Data Processing Agreement (DPA)
Effective Date: 9 May 2025
This Data Processing Agreement (“DPA”) is entered into between the Client (the “Controller”) and VivaConnect Private Limited, operating the Helo.ai communications platform (the “Processor”). This DPA forms an integral part of the Terms and Conditions or any other master service agreement entered into between the Parties (collectively, the “Principal Agreement”).
This DPA governs the Processor’s processing of Personal Data on behalf of the Controller in compliance with applicable data protection laws, including the Information Technology Act, 2000 and Rules thereunder, and where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and any other relevant international privacy regulations.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
- "Controller": The entity that determines the purposes and means of the processing of Personal Data.
- "Processor": VivaConnect Private Limited (Helo.ai), which processes Personal Data on behalf of the Controller.
- "Personal Data": Any information relating to an identified or identifiable natural person (“Data Subject”).
- "Data Subject": An individual whose Personal Data is being processed.
- "Processing": Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, storage, access, transmission, erasure, or destruction.
- "Subprocessor": A third party appointed by the Processor to process Personal Data on its behalf.
- "Applicable Data Protection Laws": Any laws and regulations applicable to the processing of Personal Data under this DPA.
2. Purpose and Scope of Processing
The Processor shall process Personal Data strictly for the following purposes:
- Facilitating multichannel communications via WhatsApp, RCS, SMS, Email, and Voice;
- Managing customer engagement campaigns and chatbot automation;
- Tracking and reporting on message delivery, interaction, and analytics;
- Providing infrastructure, technical support, and diagnostic services.
No Processing shall occur for purposes other than those explicitly documented by the Controller.
3. Duration
This DPA shall remain in effect for the duration of the Principal Agreement or for as long as the Processor continues to process Personal Data on behalf of the Controller, whichever is longer. Termination of this DPA does not relieve either party of its obligations under applicable law.
4. Categories of Personal Data and Data Subjects
Personal Data Categories:
- Mobile phone numbers;
- Message content (including bot responses);
- Metadata such as timestamps, channel identifiers, and delivery status;
- Email addresses (where applicable);
- Communication logs and associated diagnostics.
The Processor shall not intentionally collect or process sensitive personal data (e.g., health, biometric, or financial data) unless explicitly instructed and justified by the Controller.
Data Subjects:
- End users or consumers receiving communications through the Controller’s campaigns;
- Business contacts of the Controller (e.g., clients, agents, affiliates).
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller;
- Ensure that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations;
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Assist the Controller in meeting its obligations concerning Data Subject rights, data breach notification, and impact assessments;
- Notify the Controller without undue delay (no later than 72 hours) upon becoming aware of a Personal Data Breach;
- Maintain up-to-date records of processing activities where required by applicable laws.
6. Technical and Organizational Security Measures
The Processor shall maintain comprehensive security controls consistent with ISO/IEC 27001 standards, including but not limited to:
- Encryption of Personal Data in transit and at rest;
- Access control mechanisms (RBAC and MFA);
- Firewall protection, end-point monitoring, and intrusion detection systems;
- Regular internal audits, risk assessments, and vulnerability testing;
- Incident management procedures and disaster recovery plans.
7. Use of Subprocessors
The Controller authorizes the Processor to engage Subprocessors for the delivery of the Services. Current Subprocessors include:
- Telecom operators registered under India’s DLT framework;
- Cloud hosting providers such as Amazon Web Services (AWS) India;
- Messaging channel providers (e.g., Meta Platforms, Google RCS).
Each Subprocessor shall be bound by written agreements that ensure equivalent data protection standards. A current list is maintained in the [Subprocessor List] and may be updated with prior written notice to the Controller.
8. Data Transfers
All Personal Data shall be stored and processed within the territory of India, unless international transfers are requested or approved in writing by the Controller. In such cases, the Processor shall:
- Implement appropriate legal safeguards (e.g., Standard Contractual Clauses, Data Processing Addendums);
- Ensure that any international transfer complies with the Controller’s compliance requirements and local regulations;
- Maintain documentation demonstrating the basis of transfer.
9. Data Subject Rights Assistance
The Processor shall provide reasonable cooperation to enable the Controller to fulfill its obligations concerning requests from Data Subjects, including but not limited to:
- Right to access, rectify, or erase their data;
- Right to restrict or object to processing;
- Right to data portability (where applicable).
If the Processor directly receives such a request, it shall promptly forward the request to the Controller without responding to the Data Subject, unless legally compelled to do so.
10. Audit and Inspection Rights
The Controller may, at its own expense and with reasonable notice, conduct audits (including remote security reviews and on-site inspections) to verify compliance with this DPA.
The Processor agrees to:
- Cooperate fully with the audit process;
- Provide access to relevant documentation, systems, or personnel;
- Address any findings of non-compliance in a commercially reasonable manner.
Audit frequency is limited to once per calendar year unless required by law or in the event of a security breach.
11. Return and Deletion of Data
Upon termination of the Principal Agreement or at the written request of the Controller, the Processor shall, at the Controller’s discretion:
- Return all Personal Data in a structured, commonly used format; or
- Securely delete all Personal Data and provide written certification of deletion.
The Processor may retain data solely to the extent and for the duration required under applicable legal or regulatory obligations.
12. Liability and Indemnification
Liability arising under this DPA shall be governed by the terms of the Principal Agreement. The Processor shall be liable for damages arising from:
- Processing activities outside the scope of this DPA;
- Non-compliance with applicable data protection laws;
- Breach of confidentiality or security obligations.
Each Party agrees to indemnify the other for any claims arising out of its breach of this DPA.
13. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of India. The courts located in Mumbai, Maharashtra shall have exclusive jurisdiction over any dispute or claim arising out of or in connection with this DPA.
14. Contact Information
For any data protection-related inquiries, the Processor may be contacted at:
Email: info@helo.ai
Postal Address:
Vivaplex, C7, Street 22,
MIDC, Opp. Rolta Technology Park,
Andheri (East), Mumbai – 400093, India.