Subprocessor List and Subprocessor Policy
Effective Date: 01th April 2025
Last Updated: 29th June 2026
Company Legal Name: Treewalker Digital Private Limited
Product: Galla.app
Website: https://galla.app
Registered Office: Vikas Plaza.38/ 1A (4), Kanappana Agrahara, Hosur Rd, Phase II, Electronic City, Bengaluru, Karnataka 560100
Support Email: support@treewalkerlabs.com
Legal Email: legal@treewalkerlabs.com
CIN: U72900KA2021PTC153840
GSTIN: 29AAICT9733E1ZXs
This Subprocessor List and Subprocessor Policy explains how Treewalker Digital Private Limited (“Treewalker Digital”, “Galla”, “Galla.app”, “Company”, “we”, “us”, or “our”) uses third-party service providers and subprocessors to provide, operate, secure, support, improve, and maintain Galla.app and related services.
Galla.app is a SaaS platform for retail management, POS billing, warehouse management, inventory management, WhatsApp marketing, ecommerce development, third-party integrations, APIs, dashboards, reporting, automation, and related business operations.
This document should be read together with our Terms of Service, Privacy Policy, Cookie Policy, Data Processing Addendum, Security Policy, Data Retention and Deletion Policy, Acceptable Use Policy, WhatsApp Marketing Policy, and any applicable agreement, order form, proposal, statement of work, or data processing agreement.
1. Purpose of this Document
The purpose of this Subprocessor List and Subprocessor Policy is to provide transparency about third parties that may process Customer Data or Personal Data on behalf of Treewalker Digital Private Limited while delivering Galla.app services.
This document explains:
- What subprocessors are.
- Why Galla.app uses subprocessors.
- Categories of subprocessors used by Galla.app.
- Types of data that may be processed.
- Product-specific subprocessors for Retail, POS, WMS, WhatsApp Marketing, Ecommerce, Integrations, APIs, and Support.
- How we evaluate and manage subprocessors.
- How customers are notified of subprocessor changes.
- How customers may object to new subprocessors.
- How third-party integrations selected by customers are handled.
- Current or intended subprocessor register format.
2. Definitions
For the purpose of this policy:
“Customer” means a business, organisation, company, firm, proprietorship, partnership, or legal entity that subscribes to or uses Galla.app.
“Customer Data” means all data, content, files, records, documents, product data, inventory data, billing data, customer data, vendor data, employee data, warehouse data, ecommerce data, communication data, reports, logs, and other information submitted, uploaded, imported, generated, transmitted, stored, or processed by or on behalf of the Customer through Galla.app.
“Personal Data” means any information relating to an identified or identifiable individual, including data relating to customers, users, employees, vendors, ecommerce buyers, WhatsApp recipients, delivery recipients, and business contacts.
“Subprocessor” means a third-party service provider engaged by Treewalker Digital Private Limited to process Customer Data or Personal Data on behalf of Galla.app for the purpose of providing Galla.app services.
“Third-Party Integration” means a third-party platform, system, service, API, or application connected to Galla.app by or on behalf of the Customer, such as ERP, accounting software, ecommerce platform, marketplace, payment gateway, logistics system, WhatsApp Business provider, SMS provider, email provider, analytics tool, or custom API.
“Processing” means any operation performed on data, including collection, storage, hosting, transmission, retrieval, access, synchronisation, analysis, reporting, backup, support, deletion, or security monitoring.
3. What is a Subprocessor?
A subprocessor is a third-party provider that may process Customer Data or Personal Data on behalf of Treewalker Digital Private Limited to help us deliver Galla.app.
Examples may include:
- Cloud hosting providers.
- Database and storage providers.
- Backup providers.
- Email delivery providers.
- SMS providers.
- WhatsApp Business service providers.
- Payment gateways.
- Analytics providers.
- Error monitoring tools.
- Customer support tools.
- Security monitoring tools.
- Ecommerce platforms.
- Logistics or shipping integration providers.
- API infrastructure providers.
- Professional implementation or support partners.
Subprocessors are different from third-party integrations selected directly by the Customer. Third-party integrations may process data under their own terms and privacy policies.
4. Why Galla.app Uses Subprocessors
Galla.app may use subprocessors to:
- Host the SaaS platform.
- Store Customer Data securely.
- Deliver transactional emails.
- Deliver SMS or WhatsApp messages.
