms and the other Meta Terms. The Customer's use of the Service cannot be provided without this Processing by Meta; accordingly, an objection to Meta as a Sub-processor may, as a practical matter, only be resolved by termination of the affected Service under Section 6.3.


7. International Transfers

7.1 General

InfiQ is established in India and currently hosts and Processes all Customer Data in data centres located in India. InfiQ's infrastructure Sub-processors — Amazon Web Services, Microsoft Azure, and Google Cloud — are configured to use India data-centre regions, and the WhatsApp Business API / Meta Cloud API on which the Service operates is localised to India. The current Processing location for each Sub-processor is identified on the Sub-processors page.

Because InfiQ hosts in India, the Service does not, in the ordinary course, export Customer Data out of India. However, where a Customer (or a Controller on whose behalf the Customer acts) uses the Service to transfer Personal Data that is subject to the EU GDPR, the UK GDPR, or another Applicable Data Protection Law into India, that transfer may be a Restricted Transfer. For such transfers into India, the parties will ensure that an appropriate transfer mechanism under Applicable Data Protection Law — as set out in this Section 7 (EU SCCs, the UK IDTA, and/or the DPF) — is in place before the transfer takes place.

7.2 EU Standard Contractual Clauses

To the extent that the EU GDPR applies to a Restricted Transfer of Customer Data from the Customer (or a Controller on whose behalf the Customer acts) to InfiQ, the parties agree that the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 are hereby incorporated into this DPA by reference and apply as follows:

  • Module Two (Controller-to-Processor) applies where the Customer acts as Controller and InfiQ acts as Processor;
  • Module Three (Processor-to-Processor) applies where the Customer acts as a processor on behalf of a third-party controller and InfiQ acts as a sub-processor (including for any onward transfer to a Sub-processor);

with the following selections and completions:

SCC element Selection for this DPA
Clause 7 (Docking clause) Included / applies.
Clause 9 (Use of sub-processors) Option 2 — General written authorisation, with a minimum notice period of ten (10) days as set out in Section 6.3.
Clause 11 (Redress) The optional independent-dispute-resolution language is not used.
Clause 17 (Governing law) The SCCs are governed by the law of the EU Member State of the Customer's establishment; where the Customer is not established in an EU Member State, by the law of Ireland.
Clause 18 (Choice of forum and jurisdiction) The courts of the EU Member State determined under Clause 17; where that is Ireland, the courts of Ireland.
Annex I Completed by Annex I of this DPA (parties, Data Subjects, categories of data, purposes, retention). The competent supervisory authority is determined in accordance with Clause 13 and Annex I.C.
Annex II Completed by Annex II of this DPA (technical and organisational measures).
Annex III Completed by Annex III of this DPA and the Sub-processors page.

Where there is any conflict between the SCCs and this DPA, the SCCs prevail in respect of the Restricted Transfer they govern.

7.3 UK International Data Transfer Addendum

To the extent that the UK GDPR applies to a Restricted Transfer, the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner, is incorporated into this DPA by reference and applies to that transfer. For the purposes of the UK Addendum:

  • Table 1 (Parties) and Table 3 (Appendix Information) are completed by the information in Annex I, Annex II, and Annex III of this DPA;
  • Table 2 identifies the version of the EU SCCs to which the Addendum is appended (as set out in Section 7.2, Modules Two and Three, with the selections above); and
  • Table 4 — either party may end the Addendum as set out in Section 19 of the Addendum where the ICO issues a revised approved addendum.

Any queries regarding UK transfers may be directed to privacy@infiq.in.

7.4 EU–US / UK / Swiss Data Privacy Framework

Where a Sub-processor located in the United States is self-certified under the EU–US Data Privacy Framework, the UK Extension to it, and/or the Swiss–US Data Privacy Framework, the parties may rely on that Sub-processor's DPF certification as a valid transfer mechanism for the relevant Restricted Transfer, in addition to or instead of the SCCs, for so long as the certification remains valid. Any queries regarding EU transfers may be directed to privacy@infiq.in.

