Data Processing Agreement (Template)
What this is. This is the template Data Processing Agreement we sign with a customer (the "Controller" or, under DPDP-2023, the "Data Fiduciary") when an engagement requires us (the "Processor" / "Data Processor") to process personal data on the Controller's behalf.
What this is not. This is not, by itself, a signed contract. The binding version is executed alongside the Statement of Work or Master Services Agreement for the relevant engagement.
1. Definitions
Capitalised terms have the meaning given to them in DPDP-2023. Where definitions diverge between DPDP-2023 and the GDPR (some customers operate cross-border), the DPDP-2023 definition prevails for India-resident Data Principals; the GDPR definition prevails for EU-resident Data Subjects, where applicable.
- "Personal Data" — as defined in §2(t) DPDP-2023.
- "Processing" — as defined in §2(x) DPDP-2023.
- "Data Principal" — the natural person to whom the personal data relates.
- "Data Fiduciary" / "Controller" — the customer who determines the purpose and means of processing.
- "Data Processor" / "Processor" — us, processing personal data on behalf of the Data Fiduciary.
- "Sub-processor" — a third party engaged by the Processor to process personal data.
2. Scope and processing instructions
We process personal data only on the Controller's documented instructions, including with regard to transfers, unless required to do otherwise by Indian law. The processing scope for each engagement is set out in Annex A of the executed DPA, which describes:
- The categories of Data Principals (e.g. employees, end-customers, contractors).
- The categories of personal data being processed.
- The nature and purpose of processing.
- The duration of processing.
- Any sensitive personal data categories involved.
3. Processor obligations
We will:
- Process personal data only for the purposes documented in Annex A.
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
- Implement and maintain the security measures described in §5.
- Promptly assist the Controller in responding to Data-Principal requests under §7.
- Notify the Controller of any personal-data breach within the timelines in §8.
- Make available all information necessary to demonstrate compliance with this DPA.
4. Confidentiality
We treat all personal data processed under this DPA as the Controller's confidential information. Confidentiality obligations survive termination of the engagement.
5. Security measures
We implement and maintain technical and organisational measures appropriate to the risk, including, at minimum:
- Encryption of personal data in transit (TLS 1.2+) and at rest where stored on our infrastructure.
- Role-based access control with multi-factor authentication on administrative accounts.
- Network segmentation and a deny-by-default firewall posture between processing environments.
- Centralised logging with monitoring and alerting for suspicious activity.
- Regular vulnerability scanning and at least annual penetration testing of customer-facing systems.
- Documented incident-response procedures with named owners and tested run-books.
- Personnel security: pre-employment checks, security training, and signed confidentiality undertakings.
- Backup and disaster-recovery measures with periodic restore testing.
Annex B of the executed DPA documents the specific control set applicable to each engagement (e.g. ISO 27001 alignment, CIS Critical Security Controls coverage, sector-specific requirements).
6. Sub-processors
The Controller grants general authorisation for us to engage sub-processors, subject to:
- The current list of sub-processors being available on request.
- Notification at least 30 days in advance of adding or replacing a sub-processor that materially affects the engagement, with the Controller's right to object on reasonable grounds.
- Each sub-processor being bound by written terms providing for the same data-protection obligations as in this DPA.
We remain fully liable to the Controller for the performance of each sub-processor's data-protection obligations.
7. Data Principal rights assistance
Data Principals exercise their rights against the Controller, not against us. We assist the Controller, including by appropriate technical and organisational measures, in responding to requests for access, correction, erasure, nomination, and grievance redressal under DPDP-2023.
We acknowledge each request from the Controller within 3 working days and provide a substantive response within 15 working days, or such shorter period as the Controller's own legal obligation requires.
8. Personal data breach
On becoming aware of a personal-data breach affecting data we process for the Controller, we will:
- Notify the Controller without undue delay and, in any event, within 48 hours of becoming aware.
- Provide an initial impact assessment, the categories and approximate number of Data Principals affected, the categories of personal data affected, the likely consequences, and the measures taken or proposed to address the breach.
- Cooperate with the Controller in its own statutory notifications to the Data Protection Board and, where required, to affected Data Principals.
- Document every breach (whether or not it is reportable) and make the documentation available on request.
9. Cross-border transfers
We do not transfer personal data outside India unless (a) the Controller specifically instructs the transfer, (b) the destination country is not a country to which transfers have been restricted under §16 DPDP-2023, and (c) appropriate safeguards (contractual or technical) are in place.
Each cross-border transfer is documented in Annex A of the executed DPA.
10. Audit rights
On reasonable prior notice (not less than 15 working days), and not more than once per year unless a personal-data breach has occurred, the Controller may audit our compliance with this DPA. Audits are conducted at the Controller's expense, during business hours, and in a manner that does not unreasonably interfere with our operations or the rights of other customers.
We may satisfy this obligation in whole or in part by providing a current independent audit report (e.g. a SOC 2 Type II or ISO 27001 surveillance audit report) covering the relevant systems.
11. Return or deletion at end of services
At the Controller's choice, we will, on termination of the engagement, return all personal data processed on its behalf and delete remaining copies, unless retention is required by law (e.g. tax records) — in which case we will retain only what the law requires, for only as long as the law requires, and continue to apply this DPA's protections to that retained data.
Deletion is performed within 90 days of termination unless the Controller specifies a shorter period. Backups age out and are permanently overwritten according to the backup retention period documented in Annex B.
12. Liability
Liability under this DPA follows the liability framework in the underlying engagement contract (Master Services Agreement or Statement of Work). Where the underlying contract is silent, our aggregate liability under this DPA in any 12-month period is capped at the fees paid to us in that period.
13. Term and termination
This DPA takes effect from the effective date of the underlying engagement contract and remains in force for the duration of that contract plus any post-termination period during which we continue to process personal data (e.g. for return or deletion under §11).
14. How to request the signed DPA
If your engagement with us requires a signed DPA, please email our Grievance Officer with the subject [Privacy: DPA]. We aim to return a draft within 5 working days.
SRI INFOIT
D.No: 50-53-3/22, Plot 259MIG, Giridhar Bhavan, Seethammadhara
Visakhapatnam, Andhra Pradesh 530013, India
Email: info@sriinfoit.com