Data Processing Addendum
A binding commitment by Shivicx Technologies Private Limited on how we process your customers' personal data — transparently, securely, and in compliance with global privacy law.
This Data Processing Addendum (“DPA” or “Addendum”) between Shivicx Technologies Private Limited (“Shivicx”) and the Customer (as defined in the Agreement) forms part of the Shivicx Terms of Service or such other written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services (the “Agreement”).
Customer enters into this DPA on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Shivicx. The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- Affiliate
- An entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Shivicx, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity.
- Customer Personal Data
- Any Personal Data provided by or made available by Customer to Shivicx, or collected by Shivicx on behalf of Customer, which is Processed by Shivicx to perform the Services.
- Data Protection Laws
- Any local, state, or national law regarding the processing of Personal Data applicable to Shivicx in the jurisdictions in which the Services are provided to Customer, including the DPDP Act 2023 (India) and GDPR (EU/UK).
- Security Incident
- Any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Shivicx. Security Incidents do not include unsuccessful attempts that do not compromise the security of Customer Personal Data.
- Services
- The products and services provided by Shivicx to Customer under the Agreement, including but not limited to NetraERP and NetraOCR.
- Sub-processor
- Any third-party Processor engaged by Shivicx to Process Customer Personal Data in connection with the Services.
- Standard Contractual Clauses (SCCs)
- The standard contractual clauses for cross-border transfers of Personal Data published by the European Commission on 4 June 2021, as applicable.
- Third Country
- Countries that have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data.
- EU Area
- The European Union, European Economic Area, United Kingdom, and Switzerland.
- EU Area Law
- (i) Regulation (EU) 2016/679 (EU GDPR) together with applicable legislation implementing or supplementing the same; (ii) the Data Protection Act 2018 of the United Kingdom and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"); or (iv) any successor or amendments thereto.
The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processor”, “Subprocessor”, and “Supervisory Authority” have the same meanings as described in applicable Data Protection Laws.
Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
Scope of Addendum
This DPA applies to Shivicx's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
Roles of the Parties
The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer acts as a Controller and Shivicx acts as a Processor. This DPA shall apply solely to the Processing of Customer Personal Data by Shivicx acting as a Processor or Sub-processor.
Customer (Controller)
- Determines the purposes and means of Processing.
- Solely responsible for ensuring timely communications to Affiliates or relevant Controllers as required by applicable Data Protection Laws.
- Solely responsible for complying with Security Incident notification laws applicable to Customer.
- Responsible for ensuring a lawful basis for the collection and transfer of Customer Personal Data to Shivicx.
Shivicx Technologies Pvt. Ltd. (Processor)
- Processes Customer Personal Data only on Customer's documented instructions.
- Does not Sell or Share Customer Personal Data or use it for its own commercial purposes.
- Maintains the technical and organizational security measures set out in this DPA.
- Notifies Customer of Personal Data Breaches without undue delay.
Description and Purpose of Personal Data Processing
The Parties have mutually set out their understanding of the subject matter and details of the Processing of Customer Personal Data pursuant to this DPA. The Parties may make reasonable amendments by mutual written agreement as necessary to meet the requirements of Data Protection Laws.
The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement. Customer agrees not to provide Shivicx with any data concerning a natural person's health, religion, or any special categories of data as defined in Article 9 of the GDPR.
| Item | Details |
|---|---|
| Categories of Data Subjects | Customer's authorized users of the Services; end users whose data Customer submits to the Services. |
| Categories of Personal Data | Names, email addresses, and other identifying information voluntarily submitted by Customer or its authorized users in connection with use of the Services. |
| Sensitive Personal Data | None. Customer shall not submit special category data or sensitive personal data to the Services. |
| Frequency of Transfer | Continuous, as Customer uses the Services. |
| Nature of Processing | Storage, retrieval, use, and analysis of Customer Personal Data to provide the Services, including AI/ML inference, OCR processing, and document analysis. |
| Purpose of Transfer | To facilitate the performance of the Services as described in the Agreement and any applicable Order Forms. |
| Retention Period | For the duration of the Agreement, unless a shorter period is required by applicable law or agreed in writing. Upon termination, data is deleted within 30 days. |
Data Processing Terms
Customer shall comply with all applicable Data Protection Laws in connection with the performance of this DPA and the Processing of Customer Personal Data. Shivicx shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:
5.1 Processing on Instructions
Process the Customer Personal Data for the purposes of the Agreement and solely on the documented instructions of Customer. Shivicx shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of Customer and for the specific business purpose of providing the Services. Shivicx shall not Sell or Share Customer Personal Data, nor use it for any other purpose, including Shivicx's own commercial purpose, except as required or permitted by law. Shivicx shall immediately inform Customer if, in Shivicx's opinion, an instruction infringes applicable Data Protection Laws. Customer reserves the right to take reasonable and appropriate steps to ensure Shivicx's Processing of Customer Personal Data is consistent with Customer's obligations under applicable Data Protection Laws and to discontinue and remediate unauthorized use of Customer Personal Data. Shivicx will not combine Customer Personal Data which it Processes on Customer's behalf with Personal Data received from or on behalf of another person, or collected from its own interactions with individuals, except as necessary to perform the Services.
5.2 Confidentiality
Implement and maintain measures designed to ensure that Shivicx personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, unless disclosure is required by law or professional regulations.
5.3 Technical and Organizational Measures
Implement and maintain the technical and organizational measures set out in Annex 2 to this DPA, and any further commercially reasonable and appropriate measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, including: (i) pseudonymization and encryption of Customer Personal Data; (ii) ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems; (iii) restoring availability and access in a timely manner in the event of a physical or technical incident; and (iv) regularly testing and evaluating the effectiveness of technical and organizational measures.
5.4 Sub-processors
Customer hereby agrees that Shivicx is generally authorized to engage and appoint Sub-processors, specifically those listed in Section 7 of this DPA. Shivicx shall: (i) notify Customer at least 30 calendar days in advance of any intended changes to its Sub-processors; (ii) include data protection obligations in its contract with each Sub-processor that are materially the same as those set out in this DPA; and (iii) remain liable to Customer for any failure by each Sub-processor to fulfill its obligations. Customer shall have 30 days from notice to object on data protection grounds to a new Sub-processor.
5.5 Legal Disclosure Requests
To the extent legally permissible, promptly notify Customer in case of any legally binding requests for disclosure of Customer Personal Data by a government authority. Where such disclosure is not legally binding, Customer Personal Data will not be disclosed and Shivicx will notify Customer of the rejection. A record of all legally binding disclosure requests shall be maintained.
5.6 Data Subject Rights Assistance
To the extent legally permissible, promptly notify Customer of any communication from a Data Subject or Supervisory Authority regarding the Processing of Customer Personal Data. Shivicx will not respond to any such request unless expressly authorized by Customer or required by applicable Data Protection Laws. Taking into account the nature of the Processing, Shivicx will reasonably assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to Data Subject rights requests under applicable law. Customer agrees to reimburse Shivicx for time and out-of-pocket expenses incurred in connection with this assistance.
5.7 Breach Notification
Upon becoming aware of a Personal Data Breach involving Customer Personal Data, notify Customer without undue delay, as required of a Processor under GDPR Art. 33(2). Shivicx targets notification within 48 hours of internal confirmation, and in any case within 72 hours, so that Customer retains time to meet its own 72-hour deadline for notifying the Supervisory Authority under GDPR Art. 33(1). Notification will include, to the extent available: the nature and scope of the breach, the estimated number of affected Data Subjects, the likely consequences, and the remedial measures taken or proposed. Customer acknowledges that Shivicx's notification of a Security Incident is not an acknowledgement of fault or liability.
5.8 DPIA Assistance
To the extent required by applicable Data Protection Laws, provide reasonable assistance to Customer with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and information available to Shivicx. Customer agrees to reimburse Shivicx for time and out-of-pocket expenses incurred in connection with any such assistance.
5.9 Return or Deletion of Data
Cease Processing the Customer Personal Data upon the termination or expiry of the Agreement, and at the option of Customer, either return or delete all copies of the Customer Personal Data Processed by Shivicx, unless applicable law requires retention of some or all of the Customer Personal Data. Any retained data shall remain subject to the confidentiality obligations in the Agreement. There are no temporary files generated during processing that are retained beyond the session.
5.10 Records and Compliance Demonstration
Maintain necessary records in support of demonstrating compliance with its obligations for the processing of Customer Personal Data. Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by Customer or an independent third party auditor mandated by Customer, provided that Customer gives Shivicx reasonable prior written notice, conducts any audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Shivicx's operations. Audits shall be limited to once per year unless required by a competent Supervisory Authority or following a Personal Data Breach. Customer agrees to reimburse Shivicx for time and out-of-pocket expenses incurred in connection with audits.
Warranties
The Parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the term of this DPA. Shivicx warrants that it shall comply with all applicable statutory and regulatory requirements, including the EU GDPR, and shall maintain its alignment with ISO 27001:2022 and ISO 27701:2019, in each case insofar as they are applicable to its Processing of Customer Personal Data.
Sub-processors
Shivicx currently engages the following Sub-processors. Shivicx will notify Customer at least 30 calendar days in advance of any intended additions or replacements. Customer may object on data protection grounds within this period; if no commercially reasonable solution can be found, either Party may terminate the relevant Services on written notice without penalty.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure & Data Hosting | India (ap-south-1, Mumbai) |
| Cloudflare | Edge Network, CDN, DDoS Protection & WAF | Global edge network |
Restricted Transfers
The parties agree that when the transfer of Customer Personal Data from Customer (as exporter) to Shivicx (as importer) is a Restricted Transfer, the transfer shall be subject to the appropriate Transfer Mechanism:
EU / EEA
The EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, with Module Two (Controller to Processor) applying and the optional docking clause in Clause 7 applying. The EU SCCs will be governed by Irish law; disputes shall be resolved before the courts of the Republic of Ireland.
United Kingdom
The EU SCCs as modified and interpreted by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") issued by the ICO under Section 119A of the Data Protection Act 2018, in force from 21 March 2022.
Switzerland
The EU SCCs with references to "Regulation (EU) 2016/679" interpreted as references to the Swiss Federal Data Protection Act; governed by Swiss law with disputes before the competent Swiss courts.
Shivicx shall not participate in any other Restricted Transfers of Customer Personal Data unless the transfer is made in compliance with applicable Data Protection Law and pursuant to the relevant Standard Contractual Clauses.
Customer should routinely review all international transfers of Personal Data on a case-by-case basis to monitor new risks and implement additional safeguards such as encryption or pseudonymization to mitigate identified risks.
If the Transfer Mechanism is insufficient to safeguard the transferred Customer Personal Data, Shivicx will promptly implement supplementary measures to ensure Customer Personal Data is protected to the same standard required under applicable Data Protection Laws.
If Shivicx receives a request from a public authority to access Customer Personal Data, it will, to the extent legally permitted: challenge the request and promptly notify Customer, and disclose to the public authority only the minimum amount of Customer Personal Data required, keeping a record of such disclosure.
Precedence
The provisions of this DPA are supplemental to the provisions of the Agreement. In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, they will take priority in this order: (a) any Standard Contractual Clauses or other agreed Cross-Border Transfer Mechanisms, (b) this DPA, (c) the Agreement. In the event that any provision of this DPA and/or the Agreement contradicts, directly or indirectly, the applicable SCCs, the SCCs will control.
Indemnity
To the extent permissible by law, Customer shall defend Shivicx and its Affiliates from and against any and all claims made or brought against them by any third party, and indemnify and hold harmless Shivicx and its Affiliates from and against any and all losses, damages, liabilities, fines, penalties and costs of any kind (including reasonable legal fees) arising from any breach by Customer of this DPA or of its obligations under applicable Data Protection Laws. Shivicx may participate in the defense and/or settlement of any such claim with counsel of its own choosing at its own expense.
Severability
The Parties agree that, if any section or sub-section of this DPA is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this DPA.
Miscellaneous
This DPA takes into account and gives effect to the following:
- Privacy by Design and by default
- Achieving security of Processing
- Notification of breaches involving Customer Personal Data to the relevant Supervisory Authority
- Notification of breaches involving Customer Personal Data to Customer
- Conducting Privacy Impact Assessments where appropriate and required by applicable Data Protection Law
- Assurance of Shivicx's assistance if prior consultations with relevant Supervisory Authorities are needed and required by applicable Data Protection Laws
In the event a Data Subject wishes to exercise its data subject rights under applicable Data Protection Law, including but not limited to the right of access, correction and/or erasure of its Personal Data in Shivicx's control, the Data Subject can submit such request by contacting Shivicx's Data Protection Officer as set out in Section 13 below.
Description of Processing Activities for Customer Personal Data
This Annex includes certain details of the Processing of Customer Personal Data by Shivicx in connection with the Services.
1. List of Parties
Data Exporter
Name: Customer (as defined in the Agreement)
Address: As set forth in the relevant Order Form.
Contact: As set forth in the relevant Order Form.
Activities: Recipient of the Services provided by Shivicx in accordance with the Agreement.
Signature and date: As set out in the Agreement.
Role: Controller
Data Importer
Name: Shivicx Technologies Private Limited
Address: India
Contact: Adarsh Negi, [email protected]
Activities: Provision of the Services to the Customer in accordance with the Agreement.
Signature and date: As set out in the Agreement.
Role: Processor
2. Competent Supervisory Authority
As determined by application of Clause 13 of the EU SCCs.
3. Processing Information
| Item | Details |
|---|---|
| Categories of data subjects | Customer's authorized users of the Services. |
| Categories of personal data transferred | Processed automatically by the Services: names and email IDs. Processed where and to the extent provided by Customer or its authorized users in connection with services provided by Shivicx. |
| Sensitive personal data transferred | None. |
| Frequency of the transfer | Continuous. |
| Nature of the processing | Storage, retrieval, use, and analysis of Customer Personal Data to provide the Services, including AI/ML inference, OCR processing, and document analysis. |
| Purpose of the transfer | To facilitate the performance of the Services more fully described in the Agreement and accompanying order forms. |
| Period for which data will be retained | As more fully described in the Agreement, this Addendum, and accompanying order forms. Upon termination, data is deleted within 30 days unless law requires longer retention. |
| Sub-processor transfers | The subject matter, nature, and duration of Sub-processor Processing are more fully described in the Agreement, this Addendum, and accompanying order forms. |
Technical & Organizational Measures (TOMs)
ISO 27001:2022 / ISO 27701:2019 aligned — Description of the technical and organisational security measures implemented by Shivicx as data processor
Infrastructure & Data Residency
- Primary data processing on AWS Mumbai (ap-south-1), with AWS Organizations Service Control Policies (SCPs) restricting API activity to that region to enforce the data residency boundary.
- Multi-Availability Zone deployment for high availability; automated snapshot-based backups with 30-day retention.
- Disaster recovery playbooks tested quarterly; Recovery Time Objective (RTO) < 4 h, Recovery Point Objective (RPO) < 1 h.
- Environment isolation: production, staging, and development workloads are separated via dedicated AWS accounts and VPCs.
- AWS CloudTrail enabled across all accounts to log API activity for audit purposes.
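To make the residency boundary above concrete, here is an added example (not Shivicx's actual policy or tooling) of a deny-based SCP scoped to ap-south-1, together with a small evaluator that applies SCP semantics (an explicit Deny always wins; a NotAction statement covers every action not listed) to sample requests. The exemption list for global services, the region names, and the sample requests are assumptions for illustration.

```python
"""Simulate a region-residency Service Control Policy (SCP).

Added example, not Shivicx's policy or tooling: a Deny statement that blocks
any API call whose aws:RequestedRegion is not ap-south-1, except for global
services that AWS only serves from us-east-1.
"""
import fnmatch

# Hypothetical SCP. The NotAction exemption list is an assumption for this
# example; a real policy is tuned to the global services the accounts use.
RESIDENCY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideMumbai",
            "Effect": "Deny",
            "NotAction": [
                "iam:*", "sts:*", "organizations:*", "cloudfront:*",
                "route53:*", "support:*", "budgets:*", "health:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["ap-south-1"]}
            },
        }
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_covers(stmt, action):
    """Listed in Action, or absent from NotAction, means the statement applies."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    return False


def _condition_holds(cond, context):
    """Only the string operators this SCP needs; other operators are ignored
    and an absent Condition always holds."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def scp_denies(scp, action, context):
    """True if any Deny statement matches this action and request context."""
    return any(
        stmt.get("Effect") == "Deny"
        and _statement_covers(stmt, action)
        and _condition_holds(stmt.get("Condition", {}), context)
        for stmt in scp["Statement"]
    )


def residency_report(scp, requests):
    """Map each (action, region) to 'DENY' or 'PASS'. PASS only means the SCP
    does not block it; an identity policy still has to grant the action."""
    return {
        (action, region): "DENY"
        if scp_denies(scp, action, {"aws:RequestedRegion": region}) else "PASS"
        for action, region in requests
    }


if __name__ == "__main__":
    # Constructed sample requests, including an attempt to create a bucket in Frankfurt.
    sample = [
        ("s3:PutObject", "ap-south-1"),
        ("s3:CreateBucket", "eu-central-1"),
        ("rds:CreateDBInstance", "us-east-1"),
        ("iam:CreateRole", "us-east-1"),  # global service, exempted
        ("cloudfront:CreateDistribution", "us-east-1"),
    ]
    for (action, region), verdict in residency_report(RESIDENCY_SCP, sample).items():
        print(f"{verdict:4} {action} in {region}")
```

The evaluator is deliberately narrow (string conditions only) so the SCP logic stays visible; when testing a real SCP, run the same requests through the AWS IAM policy simulator as well, since the SCP is only one layer of the evaluation chain.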
Encryption
- Data in transit: TLS 1.2 minimum on all connections; TLS 1.3 enabled and preferred on all public endpoints via Cloudflare.
- Data at rest: AES-256 encryption for all S3 buckets (SSE-KMS) and EBS volumes.
- AWS KMS with customer-managed keys (CMKs) for sensitive data stores; key rotation enforced annually.
- Database encryption enabled on all RDS instances; storage-level encryption active.
- Secrets and API keys managed via AWS Secrets Manager — no plaintext credentials in source code or CI/CD pipelines.
Access Controls
- Role-Based Access Control (RBAC) enforced across all systems; principle of least privilege applied.
- Multi-Factor Authentication (MFA) mandatory for all engineers accessing production environments.
- AWS IAM policies scoped to minimum required permissions; wildcard (*) actions prohibited in production.
- Privileged access reviews conducted quarterly; access revoked immediately on employee offboarding.
- All administrative actions logged to AWS CloudTrail and retained for 12 months.
- Internal data access processes designed to allow only authorized persons to access data they are authorized to access based on "least privileged" and "need to know" principles.
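The "no wildcard actions in production" rule above is the kind of control a CI gate can verify before a policy is applied. The following is an added example, not Shivicx's tooling: a linter over IAM policy JSON that fails on wildcard Allow grants, with a constructed over-broad policy beside a least-privilege rewrite of the same intent. The Sids, bucket name and rule names are placeholders chosen for the example.

```python
"""Lint IAM policy documents for wildcard grants before they reach production.

Added example, not Shivicx's tooling. Flags Allow statements that use a bare
'*' or 'service:*' action, Allow statements written with NotAction (which
grant everything not listed), and broad actions combined with Resource '*'.
Deny statements are skipped: wildcards there only narrow access.
"""
import json

# Constructed sample policies. OVERLY_BROAD is what the rule forbids; SCOPED
# expresses the same intent with least privilege. Bucket name is a placeholder.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRole", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Ops", "Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWriteUploads", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-uploads-bucket/*"},
        {"Sid": "ListUploads", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-uploads-bucket"},
        # A Deny guard-rail may legitimately use '*'.
        {"Sid": "DenyOutsideMumbai", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-south-1"}}},
    ],
}


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (sid, rule, detail) findings; an empty list means the policy passes."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        uses_notaction = "NotAction" in stmt
        if uses_notaction:
            findings.append((sid, "ALLOW_NOTACTION",
                             "Allow with NotAction grants every action not listed"))
        wild_actions = [a for a in _as_list(stmt.get("Action")) if "*" in a]
        for action in wild_actions:
            rule = "FULL_ADMIN" if action == "*" else "SERVICE_WILDCARD"
            findings.append((sid, rule, f"action {action!r} uses a wildcard"))
        # Resource '*' is legitimate for actions that take no resource (many
        # Describe/List calls), so only flag it when the action set is itself broad.
        if "*" in _as_list(stmt.get("Resource")) and (wild_actions or uses_notaction):
            findings.append((sid, "WILDCARD_RESOURCE",
                             "broad actions combined with Resource '*'"))
    return findings


def policy_passes(policy):
    """Gate result: True only when the linter produced no findings."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, doc in (("OVERLY_BROAD", OVERLY_BROAD), ("SCOPED", SCOPED)):
        findings = lint_policy(doc)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for sid, rule, detail in findings:
            print(f"  [{rule}] {sid}: {detail}")
```

Run it against every policy document in the infrastructure repository as a pipeline step and fail the build on any finding; exceptions for actions that genuinely need Resource '*' should be expressed as explicit action lists, which this linter already accepts.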
Incident Management & Breach Notification
- Documented Incident Response Plan (IRP) aligned with ISO 27001:2022 Annex A.5.26.
- Security events monitored 24/7 via Amazon CloudWatch, Amazon GuardDuty, and AWS Security Hub.
- Personal Data Breach: Customer notified without undue delay, targeted within 48 hours of Shivicx becoming aware and in any case within 72 hours, leaving Customer time to meet its own 72-hour deadline for notifying the Supervisory Authority under GDPR Art. 33(1).
- Notification includes: nature of breach, approximate data subject count, likely consequences, and remedial measures taken.
- Post-incident root cause analysis completed within 14 days; findings shared with Customer on request.
- Security Incidents do not include unsuccessful attempts that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, or denial of service attacks on firewalls.
Personnel Security
- Background verification conducted for all employees with access to production systems, to the extent permitted by Indian law.
- Mandatory privacy and security awareness training at onboarding and annually thereafter.
- All personnel sign a confidentiality agreement covering Customer Personal Data obligations and are required to protect Customer Personal Data at all times.
- Personnel with access to Customer Personal Data complete additional role-specific data protection training.
- Shivicx personnel will not process Customer Personal Data without authorization.
- Disciplinary process in place for policy violations; access revoked immediately upon termination.
Vulnerability Management & Audits
- Automated vulnerability scans run weekly on all production infrastructure via Amazon Inspector.
- Annual third-party penetration testing; Critical and High findings remediated within 30 days.
- Dependency scanning integrated into GitHub CI/CD pipelines via automated SAST/SCA tools.
- ISO 27001:2022 and ISO 27701:2019 compliance maintained with annual external audits.
- Customers may request audit reports or conduct one (1) audit per year with 30-day prior written notice.
- Servers are customized for the application environment and hardened for the security of the Services. A code review process is employed to increase the security of code used to provide the Services.
Regional Compliance Modules
Jurisdiction-specific obligations
Module IN — Digital Personal Data Protection Act, 2023 (India)
Shivicx acts as a “Data Fiduciary” in relation to its own users and as a “Data Processor” when processing on Customer's behalf. Shivicx shall:
- Process Customer Personal Data only for the purpose specified in the Agreement and this DPA, in accordance with Section 8 of the DPDP Act.
- Implement reasonable security safeguards as prescribed under Section 8(5) of the DPDP Act to prevent Personal Data Breach.
- Notify Customer of any Personal Data Breach without undue delay, and assist Customer with any notification to the Data Protection Board of India and affected Data Principals required under Section 8(6) of the DPDP Act and the applicable Rules.
- Not engage any Sub-processor except by way of a valid written contract consistent with the obligations of this DPA.
- Erase or return Customer Personal Data upon termination of the Agreement and any lawful retention period.
- Keep primary data processing localized to AWS Mumbai (ap-south-1) by default, facilitating compliance with any data localization requirements prescribed under the DPDP Rules.
Module EU — General Data Protection Regulation (GDPR / UK GDPR)
Where Customer Personal Data is subject to EU/UK GDPR, Shivicx shall comply with Article 28 obligations as Processor, including:
- Art. 28(3)(a): Process only on documented instructions; inform Customer if an instruction infringes GDPR.
- Art. 28(3)(b): Ensure confidentiality commitments from all authorized personnel.
- Art. 28(3)(c): Implement all TOMs required by Art. 32.
- Art. 28(3)(d): Engage Sub-processors only with Customer's prior general or specific authorization, subject to equivalent obligations.
- Art. 28(3)(e–f): Assist Customer with Data Subject Rights and DPIA obligations (Arts. 32–36).
- Art. 33(2): Notify Customer of a Personal Data Breach without undue delay (target: 48 h; maximum: 72 h), so that Customer can meet its own Art. 33(1) deadline.
- Art. 30(2) and 30(4): Maintain records of processing activities and make them available to the supervisory authority on request.
- Cross-border transfers governed by EU SCCs (Module 2) as set out in Section 8.
Contact & Data Protection Officer
For questions about this DPA, to exercise Data Subject rights, or to submit a privacy concern, contact Shivicx's Data Protection Officer:
Shivicx Technologies Private Limited
Data Protection Officer — Adarsh Negi