Introduction
This Data Processing Agreement ("DPA") forms part of the service agreement between AIzYantra Technologies ("Data Processor" or "we") and the client ("Data Controller" or "you") for the processing of personal data in connection with AIzYantra's services.
This DPA is designed to ensure compliance with India's Digital Personal Data Protection Act, 2023 (DPDPA), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws. It supplements our Privacy Policy and Terms of Service.
Definitions
| Term | Definition |
|---|---|
| Data Controller | The client entity that determines the purposes and means of processing personal data. Under DPDPA, this corresponds to the "Data Fiduciary." |
| Data Processor | AIzYantra Technologies, which processes personal data on behalf of the Data Controller. Under DPDPA, this corresponds to the "Data Processor." |
| Data Principal | The individual whose personal data is being processed (DPDPA terminology), equivalent to "Data Subject" under GDPR. |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data, as defined under DPDPA Section 2(t). |
| Processing | Any operation performed on personal data, including collection, storage, use, analysis, modification, transmission, erasure, or destruction. |
| Sub-Processor | A third party engaged by AIzYantra to process personal data on behalf of the Data Controller. |
Scope of Processing
AIzYantra processes personal data on behalf of clients in the context of the following services:
| Service | Data Processed | Processing Purpose |
|---|---|---|
| AI Starter Kits | Customer data, transaction records, communication logs as configured by the client | Automation execution, analytics, reporting |
| Custom AI Projects | As defined in the project Statement of Work (SOW) | AI model training, system integration, deliverable creation |
| Fractional CTO Services | Business data, employee data, system access as required for advisory role | Technical strategy, system audits, architecture decisions |
| AI Readiness Assessment | Organizational data, employee counts, technology inventory, process descriptions | Assessment scoring, benchmarking, recommendation generation |
| Tripti Voice SDR | Voice recordings, transcripts, contact information of callers | Lead qualification, conversation analysis, service delivery |
Obligations of AIzYantra (Data Processor)
As Data Processor, AIzYantra agrees to the following obligations:
- Lawful Processing: Process personal data only on documented instructions from the Data Controller, unless required to do so by applicable law. In such cases, we will inform the Data Controller before processing unless legally prohibited.
- Purpose Limitation: Process personal data only for the specific purposes outlined in the service agreement and this DPA. We will not process data for our own purposes or any other unauthorized purpose.
- Confidentiality: Ensure that all personnel authorized to process personal data are bound by confidentiality obligations, whether contractual or statutory.
- Security Measures: Implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage (detailed on our Security Practices page).
- Data Principal Rights: Assist the Data Controller in responding to requests from Data Principals exercising their rights under DPDPA or GDPR, including access, correction, erasure, and data portability requests.
- Data Breach Notification: Notify the Data Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach affecting the Controller's data.
- Audit Rights: Make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for reasonable audits upon 30 days' written notice, no more than once per year.
- Deletion & Return: Upon termination of the service agreement, delete or return all personal data to the Data Controller within 30 days, unless retention is required by applicable law. Certification of deletion will be provided upon request.
Obligations of the Client (Data Controller)
As Data Controller, the client agrees to the following:
- Lawful Basis: Ensure that a valid legal basis exists for the processing of personal data under applicable data protection law before providing data to AIzYantra.
- Consent Management: Obtain and manage all necessary consents from Data Principals, including informed consent as required by DPDPA Section 6.
- Data Accuracy: Ensure the accuracy and completeness of personal data provided to AIzYantra for processing.
- Instructions: Provide clear, documented processing instructions and notify AIzYantra promptly of any changes to processing requirements.
- Data Principal Notifications: Inform Data Principals about the processing of their personal data by AIzYantra as required by applicable law.
Technical & Organizational Security Measures
AIzYantra implements the following security measures to protect personal data processed on behalf of clients:
| Category | Measure |
|---|---|
| Encryption in Transit | TLS 1.3 enforced on all communications (HTTPS only) |
| Encryption at Rest | AES-256 encryption via Supabase infrastructure |
| Access Control | Row-Level Security (RLS) on all 41+ database tables ensuring strict data isolation between clients |
| Authentication | Multi-factor authentication (MFA) enforced for all AIzYantra team members with system access |
| Least Privilege | Role-based access control (RBAC) ensuring personnel access only data necessary for their function |
| Logging & Monitoring | Comprehensive audit logging of all data access and processing activities |
| Incident Response | Documented incident response plan with defined escalation procedures and notification timelines |
| Personnel Security | All team members undergo security awareness training and are bound by confidentiality agreements |
For complete details on our security practices, please refer to our Security Practices page.
