Data Processing Agreement
Between Margifi (Data Processor) and you, the Client (Data Fiduciary), under the DPDP Act 2023.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller / Data Fiduciary: The Client entity subscribing to the Margifi Service, as identified in the Client's Margifi account registration ("Controller"); and
Data Processor: Margifi Limited, Ground Floor, WeWork Forum, DLF Cyber City, DLF Phase 3, Sector 24, Gurugram, Haryana 122002, India ("Processor" or "Margifi").
This DPA forms part of, and is incorporated into, the Terms of Service between the Controller and Margifi ("Main Agreement"). In the event of any conflict between this DPA and the Main Agreement on matters of data processing and protection, this DPA shall prevail.
2. Definitions
The following terms have the meanings given below throughout this DPA. All other capitalised terms not defined here have the meanings given in the Main Agreement.
| Term | Definition |
|---|---|
| Applicable Data Protection Law | The Digital Personal Data Protection Act, 2023, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and any other Indian law or regulation relating to the processing of personal data that applies to the activities of the parties under this DPA. |
| Data Breach | Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA. |
| Data Fiduciary | As defined under the DPDP Act, 2023 — an entity that determines the purpose and means of processing Personal Data. In this DPA, the Controller is the Data Fiduciary in respect of Personal Data of the Data Principals. |
| Data Principal | As defined under the DPDP Act, 2023 — the natural person to whom the Personal Data relates. In this DPA, Data Principals include the end-customers of the Controller whose data may flow through the Margifi Platform. |
| Data Processor | An entity that processes Personal Data on behalf of and under the instructions of a Data Fiduciary. Margifi acts as a Data Processor in relation to the Controller's Personal Data processed through the Platform. |
| Personal Data | As defined under the DPDP Act, 2023 — any data about an individual who is identifiable by or in relation to such data. |
| Processing | Any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion. |
| Sub-Processor | Any third party engaged by Margifi to process Personal Data in connection with the provision of the Service. |
3. Subject Matter, Nature of Processing & Duration
3.1 Subject matter
This DPA governs Margifi's processing of Personal Data on behalf of the Controller in connection with the provision of the Margifi analytics Service as described in the Main Agreement.
3.2 Nature of processing
Margifi will process Personal Data by performing the following operations:
- Collection via API ingestion from Connected Platforms (Meta Ads, Shopify, delivery partners, Razorpay/Cashfree)
- Storage in the Margifi database (Supabase/PostgreSQL)
- Retrieval for analytics computation
- Aggregation and analysis to produce profit and performance reports
- Display to authorised Users of the Controller through the Dashboard
- Deletion upon termination in accordance with the Main Agreement
3.3 Duration
Margifi will process Personal Data for the duration of the Subscription Term under the Main Agreement, and for the thirty (30) day Data Retention Window following termination, unless earlier deletion is requested by the Controller.
4. Categories of Personal Data Processed
The following categories of Personal Data belonging to the Controller's end-customers may be processed by Margifi in the course of providing the Service:
4.1 Order Identifiers
Order IDs and transaction reference numbers used to match fulfilled orders to advertising conversions. These may, in some cases, be linked to customer identifiers assigned by the Controller's Shopify store.
4.2 Attribution Data
Data points such as device identifiers, click IDs, or session tokens received from Meta Ads or Google Ads, used to attribute orders to specific advertising campaigns. These are processed ephemerally for attribution matching and are not stored in identifiable form.
4.3 Delivery Status Data
Shipment identifiers and delivery outcome data (delivered, RTO, NDR) received from Delhivery or Shiprocket. This data may indirectly contain customer location information at a city or pin code level.
4.4 Payment Settlement Data
Transaction amounts and payment status data received from Razorpay or Cashfree, used for revenue reconciliation. Raw payment instrument details (card numbers, UPI IDs) are not received by Margifi — only settlement-level aggregates.
4.5 Account Holder Data
Names, email addresses, and company information of the Controller's authorised Users who access the Margifi Dashboard on behalf of the Controller.
