Important: This Data Processing Agreement ("DPA") forms part of the agreement between Vaimanasoft and the Customer for the provision of analytics services. By using Vaimanasoft's platform, the Customer agrees to be bound by the terms of this DPA. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and supplements the Terms of Service and Privacy Policy.
Table of Contents
- Introduction
- Definitions
- Scope & Duration
- Nature of Processing
- Types of Personal Data
- Categories of Data Subjects
- Obligations of the Processor
- Sub-processors
- Security Measures
- Data Breach Notification
- Data Subject Rights
- International Transfers
- Return and Deletion
- Audit Rights
- Liability
- Amendments
- Governing Law
1. Introduction
This Data Processing Agreement ("DPA") is entered into between Vaimanasoft ("Processor," "we," "us," or "our"), a software company registered and operating from Guntur, Andhra Pradesh, India, and the customer who has accepted the Vaimanasoft Terms of Service ("Controller," "you," or "your").
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Controller's use of the Vaimanasoft mobile app analytics platform (the "Services"). It is designed to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
This DPA supplements and forms an integral part of the Vaimanasoft Terms of Service ("Agreement"). In the event of any conflict between this DPA and the Agreement with respect to data protection matters, this DPA shall prevail.
The parties acknowledge that the Controller determines the purposes and means of the processing of personal data, while the Processor processes personal data solely on behalf of the Controller and in accordance with the Controller's documented instructions as set forth in this DPA and the Agreement.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings ascribed to them in the GDPR or the Agreement.
- Personal Data — Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing — Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Subject — An identified or identifiable natural person whose Personal Data is processed under this DPA. In the context of Vaimanasoft's Services, Data Subjects are primarily end users of the Controller's mobile applications.
- Sub-processor — Any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller, in accordance with the Processor's instructions and the terms of this DPA.
- Supervisory Authority — An independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory body under applicable data protection laws in other jurisdictions.
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- Controller — The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Controller is the customer who uses the Vaimanasoft analytics platform.
- Processor — The natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Vaimanasoft.
- Standard Contractual Clauses (SCCs) — The standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR.
- Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
3. Scope & Duration
This DPA applies to all processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Vaimanasoft analytics platform and related Services.
3.1 Scope of Processing
The Processor shall process Personal Data solely for the purposes of providing the Services as described in the Agreement and this DPA, which include:
- Collection and ingestion of analytics data from the Controller's mobile applications via the Vaimanasoft Android SDK
- Storage and organization of analytics data on the Processor's infrastructure
- Aggregation, analysis, and visualization of analytics data through the Vaimanasoft dashboard
- User segmentation and behavioral analysis based on Controller-defined criteria
- Delivery of push notifications via Firebase Cloud Messaging on behalf of the Controller
- Execution of A/B tests and feature flag evaluations as configured by the Controller
- Generation of AI-powered analytics insights using anonymized and aggregated data
3.2 Duration
This DPA shall remain in effect for the duration of the Agreement between the Controller and the Processor. The obligations of the Processor with respect to the processing of Personal Data shall continue until the Personal Data has been returned to the Controller or deleted in accordance with Section 13 of this DPA.
3.3 Relationship to Terms of Service
This DPA is incorporated into and forms part of the Vaimanasoft Terms of Service. The Controller's acceptance of the Terms of Service constitutes acceptance of this DPA. Any capitalized terms not defined in this DPA shall have the meanings given to them in the Terms of Service.
4. Nature of Processing
The Processor provides a mobile app analytics platform that enables the Controller to collect, store, aggregate, and analyze usage data from the Controller's mobile applications. The nature of the processing activities includes:
- Collection — The Vaimanasoft Android SDK, integrated into the Controller's mobile application, collects analytics data from end-user devices and transmits it to the Processor's servers over encrypted HTTPS connections.
- Storage — Personal Data is stored on the Processor's infrastructure, hosted by authorized Sub-processors, in structured databases with appropriate access controls and encryption.
- Aggregation — Raw analytics data is aggregated to produce statistical summaries, trend analyses, and behavioral reports for the Controller's use through the dashboard.
- Analysis — The Processor applies automated processing to analytics data to generate user segments, A/B test results, feature flag evaluations, and performance metrics.
- AI-Powered Insights — Where enabled by the Controller, aggregated and anonymized analytics data may be processed through third-party AI services (Anthropic Claude) to generate natural-language insights. Individual-level personal data is anonymized before being transmitted to the AI service.
- Notification Delivery — The Processor facilitates the delivery of push notifications to end-user devices via Firebase Cloud Messaging, using FCM tokens stored on the Processor's systems.