Sub-Processors
AIzYantra engages the following sub-processors to deliver its services. Each sub-processor is bound by data processing agreements that provide a level of protection equivalent to this DPA.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Supabase Inc. | United States | Database hosting, authentication, storage |
| Vercel Inc. | United States | Website and application hosting, CDN |
| OpenAI LLC | United States | AI model inference (GPT-4o, Whisper, Realtime API) |
| Simli Inc. | United States | 3D avatar rendering for Tripti Voice SDR |
| Razorpay Software Pvt. Ltd. | India | Payment processing |
| Google LLC | United States | Analytics, advertising, cloud services |
Changes to Sub-Processors
We will notify the Data Controller at least 30 days in advance before engaging any new sub-processor or replacing an existing one. The Data Controller may object to the change within 14 days of notification. If a reasonable objection cannot be resolved, either party may terminate the affected service without penalty.
Cross-Border Data Transfers
Where personal data is transferred outside India, AIzYantra ensures the following safeguards are in place:
- DPDPA Compliance: Data is transferred only to countries or entities not restricted by the Central Government of India under DPDPA Section 16.
- GDPR Safeguards: For data originating from the EEA, transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent mechanisms.
- Sub-Processor Agreements: All sub-processors receiving data outside India are bound by data processing agreements that ensure equivalent protection.
- Transparency: The Data Controller is informed of all countries where data may be processed, as listed in the Sub-Processors section above.
Data Retention & Deletion
Personal data processed under this DPA is retained according to the following principles:
- Data is retained only for the duration necessary to fulfill the processing purposes specified in the service agreement.
- Upon termination or expiry of the service agreement, AIzYantra will delete or return all personal data within 30 days, unless retention is required by applicable law.
- The Data Controller may request deletion of specific data at any time during the engagement. AIzYantra will comply within 14 business days, subject to legal retention obligations.
- Backup copies containing personal data will be purged within 90 days following deletion of live data.
- Certification of deletion will be provided upon written request.
Data Breach Response
| Timeline | Action |
|---|---|
| Within 48 hours | AIzYantra notifies the Data Controller of any confirmed or suspected personal data breach affecting their data |
| Initial Notification Includes | Nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed to address the breach |
| Within 72 hours | Detailed incident report provided, including root cause analysis and remediation plan |
| Ongoing | Regular updates until the incident is fully resolved. Post-incident review and preventive measures documented. |
| Regulatory Notification | AIzYantra assists the Data Controller in fulfilling notification obligations to the Data Protection Board of India (DPDPA) or relevant supervisory authority (GDPR) as required |
Audit Rights
The Data Controller has the right to verify AIzYantra's compliance with this DPA through the following mechanisms:
- Documentation Review: AIzYantra will provide relevant compliance documentation, security certifications, and audit reports upon reasonable request.
- On-Site Audit: The Data Controller may conduct or commission a third-party audit of AIzYantra's data processing activities, with 30 days' advance written notice, no more than once per year.
- Scope: Audits are limited to the processing activities relevant to the Data Controller's data and must not disrupt AIzYantra's operations or compromise other clients' data.
- Costs: The Data Controller bears the costs of any audit it initiates, unless the audit reveals material non-compliance by AIzYantra.
Term & Termination
This DPA takes effect upon execution of the service agreement and remains in force until all personal data processed under it is deleted or returned. Specifically:
- This DPA automatically terminates when the underlying service agreement terminates or expires.
- Obligations relating to data deletion, return, and confidentiality survive termination of this DPA.
- Either party may terminate this DPA if the other party materially breaches its obligations and fails to remedy the breach within 30 days of written notice.
Governing Law
This DPA is governed by the laws of India, specifically the Digital Personal Data Protection Act, 2023. For clients based in the European Economic Area, the provisions of the GDPR apply in addition to Indian law where applicable. Any disputes arising from this DPA shall be resolved through arbitration in Bengaluru, Karnataka, under the Arbitration and Conciliation Act, 1996.
Contact Us
For questions about this Data Processing Agreement or to request a signed copy for your records, please contact us:
- Data Protection Officer: dpo@aizyantra.com
- Grievance Officer: Kunal Bellur, CPO — grievance@aizyantra.com
- Phone: +91-9958824555
- Address: AIzYantra Technologies, Bengaluru, Karnataka, India