7.5 India — DPDP Act transfers

To the extent the DPDP Act applies, InfiQ will Process and transfer Personal Data in accordance with the DPDP Act and any restrictions the Central Government of India may notify on transfers of Personal Data to countries or territories outside India. If and when the Central Government notifies a list of restricted countries or additional conditions, InfiQ will comply with those conditions and, where necessary, adjust its Processing locations or Sub-processor arrangements accordingly.

7.6 Supplementary measures and government access

InfiQ will implement appropriate supplementary measures (such as encryption in transit and at rest, access controls, and internal policies for handling government or law-enforcement requests) to protect Personal Data that is subject to a Restricted Transfer. If InfiQ receives a legally binding request from a public authority for access to Customer Data, InfiQ will, unless legally prohibited, notify the Customer, review the legality of the request, challenge requests that are unlawful or overbroad, and disclose only the minimum amount of data legally required.


8. Assistance with Data-Subject / Data-Principal Requests

8.1 Forwarding requests

If InfiQ receives a request from a Data Subject / Data Principal / Consumer to exercise any of their rights under Applicable Data Protection Law (including rights of access, correction, rectification, erasure, restriction, portability, objection, withdrawal of consent, nomination, or grievance redressal, and rights to know, delete, correct, opt out of sale/sharing, or limit use of sensitive personal information) in respect of Customer Data, InfiQ will:

  • not respond to the request directly (except to acknowledge receipt and to direct the individual to the Customer, or as required by law), because the Customer is the Controller / Data Fiduciary / Business responsible for the request; and
  • promptly forward the request to the Customer, to the extent InfiQ can identify the relevant Customer.

8.2 Assistance and tooling

Taking into account the nature of the Processing, InfiQ will assist the Customer, by appropriate technical and organisational measures and insofar as possible, to fulfil the Customer's obligation to respond to such requests. In many cases the Customer can respond to requests directly using the self-service tools in the InfiQ dashboard and APIs (for example, to search, export, correct, or delete a contact and its message history). Where the Customer cannot fulfil a request through those tools, InfiQ will provide reasonable additional assistance on the Customer's documented instruction. InfiQ may charge a reasonable fee for assistance that materially exceeds standard functionality.

8.3 Records

InfiQ will maintain reasonable records of requests it forwards to the Customer and of the assistance it provides.


9. Personal Data Breach

9.1 Notification to the Customer

InfiQ will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data. Notification will be sent to the Customer's designated security or administrative contact (or, absent one, to the account owner's email address on file). A delay in notification will not be treated as "undue" to the extent it results from InfiQ's reasonable investigation to confirm the existence, nature, and scope of the incident.

9.2 Contents of the notice

To the extent known and available at the time of notification (and supplemented as further information becomes available), the notice will:

  • describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
  • provide a point of contact at InfiQ (privacy@infiq.in) from whom more information can be obtained;
  • describe the likely consequences of the Personal Data Breach; and
  • describe the measures taken or proposed to be taken by InfiQ to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Cooperation and remediation

InfiQ will:

  • take reasonable steps to contain, investigate, and remediate the Personal Data Breach and to mitigate its effects;
  • cooperate with the Customer and provide the Customer with reasonable information and assistance to enable the Customer to meet its own notification obligations to supervisory authorities (including the Data Protection Board of India, EEA/UK supervisory authorities, or US regulators) and to affected Data Subjects, within the timelines required by Applicable Data Protection Law; and
  • maintain a record of the Personal Data Breach, including the facts, its effects, and the remedial action taken.

9.4 No admission

InfiQ's notification of, or response to, a Personal Data Breach is not an acknowledgement by InfiQ of any fault or liability. The Customer is responsible for determining whether the Personal Data Breach requires notification to any supervisory authority or Data Subject and for making any such notification, unless Applicable Data Protection Law places that obligation directly on InfiQ.


10. Return and Retention of Data

10.1 During the term

Throughout the term, the Customer may access, export, and correct Customer Data using the self-service features of the Service. The Customer acknowledges that InfiQ does not provide an automated data-deletion or data-purge facility, and that Customer Data submitted to the Service is retained within the Service as described in this Section 10 and in Annex I.

