Data Processing Addendum (DPA)

Effective date: 5 September 2025

This DPA forms part of the agreement between Ektasi Technology (“Processor” or “Service Provider”) and the client identified in the ordering document (“Controller” or “Business”). It governs Processor’s processing of Personal Data on behalf of Controller in connection with the services, including Ektasi Labs modules (bulk email/SMS, social automation, ERP).

1) Definitions

Applicable Data Protection Law means laws applicable to the Processing of Personal Data, including the EU/UK GDPR, India’s DPDP Act 2023 and rules, and US state privacy laws (e.g., CPRA). Capitalized terms not defined here have the meaning given in the Agreement.

2) Roles & scope

Controller determines the purposes and means of Processing. Processor will Process Personal Data solely to provide the Services and as documented by Controller’s instructions (including via the Agreement and settings). Processor will not: (a) sell or share Personal Data, (b) combine Personal Data with other data for cross-context behavioral advertising, or (c) Process beyond the limited and specified purposes, except as required by law.

3) Controller instructions

Processor will follow lawful instructions provided by Controller. If an instruction violates Applicable Law, Processor will notify Controller (unless legally prohibited). Controller is responsible for the accuracy and lawfulness of Personal Data and obtaining any required consents.

4) Confidentiality & personnel

Processor ensures personnel are bound by confidentiality obligations and receive appropriate privacy/security training. Access follows least-privilege principles.

5) Security

Processor implements appropriate technical and organizational measures described in Annex B (including encryption in transit, access controls, logging, backups/DR, vulnerability management, and incident response).

6) Sub-processors

Controller authorizes Processor to use Sub-processors reasonably required to deliver the Services, subject to written contracts imposing data protection obligations no less protective than this DPA. Processor will maintain a list of Sub-processors (Annex C) and notify Controller of material changes where required, allowing objection on reasonable grounds.

7) International transfers

Where Processor transfers Personal Data internationally, it will use appropriate safeguards (e.g., EU SCCs/UK IDTA or Addendum, and contractual measures). See Annex D.

8) Assistance to Controller

  • Data subject requests: Processor will assist Controller by providing tools or forwarding requests (access, deletion, correction, portability, objection) without undue delay.
  • Security & DPIAs: Processor will provide information necessary for security assessments and to support DPIAs, subject to confidentiality.
  • Records: Processor maintains records of Processing as required by law.

9) Audits

Upon reasonable written notice, Processor will make available relevant information and allow audits by Controller or an independent auditor (not more than annually, unless required by a Supervisory Authority or after a Material Incident). Audits will minimize disruption and protect Processor’s and other clients’ confidentiality.

10) Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Personal Data. The notice will include available details (nature, categories, approximate numbers, likely consequences, measures taken or proposed). Processor will cooperate with remediation and notifications required by law.

11) Return & deletion

Upon termination or at Controller’s written request, Processor will delete or return Personal Data and delete existing copies within commercially reasonable timeframes, unless retention is required by law (in which case data will be isolated and protected).

12) Liability & indemnity

Liability is governed by the Agreement. Each party remains responsible for its own compliance with Applicable Law.

13) Term & termination

This DPA is effective for the duration of the Agreement and any renewal. If there is a conflict between this DPA and the Agreement as it relates to data protection, this DPA controls.

14) Governing law

Unless otherwise agreed, the governing law mirrors the Agreement. For SCCs/IDTA, the chosen laws in those modules apply.


Annex A — Processing Details

Subject matter: Provision of services (web/apps, integrations, analytics, AI features, Ektasi Labs modules).
Duration: Term of the Agreement plus retention described below.
Nature & purpose: Hosting, transmission, storage, transformation, analytics, messaging, automation, support.
Types of Personal Data: Identifiers (name, email, phone), account IDs, transaction metadata, device/usage data, communications, and any data provided by Controller within the Services.
Special categories: Not intended. If Controller introduces such data, Parties will agree on additional safeguards.
Data subjects: Controller’s customers, end users, employees, contractors, and other contacts as defined by Controller.

Retention & deletion

  • Operational logs & telemetry: 12–24 months (unless required longer for security/investigations).
  • Backups: rolling cycles (e.g., 30–90 days).
  • Exports/archives for Controller: as configured by Controller.

Annex B — Technical & Organizational Security Measures

  1. Governance & access: Role-based access control, least privilege, MFA for admin access, joiner/mover/leaver processes, periodic access reviews.
  2. Asset & data management: Data classification, encryption in transit (TLS 1.2+), encryption at rest where supported, key management with restricted access.
  3. Application security: Secure SDLC, code review, dependency/SBOM scans, CI policy gates, secrets hygiene, change management, separation of environments.
  4. Network & platform: Firewalls/WAF, hardened images, patching, time-bound credentials, logging and centralized monitoring.
  5. Resilience: Backups, disaster recovery objectives, availability monitoring, capacity planning.
  6. Incident response: Runbooks, 24×7 alerting on critical paths, breach notification process.
  7. Vendor & sub-processor risk: Diligence, contractual safeguards, periodic reviews.
  8. Personnel & training: Confidentiality agreements, security/privacy training, awareness programs.
  9. Physical security: Data center controls (via cloud providers); office access controls where applicable.
  10. Testing: Vulnerability scanning and, where appropriate, penetration testing; remediation tracking.

Annex C — Authorized Sub-processors (illustrative)

Processor will maintain a current list upon request. Typical categories include: cloud hosting/IaaS, CDN/WAF, email/SMS/WhatsApp gateways, analytics, error/uptime monitoring, payments, and support tooling.


Annex D — Cross-border Transfers

Where required, the EU Standard Contractual Clauses (Controller–Processor, Module 2) and UK Addendum/IDTA are incorporated by reference. For India DPDP, international transfers follow applicable rules and contractual protections.


Annex E — Contact Points

Processor: Ektasi Technology, Varanasi, Uttar Pradesh, India — info@ektasi.io — +91 88799 52595

Controller: As stated in the ordering document/SOW.