DPDPA.center — Data Processing Addendum (DPA)

Version: 1.0 | Effective date: 2026-06-12

This Data Processing Addendum (“DPA”) forms part of the DPDPA.center Terms of Service between CynorSense Solutions Pvt. Ltd. (“Processor”) and the installing site owner (“Fiduciary”), and governs the Processor’s processing of personal data of the Fiduciary’s Data Principals under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), in particular §8 (general obligations of Data Fiduciaries, discharged in part through valid contracts with Data Processors).

1. Roles and scope

2. Processing only on instructions

The Processor shall process personal data only: (a) to provide the App’s documented functions (consent ledgering, withdrawal enforcement, rights fulfilment, audit); (b) on the Fiduciary’s documented instructions, including those given through the App’s controls; or (c) as required by applicable Indian law, in which case the Processor will inform the Fiduciary unless legally prohibited. The Processor shall not sell or share personal data, use it for its own purposes, or use it for advertising, profiling, or training AI models.

3. Security safeguards (DPDP Act §8(5))

The Processor implements reasonable security safeguards, including: TLS encryption for all data in transit; per-tenant isolation with sessions cryptographically bound to a single site instance; secrets and per-tenant credentials held exclusively in a managed vault (OpenBao), never in code or the browser; server-side identity resolution with one-time-code step-up (no typed email addresses); webhook authenticity verification (signed RS256 JWTs); append-only audit logging; and error handling that prevents infrastructure disclosure to end users. Details are in the Security Statement (security-statement.md).

4. Personal data breach notification (DPDP Act §8(6))

The Processor shall notify the Fiduciary (via the DPO email on record) without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Fiduciary’s tenant, providing: the nature and scope of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed. The Processor shall reasonably assist the Fiduciary in meeting its own obligations to notify the Data Protection Board of India and affected Data Principals, including by supplying audit-log extracts and incident timelines. See the Incident Response Policy (incident-response.md).

5. Sub-processors

The Fiduciary authorizes the following sub-processors:

Sub-processor | Function
Microsoft 365 (Microsoft Graph) | Transactional email delivery (one-time codes, notices) from dpo@cynorsense.com
Hosting/infrastructure provider — [PLACEHOLDER: provider name and region] | Hosting of the consent ledger (PostgreSQL), app services, and vault

The Processor shall flow down data-protection obligations no less protective than this DPA to each sub-processor and remains responsible for their performance. The Processor will give the Fiduciary 30 days’ prior notice of any new sub-processor; the Fiduciary may object on reasonable data-protection grounds, and if unresolved may terminate per the Terms.

6. Assistance with Data Principal rights

The Processor provides the technical means for §11 (access/portability), §12 (correction/erasure), and §13 (grievance) requests through the My Data page and supporting services, and shall promptly forward to the Fiduciary any rights request it receives directly.

7. Audit cooperation

On reasonable written notice (not more than once per 12 months absent a breach or regulator demand), the Processor shall make available information reasonably necessary to demonstrate compliance with this DPA, including the Security Statement, audit-log extracts for the Fiduciary’s tenant, and written responses to security questionnaires. On-site audits, if required by the Data Protection Board of India or applicable law, will be scoped to the Fiduciary’s tenant and conducted so as not to compromise other tenants’ isolation.

8. Deletion at termination

On uninstall or termination, the Processor shall delete the Fiduciary’s tenant data after a 90-day reinstatement window, except records subject to a documented statutory legal hold (DPDP Act §8(7); approximately 8 years for books/tax records), which are frozen storage-only with a retention-clock registry entry and physically purged with recorded proof at expiry. The Fiduciary may request an export of its consent ledger during the 90-day window.

9. Governing law

This DPA is governed by the laws of India. In case of conflict between this DPA and the Terms of Service regarding personal data processing, this DPA prevails.