10.2 On termination — export window

On termination or expiry of the Terms (or of the affected Service), the Customer may, for a reasonable period, request and export its Customer Data in a commonly used, machine-readable format using the Service's export tools or by written request to privacy@infiq.in. InfiQ will make Customer Data available for export during this period, subject to the Customer's account being in good standing and any outstanding fees having been paid, except where withholding data for non-payment would be unlawful.

10.3 Retention — no routine deletion or purge

InfiQ does not routinely delete or purge Customer Data and does not provide automated deletion. Following termination or expiry, Customer Data is retained for the life of the account and thereafter for legitimate operational, record-keeping, audit, security, dispute-resolution, and legal-compliance purposes. InfiQ may continue to retain Customer Data on this basis. Retained Customer Data is not actively Processed for any purpose other than those set out above and remains protected by the technical and organisational measures in Annex II and by the confidentiality and use restrictions in this DPA.

10.4 Deletion only where strictly required by law

InfiQ will delete or de-identify Customer Data only to the extent strictly required by applicable law, or where InfiQ otherwise elects to do so on a specific, verified, written instruction that InfiQ agrees to action. Where deletion is required by law, InfiQ will delete the relevant Customer Data within the timeframe required by that law and, where the data cannot be fully deleted (for example, residual copies held in encrypted backups), will protect the confidentiality of, and cease active Processing of, the retained data until it is overwritten in the ordinary course.

10.5 Sub-processors and Meta

Retention and deletion of Customer Data held by InfiQ's Sub-processors follow the same position, subject to each Sub-processor's own retention practices. The Customer acknowledges that retention and deletion of message content and related data held by Meta / WhatsApp is governed by the Meta Terms and Meta's own retention practices, which are outside InfiQ's control.


11. Audits and Compliance

11.1 Demonstrating compliance

InfiQ will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, in accordance with this Section 11.

11.2 Audit reports and certifications

The Customer agrees that, in the first instance, InfiQ may satisfy the audit obligation by providing third-party audit reports, certifications, and summaries, such as ISO/IEC 27001 certification or SOC 2 reports where InfiQ holds them, together with a description of its technical and organisational measures (Annex II).

Where InfiQ does not hold a particular certification or report, it will, on request, provide a completed security questionnaire, a description of its technical and organisational measures (Annex II), and other reasonable evidence of its security posture.

11.3 On-site and additional audits

Where the audit reports and information described in Section 11.2 are not sufficient to demonstrate compliance, or where a supervisory authority requires it, the Customer (or its mandated auditor) may conduct an audit or inspection of InfiQ's relevant facilities, systems, and records, subject to the following conditions:

  • the Customer gives reasonable prior written notice (at least thirty (30) days, except where Applicable Data Protection Law or a supervisory authority requires shorter notice, or in the case of a confirmed Personal Data Breach);
  • audits take place during normal business hours, no more than once per twelve (12) month period (except where required by a supervisory authority or following a Personal Data Breach), and in a manner that does not unreasonably disrupt InfiQ's business or compromise the security or confidentiality of other customers' data;
  • the auditor and the Customer are bound by appropriate confidentiality obligations, and the auditor is not a competitor of InfiQ; and
  • the Customer bears its own and InfiQ's reasonable costs of the audit, except where the audit reveals a material breach by InfiQ of this DPA, in which case InfiQ bears its own costs.

11.4 Records of Processing

InfiQ will maintain a written record of the categories of Processing activities carried out on behalf of the Customer, as required by Applicable Data Protection Law, and will make relevant parts available to the Customer or a supervisory authority on reasonable request.


12. Liability

12.1 Limitation of liability

Each party's liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, is subject to, and counts toward, the limitations and exclusions of liability set out in the Terms. The existence of more than one claim under the Terms and/or this DPA does not enlarge that limit. Nothing in this DPA limits or excludes either party's liability to the extent that such liability cannot be limited or excluded under Applicable Data Protection Law (including the direct statutory rights of Data Subjects).

12.2 Allocation between the parties

As between the parties, each party is responsible for the portion of any damage, cost, or liability that corresponds to its own responsibility for the underlying breach of Applicable Data Protection Law. Where InfiQ has paid compensation for damage caused by Processing, it is entitled to claim back from the Customer that part of the compensation corresponding to the Customer's responsibility, and vice versa.


