Data Processing Agreement
Effective Date: January 26, 2026
1. Introduction and Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aruvalai Tech Private Limited ("Data Processor" or "Processor") and the customer ("Data Controller" or "Controller") for the use of our Services.
Data Processor Information:
| Field | Details |
|---|---|
| Legal Name | Aruvalai Tech Private Limited |
| CIN | U62099UP2025PTC223698 |
| Registration | 223698 (RoC-Kanpur) |
| Address | CO TULSHI DAS VILL GIZORE, Noida, Gautam Buddha Nagar, Uttar Pradesh, India 201301 |
| Contact | Contact@aruvalai.io |
| DPO | Contact@aruvalai.io |
This DPA applies when the Controller provides Personal Data to the Processor for processing in connection with the Services, in compliance with applicable Data Protection Laws including GDPR, CCPA/CPRA, and other regulations.
2. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.) |
| Data Controller | Entity that determines purposes and means of processing Personal Data |
| Data Processor | Entity that processes Personal Data on behalf of the Controller |
| Sub-processor | Third party engaged by Processor to process Personal Data |
| Data Protection Laws | GDPR, CCPA/CPRA, UK GDPR, and other applicable privacy regulations |
| Data Subject | Individual whose Personal Data is processed |
| Supervisory Authority | Independent public authority regulating data protection compliance |
3. Scope and Nature of Processing
3.1 Subject Matter and Duration
| Aspect | Details |
|---|---|
| Subject Matter | Provision of SaaS platform services for business operations |
| Duration | Term of the Services agreement |
| Purpose | To provide and maintain Services as specified in the Terms of Service |
3.2 Nature of Processing
| Processing Activity | Description |
|---|---|
| Collection | Gathering Personal Data from Controller and Data Subjects |
| Storage | Secure storage on cloud infrastructure |
| Organization | Structuring and indexing data for retrieval |
| Use | Processing to provide Services functionality |
| Transmission | Transfer between systems and to authorized users |
| Deletion | Erasure upon termination or as instructed |
3.3 Categories of Data Subjects
- Controller's employees, contractors, and representatives
- Controller's customers and end users
- Controller's suppliers and business partners
- Website visitors and prospective customers
3.4 Types of Personal Data
| Data Category | Examples |
|---|---|
| Identification Data | Name, email, phone number, address, date of birth |
| Professional Data | Job title, employer, work history, professional qualifications |
| Financial Data | Payment information, billing address, transaction history |
| Technical Data | IP address, device ID, browser type, login credentials |
| Usage Data | Activity logs, preferences, feature usage |
| Communication Data | Messages, emails, support tickets, chat transcripts |
Special Categories: Processor does not intentionally process special category data (sensitive personal information such as health data, biometric data, etc.) unless specifically agreed in writing.
4. Obligations of the Processor
4.1 General Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures (see Section 5)
- Respect conditions for engaging Sub-processors (see Section 6)
- Assist the Controller in responding to Data Subject requests (see Section 7)
- Assist the Controller with compliance obligations (see Section 8)
- Delete or return Personal Data upon termination (see Section 10)
- Make available information necessary to demonstrate compliance
4.2 Processing Instructions
| Instruction Type | Method |
|---|---|
| General Instructions | Specified in Terms of Service and this DPA |
| Specific Instructions | Via email to Contact@aruvalai.io or in-app support |
| Emergency Instructions | Via phone or emergency contact procedures |
5. Security Measures
5.1 Technical Measures
| Security Control | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | TLS 1.3 for all data transmissions |
| Access Controls | Role-based access control (RBAC), multi-factor authentication |
| Network Security | Firewalls, intrusion detection/prevention systems |
| Logging and Monitoring | Comprehensive audit logs, real-time monitoring |
| Backup and Recovery | Daily automated backups, tested disaster recovery procedures |
5.2 Organizational Measures
| Measure | Details |
|---|---|
| Staff Training | Regular data protection and security training for all personnel |
| Confidentiality Agreements | All staff sign confidentiality agreements |
| Access Management | Principle of least privilege, regular access reviews |
| Incident Response | Documented procedures for security incidents |
| Vendor Management | Security assessments of all Sub-processors |
| Physical Security | Secure data center facilities (via cloud providers) |
5.3 Certifications and Compliance
- ISO 27001 compliance (planned/in progress)
- SOC 2 Type II certification (planned/in progress)
- Regular third-party security audits
- Compliance with industry security standards
6. Sub-processors
6.1 Authorization and Notice
The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance.