- Process payments or subscription billing.
- Provide customer support and ticketing.
- Monitor platform performance.
- Detect and resolve errors.
- Provide analytics and product insights.
- Secure the platform.
- Maintain backups and disaster recovery.
- Enable integrations with third-party platforms.
- Support ecommerce development and managed services.
- Provide implementation, migration, or support assistance.
- Comply with legal, tax, audit, security, and operational requirements.
5. Customer Authorisation
By using Galla.app, entering into a service agreement, accepting our Terms of Service, or signing a Data Processing Addendum, the Customer authorises Treewalker Digital Private Limited to use subprocessors as reasonably necessary to provide Galla.app services.
Treewalker Digital Private Limited remains responsible for ensuring that subprocessors engaged by us are subject to appropriate contractual, privacy, confidentiality, and security obligations.
6. Subprocessor Management Principles
Treewalker Digital Private Limited follows the following principles while selecting and managing subprocessors:
- Use subprocessors only for legitimate service delivery, security, support, infrastructure, integration, or business purposes.
- Share only the data reasonably required for the intended service.
- Conduct reasonable vendor review before onboarding important subprocessors.
- Require subprocessors to maintain appropriate confidentiality and security obligations.
- Maintain a list of subprocessors used for Galla.app services.
- Review subprocessors periodically where commercially and operationally feasible.
- Notify customers of material changes where required by contract or policy.
- Stop using or replace subprocessors where they create unacceptable security, legal, compliance, or operational risk.
- Ensure that customer-facing documentation is updated when material subprocessor changes occur.
7. Categories of Subprocessors
Categories of Subprocessors
8. Cloud Hosting and Infrastructure Providers
Cloud Hosting and Infrastructure Providers
Purpose
- Hosting Galla.app.
- Running application servers.
- Storing Customer Data.
- Operating databases.
- Providing compute and network infrastructure.
- Supporting scalability and availability.
- Providing backup and disaster recovery infrastructure.
- Supporting security and monitoring.
Data Processed
Depending on usage, this may include:
- Customer Data.
- User account data.
- Retail and POS data.
- Warehouse data.
- Inventory data.
- Ecommerce data.
- Integration data.
- Support logs.
- System logs.
- IP addresses.
- Device and browser metadata.
- Backup data.
-
9. Email Delivery Providers
These providers help Galla.app send transactional, service, security, onboarding, support, billing, and notification emails.
Purpose
- Sending account verification emails.
- Sending password reset emails.
- Sending product notifications.
- Sending invoice or billing emails.
- Sending support updates.
- Sending onboarding and training communication.
- Sending service alerts.
- Sending legal or policy notices.
Data Processed
- Name.
- Email address.
- Company name.
- Email subject and content.
- Delivery metadata.
- Open/click metadata, if enabled.
- Bounce and unsubscribe status.
-
10. sms Providers
These providers help Galla.app send OTPs, alerts, service messages, or customer communication through SMS, if enabled.
Purpose
- OTP delivery.
- Login verification.
- Account security.
- Transactional alerts.
- Order notifications.
- Service updates.
- Customer communication, if enabled.
- Support notifications.
Data Processed
- Name, where applicable.
- Mobile number.
- Message content.
- Delivery status.
- Message metadata.
- Timestamp.
- Campaign or notification category, where applicable.
11. WhatsApp Business and Messaging Providers
These providers support WhatsApp marketing, customer communication, business messaging, templates, delivery reports, and campaign workflows.
Purpose
- WhatsApp Business messaging.
- WhatsApp template submission and delivery.
- Campaign execution.
- Customer communication.
- Message delivery tracking.
- Message status tracking.
- Opt-out and communication status management, where configured.
- Integration with WhatsApp Business Platform or authorised providers.
Data Processed
- Recipient name.
- Recipient mobile number.
- WhatsApp message content.
- Template content.
- Campaign name.
- Campaign audience.
- Message delivery status.
- Read status, where available.
- Failed delivery status.
- Response data.
- Opt-out status, where configured.
- Consent status, where configured.
- WhatsApp Business Account metadata.
- Phone number metadata.
Important Customer Responsibility
Customers using WhatsApp marketing features are responsible for:
- Obtaining lawful recipient consent.
- Maintaining opt-in records where required.
- Not uploading purchased, scraped, unauthorised, or unlawful contact lists.
- Following WhatsApp Business terms and messaging policies.
