DPDPA Compliance
DPDPA Compliance
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's primary data-protection law. Many businesses are working out compliance for the first time. This page explains what we do under DPDPA and how it affects you. In short: MMS is DPDPA-compliant by architecture — consent, timestamps, erasure, and breach handling are built into how the system works, not bolted on as policy.
Our role
Data Fiduciary for the business data you give us directly (your name, business details, brand assets).
Data Processor for the customer data you upload via the Customer Data Gateway — you remain the Data Fiduciary for your customers.
Consent architecture
We require explicit, granular, informed consent at every collection point. We don't assume consent from continued use or pre-checked boxes. Section 5 notices are built into every consent flow, with the specific purpose, data categories, and retention period stated clearly.
Your customer data — your responsibility
When you upload customer contact data to the Customer Data Gateway, you confirm you have explicit consent from each customer for the specific use (marketing messages, birthday wishes, win-backs). MMS doesn't pre-validate that consent — under DPDPA, that's the Data Fiduciary's obligation.
Data Principal rights
Your customers exercise their rights through you (their Data Fiduciary). We propagate erasure requests across our systems within 72 hours of your relayed request.
Breach notification
If we detect a personal-data breach affecting your data, we notify you within 72 hours and follow our runbook to inform the Data Protection Board of India as required.
Cross-border transfers
Our infrastructure runs primarily in Indian data regions. Some third-party APIs (fal.ai, Google, Meta) may process data outside India per their own published policies — these are listed in our Privacy Policy.
Sub-processors (named for transparency)
For service delivery and DPDPA transparency, our processors include: Google Business Profile API, Meta (WhatsApp Business API), GoHighLevel, fal.ai, Razorpay, Cloudflare, and our database systems. Named deliberately — DPDPA transparency requires disclosure.
The Empowerment Principle
No third-party passwords stored. Ever. We act through official APIs only — so your accounts, and your customers' trust, stay yours.
Data Processing Agreement
A DPA template is available on request for customers who need formal execution.
Grievance officer
Legally required under DPDPA. A grievance officer will be appointed before go-live, with name and contact details published here.
Pending counsel (binding text)
Final DPDPA-binding language — Data Protection Board engagement, consent-withdrawal mechanics, and the formal grievance-officer appointment — to be drafted by counsel before go-live.
Registered office
ITS Infra India · GSTIN 29KZQPS9533FIZANo. A407, SY No. 3/1, Navanrami Platina, Opp. Thanisandra Main Road, Thirumenahalli Village, Bengaluru Urban, Karnataka — 560064.
(ITS Infra India is a proprietorship — no CIN.)
