Data Processing Addendum

Please note, by signing up to our services, you are automatically agreeing to our Data Processing Addendum.

Please note this agreement is valid for all users signed up after 27th May, 2026.


Last updated: 27 May 2026
Effective: 27 May 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Cobay Technology Private Limited ("Cobay," "Processor") and the customer identified in the underlying agreement ("Customer," "Controller") for the use of Cobay's e-commerce operations platform and related services. It is incorporated into and governed by the Cobay Terms of Service or other written agreement between the parties (the "Principal Agreement").

01 Definitions

Applicable Data Protection Laws
All laws applicable to the processing of personal data, including India's DPDP Act 2023, the IT Act 2000 and rules thereunder, and where applicable, the EU GDPR and equivalent laws in other jurisdictions.
Customer Personal Data
Personal data processed by Cobay on behalf of Customer under the Principal Agreement.
Data Principal / Data Subject
The identified or identifiable individual to whom Customer Personal Data relates.
Sub-processor
Any third party engaged by Cobay to process Customer Personal Data.
Personal Data Breach
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

02 Roles of the Parties

Customer is the Data Fiduciary / Controller of Customer Personal Data and determines the purposes and means of its processing. Cobay is the Data Processor acting on behalf of and under the documented instructions of the Customer.

For data Cobay processes for its own purposes as a Data Fiduciary (e.g., account holder information for billing and account management), Cobay's Privacy Policy applies.


03 Scope and Subject Matter

Subject matter
Processing of Customer Personal Data as necessary to provide the Services.
Duration
For the term of the Principal Agreement and any period thereafter required for return or deletion of data.
Nature and purpose
Order, inventory, warehouse, shipping, returns, NDR, and post-purchase operations on behalf of the Customer.
Types of data
Names, email addresses, phone numbers, shipping and billing addresses, order and transaction details, product details, payment status, communication preferences, and other data Customer chooses to upload.
Data Principals
Customer's end-customers, vendors, employees, and other individuals whose data Customer submits to the Services.

04 Customer Obligations

Customer represents and warrants that it:

  • Has all necessary rights, lawful bases, consents, and notices required to provide Customer Personal Data to Cobay
  • Will issue lawful instructions to Cobay
  • Will comply with Applicable Data Protection Laws in its use of the Services
  • Is responsible for the accuracy and quality of Customer Personal Data

05 Cobay's Obligations

Cobay will:

  • Process Customer Personal Data only on documented instructions from Customer (including this DPA and the Principal Agreement)
  • Not sell Customer Personal Data
  • Ensure persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 7)
  • Notify Customer without undue delay of any legally binding request for disclosure of Customer Personal Data, unless prohibited by law

06 Sub-Processors

6.1 Authorization

Customer provides general authorization for Cobay to engage Sub-processors to provide the Services, including cloud hosting, communication providers, analytics, and other operational tools. A list of current Sub-processors is available on request.

6.2 Obligations

Cobay will impose data protection terms on each Sub-processor that are no less protective than this DPA. Cobay remains liable for the acts and omissions of its Sub-processors.

6.3 Changes

Cobay will notify Customer of intended additions or replacements of Sub-processors with reasonable advance notice. Customer may object on reasonable grounds related to data protection. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Services.


07 Security

Cobay will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

  • Encryption of data in transit
  • Encryption of sensitive data at rest where appropriate
  • Access controls based on the principle of least privilege
  • Logging and monitoring of access
  • Secure development practices
  • Regular review of security controls
  • Personnel training
  • Business continuity and disaster recovery measures

Cobay may update these measures from time to time, provided that the level of protection is not materially reduced.


08 Personal Data Breach

Cobay will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide reasonable information to help Customer meet its notification obligations under Applicable Data Protection Laws. Cobay will take reasonable steps to mitigate and remediate the breach.


09 Data Principal Rights and Cooperation

Cobay will, taking into account the nature of the processing, provide reasonable assistance to Customer in:

  • Responding to requests from Data Principals to exercise their rights (access, correction, erasure, withdrawal of consent, nomination, etc.)
  • Complying with data protection impact assessments and prior consultations with authorities
  • Demonstrating compliance with Applicable Data Protection Laws

If Cobay receives a request from a Data Principal regarding Customer Personal Data, Cobay will, where legally permitted, forward the request to Customer rather than respond directly.


10 International Data Transfers

Cobay is based in India and may engage Sub-processors located in other jurisdictions. Where Customer Personal Data is transferred internationally, Cobay will implement appropriate safeguards as required by Applicable Data Protection Laws, including standard contractual clauses or other approved mechanisms.


11 Audit Rights

Cobay will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Audits will be conducted no more than once per year (except in case of a Personal Data Breach or regulatory requirement), during normal business hours, with at least 30 days' notice, and subject to confidentiality. Scope, timing, and cost will be agreed in advance.


12 Return or Deletion of Data

Upon termination or expiration of the Principal Agreement, Cobay will, at Customer's choice, return or delete Customer Personal Data, except to the extent retention is required by law. Customer Data will be available for export for 30 days after termination, after which Cobay may delete it from active systems. Backups will be deleted in accordance with Cobay's standard retention schedules.


13 Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.


14 Order of Precedence

In case of conflict, the order of precedence is:

  • Applicable Data Protection Laws
  • This DPA
  • The Principal Agreement

15 Governing Law

This DPA is governed by the laws of India, consistent with the Principal Agreement.