13. CCPA / CPRA Addendum

This Section 13 applies to the extent InfiQ Processes Personal Data that is subject to the CCPA/CPRA on behalf of the Customer. Terms used in this Section that are defined in the CCPA/CPRA have the meanings given to them there.

13.1 Service Provider status

The parties acknowledge and agree that, with respect to Personal Data subject to the CCPA/CPRA, the Customer is a Business and InfiQ is a Service Provider. InfiQ Processes such Personal Data only for the business purpose(s) of providing the Service as set out in the Terms, this DPA, and Annex I, and pursuant to the Customer's written instructions.

13.2 No sale or sharing

InfiQ will not:

  • sell or share (as those terms are defined in the CCPA/CPRA) the Personal Data;
  • retain, use, or disclose the Personal Data for any purpose other than the specific business purpose of performing the Service, or as otherwise permitted by the CCPA/CPRA;
  • retain, use, or disclose the Personal Data outside the direct business relationship between InfiQ and the Customer; or
  • combine the Personal Data with personal information InfiQ receives from other sources, except as permitted by the CCPA/CPRA for a Service Provider.

13.3 Certification

InfiQ certifies that it understands the restrictions in this Section 13 and will comply with them.

13.4 Assistance and rights

InfiQ will assist the Customer in responding to verifiable consumer requests (to know, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information) in accordance with Section 8, and will notify the Customer if InfiQ determines it can no longer meet its obligations as a Service Provider under the CCPA/CPRA. The Customer may take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Data.


14. Term, Termination, and General

14.1 Term

This DPA is effective and continues as described in Section 1.5. Termination or expiry of the Terms automatically terminates this DPA, except that provisions that by their nature should survive (including Sections 10, 11, 12, and this Section 14) survive.

14.2 Amendments

InfiQ may amend this DPA from time to time (a) to reflect changes in Applicable Data Protection Law or the requirements of a supervisory authority; (b) to reflect changes in the SCCs, the UK IDTA, the DPF, or other approved transfer mechanisms; or (c) where the amendment does not materially reduce the protections in this DPA. InfiQ will post the updated DPA at https://www.infiq.in/dpa and update the "Effective / Last Updated" date. Continued use of the Service after the effective date constitutes acceptance.

14.3 Severability

If any provision of this DPA is held invalid or unenforceable, the remainder continues in full force, and the invalid provision is replaced by a valid provision that most closely reflects the parties' intent.

14.4 Governing law and dispute resolution

Except where the SCCs, the UK IDTA, or Applicable Data Protection Law require otherwise (see Section 7), this DPA is governed by the laws of India. The parties will first try to resolve any dispute amicably within thirty (30) days of written notice. Failing that, the dispute will be referred to arbitration by a sole arbitrator under the Arbitration and Conciliation Act, 1996, seated in Bhopal, Madhya Pradesh, India, conducted in English. Subject to arbitration, the courts at Bhopal, Madhya Pradesh, India have exclusive jurisdiction. This clause is aligned with the governing-law clause in the Terms.

14.5 Entire agreement

This DPA, together with the Terms and (where applicable) the SCCs and UK IDTA, constitutes the entire agreement between the parties on the subject matter of the Processing of Customer Data and supersedes any prior data-processing terms between them.


Annex I — Details of Processing

A. List of parties

Role Details
Data Exporter / Controller / Data Fiduciary The Customer — the business or organisation identified in the InfiQ account and the Terms. Activities relevant to the transfer: use of the InfiQ Service to communicate with, and manage relationships with, its End Users / Recipients over the WhatsApp Business API. Role: Controller (or processor, where acting on behalf of a third-party controller). Contact: the account owner / privacy contact designated in the InfiQ account.
Data Importer / Processor / Data Processor AIO Infinity Private Limited (InfiQ) — the parent company that owns and provides InfiQ — 54, Old Subhash Nagar, Bhopal – 462023, Madhya Pradesh, India. Activities relevant to the transfer: providing the InfiQ WhatsApp Business API (CPaaS) Platform, including the dashboard, team inbox, broadcast and campaign tools, chatbot / automation builder, APIs, and related features, hosted in India. Role: Processor (or sub-processor, where the Customer is a processor). Contact: privacy@infiq.in.