Where the Controller subscribes to a tier that includes COD Intelligence, Margifi also processes a derived network signal: a one-way hashed and encrypted representation of the end-customer's phone number ("COD Intelligence contact_network record"). This record is used solely to compute a COD delivery reliability signal across the Margifi network of brands.
Raw phone numbers are never stored by Margifi in identifiable form. The contact_network record includes: a hashed phone identifier, a delivery rate signal, a risk flag, and a brands_ordered count. No personally identifiable information is reconstructable from this hash.
For the full privacy-first architecture of COD Intelligence, see COD Intelligence.
5. Purposes of Processing
Margifi shall process Personal Data only for the following purposes:
- Providing the analytics and reporting Service described in the Main Agreement
- Performing attribution matching between advertising spend data and order outcomes
- Computing campaign-level and account-level profitability metrics for display in the Dashboard
- Enabling daily profit reports and operational intelligence notifications
- Identifying anomalies, trends, or alerts that are part of the Service deliverables
- Maintaining the security, integrity, and availability of the Platform
Margifi shall not process Personal Data for any purpose other than those listed above without the prior documented instruction of the Controller, except where required by applicable Indian law — in which case Margifi will inform the Controller of such legal requirement before processing, unless legally prohibited from doing so.
6. Processor Obligations
Margifi is bound by the following obligations in relation to the Personal Data it processes on the Controller's behalf:
Margifi will process Personal Data only on documented instructions from the Controller (including as set out in the Main Agreement and this DPA) and will not process Personal Data in a manner inconsistent with such instructions.
Margifi will ensure that all personnel authorised to process Personal Data under this DPA are bound by appropriate confidentiality obligations and receive adequate data protection training.
Margifi implements and maintains the following measures to protect Personal Data:
- Encryption in transit (TLS 1.2+) and at rest (database-level encryption via Supabase)
- Role-based access controls restricting access to authorised personnel only
- Multi-factor authentication for internal system access
- Regular review of security configurations and patching of vulnerabilities
- Audit logging of access to sensitive data systems
Margifi will provide reasonable assistance to the Controller in:
- Responding to requests by Data Principals exercising their rights under Applicable Data Protection Law
- Fulfilling obligations relating to data security, Data Breach notification, and compliance assessments
- Conducting data protection impact assessments where required
Upon termination of the Main Agreement, or upon the Controller's request, Margifi will delete or return all Personal Data in its possession within thirty (30) days, and will confirm in writing that deletion has been completed.
Margifi may retain anonymised or aggregated data that is no longer attributable to any individual or to the Controller.
In the event of a Data Breach, Margifi will notify the Controller within 72 hours of becoming aware and will provide:
- The nature of the Data Breach
- Approximate categories and number of Data Principals affected
- Approximate categories and volume of Personal Data records affected
- Likely consequences and measures taken to address the breach
Margifi will cooperate with the Controller in any investigation and in notifications to the Data Protection Board of India as required under the DPDP Act.
7. Sub-Processors
7.1 Authorisation
The Controller grants Margifi general authorisation to engage Sub-Processors, subject to the conditions in this clause.
7.2 Current sub-processors
As at the Effective Date of this DPA, Margifi uses the following Sub-Processors in connection with the Service:
| Sub-Processor | Country | Purpose | Personal Data Processed |
|---|---|---|---|
| Supabase, Inc. | 🇺🇸 USA | Primary database and data storage | All Personal Data stored on the Platform |
| Clerk, Inc. | 🇺🇸 USA | Authentication and user session management | Account holder name, email, session tokens |
| DigitalOcean, LLC | 🇺🇸 USA | Cloud hosting infrastructure | All data hosted on Platform servers |
| Cloudflare, Inc. | 🇺🇸 USA | CDN, DDoS protection, TLS termination | IP addresses, request metadata |
| Functional Software, Inc. (Sentry) | 🇺🇸 USA | Error monitoring and crash reporting | Error logs, IP addresses, session metadata |
7.3 Changes to sub-processors
Margifi will notify the Controller in writing at least fourteen (14) days before engaging any new Sub-Processor or replacing an existing Sub-Processor. The Controller has the right to object within ten (10) days of such notification. If the Controller objects and Margifi cannot reasonably accommodate the objection, the Controller may terminate the Main Agreement without penalty by providing thirty (30) days' notice.