- Managing unsubscribe or opt-out requests.
- Ensuring message content is lawful and not misleading.
- Handling recipient complaints.
- Complying with applicable marketing and data protection laws.
12. Payment Gateway and Billing Providers
These providers support subscription payments, invoices, recurring billing, payment links, refunds, payment status, and financial transaction workflows.
Purpose
- Subscription payments.
- Payment gateway processing.
- Payment links.
- Recurring billing.
- Invoice payment tracking.
- Refund status.
- Payment failure alerts.
- Tax invoice payment reconciliation.
- Customer billing records.
Data Processed
- Customer name.
- Company name.
- Email address.
- Phone number.
- Billing address.
- GSTIN, where applicable.
- Invoice amount.
- Payment status.
- Transaction reference number.
- Payment mode.
- Refund status.
- Limited payment metadata.
Treewalker Digital Private Limited does not intentionally store full card numbers or sensitive payment authentication data unless specifically required, lawfully permitted, and contractually agreed.
13. Analytics and Product Usage Providers
These providers help Galla.app understand product usage, website traffic, feature usage, user journeys, performance, conversions, and product improvement opportunities.
Purpose
- Website analytics.
- Product usage analytics.
- Feature adoption analysis.
- Conversion tracking.
- Funnel analysis.
- Performance improvement.
- Customer experience improvement.
- Marketing source attribution.
- Error and behaviour analysis.
Data Processed
- IP address.
- Device information.
- Browser information.
- Page visits.
- Click events.
- Session data.
- Referrer data.
- User activity metadata.
- Approximate location.
- Product usage data.
- Feature usage metadata.
- Account or user identifiers, where configured.
14. Customer Support and Ticketing Providers
These providers help Galla.app manage customer support, issue resolution, onboarding, service requests, troubleshooting, and customer communication.
Purpose
- Support ticket management.
- Helpdesk operations.
- Chat support.
- Customer issue tracking.
- Implementation support.
- Onboarding assistance.
- Bug reporting.
- Remote troubleshooting.
- Customer communication history.
Data Processed
- Name.
- Email address.
- Phone number.
- Company name.
- Support query.
- Ticket content.
- Screenshots or attachments.
- Error details.
- Account details.
- Product usage information.
- Communication history.
- Support status.
15. Error Monitoring and Performance Monitoring Providers
These providers help Galla.app detect bugs, errors, crashes, latency, downtime, performance issues, and system stability problems.
Purpose
- Error detection.
- Bug tracking.
- Crash reporting.
- Performance monitoring.
- Downtime monitoring.
- API performance monitoring.
- Application health monitoring.
- Security and reliability improvement.
Data Processed
- Error logs.
- Device data.
- Browser data.
- IP address.
- User session metadata.
- API logs.
- Application logs.
- Stack traces.
- Performance data.
- Limited account or user identifiers, where configured.
16. Security, Logging, and Fraud Prevention Providers
These providers help protect Galla.app from unauthorised access, abuse, attacks, suspicious activity, fraud, spam, bot traffic, and security incidents.
Purpose
- Platform security.
- Firewall protection.
- Bot protection.
- Abuse prevention.
- Suspicious activity detection.
- Security logging.
- Vulnerability monitoring.
- Access monitoring.
- Fraud prevention.
- Incident investigation.
Data Processed
- IP address.
- Device information.
- Browser information.
- Login metadata.
- Request metadata.
- Security logs.
- Access logs.
- Event logs.
- Account identifiers.
- Suspicious activity indicators.
17. Ecommerce Platform and Managed Ecommerce Providers
Galla.app may provide ecommerce development, managed ecommerce services, ecommerce setup, store management, plugin configuration, payment gateway setup, marketplace connection, and order workflow setup.
Where the Customer chooses or approves an ecommerce platform or provider, those platforms may process ecommerce-related data.
Purpose
- Ecommerce website development.
- Product catalogue hosting.
- Shopping cart functionality.
- Customer checkout.
- Payment gateway integration.
- Order management.
- Shipping and logistics setup.
- Customer account functionality.
- Ecommerce analytics.
- Marketplace integration.
- Plugin or theme functionality.
Data Processed
- Buyer name.
- Email address.
- Phone number.
- Billing address.
- Shipping address.
- Order details.
- Product details.
- Payment status.
- Return and refund data.
- Cart data.
- Website visitor data.
