Effective date: 8 July 2026

Data Processing Agreement

This DPA governs how we process personal data on your behalf when you use DPDPA Shield, as required by DPDPA 2023 Section 8(2).

This Agreement is part of the Terms of Service and takes effect when you start using the platform.

1. Definitions

  • Customer / Data Fiduciary: That's you - the entity that subscribes to DPDPA Shield and determines why and how personal data is processed through the platform.
  • DPDPA Shield / Data Processor: That's us - we process personal data on your behalf and under your instructions.
  • Personal Data: Any data about an individual who can be identified by or from that data, as defined in the DPDPA 2023.
  • Processing: Any operation on personal data - collection, storage, use, disclosure, deletion, or anything in between.
  • Data Principal: The individual whose data is being processed - your end user.

2. Subject Matter and Duration

We process personal data as you direct us to through the DPDPA Shield platform. This lasts for the duration of your subscription, plus a 30-day window after termination so you can export your data before we delete it.

3. Nature and Purpose of Processing

We process personal data solely to operate the platform as you've configured it. That includes:

  • Storing and managing consent records from your Data Principals
  • Receiving, routing, and tracking Data Principal rights requests
  • Managing breach incident records and sending notifications
  • Generating compliance reports, RoPA exports, and audit trails
  • Running the Data Inventory, vendor risk, and other modules you've enabled

We don't use your personal data for our own commercial or marketing purposes. Ever.

4. Categories of Data Subjects

The data subjects are your end users - individuals (Data Principals under DPDPA) who interact with your products and services.

5. Types of Personal Data

What we process depends on what you configure and what your Data Principals submit. This might include names, email addresses, phone numbers, device identifiers, IP addresses, consent timestamps, rights request content, and whatever else comes through your consent or rights forms.

6. Our Obligations as Processor (DPDPA S.8(2))

Here's what we commit to:

  1. We only process on your instructions: We handle personal data only as you direct through the platform configuration and API. We won't process it for any other purpose without your explicit written say-so.
  2. We maintain strong security: We keep appropriate technical and organisational safeguards per DPDPA S.8(5) - encryption, access controls, incident response. See our Security Policy for the full picture.
  3. We help with rights requests: We'll assist you in fulfilling Data Principal rights requests (access, correction, erasure, grievance) through the platform's built-in tools.
  4. We notify you of breaches fast: If we discover a breach affecting your data, we'll tell you within 24 hours. Details in Section 11.
  5. We delete when you're done: When you tell us to, or after the 30-day post-termination window expires, we delete all your personal data from our systems - unless the law requires us to keep something.
  6. We show our work: On reasonable request, we'll give you the information you need to verify we're complying with this DPA - including our security measures and sub-processor list.

7. Sub-Processors

You consent to the following sub-processors that we use to run the platform:

Sub-ProcessorPurposeLocation
Amazon Web Services (AWS)Core infrastructure - RDS PostgreSQL (database), App Runner (API), Amplify (frontend), S3 (file and proof storage), ElastiCache Redis (cache), KMS (encryption keys), Secrets Manager (credentials), Bedrock (AI processing)India (ap-south-1, Mumbai)
ResendTransactional email deliveryUnited States

If we ever change this list, we'll give you at least 30 days' notice. You can object to a new sub-processor within 14 days; if we can't resolve it, you may terminate.

8. Security Measures

Here's what we maintain:

  • Encryption at rest (AES-256 via AWS KMS) for all database and file storage
  • Encryption in transit (TLS 1.2+) for every data transfer
  • Role-based access controls - cross-tenant access is architecturally impossible
  • Immutable audit logs for all data processing operations
  • IAM token authentication for database access (no static passwords anywhere)
  • VPC isolation with no public internet egress from application services
  • Incident response procedures with defined timelines

9. Data Residency

All primary data processing happens in India (AWS ap-south-1, Mumbai). Your personal data - consent records, rights requests, breach incidents, compliance data - is stored exclusively in AWS Mumbai.

The only exception: transactional emails via Resend may involve US-based processing for delivery purposes. Resend doesn't store personal data beyond what's needed to send the email.

We comply with Central Government notifications under DPDPA S.16 on permissible cross-border transfers as they're issued.

10. Audit Rights

Once per calendar year, you can request compliance evidence from us by emailing hello@dpdpashield.in. We'll provide a written summary of our security measures, sub-processor agreements, and breach notification procedures within 30 days.

11. Breach Notification

If we discover a personal data breach affecting your data, here's what happens:

  • We notify you within 24 hours of discovery
  • We tell you what happened - the nature of the breach, data categories affected, approximate number of Data Principals impacted, and what we've done to contain it
  • We cooperate with you on your notification to the Data Protection Board (required within 72 hours under DPDPA S.8(6))

12. Governing Law

This DPA is governed by Indian law and the DPDPA 2023 and DPDP Rules 2025. Disputes are resolved per the Terms of Service.