Skip to main content
ER ExaRoutes
Sign in Get started

Data Processing Addendum

Last updated: 6 May 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and Aviral Gohil, sole proprietor based in Jabalpur, Madhya Pradesh, India, trading as ExaRoutes ("Processor", "we", "us"). It applies whenever you, as Customer, use ExaRoutes to process personal data of which you are the controller.

The clearest example is QR scan data: when an end user scans a QR code that you own, ExaRoutes processes their IP address, user agent, and approximate location on your behalf. Lead-capture form submissions, when those forms are published by you, are another example. For those processing activities, this DPA governs how we, as your processor, must behave.

This DPA is automatically incorporated into your Terms of Service at the moment you start using a feature that involves processing personal data on your behalf. You do not need to sign it separately. If you require a counter-signed copy for your records (for example, your customer asks for one in due diligence), email privacy@exaroutes.com with your legal entity name and registered address and we will return a signed PDF.

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or in the applicable Data Protection Law. In this DPA:

  • "Customer Personal Data" means personal data that ExaRoutes processes on behalf of Customer in the course of providing the service.
  • "Data Protection Law" means whichever of the EU GDPR, UK GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act and Privacy Rights Act, India's Digital Personal Data Protection Act 2023, and other applicable privacy laws apply to a particular processing activity.
  • "Sub-processor" means any third party engaged by ExaRoutes to process Customer Personal Data on its behalf.
  • "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission (Decision 2021/914), Module 2 (controller to processor).
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs, version B1.0, issued by the UK Information Commissioner.

2. Roles and scope

For Customer Personal Data, Customer is the controller and ExaRoutes is the processor. ExaRoutes processes Customer Personal Data only in accordance with documented instructions from Customer. Customer's use of the service in the manner the service is designed to be used constitutes documented instructions, and Customer can give additional instructions in writing to privacy@exaroutes.com.

Customer represents that it has all rights and consents necessary to lawfully submit Customer Personal Data to the service and to authorise the processing described in this DPA, the Terms, and the Privacy Policy.

For personal data of which ExaRoutes is itself the controller (your account information, billing records, support correspondence, marketing-site analytics), the Privacy Policy applies and this DPA does not.

3. Description of processing

The subject matter, duration, nature, and purpose of the processing, the categories of personal data, and the categories of data subjects are set out in Annex I.

4. ExaRoutes obligations

ExaRoutes will:

  • Process Customer Personal Data only on documented instructions from Customer, including transfers, except where required to do otherwise by applicable law (and in that case will inform Customer of the legal requirement before processing, unless the law prohibits such notice).
  • Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational measures set out in Annex II to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  • Taking into account the nature of the processing, assist Customer with appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to data subject rights requests.
  • Assist Customer in ensuring compliance with its obligations under articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to ExaRoutes.
  • At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies, unless Indian law or another applicable law requires storage of the personal data.
  • Make available to Customer all information necessary to demonstrate compliance with this DPA and with article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (subject to clause 9).

5. Sub-processors

Customer grants ExaRoutes general authorisation to engage sub-processors to process Customer Personal Data, on the condition that ExaRoutes:

  • Maintains an up-to-date list of sub-processors in Annex III (which is the canonical published list and is updated when changes occur).
  • Imposes data protection terms on each sub-processor that are no less protective than this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
  • Remains liable to Customer for the acts and omissions of any sub-processor that fail to fulfil its data protection obligations.
  • Notifies Customer of intended additions to or replacements of sub-processors with at least 30 days' prior notice (by updating Annex III and, where Customer has subscribed to the sub-processor change notifications mailing list, by email) and gives Customer the opportunity to object on reasonable data-protection grounds. If Customer reasonably objects, the parties will work in good faith on a solution; if no solution can be found, Customer may terminate the affected services with a pro-rated refund of any pre-paid unused fees.

To subscribe to sub-processor change notifications, email privacy@exaroutes.com with the subject "Subscribe sub-processor changes".

6. International transfers

ExaRoutes is established in India and hosts the service in the United States (AWS us-east-1). Transfers of Customer Personal Data from the EEA, the UK, or Switzerland to ExaRoutes and its US-based sub-processors will be governed by:

  • For transfers from the EEA: the EU Standard Contractual Clauses, Module 2 (controller to processor), which are hereby incorporated by reference. Where Customer is itself a processor, Module 3 (processor to processor) applies and is likewise incorporated.
  • For transfers from the UK: the EU SCCs as modified by the UK Addendum, both incorporated by reference.
  • For transfers from Switzerland: the EU SCCs with the Swiss adaptations specified by the Swiss Federal Data Protection and Information Commissioner.