- Ecommerce account data.
- Support or complaint data.
Customer Responsibility
The Customer is responsible for:
- Ecommerce privacy policy.
- Ecommerce cookie policy.
- Return/refund policy.
- Shipping policy.
- Payment gateway terms.
- Marketplace terms.
- Consumer protection compliance.
- Product content legality.
- Product claims, images, pricing, and warranties.
- Customer-facing consent and communication compliance.
18. ERP, Accounting, and Business System Integrations
Galla.app may integrate with ERP systems, accounting software, Tally or similar platforms, business applications, or customer-specific systems.
These systems are generally selected or authorised by the Customer and may be treated as Third-Party Integrations rather than Galla-appointed subprocessors.
Purpose
- Syncing invoices.
- Syncing purchase data.
- Syncing sales data.
- Syncing stock data.
- Syncing customer or vendor data.
- Syncing payment status.
- Syncing order data.
- Generating reports.
- Connecting business workflows.
Data Processed
- Customer records.
- Vendor records.
- Invoice data.
- Product data.
- Stock data.
- GST/tax fields.
- Payment status.
- Order records.
- Purchase and sales data.
- Integration logs.
19. Logistics and Shipping Providers
Galla.app may integrate with logistics, shipping, courier, transport, or delivery providers as part of warehouse, ecommerce, dispatch, or order fulfilment workflows.
Purpose
- Dispatch management.
- Shipping label generation.
- Delivery tracking.
- Order fulfilment.
- Delivery status update.
- Return shipment processing.
- Logistics cost calculation.
- Proof of delivery workflows.
Data Processed
- Recipient name.
- Recipient phone number.
- Shipping address.
- Order number.
- Product shipment details.
- Delivery status.
- Tracking number.
- Return status.
- Logistics metadata.
20. Marketplace Integrations
Galla.app may integrate with marketplaces selected by the Customer for ecommerce, inventory, order, billing, and fulfilment workflows.
Purpose
- Product listing.
- Order sync.
- Inventory sync.
- Price sync.
- Dispatch update.
- Return and refund update.
- Sales reporting.
- Customer communication, where permitted.
Data Processed
- Buyer data.
- Order data.
- Product data.
- Inventory data.
- Payment status.
- Shipment details.
- Return and refund data.
- Marketplace account metadata.
21. Professional Services, Implementation, and Support Partners
Treewalker Digital Private Limited may engage authorised partners, contractors, consultants, or implementation teams to assist with onboarding, configuration, migration, customisation, development, training, and support.
Purpose
- Customer onboarding.
- Data migration.
- Configuration.
- Custom development.
- Integration support.
- Training.
- Report setup.
- Troubleshooting.
- Ecommerce implementation.
- Warehouse or POS rollout support.
Data Processed
- Customer account data.
- Configuration data.
- Product and inventory data.
- POS and billing data.
- Warehouse data.
- Ecommerce data.
- Support tickets.
- Integration logs.
- Limited Personal Data required for support.
22. Customer-Selected Third-Party Integrations
Some third-party services are selected, authorised, connected, or controlled by the Customer. These may not be direct subprocessors of Treewalker Digital Private Limited.
Examples include:
- Customer’s ERP system.
- Customer’s accounting software.
- Customer’s Tally account.
- Customer’s ecommerce platform.
- Customer’s marketplace account.
- Customer’s payment gateway account.
- Customer’s logistics provider.
- Customer’s WhatsApp Business Account.
- Customer’s SMS or email provider.
- Customer’s analytics tool.
- Customer’s custom API.
- Customer’s cloud storage or reporting system.
When the Customer connects a Third-Party Integration:
- The Customer authorises Galla.app to send data to and receive data from that third party.
- The Customer is responsible for reviewing that third party’s privacy policy, terms, security, pricing, and data processing practices.
- The Customer is responsible for maintaining valid accounts, licenses, API keys, approvals, and permissions.
- Treewalker Digital Private Limited is not responsible for third-party downtime, data loss, API changes, policy changes, account suspension, pricing changes, security incidents, or misuse by such third party.
- Data shared with such third party may be governed by that third party’s terms and privacy policy.
