Data Processing Agreement (DPA)

1. Definitions

• "Controller" means the customer entity that determines the purposes and means of processing personal data.
• "Processor" means Datamotive Technologies Pvt. Ltd. processing personal data on behalf of the Controller.
• "Data Subject" means any individual whose personal data is processed.
• "GDPR" means Regulation (EU) 2016/679.
• "DPDP Act" means India's Digital Personal Data Protection Act 2023.
• "Services" means the Datamotive disaster recovery platform as described in the applicable MSA or Order Form.

2. Scope and purpose of processing

Datamotive Technologies Pvt. Ltd. processes personal data solely to provide the Services as instructed by the Controller and in accordance with the applicable agreement. We do not process personal data for our own purposes beyond what is necessary to deliver the Services or comply with legal obligations.

3. Processor obligations

Datamotive Technologies Pvt. Ltd. agrees to:

• Process personal data only on documented instructions from the Controller.
• Ensure personnel authorised to process personal data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (see Section 6).
• Not engage sub-processors without the Controller's prior written consent (general authorisation by accepting these Terms - see Section 5).
• Assist the Controller in responding to Data Subject requests and in fulfilling its obligations under applicable data protection laws.
• Delete or return all personal data upon termination of the Services.
• Make available information necessary to demonstrate compliance and allow for audits.

4. Controller obligations

The Controller is responsible for:

• Ensuring a lawful basis exists for processing personal data in the Services.
• Providing accurate processing instructions.
• Ensuring Data Subjects have been provided adequate notice of processing.
• Notifying Datamotive Technologies Pvt. Ltd. promptly if instructions are believed to violate applicable law.

5. Sub-processors

By using the Services, the Controller provides general written authorisation for Datamotive Technologies Pvt. Ltd. to engage the following categories of sub-processors:

Datamotive Technologies Pvt. Ltd. will notify the Controller of any intended changes to sub-processors with at least 30 days' notice, giving the Controller the opportunity to object.

6. Security measures

Datamotive Technologies Pvt. Ltd. maintains the following technical and organisational security measures:

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and least-privilege principles.
• SOC 2 Type II certification (available on request under NDA).
• Regular penetration testing and vulnerability scanning.
• Incident response plan with notification procedures.
• Business continuity and disaster recovery controls.

7. Personal data breaches

In the event of a personal data breach affecting data processed under this DPA, Datamotive Technologies Pvt. Ltd. will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address it.

8. International transfers

Where personal data is transferred outside the European Economic Area or India, Datamotive Technologies Pvt. Ltd. relies on one or more of the following safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions; or equivalent safeguards under the DPDP Act.

9. Duration and termination

This DPA is effective for the duration of the applicable MSA or Order Form. Upon termination, Datamotive Technologies Pvt. Ltd. will, at the Controller's election, delete or return all personal data within 30 days, subject to any legal retention obligations.

10. Contact

For DPA-related enquiries, countersigned agreements, or audit requests, contact legal@datamotive.io.