7.4 Sub-processor obligations
Margifi will enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA.
7.5 Responsibility
Margifi remains responsible to the Controller for the performance of all Sub-Processors' obligations under this DPA.
8. Controller Obligations
As Data Fiduciary, the Controller represents and warrants that:
- The Controller has a lawful basis under Applicable Data Protection Law for providing Personal Data to Margifi and for instructing Margifi to process such data as described in this DPA.
- The Controller has obtained all necessary consents from Data Principals, or can otherwise rely on a legitimate legal basis, for the processing activities described in this DPA.
- The Personal Data provided to Margifi is accurate, up to date, and not excessive in relation to the purposes of processing.
- The Controller will not instruct Margifi to process Personal Data in a manner that would violate Applicable Data Protection Law.
- The Controller will promptly notify Margifi of any changes to the legal basis for processing that may affect Margifi's ability to process Personal Data in accordance with this DPA.
- The Controller is responsible for compliance with Applicable Data Protection Law in respect of its own collection and use of Personal Data, including obligations as Data Fiduciary under the DPDP Act.
9. International Data Transfers
The Controller acknowledges that certain Sub-Processors used by Margifi — including Supabase, Clerk, DigitalOcean, Cloudflare, and Sentry — operate infrastructure outside India. This means Personal Data processed under this DPA may be transferred to and processed in countries other than India.
Margifi will ensure that any international transfer of Personal Data is made subject to appropriate contractual, technical, or other safeguards, consistent with the requirements of Applicable Data Protection Law once the cross-border data transfer provisions of the DPDP Act are notified by the Government of India.
Margifi transfers personal data only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act, 2023, under contractual data-protection safeguards.
10. Audit Rights
The Controller may, upon providing Margifi with at least thirty (30) days' prior written notice and at the Controller's own cost, conduct an audit of Margifi's data processing activities and security measures under this DPA. Such audit shall be conducted no more than once per calendar year, during normal business hours, and in a manner that minimises disruption to Margifi's operations.
In lieu of a direct audit, Margifi may satisfy the Controller's audit request by providing a current third-party security certification or independent audit report covering the relevant systems, where such report adequately addresses the Controller's concerns.
Any information obtained by the Controller in the course of an audit shall be treated as Confidential Information of Margifi.
11. Allocation of Responsibility for Data Breaches
To the extent that a Data Breach is caused by Margifi's failure to comply with its obligations under this DPA or Applicable Data Protection Law, Margifi shall bear liability for penalties, fines, and damages attributable to that failure, subject to the limitations of liability in the Main Agreement.
To the extent that a Data Breach is caused by the Controller's instructions, actions, or failure to maintain secure API credentials, the Controller shall bear responsibility for resulting penalties, fines, and damages.
12. Term, Termination & Governing Law
Term
This DPA is effective from the Effective Date specified above and continues until the termination or expiry of the Main Agreement.
Upon termination of the Main Agreement for any reason, this DPA terminates simultaneously, subject to Margifi's obligation to delete or return Personal Data as set out in Clause 6 (Deletion & Return).
Clauses 1, 5.5, 5.7, 8, 10, and 12 shall survive termination of this DPA.
Governing law
This DPA shall be governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and any rules and regulations made thereunder.
Any disputes arising under this DPA that are not resolved in accordance with the dispute resolution mechanism in the Main Agreement shall be subject to the exclusive jurisdiction of the courts at Gurugram, Haryana, India.
Questions about this DPA?
Contact us at admin@margifi.com
For general privacy questions, see our Privacy Policy. For information on how COD Intelligence handles cross-brand COD data, see COD Intelligence.