23. Product-Specific Subprocessor Mapping
The following table shows the types of subprocessors that may be relevant to each Galla.app product module.
|
Galla Product / Service |
Likely Subprocessor Categories |
Typical Data Processed |
|
Retail Management |
Cloud hosting, database, analytics, support, email |
Customer records, vendor records, product data, store data, user logs |
|
POS Billing |
Cloud hosting, database, email, payment gateway, support, analytics |
Invoice data, buyer data, payment status, tax fields, billing user logs |
|
Warehouse Management |
Cloud hosting, database, support, logistics integrations, ERP integrations, monitoring |
Warehouse user data, stock movement, dispatch contacts, inventory logs, barcode/QR/RFID records |
|
Inventory Management |
Cloud hosting, database, ERP integrations, analytics, support |
Product data, stock data, purchase/sales data, transfer records |
|
WhatsApp Marketing |
WhatsApp/Meta, WhatsApp BSP, cloud hosting, analytics, support |
Recipient phone numbers, message content, campaign data, delivery status, opt-out records |
|
Ecommerce Development |
Ecommerce platform, hosting, payment gateway, logistics, analytics, support |
Buyer data, order data, shipping data, payment status, product catalogue data |
|
Third-Party Integrations |
API providers, ERP/accounting systems, ecommerce platforms, marketplace/logistics/payment systems |
Data shared or received through customer-authorised integrations |
|
APIs and Webhooks |
Cloud hosting, API infrastructure, logging, monitoring, security tools |
API payloads, tokens, logs, technical metadata |
|
Customer Support |
Helpdesk, chat, remote support, screen sharing, email |
Contact details, support tickets, screenshots, issue logs |
|
Security and Monitoring |
Security tools, logging, error monitoring, uptime monitoring |
IP address, device data, logs, technical metadata |
24. Data Shared with Subprocessors
Depending on the service used, subprocessors may process one or more of the following categories of data:
- Customer business name.
- Customer legal entity name.
- Admin user details.
- User name.
- User email address.
- User phone number.
- Login metadata.
- IP address.
- Device and browser data.
- Customer records.
- Vendor records.
- Employee or staff user records.
- Product data.
- Inventory data.
- Warehouse transaction data.
- POS billing data.
- Invoice data.
- Payment status.
- Ecommerce buyer data.
- Order data.
- Shipping data.
- WhatsApp recipient data.
- Message content.
- Campaign metadata.
- Support tickets.
- Screenshots and attachments.
- API logs.
- Error logs.
- Security logs.
- Analytics events.
- Backup data.
Treewalker Digital Private Limited aims to share only the data necessary for the subprocessor to provide its service.
25. International Processing and Data Location
Subprocessors may process or store data in India or other countries depending on:
- Cloud infrastructure region.
- Subprocessor location.
- Third-party provider architecture.
- Integration settings.
- Support location.
- Customer-selected service.
- WhatsApp/Meta processing location.
- Payment gateway or ecommerce platform architecture.
Where required by applicable law or contract, Treewalker Digital Private Limited will use reasonable safeguards for international data transfers, such as contractual protections, data processing agreements, security measures, and vendor due diligence.
Customers with specific data residency requirements should contact Treewalker Digital Private Limited before deploying Galla.app or enabling integrations.
26. Subprocessor Due Diligence
Before engaging important subprocessors, Treewalker Digital Private Limited may review relevant factors such as:
- Nature of service.
- Type of data processed.
- Security posture.
- Privacy policy.
- Data processing terms.
- Confidentiality commitments.
- Infrastructure reliability.
- Data location.
- Access controls.
- Incident response commitments.
- Compliance certifications, where available.
- Business criticality.
- Availability of support.
- Contractual protections.
The level of review may vary depending on the risk, service type, data sensitivity, and business impact.
27. Contractual Safeguards
Treewalker Digital Private Limited will take reasonable steps to ensure that subprocessors are subject to appropriate contractual obligations, which may include:
- Confidentiality obligations.
- Data protection obligations.
- Security obligations.
- Restricted use of Customer Data.
- Incident notification obligations.
- Subprocessing restrictions, where applicable.
- Return or deletion obligations, where applicable.
- Compliance with applicable law.
- Access control obligations.
- Cooperation obligations.
28. Changes to Subprocessors
Treewalker Digital Private Limited may add, replace, or remove subprocessors from time to time due to:
- Product changes.
- Infrastructure changes.
- Security improvements.
- Cost optimisation.
- Vendor performance.
- Customer requirements.
- New features.
- Integration requirements.
- Legal or regulatory changes.