6.2 Current Sub-processors
| Sub-processor | Service | Location | Data Transferred |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting infrastructure | EU, US, India | All customer data |
| Google Cloud Platform | Analytics and machine learning | EU, US | Usage and analytics data |
| Stripe | Payment processing | US, EU | Payment information |
| SendGrid | Email delivery | US | Email addresses, names |
| Cloudflare | CDN and DDoS protection | Global | IP addresses, request data |
Up-to-date list: An updated list of Sub-processors is available at: [URL to Sub-processor list]
6.3 Sub-processor Obligations
The Processor shall:
- Impose the same data protection obligations on Sub-processors as set out in this DPA
- Ensure Sub-processors provide sufficient guarantees of compliance
- Remain fully liable to the Controller for Sub-processor performance
- Conduct due diligence before engaging Sub-processors
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights:
| Right | Processor Assistance | Response Time |
|---|---|---|
| Right of Access | Provide access to Personal Data in structured format | Within 7 business days |
| Right to Rectification | Correct inaccurate Personal Data | Within 5 business days |
| Right to Erasure | Delete Personal Data as instructed | Within 10 business days |
| Right to Restriction | Limit processing as instructed | Within 5 business days |
| Right to Portability | Provide data in machine-readable format | Within 10 business days |
| Right to Object | Cease processing as instructed | Immediately |
7.2 Request Process
- Controller submits request to Contact@aruvalai.io
- Processor acknowledges receipt within 24 hours
- Processor provides assistance within timeframes specified above
- Controller remains responsible for responding to Data Subject
8. Data Breach Notification
8.1 Notification Obligations
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach.
| Timeline | Action |
|---|---|
| Within 24 hours | Initial notification to Controller |
| Within 48 hours | Detailed breach report with available information |
| Within 72 hours | Complete investigation report and remediation plan |
| Ongoing | Regular updates until breach is resolved |
8.2 Breach Information
The notification shall include, to the extent possible:
- Nature of the breach (categories and approximate number of Data Subjects affected)
- Name and contact details of Data Protection Officer or other contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
9. International Data Transfers
9.1 Transfer Mechanisms
| Mechanism | Applicability |
|---|---|
| EU Standard Contractual Clauses (SCCs) | Transfers from EU/EEA to third countries |
| UK International Data Transfer Agreement (IDTA) | Transfers from UK to third countries |
| Adequacy Decisions | Transfers to countries recognized as adequate |
| Data Privacy Framework | EU-U.S., Swiss-U.S. transfers (if certified) |
9.2 Supplementary Measures
For transfers to countries without adequacy decisions, the Processor implements supplementary measures:
- Strong encryption at rest (AES-256) and in transit (TLS 1.3)
- Pseudonymization where technically feasible
- Contractual commitments with Sub-processors
- Regular security audits and assessments
10. Data Retention and Deletion
10.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Active Account Data | Duration of Services agreement |
| Terminated Account Data | 30 days after termination (unless extended by Controller) |
| Backup Data | 30 days in rolling backups |
| Log Data | 90 days |
10.2 Return or Deletion Upon Termination
Upon termination of Services, the Processor shall, at the Controller's choice:
| Option | Process | Timeline |
|---|---|---|
| Return Data | Provide data export in standard format | Within 30 days of request |
| Delete Data | Securely delete all Personal Data | Within 90 days of termination |
Exception: Data may be retained to the extent required by applicable law, with continued protection under this DPA.
11. Audits and Compliance
11.1 Audit Rights
The Controller may audit the Processor's compliance with this DPA, subject to:
- Reasonable advance notice (at least 30 days)
- Limitation to once per year (unless required by Supervisory Authority)
- Execution of confidentiality agreement
- Conduct during normal business hours
- Controller bears costs of audit
11.2 Compliance Documentation
The Processor shall provide the Controller with:
- Annual SOC 2 Type II reports (when available)
- ISO 27001 certifications
- Security questionnaire responses
- Summaries of security measures and practices
12. Liability and Indemnification
12.1 Liability Cap
Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service, except as prohibited by applicable Data Protection Laws.
12.2 Indemnification
The Processor shall indemnify the Controller for damages arising from the Processor's breach of this DPA or Data Protection Laws, subject to the liability limitations above.
13. Term and Termination
This DPA shall remain in effect for the duration of the Services agreement and shall automatically terminate upon termination of the Services agreement, except for provisions that by their nature should survive.
14. Amendments
This DPA may be amended to reflect changes in Data Protection Laws or business practices. Material changes will be notified to the Controller at least 30 days in advance.
15. Contact Information
For DPA-related inquiries:
| Field | Details |
|---|---|
| Email | Contact@aruvalai.io |
| Subject Line | "DPA Inquiry" or "Data Processing Agreement" |
| Address | Aruvalai Tech Private Limited, Data Protection Officer, CO TULSHI DAS VILL GIZORE, Noida, Gautam Buddha Nagar, Uttar Pradesh, India 201301 |
Annex: Standard Contractual Clauses
EU Standard Contractual Clauses (Module Two: Controller to Processor)
For transfers from EU/EEA to third countries without adequacy decision, the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 are incorporated by reference and form an integral part of this DPA.
UK International Data Transfer Agreement (IDTA)
For transfers from the UK to third countries without adequacy regulations, the UK IDTA issued by the ICO is incorporated by reference and forms an integral part of this DPA.