Data Processing Agreement

• Customer / Data Fiduciary: The entity that has subscribed to DPDPA Shield and determines the purpose and means of processing personal data through the platform.
• DPDPA Shield / Data Processor: The operator of DPDPA Shield, processing personal data on behalf of and under the instructions of the Customer.
• Personal Data: Any data about an individual who is identifiable by or in relation to such data, as defined in DPDPA 2023.
• Processing: Any operation or set of operations on personal data, including collection, storage, use, disclosure, and deletion.
• Data Principal: The individual whose personal data is being processed — the Customer's end user.

DPDPA Shield processes personal data as directed by the Customer to provide the DPDPA Shield platform services. The duration of processing corresponds to the Customer's active subscription term, plus a 30-day window following termination or expiry during which the Customer may export their data before it is deleted.

DPDPA Shield processes personal data solely to operate the platform as configured by the Customer. This includes:

• Storing and managing consent records submitted by Data Principals
• Receiving, routing, and tracking Data Principal rights requests
• Managing breach incident records and notifications
• Generating compliance reports, RoPA exports, and audit trails
• Operating the Data Inventory and related modules as configured

DPDPA Shield does not use Customer personal data for its own commercial or marketing purposes.

The data subjects are the Customer's end users — individuals (Data Principals under DPDPA) who interact with the Customer's products and services.

The categories of personal data processed depend on what the Customer configures and what Data Principals submit. This may include: names, email addresses, phone numbers, device identifiers, IP addresses, consent timestamps, rights request content, and any other personal data submitted by Data Principals through the Customer's consent or rights forms.

DPDPA Shield (as Data Processor) agrees to:

1. Process only on documented instructions: We process personal data only as instructed by the Customer through the platform configuration and API. We will not process data for any other purpose without explicit written instruction.
2. Implement security safeguards: We maintain appropriate technical and organisational security measures per DPDPA S.8(5), including encryption, access controls, and incident response. See our Security Policy.
3. Assist with Data Principal rights: We will assist the Customer in fulfilling Data Principal rights requests (access, correction, erasure, grievance) through the platform's rights management tools.
4. Breach notification: We will notify the Customer without undue delay (within 24 hours) upon becoming aware of any personal data breach affecting the Customer's data. See Section 11.
5. Deletion on termination: On instruction from the Customer or on expiry of the 30-day post-termination window, we will delete all Customer personal data from our systems, except where retention is required by law.
6. Compliance evidence: We will make available to the Customer, on reasonable request, information necessary to demonstrate compliance with this DPA, including a written summary of our security measures and sub-processor list.

The Customer consents to the following sub-processors, which DPDPA Shield uses to operate the platform:

We will notify the Customer at least 30 days in advance of any changes to this sub-processor list. The Customer may object to a new sub-processor within 14 days; if the objection cannot be resolved, the Customer may terminate the subscription.

DPDPA Shield maintains the following security measures:

• Encryption at rest (AES-256) for all database storage
• Encryption in transit (TLS 1.2+) for all data transfers
• Role-based access controls — no cross-tenant data access
• Immutable audit logs for all data processing operations
• Vulnerability management and dependency monitoring
• Incident response procedures with defined response timelines

Sub-processors may operate data centres outside India (see Section 7). All such transfers are governed by contractual protections. We comply with Central Government notifications under DPDPA S.16 on permissible cross-border transfers as they are issued.

The Customer may request compliance evidence from DPDPA Shield once per calendar year by emailing hello@dpdpashield.in. We will provide a written summary of our security measures, sub-processor agreements, and breach notification procedures within 30 days of the request.

If DPDPA Shield discovers a personal data breach affecting Customer data, we will:

• Notify the Customer within 24 hours of discovering the breach
• Provide information on the nature of the breach, data categories affected, approximate number of Data Principals affected, and steps taken to contain the breach
• Cooperate with the Customer to assist their notification to the Data Protection Board (required within 72 hours under DPDPA S.8(6))

This DPA is governed by Indian law and the provisions of the Digital Personal Data Protection Act 2023 and DPDP Rules 2025. Any disputes shall be resolved in accordance with the Terms of Service.