- Vendor discontinuation.
- Business continuity reasons.
- Operational improvements.
We may update this Subprocessor List when material changes occur.
29. Customer Notice of Subprocessor Changes
Treewalker Digital Private Limited may notify customers of material subprocessor changes through one or more of the following methods:
- Updating this webpage.
- Email notice.
- Dashboard notification.
- Account manager communication.
- Contractual notice.
- Update to the Data Processing Addendum.
- Update to the Trust Center.
Customers are encouraged to review this Subprocessor List periodically.
30. Customer Objection Process
If a Customer has a reasonable privacy or security objection to a new subprocessor, the Customer may submit a written objection to:
Legal Email: legal@trewwalkerlabs.com
The objection must include:
- Customer name.
- Account details.
- Name of the objected subprocessor.
- Specific privacy or security concern.
- Relevant facts supporting the objection.
- Proposed resolution, if any.
The objection must be submitted within 15 days of receiving notice or publication of the updated Subprocessor List.
Treewalker Digital Private Limited will review the objection in good faith and may:
- Provide additional information.
- Explain the safeguards in place.
- Offer an alternative configuration, where available.
- Disable the affected optional feature, where feasible.
- Use an alternative provider, where commercially reasonable.
- Allow the Customer to terminate the affected service as per the Agreement, if the concern cannot be resolved.
Objections cannot be used to avoid payment obligations for services already delivered.
31. Emergency Subprocessor Changes
Treewalker Digital Private Limited may add or replace a subprocessor without prior notice if urgent action is required for:
- Security.
- Service continuity.
- Legal compliance.
- Disaster recovery.
- Platform stability.
- Prevention of data loss.
- Replacement of a failing vendor.
- Customer support emergency.
- Compliance with third-party platform requirements.
In such cases, we will update the Subprocessor List or notify affected customers as soon as reasonably practicable.
32. Removal of Subprocessors
Treewalker Digital Private Limited may remove a subprocessor if:
- The service is no longer required.
- The vendor is replaced.
- The vendor creates security or compliance risk.
- The vendor is discontinued.
- The feature is discontinued.
- The Customer no longer uses the relevant module.
- The vendor fails to meet contractual or operational expectations.
- There is a legal, regulatory, or business reason to discontinue use.
33. Responsibility for Subprocessors
Treewalker Digital Private Limited remains responsible for subprocessors engaged by us to process Customer Data on our behalf, to the extent required by applicable law and the Agreement.
However, Treewalker Digital Private Limited is not responsible for third-party services that are:
- Selected by the Customer.
- Contracted directly by the Customer.
- Controlled by the Customer.
- Connected through Customer-provided credentials.
- Used independently by the Customer outside Galla.app.
- Governed by separate agreements between the Customer and the third party.
34. Subprocessors and WhatsApp Marketing
For WhatsApp Marketing, certain subprocessors or third-party platforms may be required, including:
- Meta / WhatsApp.
- WhatsApp Business Solution Providers.
- Cloud hosting providers.
- Campaign delivery infrastructure.
- Analytics tools.
- Support tools.
- Logging and monitoring tools.
Customers must understand that WhatsApp messaging is subject to WhatsApp/Meta’s own terms, policies, pricing, approval rules, message categories, quality ratings, and account restrictions.
Treewalker Digital Private Limited is not responsible for:
- WhatsApp policy changes.
- Template rejection.
- Message delivery failure.
- WhatsApp account suspension.
- WhatsApp Business Account restrictions.
- Phone number quality restrictions.
- Pricing changes.
- Recipient complaints caused by Customer campaigns.
- Unlawful use of WhatsApp Marketing by the Customer.
35. Subprocessors and POS Billing
For POS Billing, subprocessors may support:
- Hosting.
- Database.
- Backup.
- Email invoice delivery.
- Payment gateway integration.
- Analytics.
- Error monitoring.
- Support ticketing.
- Security logging.
Personal Data may include buyer contact details, invoice data, payment status, billing address, and user activity logs.
The Customer is responsible for correct tax, GST, invoice, HSN/SAC, product, pricing, and statutory configuration.
36. Subprocessors and Warehouse Management
For Warehouse Management, subprocessors may support:
- Hosting.
- Storage.
- Backup.
- ERP integration.
- Logistics integration.
- Error monitoring.
- Support tools.
- Security logging.
- Reporting.
