
Data Processing Addendum (DPA)

Effective Date: 09 Sep 2025

1. DEFINITIONS

1.1 Terms used in this Data Processing Addendum (“DPA”) have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.

  • “Agreement” means the End User License Agreement, Terms of Service, or other agreement between Company and Customer governing Customer’s use of the Services.
  • “Applicable Data Protection Laws” means all applicable laws, regulations, and binding guidance relating to data protection, privacy, and security, including without limitation: (a) Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”); (b) the California Consumer Privacy Act (“CCPA”); (c) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under India’s Information Technology Act, 2000; and (d) any successor or replacement legislation.
  • “Controller” means the entity that determines the purposes and means of processing Personal Data.
  • “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Company on behalf of Customer in connection with the Services.
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • “Processor” means the entity that processes Personal Data on behalf of and on the instructions of the Controller.
  • “Services” means the software, applications, and related services provided by Company under the Agreement.
  • “Sub-processor” means any entity engaged by Company to process Personal Data on behalf of Customer.

 

2. SCOPE AND APPLICATION

2.1 Relationship of Parties
Customer is the Controller and Company is the Processor of Personal Data processed under this DPA. Each party will comply with its respective obligations under Applicable Data Protection Laws.

2.2 Precedence
This DPA supplements and forms part of the Agreement. In case of conflict between this DPA and the Agreement regarding Personal Data processing, this DPA prevails.

2.3 Processing Scope
Company will process Personal Data only: (a) as necessary to provide the Services; (b) as documented in Annex A (Processing Details); and (c) as otherwise instructed by Customer in writing.

 

3. PROCESSING INSTRUCTIONS AND COMPLIANCE

3.1 Processing Instructions
Company will process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to third countries or international organizations, unless required by applicable law.

3.2 Unlawful Instructions
If Company believes Customer’s instructions violate Applicable Data Protection Laws, Company will promptly notify Customer and may suspend processing until the instruction is modified or withdrawn.

3.3 Compliance Obligations
Company will:

  • Implement appropriate technical and organizational measures to protect Personal Data;
  • Ensure personnel processing Personal Data are bound by confidentiality obligations;
  • Assist Customer in responding to Data Subject requests;
  • Notify Customer of Personal Data breaches without undue delay;
  • Assist Customer in conducting Data Protection Impact Assessments when required.

 

4. TECHNICAL AND ORGANIZATIONAL MEASURES

4.1 Security Measures
Company implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit and at rest using industry-standard methods;
  • Regular security assessments and penetration testing;
  • Access controls limiting personnel access to Personal Data on a need-to-know basis;
  • Secure backup and disaster recovery procedures;
  • Regular security training for personnel;
  • Incident response procedures.

4.2 Security Standards
Company maintains security measures consistent with industry standards, including ISO 27001 or equivalent frameworks. Details of current security measures are available in Annex B (Security Measures).

4.3 Updates
Company may update security measures to maintain or improve protection levels, provided such changes do not materially diminish the overall security of Personal Data processing.

 

5. SUB-PROCESSING

5.1 Authorization
Customer authorizes Company to engage Sub-processors in accordance with this Section 5.

5.2 Current Sub-processors
Company’s current Sub-processors are listed in Annex C (Sub-processors).

5.3 New Sub-processors
Company will provide Customer with at least 30 days’ advance notice before engaging new Sub-processors or changing existing Sub-processor arrangements. Customer may object to new Sub-processors on reasonable data protection grounds.

5.4 Sub-processor Requirements
Company ensures each Sub-processor is bound by data protection obligations substantially similar to those in this DPA.

5.5 Liability
Company remains fully liable to Customer for Sub-processors’ compliance with obligations under this DPA.

 

6. DATA SUBJECT RIGHTS

6.1 Assistance Obligation
Company will assist Customer in fulfilling Data Subject requests, including:

  • Access to Personal Data
  • Rectification of inaccurate Personal Data
  • Erasure of Personal Data
  • Restriction of processing
  • Data portability
  • Objection to processing

6.2 Response Timeframe
Company will respond to Customer’s requests for assistance within 30 days or as otherwise required by Applicable Data Protection Laws.

6.3 Direct Requests
If Company receives Data Subject requests directly, it will redirect the Data Subject to Customer and notify Customer without undue delay.

 

7. DATA TRANSFERS

7.1 Transfer Restrictions
Company will not transfer Personal Data outside the country where Customer is located without Customer’s prior written consent and appropriate safeguards.