B. Categories of Data Subjects

The Personal Data Processed concerns the following categories of Data Subjects / Data Principals:

  • the Customer's End Users / Recipients — the individuals (contacts, leads, and customers) with whom the Customer communicates through the Service over WhatsApp; and
  • the Customer's Authorised Users — the individuals (employees, agents, contractors) the Customer permits to access and operate its InfiQ account.

C. Categories of Personal Data

Category Examples
Contact and identity data Names, WhatsApp phone numbers, and other phone numbers; email addresses; contact-list attributes, tags, and custom fields the Customer maintains.
WhatsApp message content and media The text of messages sent and received; images, audio, video, documents, stickers, location, and contact cards; template messages and their variable content; interactive message components (buttons, lists).
Metadata Message timestamps; delivery, sent, read, and failure statuses; conversation and session identifiers; message and template IDs; WABA and phone-number identifiers; quality-rating and messaging-limit signals.
Profile information WhatsApp profile name and, where shared, profile attributes; language and locale; opt-in / opt-out status and consent records the Customer stores.
Authorised-User account data Names, email addresses, phone numbers, role / permission assignments, and activity logs of the Customer's Authorised Users within the account.
Customer-defined data Any additional Personal Data the Customer chooses to submit to the Service through fields, attributes, uploads, integrations, or API calls.

D. Special Categories of Personal Data

None intended. The Service is not designed or intended for the Processing of Special Categories of Personal Data. The Customer is responsible for not submitting such data unless it has ensured an appropriate lawful basis and additional safeguards and has informed InfiQ in advance (see Section 5.5). To the extent any Special Categories of Personal Data are nonetheless contained within message content submitted by the Customer or its End Users, they are subject to the TOMs in Annex II.

E. Nature and purpose of the Processing

The nature of the Processing includes collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, routing, display, and (on instruction) deletion of Customer Data. The purpose is to provide, operate, secure, support, and maintain the InfiQ Service — namely to enable the Customer to send, receive, route, automate, and manage WhatsApp Business API communications with its End Users, to manage its contacts and campaigns, to operate chatbots and automations, and to access analytics and support — all on the documented instructions of the Customer.

F. Duration of the Processing

For the duration of the provision of the Service to the Customer under the Terms, and thereafter for the life of the account and for so long as InfiQ retains Customer Data as described in Section 10. InfiQ does not provide automated deletion or purge and retains Customer Data for operational, record-keeping, and legal purposes; deletion occurs only to the extent strictly required by Applicable Data Protection Law.

G. Frequency of the transfer

Continuous — Personal Data is transferred and Processed on an ongoing basis for as long as the Customer uses the Service.

H. Competent supervisory authority (SCCs, where applicable)

Determined in accordance with Clause 13 of the SCCs — the supervisory authority of the EU Member State in which the Customer (or its EU representative) is established, or, where the Customer is not established in the EU but has designated an EU representative under Article 27 GDPR, the supervisory authority of that Member State. For UK transfers, the UK Information Commissioner's Office (ICO).


Annex II — Technical and Organisational Measures (TOMs)

InfiQ implements and maintains the following technical and organisational security measures, which it may update from time to time provided the overall level of protection is not materially reduced. These measures also complete Annex II of the SCCs and the corresponding table of the UK IDTA.