The optional and bracketed clauses are completed as follows:

  • Clause 7 (docking clause): not used.
  • Clause 9 (sub-processors): option 2 (general written authorisation), with a 30-day notification period as set out in clause 5 above.
  • Clause 11 (redress): independent dispute resolution body option not used.
  • Clause 17 (governing law): Republic of Ireland.
  • Clause 18 (forum and jurisdiction): courts of Ireland for disputes between data exporters and data importers under the SCCs. This is in addition to, and does not displace, clause 18 of the Terms of Service for disputes between Customer and ExaRoutes generally.
  • Annex I (parties; description of transfer): as set out in Annex I of this DPA.
  • Annex II (technical and organisational measures): as set out in Annex II of this DPA.
  • Annex III (sub-processors): as set out in Annex III of this DPA.

7. Personal data breach notification

ExaRoutes will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. ExaRoutes will provide updates as additional information becomes available. Notification of a breach is not an admission by ExaRoutes of any fault or liability.

8. Data subject rights

Customer is responsible for responding to data subject rights requests relating to Customer Personal Data. ExaRoutes will, taking into account the nature of the processing and at Customer's reasonable cost, provide appropriate technical and organisational measures to assist Customer in fulfilling those requests. The dashboard provides export and deletion tooling for the most common requests; for anything not covered there, email privacy@exaroutes.com.

If a data subject contacts ExaRoutes directly with a request relating to Customer Personal Data, ExaRoutes will, where reasonably possible, redirect the request to Customer and inform the data subject that they should contact Customer.

9. Audits

ExaRoutes will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including a current description of the technical and organisational measures, third-party audit reports (when available), and responses to written security questionnaires within a reasonable timeframe.

Where this is insufficient and applicable Data Protection Law requires on-site audit rights, Customer may, on at least 30 days' written notice and no more than once per 12-month period (unless required more frequently by a competent supervisory authority or by a confirmed material breach), audit ExaRoutes' compliance with this DPA, at Customer's expense, during normal business hours, in a manner that does not unreasonably disrupt the service or compromise the confidentiality of other customers. The parties will agree the scope and methodology in good faith in advance.

10. Deletion or return on termination

On termination of the service or earlier on Customer's written request, ExaRoutes will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, except to the extent retention is required by Indian or other applicable law or is preserved for the rolling 30-day backup window described in the Privacy Policy. Where applicable law requires longer retention, ExaRoutes will continue to protect that data in accordance with this DPA for as long as it is held.

11. Liability

The liability provisions of the Terms of Service apply to claims under this DPA, with the cap and exclusions therein. Nothing in this DPA limits or excludes either party's liability where applicable Data Protection Law prohibits such limitation or exclusion.

12. Order of precedence

In case of conflict, this DPA prevails over the Terms of Service with respect to the processing of Customer Personal Data. The SCCs prevail over this DPA to the extent of any conflict involving international transfers.

13. Changes

ExaRoutes may update this DPA from time to time, including to reflect changes in Data Protection Law, additions or replacements of sub-processors, and updates to the technical and organisational measures. Material changes that adversely affect Customer's rights will be communicated with at least 30 days' notice and Customer may, in that period, object on reasonable data-protection grounds.

Annex I: Description of the processing

Parties

  • Data exporter (Controller): Customer, as identified in the ExaRoutes account record.
  • Data importer (Processor): Aviral Gohil, sole proprietor, Jabalpur, Madhya Pradesh, India, trading as ExaRoutes. Contact: privacy@exaroutes.com.

Categories of data subjects

  • End users who scan QR codes generated by Customer.
  • Visitors who submit Customer's lead-capture forms hosted on ExaRoutes.
  • Visitors who interact with Customer's AI-generated landing pages or branded short links hosted on ExaRoutes.

Categories of personal data

  • Network identifiers: IP address, user agent string.
  • Approximate location derived from IP (country, region, city).
  • Device and browser metadata: operating system family, browser family, device type.
  • HTTP Referer header (where the browser sends one).
  • Pseudonymous deduplication fingerprint (SHA-256 hash; not reversible to inputs).
  • Form submission contents, where Customer has published a lead-capture form (whatever fields Customer chose to include, which may include name, email, phone, free-text responses).
  • Timestamps of the above.

Special categories of data (article 9 GDPR) are not knowingly collected and must not be submitted by Customer through the lead-capture form fields unless Customer has obtained explicit consent and has informed ExaRoutes in writing.

