VEDHIN TECHNOLOGY DATA PROCESSING ADDENDUM
Controller-Processor Agreement | Effective: May 2024
DPA REFERENCE: VEDHIN-DPA-2024-01
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement between Client ("Controller") and Vedhin Technology ("Processor"). This DPA reflects the parties' agreement with regard to Processing of Personal Data in accordance with GDPR, DPDP, and other applicable data protection laws.
Execution: This DPA is incorporated by reference into the MSA. By continuing to use Vedhin's services, Client agrees to this DPA.
SCHEDULE 1: DETAILS OF PROCESSING
| Category | Details |
|---|---|
| Subject Matter | Processing necessary for provision of IT services as per SOW |
| Duration | Term of MSA plus data return/deletion period |
| Nature & Purpose | Software development, testing, maintenance, support, hosting |
| Data Categories | Client Employee Data: Name, email, business contact; End User Data: As contained in Client applications; Technical Data: IP addresses, device identifiers; Special Categories: Only if explicitly specified in SOW |
| Data Subjects | Client employees, contractors, end users, business contacts |
SCHEDULE 2: SECURITY MEASURES
Technical & Organizational Measures
- Role-based access controls (RBAC)
- Multi-factor authentication
- Principle of least privilege
- Quarterly access reviews
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Data minimization principles
- Pseudonymization where feasible
- 24/7 security monitoring
- Vulnerability scanning weekly
- Penetration testing annually
- Security incident simulation quarterly
SCHEDULE 3: SUB-PROCESSORS
Approved Sub-Processor List
| Sub-Processor | Service | Location | DPA in Place |
|---|---|---|---|
| Amazon Web Services | Cloud Infrastructure | USA, Ireland, Singapore | Yes (AWS GDPR DPA) |
| Microsoft Azure | Cloud Services | Netherlands, USA, India | Yes |
| Google Cloud Platform | Cloud Services | Belgium, USA, Taiwan | Yes |
| Freshworks | Support Ticketing | USA, Germany | Yes |
| Slack Technologies | Communication | USA | Yes |
Sub-Processor Engagement Terms:
- Vedhin will notify Client of new sub-processors 30 days in advance
- Client may object on reasonable grounds within 14 days
- Vedhin will impose the same data protection obligations on sub-processors
- Vedhin remains liable for sub-processor breaches
SCHEDULE 4: INTERNATIONAL TRANSFERS
Transfer Mechanisms
| Transfer Scenario | Applicable Mechanism | Reference |
|---|---|---|
| EU/EEA to India | EU Standard Contractual Clauses (2021) | Module Two: Controller to Processor |
| UK to India | International Data Transfer Addendum to EU SCCs | UK ICO Approved IDTA |
| Switzerland to India | Revised Swiss SCCs | FDPIC Approved |
| Other Countries | Adequacy Decision or SCCs | Case-by-case assessment |
Transfer Impact Assessments: Vedhin will conduct TIAs for transfers to countries without adequacy decisions. Client will be notified of any high-risk findings.
SCHEDULE 5: DATA SUBJECT RIGHTS COOPERATION
Assistance Obligations
| Data Subject Right | Controller Responsibility | Processor Assistance |
|---|---|---|
| Right to Access | Verify identity, validate request | Provide technical means to access data |
| Right to Erasure | Determine lawfulness of request | Delete/return data as instructed |
| Right to Rectification | Validate accuracy of correction | Implement correction in systems |
| Data Portability | Specify format requirements | Provide data in structured format |
Cost Allocation: Vedhin will bear costs for the first 10 hours of assistance per calendar year. Additional assistance is billed at ₹2,500 per hour.
SCHEDULE 6: AUDIT RIGHTS
Audit Protocol
- Notice: Client must provide 30 days' written notice
- Scope: Limited to systems processing Client Data
- Frequency: Maximum once per calendar year
- Duration: Maximum 2 business days on-site
- Auditors: Must be independent, qualified, sign NDA
- Costs: Client bears all audit costs
- Reports: Confidential findings shared with Vedhin
- Remediation: Vedhin will address material findings within 90 days
Alternative to Audit: Client may accept Vedhin's most recent:
• ISO 27001 certification
• SOC 2 Type II report
• Penetration test results
• External audit reports
EXECUTION & GOVERNANCE
This DPA becomes effective upon the later of: (i) execution of the MSA, or (ii) commencement of Processing.
Termination: Upon termination, Vedhin will delete or return all Client Data as instructed. Deletion will be certified in writing.
Governing Law: As per MSA, with specific jurisdiction for data protection matters to supervisory authorities where Data Subjects reside.
Amendments: Vedhin may update this DPA to reflect legal changes. Material changes will be notified 30 days in advance.
VEDHIN TECHNOLOGY
DPO: Ms. Ananya Sharma | Email: dpo@vedhin.com
Address: Jaipur, Rajasthan 302001
Last Updated: May 2025 | DPA Version: 2025.2