
Data Processing Agreement

Last updated: 19 June 2026

For the BillBasket POS App — controller and processor terms for Customer Personal Data

1. Introduction and Incorporation

This Data Processing Agreement ("DPA") forms part of the agreement between BillBasket Solutions LLP ("BillBasket", "Company", "we", "our", or "us") and the customer that has accepted the BillBasket Terms of Service, an Enterprise Service Agreement, or another written agreement governing use of the BillBasket POS App and related services (the "Customer", and together with BillBasket, the "Parties").

This DPA applies where BillBasket processes Personal Data on behalf of the Customer in connection with the POS App — in particular where the Customer uses cloud sync, online backup, hosted reporting, or other features that involve BillBasket processing Personal Data controlled by the Customer.

This DPA supplements and is incorporated into the Terms of Service and any Enterprise Service Agreement. In the event of conflict regarding the processing of Personal Data, this DPA prevails to the extent of the conflict, except where an Enterprise Service Agreement expressly states otherwise.

2. Definitions

  • "Applicable Data Protection Laws" means all laws relating to the processing and protection of Personal Data applicable to the Parties, including, in India, the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000 and rules thereunder; in Nepal, the Individual Privacy Act, 2018 (2075) and the Electronic Transactions Act, 2008 (2063); in Bangladesh, the Information and Communication Technology Act, 2006, the Cyber Security Act, 2023, and any data protection legislation in force from time to time; together with applicable payment-data and financial-sector requirements.
  • "Controller / Data Fiduciary" means the entity that determines the purposes and means of processing Personal Data. The Customer is the Controller / Data Fiduciary for Customer Personal Data.
  • "Processor / Data Processor" means the entity that processes Personal Data on behalf of the Controller. BillBasket acts as Processor / Data Processor for Customer Personal Data processed through the POS App.
  • "Data Principal / Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Customer Personal Data" means Personal Data within Customer Data that BillBasket processes on behalf of the Customer.
  • "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data processed by BillBasket.
  • "Sub-processor" means any third party engaged by BillBasket to process Customer Personal Data on its behalf.

3. Roles of the Parties

The Parties agree that, for Customer Personal Data:

  • The Customer is the Controller / Data Fiduciary and BillBasket is the Processor / Data Processor, acting on the Customer's documented instructions;
  • Where BillBasket processes Personal Data for its own purposes — account administration, billing, licensing, fraud prevention, security, and its own legal obligations — BillBasket acts as an independent Controller / Data Fiduciary for that limited processing, as described in the Privacy Policy;
  • Each Party is responsible for complying with the obligations applicable to it.

The Customer is responsible for establishing a valid legal basis (including, where required, obtaining consent or providing notices) for processing Customer Personal Data through the POS App, and for the accuracy and lawfulness of that data and its instructions.

4. Scope and Details of Processing

BillBasket processes Customer Personal Data only to provide the POS App. The subject-matter includes provision of the BillBasket POS App selected by the Customer, including billing, invoicing, GST e-invoicing, payment acceptance, reconciliation, inventory, and reporting. Categories of Data Principals may include: the Customer's employees and authorised users; the Customer's customers and payers; the Customer's vendors and suppliers; and other individuals whose data the Customer enters into the POS App.

5. Customer Obligations

The Customer shall:

  • Ensure it has a lawful basis to process Customer Personal Data and to authorise BillBasket to process it;
  • Provide all notices and obtain all consents required under Applicable Data Protection Laws from relevant Data Principals (for example, its customers and staff whose details are entered into the POS App);
  • Issue instructions that comply with Applicable Data Protection Laws;
  • Be responsible for the accuracy, integrity, and legality of Customer Personal Data;
  • Not transfer to BillBasket any special, sensitive, or restricted categories of data except as contemplated by the POS App and permitted by law.

6. BillBasket Processing Obligations

BillBasket shall:

  • Process Customer Personal Data only on the Customer's documented instructions, including the Terms of Service, this DPA, and any Order Form, unless required otherwise by law;
  • Not sell, rent, or commercially exploit Customer Personal Data, and not use it for advertising or unrelated profiling;
  • Ensure personnel authorised to process Customer Personal Data are bound by confidentiality obligations;
  • Implement appropriate technical and organisational measures;
  • Assist the Customer, taking into account the nature of processing and information available, with security, breach notification, impact assessments, and regulator consultation, to the extent applicable;
  • Make available information reasonably necessary to demonstrate compliance with this DPA.

If BillBasket considers an instruction infringes Applicable Data Protection Laws, it shall inform the Customer without undue delay, to the extent permitted by law.

7. Security Measures

BillBasket implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk. These may include, as appropriate: encryption of data in transit and, where applicable, at rest; access controls, role-based permissions, and authentication (including multi-factor authentication where available); network security controls; logging and monitoring of security-relevant events; secure software development practices and vulnerability management; backup and recovery procedures for hosted/cloud features; personnel confidentiality obligations and need-to-know access; and physical and infrastructure security through reputable infrastructure providers.

The Customer is responsible for security within its own environment, including devices, credentials, networks, and locally stored POS data.

8. Sub-Processing

The Customer provides general authorisation for BillBasket to engage Sub-processors to support the POS App, including cloud infrastructure, payment processing, communication, and security providers.