Frequency of the transfer

Continuous, on a per-event basis, throughout the term of the service.

Nature of the processing

Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission to sub-processors, alignment, restriction, erasure, and destruction.

Purpose of the processing

To provide Customer with the QR redirect, scan analytics, lead-capture, and related features of ExaRoutes; to operate the service securely and reliably; to forward scan events to Customer's connected GA4 or Meta Pixel destinations where Customer has configured those integrations; and to comply with applicable law.

Retention period

As described in section 6 of the Privacy Policy. In summary: scan analytics retained for as long as Customer's QR code or account exists; operational backups on a rolling 30-day window; longer retention only as required by applicable law.

Annex II: Technical and organisational measures

ExaRoutes implements the following measures to ensure the security of Customer Personal Data appropriate to the risk. The list reflects current measures and may be updated to reflect security improvements; updates will not materially decrease the protection afforded.

Pseudonymisation and encryption

  • TLS 1.2 or higher for all data in transit between Customer, end users, and ExaRoutes.
  • Server-side encryption at rest for all DynamoDB tables and S3 buckets containing Customer Personal Data, using AWS-managed KMS keys.
  • Application-level encryption for highly sensitive fields (e.g. TOTP seeds) with keys stored separately from the database.
  • Bcrypt hashing of passwords with a cost factor that is reviewed periodically.
  • SHA-256 hashing of scan deduplication fingerprints; raw inputs are not retained alongside the fingerprint.

Confidentiality, integrity, availability, resilience

  • Single-AZ deployment of the application tier in AWS us-east-1, with DynamoDB Global Tables and S3 cross-region replication available as upgrade paths if Customer's risk profile requires geographic redundancy.
  • DynamoDB point-in-time recovery and S3 object versioning for resilience against accidental deletion.
  • Rolling 30-day operational backups; documented restore procedure.
  • Network-layer rate limiting and per-account login-attempt counters.
  • Web Application Firewall and bot-management at the CDN edge (Cloudflare).
  • Separate production and non-production environments with no shared credentials.

Access control

  • Least-privilege IAM for all internal access to AWS resources; no shared root credentials.
  • Multi-factor authentication required for all administrative access to AWS, the production database, and the admin panel.
  • Audit logs of privileged operations on the admin panel and on customer accounts.
  • Sign-in to the dashboard supports MFA (TOTP) for all customers, with hashed single-use backup codes.
  • Refresh tokens are bound to a server-side record that supports revocation.

Application security

  • Input validation on all customer-controlled inputs (form submissions, API payloads, profile updates) including size and content-type limits.
  • Anti-XSS handling on user-uploaded content (profile pictures, brand logos, form attachments).
  • HTTP-only, Secure, SameSite cookies for session tokens.
  • CAPTCHA on signup, password recovery, and abuse-sensitive endpoints.
  • Automated dependency scanning in CI; security patches applied on a defined cadence.

Personnel and process

  • ExaRoutes is currently operated by its sole proprietor; any contractor with access to production data is bound by a written confidentiality agreement.
  • Documented incident response procedure with a 72-hour Customer notification target as set out in clause 7.
  • Documented data deletion procedure aligned with the Privacy Policy retention schedule.

Sub-processor management

  • Each sub-processor is bound by data protection terms no less protective than this DPA.
  • Where required, international transfers are governed by the SCCs and the UK Addendum.
  • The list of sub-processors is published at Annex III below and kept current.

Annex III: Sub-processors

The following sub-processors may process Customer Personal Data. The list is current as of the "Last updated" date at the top of this page.

Sub-processor Purpose Location of processing
Amazon Web Services, Inc. Hosting, DynamoDB, S3, CloudFront USA (us-east-1)
Dodo Payments Payment processing as Merchant of Record As disclosed by Dodo Payments
Zoho Corporation Pvt. Ltd. Transactional and support email delivery India / USA (per Zoho region)
PostHog Inc. Marketing-site product analytics (consent-gated) USA
Cloudflare, Inc. CDN, bot protection, cookieless web analytics, Turnstile CAPTCHA Global edge network
Sentry, Inc. Error and performance monitoring USA
Google LLC Google sign-in (only if Customer end-user uses it); AI landing page generation via the Gemini API (only if Customer uses the feature) USA

Customer-configured destinations (Customer's own GA4 property, Meta Pixel, webhook endpoint, custom DNS provider) are not ExaRoutes sub-processors; they are Customer's own onward processors and are governed by Customer's relationship with those services.

Contact

DPA questions, audit requests, sub-processor objections, or requests for a counter-signed copy go to privacy@exaroutes.com.