Skip to content
Robnu
Legal

Data Processing Addendum

Data processing terms for enterprise sellers — roles, security measures, breach notification, return and deletion of data.

Contact legal

Last updated: 1 May 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service between the seller (“Customer”) and Onviqa Inc. operating Robnu (“Processor”) and applies where Robnu processes personal data on Customer's behalf in providing the Service. Enterprise sellers who require a counter-signed DPA may request one at [email protected].

Roles

Customer is the Data Fiduciary (Data Controller) in respect of personal data submitted to or processed through the Service. Robnu is the Data Processor. Robnu processes personal data only on documented instructions from Customer, which include the Terms of Service and the standard configuration of the Service.

Scope and purpose of processing

Subject matter: provision of the Robnu Service. Duration: the term of the underlying agreement plus any retention required by law. Nature and purpose: managing orders, shipments, returns, payouts, and inventory across marketplaces. Categories of data subjects: Customer's authorised users; end-buyers (only to the extent the marketplace exposes such data to the seller for fulfilment). Categories of personal data: contact details, transaction records, addresses, marketplace identifiers, marketplace session tokens.

Subprocessors

Customer authorises Robnu to engage the subprocessors listed in the Privacy Policy. Robnu will give 14 days' notice of the addition or replacement of a subprocessor by updating the list and, on request, by email. Customer may object on reasonable grounds.

Security measures

Robnu maintains the technical and organisational measures described in the Privacy Policy, including encryption at rest using per-seller AWS KMS Data Encryption Keys, TLS 1.2+ in transit, role-based access control, audit logging of all token-using actions, and encrypted daily backups retained for 30 days.

Breach notification

Robnu will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer's data. The notification will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.

Assistance with Data Principal requests

Robnu will provide reasonable assistance to Customer in responding to requests from Data Principals for access, correction, erasure, and other rights under DPDP 2023, taking into account the nature of processing and the information available to Robnu.

Return or deletion of data

On termination of the underlying agreement, Robnu will, at Customer's choice, return or delete Customer personal data within 30 days, except where retention is required by applicable law (in which case Robnu will protect the confidentiality of the retained data and will not actively process it for any other purpose).

Audit

Robnu will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and policies on request, subject to reasonable confidentiality protections.

build 547000c1ac5d3ea9cb039864711ed788f9948b69 · 2026-06-12T02:03:58+05:30