Where BillBasket engages a Sub-processor, it shall:

  • Impose data protection obligations substantially similar to those in this DPA;
  • Remain responsible to the Customer for the Sub-processor's performance regarding Customer Personal Data;
  • Make available, on reasonable request, information about Sub-processors that process Customer Personal Data.

BillBasket shall inform the Customer of intended additions or replacements of such Sub-processors, allowing a reasonable opportunity to object on reasonable data protection grounds.

9. Assistance With Data Principal Rights

Taking into account the nature of processing, BillBasket shall provide reasonable assistance to enable the Customer to respond to Data Principal requests (such as access, correction, erasure, or grievance redressal). Where BillBasket receives a request directly relating to Customer Personal Data, it shall, unless legally required to act, refer it to the Customer.

10. Personal Data Breach Notification

BillBasket shall notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data processed by BillBasket, describing (to the extent available) the nature of the breach, likely consequences, and measures taken or proposed.

BillBasket shall take reasonable steps to mitigate the breach and cooperate with the Customer on any notifications required to regulators or affected Data Principals. The Customer, as Controller / Data Fiduciary, remains responsible for deciding whether and how to notify regulators and individuals. The Parties acknowledge that certain jurisdictions impose specific incident-reporting timelines (including directions issued by CERT-In) and shall cooperate to meet them.

11. Data Localisation and Cross-Border Transfers

BillBasket shall process and store Customer Personal Data in accordance with applicable localisation and cross-border transfer requirements:

  • India — Where the POS App handles payment data, such data is handled consistent with Reserve Bank of India directions on the storage of payment system data, which require payment system data relating to transactions to be stored in India. Cross-border transfers of Personal Data occur only as permitted under the Digital Personal Data Protection Act, 2023 and applicable regulations.
  • Nepal — Where required by Nepal Rastra Bank regulations and applicable law, payment-related and customer data relating to Nepali customers is stored and processed within Nepal or otherwise handled in accordance with applicable directives.
  • Bangladesh — Where required by Bangladesh Bank regulations and applicable law, payment and customer data relating to Bangladeshi customers is handled in accordance with applicable directives, including any localisation or prior-approval requirements.

12. Audits and Compliance

BillBasket shall make available information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice and subject to confidentiality, the Customer (or an independent auditor it mandates, reasonably acceptable to BillBasket) may audit BillBasket's processing of Customer Personal Data, no more than once per year unless required by a regulator or following a material Personal Data Breach. Audits occur during business hours with minimal disruption. BillBasket may satisfy audit requests with relevant certifications or third-party assessment reports.

13. Return and Deletion of Data

On termination or expiry of the Services, BillBasket shall, at the Customer's choice and subject to the functionality of the POS App, return or delete Customer Personal Data processed on the Customer's behalf within a reasonable period, except where retention is required by law or for legal claims. The Customer remains responsible for exporting and retaining its own copies of Customer Data before termination.

14. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service or applicable Enterprise Service Agreement. Nothing limits liability that cannot be limited or excluded under Applicable Data Protection Laws.

15. Term and Termination

This DPA takes effect when the Customer first uses the POS App in a manner that involves BillBasket processing Customer Personal Data and continues until BillBasket ceases all such processing. Provisions intended to survive termination shall survive.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of India, and the courts located in Pune, Maharashtra, India shall have jurisdiction, subject to mandatory provisions of Applicable Data Protection Laws and jurisdiction-specific provisions, which prevail for Customers in the relevant jurisdiction to the extent of any conflict.

17. Order of Precedence

In the event of conflict regarding the processing of Personal Data: (1) mandatory requirements of Applicable Data Protection Laws; (2) this DPA; (3) the Enterprise Service Agreement (if any); (4) the Terms of Service; (5) the Privacy Policy and other policies.


Annex A — Details of Processing

Subject-matter: Provision of the BillBasket POS App selected by the Customer, including billing, invoicing, GST e-invoicing, payment acceptance, reconciliation, inventory, and reporting.

Duration: For the term of the Services, plus any period required for return, deletion, or legally required retention.

Nature and purpose: Hosting, storage, transmission, synchronisation, processing, and support of Customer Personal Data to deliver the POS features requested by the Customer.

Types of Personal Data may include: names, contact details (email, phone, address), billing and payment-related details, transaction records, account and customer identifiers, and other data the Customer chooses to process. BillBasket does not intentionally store full card numbers, CVV, PINs, or banking passwords, as described in the Privacy Policy and Payment & Billing Policy.

Annex B — Technical and Organisational Security Measures

BillBasket maintains a security programme that may include, as appropriate to the POS App: encryption of data in transit and at rest; access controls, role-based permissions, and authentication; network security controls, including firewalls and monitoring; logging and monitoring of security-relevant events; secure software development practices and vulnerability management; backup and recovery procedures; personnel confidentiality obligations and need-to-know access; and physical and infrastructure security through reputable infrastructure providers. These measures may be updated over time provided the overall level of security is not materially reduced.

Annex C — Categories of Sub-Processors

BillBasket may engage Sub-processors in categories including: cloud and infrastructure hosting; payment gateways and payment service providers; communication providers (email, SMS, WhatsApp, notifications); customer support and remote-assistance platforms; analytics providers; and security and backup providers. A current list of specific Sub-processors that process Customer Personal Data may be provided to enterprise Customers on request.


Contact Information

BillBasket Solutions LLP — Legal & Compliance