In short
When Ajuni processes personal data on your behalf, we act as your processor. You stay in control of what gets collected, why, and where it lives.
Our information security management system is certified to ISO/IEC 27001. You get 30 days advance notice of any sub-processor change, with a right to object. You may audit us once a year and any time a breach affects your data. When the contract ends, your data comes back to you or is deleted, your choice.
Scope
This Data Processing Addendum forms part of the Subscription Agreement between Webority Technologies Pvt. Ltd. (the Processor) and you (the Controller). It governs how we process Personal Data on your behalf in connection with the Ajuni platform.
If this DPA conflicts with the Subscription Agreement on a data-protection question, this DPA wins.
Subject matter and duration
Subject matter. We host the Ajuni platform, provide observability and support, write the audit trail, and run the incidental services your Subscription Agreement names.
Duration. This DPA runs for the life of the Subscription Agreement, plus the post-termination window we need to return or delete your Personal Data.
Roles and instructions
You decide the purposes and means of processing. We process Personal Data only on your documented instructions. Your instructions live in the Subscription Agreement, in this DPA, and in how you configure the platform.
If a law forces us to process Personal Data for some other purpose, we tell you before we do, unless the law itself prevents us from telling you.
Sub-processors
We use sub-processors for hosting (AWS, Azure, GCP, OCI, Yotta, CtrlS), for model serving where you have explicitly enabled a model provider, for observability, and for email delivery.
The full current list is published on the Trust page and is also available on request. We give you at least 30 days written notice before we add or replace any sub-processor. You may object on reasonable data-protection grounds.
If we cannot resolve the objection within 15 business days, the matter goes to executive escalation under the Subscription Agreement. If escalation does not resolve it within a further 15 business days, you may terminate the affected service with a pro-rated refund for the unused term and no early-termination penalty.
Emergency sub-processor changes. If a sub-processor outage forces immediate failover to a pre-approved alternate, we notify you within 24 hours and document the duration of the failover. We do not use emergency-change powers to bypass the normal 30-day notice.
Security
Our information security management system is certified to ISO/IEC 27001:2022. We implement the security measures GDPR Article 32 requires, and this DPA sets out the processor obligations listed in Article 28(3)(a) through (h).
Personal Data at rest is encrypted with AES-256-GCM. In transit, TLS 1.3 is mandatory and we restrict cipher suites to those on the IANA recommended list. Cryptographic keys are managed in FIPS 140-2 Level 3 HSMs with automatic 90-day rotation.
Access is granted on least privilege. Privileged access requires FIDO2 hardware-key MFA. Access reviews run every quarter. All personnel with access to Personal Data complete background checks aligned with the Indian BFSI standard before onboarding and recertify annually.
Vulnerability management. Critical vulnerabilities are patched within 24 hours, high within 7 days, medium within 30 days. We commission third-party penetration tests annually and make the executive summary available to customers.
Audit trail. Every action by every user, human or agent, is recorded in a SHA-256 hash-chained log. Each block is signed with a key held in our HSM. The hash chain makes any alteration or removal of an earlier entry detectable (tamper-evident); the HSM signature ties each block to a key only we control, so a block that was not written by our logging pipeline cannot be passed off as ours (tamper-attributable).
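To make the two properties concrete, here is an added illustration in Python of a hash-chained, signed audit log and a verifier that distinguishes the failure modes. This is example code written for this page, not Ajuni's logging implementation. HMAC-SHA256 under a verifier-held key stands in for the HSM signature (a real deployment signs with an asymmetric key that never leaves the HSM, so verifiers hold only the public key); the entry fields, the actors and the actions are all constructed for the demo.

```python
"""Hash-chained, signed audit trail: an added illustration, not Ajuni's code.

Each entry carries the SHA-256 of the previous entry, so editing or removing an
earlier entry breaks every later link (tamper-evident). Each entry is also
signed over its hash; HMAC-SHA256 stands in here for the HSM-held signing key
named in the DPA (assumption: a real system uses an asymmetric HSM key, which
is what makes the trail attributable to the operator rather than to anyone
holding the verification secret).
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed sentinel used as prev_hash of the first entry


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so the hash does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    """SHA-256 over the entry body, excluding its own hash and signature."""
    body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
    return hashlib.sha256(canonical(body)).hexdigest()


def sign(digest_hex: str, key: bytes) -> str:
    """Stand-in for the HSM signature: HMAC-SHA256 over the entry hash."""
    return hmac.new(key, digest_hex.encode(), hashlib.sha256).hexdigest()


def append(chain: list, actor: str, action: str, key: bytes) -> dict:
    """Append one entry linked to the current chain head and sign it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "actor": actor, "action": action, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    entry["sig"] = sign(entry["hash"], key)
    chain.append(entry)
    return entry


def verify(chain: list, key: bytes) -> tuple:
    """Walk the chain; report the first broken invariant and where it is."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return False, f"seq gap at {i}"
        if e["prev_hash"] != prev:
            return False, f"chain broken at {i}"
        if e["hash"] != entry_hash(e):
            return False, f"body altered at {i}"
        if not hmac.compare_digest(e["sig"], sign(e["hash"], key)):
            return False, f"bad signature at {i}"
        prev = e["hash"]
    return True, "ok"


def demo() -> dict:
    """Build a three-entry chain and exercise the tamper cases."""
    key = b"constructed-demo-key"  # stands in for the HSM-held key
    chain = []
    for actor, action in [("alice", "export:report-42"),
                          ("agent:billing", "read:invoice-7"),
                          ("bob", "delete:record-9")]:
        append(chain, actor, action, key)
    intact = verify(chain, key)

    # Case 1: attacker rewrites entry 1 and recomputes its hash, but cannot sign.
    edited = json.loads(json.dumps(chain))
    edited[1]["action"] = "read:nothing"
    edited[1]["hash"] = entry_hash(edited[1])
    no_key = verify(edited, key)

    # Case 2: attacker also holds the key and re-signs entry 1, but leaves
    # entry 2 alone: its prev_hash still names the original hash of entry 1.
    edited[1]["sig"] = sign(edited[1]["hash"], key)
    with_key = verify(edited, key)

    # Case 3: the newest entry is simply dropped. Nothing inside the chain
    # detects this; the head must be anchored outside the log.
    truncated = verify(chain[:-1], key)

    return {"intact": intact, "no_key": no_key,
            "with_key": with_key, "truncated": truncated}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Case 3 is the caveat a reviewer of any hash-chained log should raise: chaining and per-block signatures detect edits and deletions in the middle of the trail, but not removal of the tail. A deployment that wants that guarantee has to anchor the latest hash and sequence number somewhere the log writer cannot silently rewrite, for example by periodically handing it to the controller or publishing it.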
A public redacted version of our technical and organisational measures (TOMs) is published on the Trust page. The full unredacted TOMs are appended to your Subscription Agreement on signing. We do not water either version down without your written consent.
Personal data breach
If we learn of a Personal Data breach affecting your data, we tell you without undue delay.
For Personal Data covered by the GDPR, we notify you within 72 hours of confirmed awareness. For Personal Data covered by the DPDP Act, we notify you within the timeframe the law sets, and as a target we aim to match the 72-hour standard.
The notice covers what happened, the categories and rough number of data subjects involved, the likely consequences, and what we are doing about it. We help you meet your own notification duties to supervisory authorities and data subjects. We do not bill you for breach response that follows from our failure.
Data subject requests
We help you respond to data subject requests under the DPDP Act, the GDPR, and other applicable laws. That includes access, correction, deletion, portability, restriction, and objection requests, inside the timeframes the relevant law sets.
Standard assistance is included in your subscription. For unusually complex or high-volume work we may charge a reasonable fee, and we tell you the fee in advance before any work starts.
Cross-border transfers
When Personal Data leaves its country of origin, we rely on the European Commission Standard Contractual Clauses (2021/914), Module 2 (controller to processor), or the equivalent transfer mechanism the origin country recognises. We add the technical and organisational measures the Trust page describes.
For every recurring transfer, we conduct a Transfer Impact Assessment (TIA), as the CJEU's Schrems II judgment requires. The TIA records the destination country, the law that governs access by public authorities there, the supplementary measures we have applied, and the residual risk. The TIA is available to controllers on request under NDA.
For Personal Data covered by the DPDP Act, we follow the cross-border rules in force at the time of transfer, including any country restrictions notified under section 16.
Data residency commitments
The data-residency region named in your order form is contractually binding. If the order form names ap-south-1 (Mumbai) as your region, your Personal Data is stored, processed, and served from that region only. This commitment covers customer data, agent outputs, prompts, configurations, backups, replicas, derived data, embeddings, audit-trail entries, and operational telemetry that contains identifiers tied to your tenant.
For Indian regulated customers, the book of record stays in India. Backups, derived data, and metadata stay in India. Pre-production and disaster-recovery regions, if any, are also in India unless your order form explicitly approves an additional region.
We do not move Personal Data across regions to manage cost, capacity, or convenience. The only exception is a documented disaster-recovery event to a region you have pre-approved in the order form. We tell you within 24 hours of any such move and we restore data to the primary region as soon as recovery completes.
RBI cybersecurity alignment
For customers regulated by the Reserve Bank of India (Scheduled Commercial Banks, Payment System Operators, NBFCs, and other regulated entities), our controls align with the RBI Cybersecurity Framework. We support audit visibility for SE-1 and SE-2 categories.
On request, we share a control mapping that cross-references our ISO 27001 statement of applicability to the RBI Cybersecurity Framework controls and to the RBI Master Direction on Outsourcing of IT Services where applicable.
Audits
You may audit our compliance with this DPA once every 12 months, and any time after a Personal Data breach affecting your data. Audits run on 30 days notice, during business hours, under confidentiality, and in a way that does not disrupt the rest of the platform.
We also share, under NDA, our latest SOC 2 Type II report, the ISO 27001 certificate, and the executive summary of our most recent penetration test. For most teams these documents resolve audit questions without the need for an on-site visit.
Return or deletion of data
At the end of the Subscription Agreement, and after the 90-day export window in the Terms of Service, we return or delete all Personal Data, as you choose, except where a law tells us to keep it for a defined period.
Deletion verification. On request we issue a Deletion Certificate that records the date and time of deletion, the systems covered (primary stores, replicas, backups, search indices, derived data, telemetry), the deletion method (logical delete followed by cryptographic destruction for encrypted data, meaning the data-encryption key is destroyed so the remaining ciphertext is unrecoverable; secure overwrite for unencrypted data), and the personnel who performed and verified the deletion. The certificate is signed by our Data Protection Officer.
Backup retention. Backups roll off on a maximum 35-day cycle. Deletion takes immediate effect in primary systems. Backups taken before the deletion still contain the data until they age out, so the data is gone from all backup media at most 35 days after the deletion. We confirm both the immediate deletion and the final backup-cycle completion in writing.
Article 28 reference index
For controllers running an Article 28 GDPR checklist, the following sections cover the corresponding sub-points.
Article 28(3)(a) instructions: see Roles and instructions.
Article 28(3)(b) confidentiality: covered in Security under access control and personnel background checks.
Article 28(3)(c) security measures: see Security.
Article 28(3)(d) sub-processors: see Sub-processors.
Article 28(3)(e) data subject requests: see Data subject requests.
Article 28(3)(f) assistance with Articles 32 to 36 (security, breach notification, DPIA, prior consultation): see Security, Personal data breach, and the DPIA support clause in the Subscription Agreement.
Article 28(3)(g) return or deletion: see Return or deletion of data.
Article 28(3)(h) audit and information: see Audits.
Contact
For DPA questions, write to [email protected]. Our Data Protection Officer responds within five business days. For urgent breach matters, mark the email subject URGENT and we route it the same day.
Questions about this document?
We'd rather you ask than guess. Reach us at the address below. A real person reads every email.