Data Processing Addendum
Last updated: 2026-05-05
This Data Processing Addendum ("DPA") supplements our Terms of Service and applies whenever BloomDM ("Processor") processes personal data on behalf of you ("Controller" or "Tenant") under the Digital Personal Data Protection Act 2023 ("DPDP") of India, and where applicable under the GDPR for EU-resident end users.
1. Roles
- Tenant: Data Fiduciary (DPDP) / Data Controller (GDPR) for personal data of Instagram end users captured via BloomDM automations the Tenant configures.
- BloomDM: Data Processor under both frameworks. We process personal data only on Tenant's documented instructions, namely the automation rules and data export/delete requests issued through the dashboard or API.
2. Subject matter and duration
Subject matter: comment-to-DM automation, story-reply automation, AI-generated DM replies, and lead capture inside DMs. Duration: for the term of the Tenant's active workspace plus 30 days (the soft-delete window).
3. Categories of data subjects and data
Data subjects: Tenant's authorised users; Instagram end users who interact with Tenant's connected accounts. Categories: IG handles, page IDs, content of public comments and inbound DMs, email and phone numbers volunteered in DM replies.
4. Sub-processors
Tenant authorises the sub-processors listed on our Privacy Policy page. We give 30 days' notice via email before adding new sub-processors that process personal data; Tenant may terminate if they object.
5. Security measures
- AES-256-GCM encryption at rest for Instagram access tokens, with per-row Additional Authenticated Data binding ciphertext to identity.
- HMAC-SHA256 verification of every Meta and Razorpay webhook over the raw request body.
- Three application-layer multi-tenancy guards: Zod schema, ctx-from-session, repo prepend.
- TLS 1.2+ for all transport.
- Logs scrubbed of token bytes, DM contents, and email addresses (masked).
6. Data subject requests
Tenants self-serve access and deletion rights via Settings → Privacy. End-user requests received directly by BloomDM will be forwarded to the relevant Tenant within 5 business days; we do not act on end-user requests unilaterally.
7. Breach notification
We notify affected Tenants without undue delay (and within 72 hours where DPDP §8(6) applies) upon becoming aware of a personal data breach, with the information required to enable Tenant compliance.
8. International transfers
Primary database and queue infrastructure are in India. Operational logs and analytics may be processed outside India by sub-processors listed in §4 above; transfers are made under Standard Contractual Clauses or equivalent safeguards.
9. Return and deletion
On workspace deletion or Tenant request, we return data via the export endpoint and delete all copies within 30 days, except where retention is required by Indian law.
For a counter-signed copy of this DPA (Agency-tier and above), email parvinderawal@gmail.com.