Skip to content
TwoDots

Data Processing Agreement

Last updated: April 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") applies to any processing of personal data by TwoDots Software Services OPC Private Limited ("Data Processor") on behalf of clients and website visitors ("Data Controller"). This agreement is intended to comply with the General Data Protection Regulation (GDPR), UK GDPR, and similar data protection laws.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion).
  • Data Controller: The natural or legal person determining the purposes and means of processing.
  • Data Processor: The natural or legal person processing data on behalf of the controller (TwoDots).
  • Data Subject: The individual to whom personal data relates.

3. Subject Matter and Duration of Processing

TwoDots processes personal data for the following purposes:

  • Delivering consulting and implementation services
  • Website functionality and user communications
  • Newsletter distribution and marketing (with consent)
  • Analytics and service improvement
  • Compliance with legal obligations

Processing duration extends for the period of service engagement plus applicable retention periods as outlined in our Privacy Policy.

4. Nature and Categories of Personal Data

Personal data processed may include:

  • Identification data (name, email, phone, company)
  • Business contact information
  • Technical data (IP address, browser information, cookies)
  • Project and engagement data (as provided during service delivery)
  • Communication records (emails, support tickets)

5. Rights and Obligations of the Data Controller

The Data Controller shall:

  • Ensure it has a lawful basis for collecting and transferring personal data to TwoDots
  • Provide clear privacy notices to data subjects
  • Ensure data is accurate, adequate, and not excessive
  • Obtain necessary consents (particularly for marketing communications)
  • Respond to data subject access requests within applicable timeframes
  • Notify TwoDots of any data breaches or compliance concerns

6. Rights and Obligations of the Data Processor (TwoDots)

TwoDots shall:

  • Process personal data only on documented instructions from the controller
  • Ensure confidentiality of personnel with access to personal data
  • Implement appropriate technical and organizational security measures
  • Not use personal data for purposes other than instructed (except as required by law)
  • Assist the controller in fulfilling data subject rights requests
  • Delete or return personal data upon termination of services (unless required to retain by law)
  • Maintain records of processing activities (processor's records)
  • Notify the controller promptly of any suspected data breach

7. Sub-processors and Third Parties

TwoDots may engage the following sub-processors for services:

  • Resend: Email delivery and communication services
  • Vercel: Website hosting and analytics
  • Other tools: As outlined in our Privacy Policy (e.g., communication platforms, document management)

We ensure all sub-processors are bound by equivalent data protection obligations. Clients will be notified of any new sub-processors, and may object within a reasonable timeframe.

8. Security Measures

TwoDots implements the following security measures:

  • Encryption of data in transit (TLS/SSL) and at rest (where applicable)
  • Secure authentication and access controls
  • Regular security assessments and updates
  • Incident response procedures
  • Employee training and confidentiality agreements
  • Regular backups and business continuity planning

9. International Data Transfers

TwoDots is located in India. Transfers of personal data from the EU, UK, or other jurisdictions with data protection laws are based on:

  • Standard Contractual Clauses (SCCs) where required
  • Adequacy decisions where applicable
  • Consent of data subjects (where necessary)

By engaging with TwoDots, controllers acknowledge and accept the transfer of their data to India in accordance with applicable regulations.

10. Data Subject Rights

TwoDots will, upon written request from the controller, assist in facilitating data subject rights including:

  • Right of access (data portability)
  • Right to rectification (correction of inaccurate data)
  • Right to erasure ("right to be forgotten") — subject to legal retention requirements
  • Right to restrict processing
  • Right to object to processing
  • Rights related to automated decision-making

11. Audit and Inspection

The Data Controller, or an authorized auditor, may request information about our processing activities and security measures. TwoDots will provide reasonable access upon written request and may require an NDA for sensitive information.

12. Data Breach Notification

In the event of a suspected or confirmed data breach, TwoDots will:

  • Notify the controller without undue delay (within 72 hours where practicable)
  • Provide details of the breach, data affected, and likely consequences
  • Cooperate in breach notification to authorities and data subjects as required

13. Deletion and Return of Data

Upon termination of services, TwoDots will:

  • Delete personal data within 30 days unless a longer retention period is required by law
  • Return data to the controller in a structured, commonly used, machine-readable format if requested
  • Certify deletion in writing upon request

14. Regulatory Compliance

TwoDots commits to complying with:

  • GDPR (for EU residents' data)
  • UK GDPR (for UK residents' data)
  • Applicable data protection laws in the data subject's jurisdiction
  • Any additional agreements entered into between the parties

15. Amendments and Changes

This DPA may be updated to reflect changes in our processing activities or legal requirements. We will notify controllers of material changes and allow reasonable time for review or objection.

16. Contact and Queries

For questions regarding data processing or to submit a data processing request:

  • Data Protection Contact: privacy@2dots.io
  • Address: TwoDots Software Services OPC Private Limited, H-6050, Solitaire Business Hub, Viman Nagar, Pune, Maharashtra, India — 411014

17. Governing Law

This DPA is governed by the laws of India, with particular regard to GDPR, UK GDPR, and equivalent data protection regulations to the extent applicable.

← Back to Home

The Retail AI Implementation Weekly

Practical AI implementation for e-commerce operators. No hype.