Data may include warehouse user data, dispatch contacts, delivery recipient data, vendor contacts, inventory logs, stock movement, barcode/QR/RFID records, and integration logs.
The Customer is responsible for warehouse process control, physical stock verification, scanner usage, hardware maintenance, and staff training.
37. Subprocessors and Ecommerce Services
For Ecommerce Development and Managed Ecommerce Services, subprocessors or third-party services may include:
- Ecommerce platform.
- Website hosting.
- Payment gateway.
- Logistics provider.
- Marketplace provider.
- Analytics provider.
- Marketing tools.
- Email/SMS/WhatsApp tools.
- Customer support tools.
- Theme, plugin, or app providers.
Customers are responsible for their own ecommerce privacy policy, cookie policy, refund policy, shipping policy, product claims, consumer compliance, payment gateway approvals, marketplace approvals, and lawful processing of buyer data.
38. Subprocessors and APIs
For APIs, webhooks, and integrations, subprocessors may support:
- API hosting.
- API gateway.
- Logging.
- Monitoring.
- Security.
- Error tracking.
- Cloud infrastructure.
- Customer-authorised third-party systems.
Data may include API payloads, authentication tokens, logs, endpoint metadata, IP addresses, and integration data.
Customers are responsible for securing API keys, access tokens, credentials, endpoints, and connected systems.
39. Data Retention by Subprocessors
Subprocessors may retain Customer Data or Personal Data only as needed to provide the relevant service, unless longer retention is required by law, contract, security, billing, audit, backup, dispute resolution, or technical necessity.
Retention periods may vary by subprocessor and service category.
Treewalker Digital Private Limited will use reasonable efforts to ensure that subprocessors return, delete, or restrict data in accordance with applicable agreements and operational requirements.
40.Security Incidents Involving Subprocessors
If Treewalker Digital Private Limited becomes aware of a confirmed security incident involving a subprocessor that affects Customer Personal Data, Treewalker Digital Private Limited will take reasonable steps to:
- Investigate the incident.
- Coordinate with the subprocessor.
- Assess impact on affected customers.
- Contain and mitigate the incident.
- Notify affected customers where required by law or contract.
- Provide available information reasonably required for customer compliance.
- Take remediation steps where commercially and technically feasible.
Notification of a security incident does not constitute an admission of fault or liability
41. Recommended Internal Vendor Register
Treewalker Digital Private Limited should maintain an internal vendor register with more detailed information than the public Subprocessor List.
Recommended internal fields:
- Vendor name.
- Vendor category.
- Business owner inside Galla.
- Purpose of use.
- Product module affected.
- Data types processed.
- Personal Data involved.
- Sensitive data involved.
- Data location.
- Contract owner.
- Agreement signed date.
- Data processing agreement status.
- Security review status.
- Privacy review status.
- Risk rating.
- Renewal date.
- Exit plan.
- Backup vendor, if any.
- Incident contact.
- Last review date.
42. Recommended Public Notice Text
Galla.app may use the following notice on its Trust Center:
“Treewalker Digital Private Limited uses trusted subprocessors to provide, secure, support, and improve Galla.app. Subprocessors may support cloud hosting, messaging, email delivery, payment processing, analytics, customer support, security monitoring, ecommerce workflows, and third-party integrations. We evaluate subprocessors based on service requirement, data sensitivity, security posture, and contractual safeguards. Customers may review our current Subprocessor List below and contact us for privacy or security questions.”
43. Contact information
For questions about this Subprocessor List or to raise a privacy/security objection to a new subprocessor, contact:
Treewalker Digital Private Limited
Product: Galla.app
Registered Office: Vikas Plaza.38/ 1A (4), Kanappana Agrahara, Hosur Rd, Phase II, Electronic City, Bengaluru, Karnataka 560100
Legal Email: legal@treewalkerlabs.com
Support Email: support@treewalkerlabs.com
Phone: +91-6366-740-274
CIN: U72900KA2021PTC153840
GSTIN: 29AAICT9733E1ZX
44. Related Policies
This Subprocessor List should be published together with:
- Terms of Service.
- Privacy Policy.
- Cookie Policy.
- Data Processing Addendum.
- Security Policy.
- Data Retention and Deletion Policy.
- Acceptable Use Policy.
- WhatsApp Marketing Policy.
- SLA and Support Policy.
- Responsible Disclosure Policy.
- Incident Response Policy.
