Skip to content
Janiva

Data Processing Agreement

Template — last updated: 9 June 2026 · Version 1.0

Contact addresses below are placeholders pending confirmation — owner to verify/create these inboxes.

This Data Processing Agreement ("DPA") supplements the Terms of Service between Janiva Digital Solutions (trading as Janiva, the "Processor") and the customer using the Service (the "Controller"), and governs the processing of Personal Data carried out by the Processor on behalf of the Controller through the Janiva platform (the "Service"). Capitalised terms not defined here have the meaning given in the India DPDP Act 2023 and, where applicable, the EU/UK GDPR.

1. Scope and roles

1.1 In respect of Personal Data processed through the Service, the Controller is the data controller and the Processor is the data processor.

1.2 The Processor processes Personal Data only on the documented instructions of the Controller, unless required to do otherwise by applicable law. Where such a law requires processing, the Processor will inform the Controller before processing unless the law prohibits doing so.

1.3 The Controller's instructions are the use of the Service in accordance with the Terms of Service and this DPA, together with any reasonable written instructions sent to [email protected].

2. Processor's obligations

The Processor will:

  • process Personal Data only on the Controller's documented instructions;
  • ensure that persons authorised to process the Personal Data are bound by appropriate confidentiality undertakings;
  • implement the technical and organisational measures set out in Section 5;
  • assist the Controller, taking into account the nature of the processing, in fulfilling its own data-protection obligations including security, breach notification, and data-subject requests;
  • make available to the Controller information reasonably necessary to demonstrate compliance with this DPA;
  • inform the Controller if, in its opinion, an instruction infringes applicable data-protection law.

3. Sub-processors

3.1 The Controller grants the Processor a general authorisation to engage sub-processors to provide the Service, subject to the conditions in this Section.

3.2 The current sub-processors are listed in Schedule B. The Processor will give the Controller reasonable advance notice of any intended change. If the Controller reasonably objects on data-protection grounds, the Processor will work with the Controller in good faith to find an alternative; if none can be agreed, the Controller may terminate the affected portion of the Service.

3.3 The Processor imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible to the Controller for the sub-processor's performance.

4. International transfers

Personal Data is hosted in the Processor's infrastructure. Where Personal Data is transferred outside its primary hosting region in the course of providing the Service — for example to an AI/LLM provider that processes a request in another country — the Processor relies on an appropriate transfer mechanism available under applicable law (for example, the cross-border transfer rules under the India DPDP Act, and EU Standard Contractual Clauses or the UK Addendum for transfers originating in the EEA or UK).

(Primary hosting region and per-provider transfer destinations to be confirmed.)

5. Security measures

The Processor implements appropriate technical and organisational measures including:

  • Encryption in transit (TLS) and encryption at rest for sensitive credentials and access tokens.
  • Salted password hashing; credentials are never logged.
  • Account-level isolation so each Controller's data is kept separate.
  • Access controls and an audit trail of administrative and sensitive actions.
  • Regular backups of production data.
  • A documented incident-response procedure.

6. Personal data breach notification

The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

7. Assistance with data-subject requests

The Service provides self-service tools that help the Controller respond to requests from data subjects, including access to, correction of, and deletion of the records held about a contact. For more complex requests, the Controller can email the Processor at [email protected] and the Processor will provide reasonable assistance within a reasonable time.

8. Audits and inspections

The Processor will, on reasonable written request no more than once per 12 months, make available the most recent independent audit reports it holds, if any, and otherwise respond in good faith to a security questionnaire of reasonable scope. The Processor makes no representation that any particular third-party certification exists. On-site audits are by mutual agreement and at the Controller's cost.

9. Term and deletion on termination

This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller. On termination of the Service the Processor will, at the Controller's choice, return or delete the Personal Data within a reasonable period, unless retention is required by law (for example, tax and accounting records).

(Post-termination return/deletion window to be confirmed.)

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits a party's liability for matters that cannot be limited under applicable data-protection law.

Schedule A — Details of processing

  • Subject matter: provision of the Janiva AI back-office platform (accounting, GST invoicing, virtual numbers, shared inbox, social publishing, and task delegation) to the Controller.
  • Duration: for the term of the Controller's subscription, plus any post-termination return/deletion period.
  • Nature and purpose: store and process business records; send and receive WhatsApp messages; generate invoices, replies, posts, and summaries with AI assistance; surface reports and exports to the Controller's team.
  • Categories of data subject: the Controller's customers, vendors, and contacts; the Controller's own team members (as users of the Service).
  • Categories of Personal Data: names, phone numbers, email addresses, message and media content, invoice and ledger details, social content, and task assignments; for team members, also account credentials (hashed) and audit metadata.
  • Special categories: none intentionally processed. The Controller must not use the Service to solicit or store sensitive personal data.

Schedule B — Approved sub-processors

As of the date above, the Processor engages the following sub-processors:

  • Google (Gemini) — AI/LLM processing for assistant features.
  • OpenRouter — AI/LLM routing and its underlying model providers per configuration.
  • Anthropic — AI/LLM processing for assistant features.
  • Meta Platforms — WhatsApp Business messaging, and Instagram/Facebook for social publishing where connected.
  • The Processor's hosting and database infrastructure, managed as an extension of its own operations.

(Final sub-processor list, including hosting provider and region, to be confirmed.)

See also our Privacy Policy and AI System Card.