7.2 International Transfers
For transfers to countries without adequate data protection laws, Company will implement appropriate safeguards such as:

  • Standard Contractual Clauses approved by relevant authorities
  • Binding Corporate Rules
  • Other legally recognized transfer mechanisms

7.3 Transfer Records
Company will maintain records of all Personal Data transfers and make them available to Customer upon request.

 

8. DATA RETENTION AND DELETION

8.1 Retention Period
Company will retain Personal Data only as long as necessary to provide Services or as instructed by Customer in writing.

8.2 Return or Deletion
Upon termination or expiry of the Agreement, Company will, at Customer’s choice:

  • Return all Personal Data to Customer in a commonly used format; or
  • Delete all Personal Data from its systems

8.3 Deletion Timeline
Deletion will be completed within 90 days of termination unless longer retention is required by law.

8.4 Deletion Certification
Upon Customer’s request, Company will provide written certification of Personal Data deletion.

 

9. PERSONAL DATA BREACHES

9.1 Breach Notification
Company will notify Customer without undue delay (and in any case within 72 hours) after becoming aware of any Personal Data breach.

9.2 Breach Information
Notifications will include:

  • Description of the breach and affected Personal Data categories
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further details

9.3 Investigation and Remediation
Company will investigate breaches and take reasonable steps to remediate and prevent future breaches.

 

10. AUDITS AND COMPLIANCE

10.1 Audit Rights
Customer may audit Company’s compliance with this DPA once per year upon reasonable notice, or engage a qualified third-party auditor.

10.2 Audit Cooperation
Company will cooperate with audits and provide necessary information and access to facilities.

10.3 Audit Costs
Each party bears its own audit costs unless the audit reveals material non-compliance by Company.

10.4 Compliance Reports
Company will provide annual compliance reports regarding its adherence to this DPA.

 

11. LIABILITY AND INDEMNIFICATION

11.1 Data Protection Liability
Each party is liable for damages caused by its breach of Applicable Data Protection Laws, subject to the limitations in the Agreement.

11.2 Indemnification
Company will indemnify Customer against third-party claims arising from Company’s breach of this DPA, subject to Customer’s cooperation in defense.

11.3 Liability Limitations
Liability limitations in the Agreement apply to claims under this DPA, except where prohibited by law.

 

12. TERM AND TERMINATION

12.1 Term
This DPA remains in effect for the duration of the Agreement and any period during which Company processes Personal Data.

12.2 Survival
Sections relating to data deletion, confidentiality, and liability survive termination.

 

13. GOVERNING LAW AND DISPUTES

13.1 Governing Law
This DPA is governed by the laws specified in the Agreement.

13.2 Dispute Resolution
Disputes will be resolved according to the dispute resolution procedures in the Agreement.

13.3 Regulatory Authority
Nothing in this DPA limits a party’s right to file complaints with data protection authorities.

 

ANNEX A: PROCESSING DETAILS

Categories of Data Subjects:

  • Customer employees and contractors
  • Customer’s customers and end users
  • Other individuals whose Personal Data is processed through the Services

Categories of Personal Data:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company affiliations)
  • Technical data (IP addresses, device identifiers, usage logs)
  • Authentication credentials
  • Identity and access management data
  • System logs and audit trails

Purposes of Processing:

  • Provision of Services
  • Customer support
  • Service improvement and optimization
  • Security monitoring and incident response
  • Identity verification and access control
  • System administration and maintenance

Retention Periods:

  • Active customer data: Duration of Agreement plus 12 months
  • Log data: 24 months
  • Backup data: 36 months (unless earlier deletion requested)
  • Authentication data: Duration of active user accounts

 

ANNEX B: SECURITY MEASURES

Technical Measures:

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Multi-factor authentication
  • Intrusion detection systems
  • Regular vulnerability assessments
  • Secure development practices
  • Access logging and monitoring
  • Data loss prevention controls

Organizational Measures:

  • Background checks for personnel
  • Regular security training
  • Incident response procedures
  • Business continuity planning
  • Vendor management program
  • ISO 27001 certification maintained
  • Regular security audits
  • Change management processes

ANNEX C: SUB-PROCESSORS

Sub-processor Name | Location | Service Provided | Data Categories
Amazon Web Services (AWS) | US/EU/India | Cloud hosting and infrastructure | All categories
IdentityPlus Pvt Ltd | India | Customer support services | Contact information
IdentityPlus Pvt Ltd | India | Security monitoring | Technical data and logs

 