# Measure Description
1 Encryption in transit All data transmitted between the Customer, the Service, and Sub-processors is encrypted using TLS 1.2 or TLS 1.3. Legacy and insecure protocols and cipher suites are disabled. WhatsApp message transport additionally relies on Meta's transport security.
2 Encrypted databases and storage (industry standards) Customer Data stored in databases, object storage, and backups is encrypted at rest to industry standards using AES-256 (or equivalent), and data in transit to and from those databases is protected using TLS 1.2 / 1.3. InfiQ's databases are encrypted to industry standards. Encryption keys are managed through a dedicated key-management service with restricted access and periodic rotation.
3 Access control and RBAC Access to Customer Data is governed by the principle of least privilege and role-based access control (RBAC). Access is granted on a need-to-know basis, reviewed periodically, and revoked promptly on role change or termination. Within the Customer's account, the Customer administers roles and permissions for its Authorised Users.
4 Multi-factor authentication (MFA) MFA is enforced for InfiQ personnel accessing production systems and administrative interfaces, and MFA / two-factor authentication is required for Customers and their Authorised Users for account access.
5 Network security Production systems are segmented within a virtual private cloud (VPC) protected by firewalls, security groups, and network access-control lists. Administrative access is restricted to hardened bastions / VPNs. Public exposure of internal services is minimised.
6 Logging and monitoring Security-relevant events, access to Customer Data, and administrative actions are logged, centralised, and monitored. Alerting is configured for anomalous or suspicious activity. Logs are retained for a defined period and protected against tampering.
7 Secure software development (SDLC) InfiQ follows a secure development lifecycle, including code review, dependency management, secrets management, separation of development / staging / production environments, and change-management controls.
8 Vulnerability and patch management InfiQ performs vulnerability scanning, applies security patches on a risk-prioritised basis, and conducts (or commissions) periodic penetration testing. Identified vulnerabilities are tracked to remediation.
9 Backups and disaster recovery Customer Data is backed up on a regular schedule, with backups encrypted (measure 2). InfiQ maintains business-continuity and disaster-recovery processes with defined recovery objectives, and tests restoration periodically.
10 Personnel security, training, and confidentiality Personnel are subject to confidentiality obligations, receive data-protection and security-awareness training, and are subject to appropriate background checks where lawful. Access is provisioned and de-provisioned through a controlled process.
11 Physical security of data centres (India) Customer Data is hosted in data centres located in India operated by reputable cloud providers (Amazon Web Services, Microsoft Azure, and Google Cloud — see the Sub-processors page) that maintain physical-security controls such as 24×7 monitoring, access control, environmental controls, and recognised certifications (e.g., ISO 27001, SOC 2). InfiQ does not operate its own data centres for the Service.
12 Incident response InfiQ maintains a documented incident-response plan covering detection, triage, containment, eradication, recovery, notification (Section 9), and post-incident review.
13 Data minimisation and segregation The Service is designed to Process only the Customer Data necessary to provide it. Customer environments are logically segregated so that one Customer cannot access another Customer's data.
14 Pseudonymisation / de-identification Where appropriate and feasible, InfiQ uses pseudonymisation or de-identification (for example, for analytics and product-improvement data that is aggregated and cannot reasonably be re-identified).
15 Vendor / Sub-processor management InfiQ assesses the security posture of Sub-processors before engagement and imposes equivalent data-protection and security obligations by contract (Section 6.4).

Annex III — Sub-processors

InfiQ engages Sub-processors to provide the Service, as authorised in Section 6. The current list of Sub-processors — including each Sub-processor's name, purpose / Processing activity, and Processing location — is maintained as a separate, living document in the InfiQ legal suite and published at:

https://www.infiq.in/subprocessors

That page is incorporated into this DPA by reference and constitutes Annex III. It includes, at a minimum, the following categories, all currently Processing in India: Cloud & Hosting (Amazon Web Services, Microsoft Azure, and Google Cloud); the Messaging Platform (Meta Platforms, Inc. / WhatsApp LLC — WhatsApp Business API / Cloud API, localised to India); Payments (Zoho Payments and Razorpay); and other operational services (such as email / notification delivery, analytics, monitoring, and customer-support tooling). Customers may subscribe to change notifications and exercise the objection right described in Section 6.3 via that page or by writing to privacy@infiq.in.


Contact

For any questions, requests, or notices relating to this DPA or to data protection at InfiQ, contact:

Purpose Contact
Privacy / data requests privacy@infiq.in
Support support@infiq.in
Phone 022-69621762 (Monday–Friday, 10:00 AM–5:00 PM IST)
Postal AIO Infinity Private Limited (InfiQ), 54, Old Subhash Nagar, Bhopal – 462023, Madhya Pradesh, India
Website https://www.infiq.in