Your data. Your control. This DPA defines our responsibilities as your data processor. We are committed to handling your business data with the highest standards of security, transparency, and compliance.
📋About This Agreement
This Data Processing Agreement ("DPA") governs how Darvaza.PK ("Data Processor") processes personal data on behalf of businesses ("Data Controller") using our Order Management System.
This DPA is incorporated into and forms part of our Terms of Service. By using Darvaza.PK, you agree to the terms of this agreement. This document applies to all personal data we process on your behalf, including order data, customer information, and business analytics.
🎯Scope & Purpose
Subject Matter: Processing of personal data through the Darvaza.PK OMS platform.
Duration: For the term of your subscription and 30 days post-termination.
Nature of Processing:
• Storing and organizing order data
• Syncing data with Shopify and courier APIs
• Analytics and reporting on order performance
• Team access management and audit logging
• Automated notifications and communications
Types of Personal Data:
• Customer names, phone numbers, addresses
• Order details and transaction records
• Delivery tracking information
• Team member login credentials
Categories of Data Subjects: Your customers, team members, and business contacts.
⚖️Roles & Responsibilities
You (Data Controller):
• Determine the purposes and means of processing
• Ensure lawful basis for collecting customer data
• Respond to data subject requests from your customers
• Ensure your team members are informed about data processing
• Maintain appropriate records of processing activities
Darvaza.PK (Data Processor):
• Process data only on your documented instructions
• Ensure confidentiality of personnel with data access
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject requests
• Delete or return data upon termination
• Notify you of security incidents within 72 hours
🔐Technical & Organizational Security
Darvaza.PK implements the following security measures to protect your data:
Encryption:
• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Encrypted database connections (Neon PostgreSQL SSL)
Access Controls:
• Role-based access control (RBAC) system
• JWT authentication with short-lived tokens
• OTP verification for sensitive operations
• Multi-factor authentication for admin accounts
Infrastructure Security:
• Hosted on Vercel (SOC 2 compliant)
• Neon PostgreSQL with enterprise security
• Automatic security patches and updates
Monitoring:
• 24/7 automated security monitoring
• Intrusion detection systems
• Regular security audits
• Automated backup and disaster recovery
🌍Sub-processors
We use the following sub-processors to deliver our services. We ensure each maintains adequate data protection standards:
Vercel Inc. (USA)
Purpose: Platform hosting and edge computing
Data: Application data, logs, performance metrics
Safeguard: Vercel Privacy Policy & DPA
Neon Inc. (USA)
Purpose: PostgreSQL database hosting
Data: All stored business and order data
Safeguard: Neon Privacy Policy & SOC 2 compliance
Courier APIs (Pakistan)
PostEx, Leopards, TCS, BlueEx, Dux, M&P, Trax
Purpose: Shipment booking and tracking
Data: Customer delivery addresses and contact info
Safeguard: Individual courier data agreements
Email Service Provider
Purpose: OTP delivery and notifications
Data: Email addresses only
Safeguard: Provider DPA
We will notify you at least 14 days before adding new sub-processors.
📤International Data Transfers
Some of our sub-processors (Vercel, Neon) are based in the United States. Data transfers to these providers are governed by:
• Standard Contractual Clauses (SCCs) as recognized under international data protection frameworks
• Data Processing Agreements with each provider
• Technical safeguards including encryption
By using Darvaza.PK, you authorize these transfers. All data transfers are necessary to provide the service you have subscribed to.
Data related to your Pakistani customers is processed in accordance with Pakistani data protection principles and applicable laws.
👤Data Subject Rights
We will assist you in fulfilling your obligations to data subjects. When your customers exercise their rights, we will:
Access Requests: Provide you with an export of all data held about a specific customer within 5 business days.
Deletion Requests: Delete specified customer records from our system within 7 business days of your instruction. Note: Some records may need to be retained for legal compliance.
Correction: Update customer data as instructed by you.
Portability: Export customer data in CSV or JSON format.
Data subject requests should be submitted to: dpa@darvaza.pk
🚨Security Incident Notification
In the event of a personal data breach, Darvaza.PK will:
• Notify you within 72 hours of becoming aware of the breach
• Provide details of the nature of the breach
• Describe the categories and approximate number of data subjects affected
• Describe the likely consequences of the breach
• Describe measures taken or proposed to address the breach
Notifications will be sent to your registered email address. For critical incidents, we will also attempt phone contact.
You are responsible for notifying your customers and relevant authorities (if required by applicable law) based on the information we provide.
🗑️Data Deletion & Return
Upon termination of your subscription or upon your written request:
Data Return:
We will provide a complete export of your data in CSV format within 14 days of termination.
Data Deletion:
All your data will be permanently deleted from our systems within 30 days of termination or deletion request.
Confirmation:
We will provide written confirmation once deletion is complete.
Backups:
Backup copies will be deleted within 90 days of the deletion request.
Legal Retention:
Certain records may be retained for longer periods if required by Pakistani law (e.g., tax records for 5 years).
📝Amendments
We may update this Data Processing Agreement to reflect:
• Changes in applicable laws
• New sub-processors or services
• Updated security measures
• Regulatory requirements
We will provide at least 30 days notice before material changes take effect. For significant changes affecting your obligations, we will seek your explicit consent.
Continued use of the platform after the effective date constitutes acceptance of the updated DPA.
📞Contact & DPO
For data processing inquiries:
Data Protection Contact:
Email: dpa@darvaza.pk
Phone: +92 (300) 123-4567
Address: Karachi, Sindh, Pakistan
Response Times:
• General DPA queries: Within 5 business days
• Data subject requests: Within 5 business days
• Security incidents: Within 72 hours
• Data deletion confirmation: Within 30 days
For enterprise customers requiring a signed DPA, please contact our legal team at legal@darvaza.pk.
Need a signed DPA?
Enterprise clients can request a formally signed Data Processing Agreement.