Clarification: The Processor does not determine the purposes for which analytics data is collected or how it is used by the Controller. The Controller retains full control over the configuration of the SDK, the types of events tracked, the segments created, the notifications sent, and the experiments conducted.
5. Types of Personal Data
The following categories of Personal Data may be processed by the Processor on behalf of the Controller in connection with the Services:
- Device Identifiers — Android ID and other device-level identifiers used to distinguish individual devices. These identifiers are pseudonymous and do not directly identify a natural person without additional information.
- IP Addresses — The IP address of the end-user's device, collected server-side during data transmission. IP addresses are used for country-level geolocation and are not stored in their raw form beyond the initial processing.
- Usage Patterns — Information about how end users interact with the Controller's application, including session frequency, session duration, screen views, feature usage, and behavioral sequences.
- Geolocation (Country-Level) — The country of the end user, derived from the IP address at the time of data collection. No precise GPS coordinates, city-level, or street-level location data is collected.
- App Interaction Events — Custom events defined and configured by the Controller, including event names, event parameters, timestamps, and any associated metadata that the Controller chooses to track.
- FCM Tokens — Firebase Cloud Messaging device tokens, which are unique identifiers assigned to each device by Firebase for the purpose of delivering push notifications.
- Device Metadata — Device brand, model, operating system version, app version name and code, language and locale settings, and network connection type (Wi-Fi or mobile data).
- Segment Assignments — Data reflecting which user segments an end user has been assigned to, based on the Controller's segmentation criteria.
- Experiment Data — A/B test variant assignments, feature flag states, and associated conversion events for end users participating in Controller-configured experiments.
Note: The Processor does not collect or process sensitive personal data (special categories of data as defined in Article 9 of the GDPR), such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning a person's sex life or sexual orientation. The Controller must not configure the SDK to collect such data without separate written agreement with the Processor and appropriate legal safeguards.
6. Categories of Data Subjects
The Data Subjects whose Personal Data is processed under this DPA are:
- End Users of the Controller's Mobile Applications — Individuals who download, install, and use mobile applications developed or published by the Controller that have integrated the Vaimanasoft Android SDK. These end users generate analytics data through their interactions with the Controller's application.
The Processor does not have a direct relationship with these Data Subjects. The Controller is responsible for providing appropriate privacy notices to its end users, obtaining any necessary consents for data collection, and informing end users of their rights under applicable data protection laws.
The Processor may also process limited Personal Data of the Controller's employees, agents, or representatives who access the Vaimanasoft dashboard, but such processing is governed by the Processor's Privacy Policy rather than this DPA, as the Processor acts as Data Controller for that data.
7. Obligations of the Processor
The Processor shall comply with the following obligations in relation to the processing of Personal Data on behalf of the Controller, in accordance with Article 28 of the GDPR:
7.1 Processing on Documented Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Controller's documented instructions for processing are set forth in this DPA, the Agreement, and the Controller's configuration of the Services through the Vaimanasoft dashboard. The Controller may issue additional written instructions, provided they are consistent with the terms of the Agreement and this DPA.
7.2 Confidentiality
The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall:
- Limit access to Personal Data to personnel who require such access for the performance of the Services
- Ensure that all personnel with access to Personal Data are informed of the confidential nature of the data and understand their obligations under this DPA
- Maintain appropriate confidentiality agreements with all personnel who may have access to Personal Data
7.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in detail in Section 9 of this DPA. These measures include, but are not limited to:
- Encryption of Personal Data in transit and at rest
- Role-based access controls and authentication mechanisms
- Comprehensive audit logging of access to and operations on Personal Data
- Regular security assessments and vulnerability monitoring
- Incident response procedures for the detection and handling of security breaches
7.4 Sub-processor Management
The Processor shall not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. The current list of authorized Sub-processors is set forth in Section 8 of this DPA.
Where the Processor engages a Sub-processor, the Processor shall:
- Impose on the Sub-processor the same data protection obligations as set out in this DPA by way of a contract or other legal act
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations
- Conduct appropriate due diligence to ensure the Sub-processor provides sufficient guarantees of compliance with applicable data protection requirements
7.5 Assistance with Data Subject Rights
The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR. This includes assisting with requests for access, rectification, erasure, restriction, data portability, and the right to object.
7.6 Assistance with Compliance Obligations
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:
- Security of processing (Article 32)
- Notification of a personal data breach to the supervisory authority (Article 33)
- Communication of a personal data breach to the data subject (Article 34)
- Data protection impact assessments (Article 35)
- Prior consultation with the supervisory authority (Article 36)
7.7 Deletion After Termination
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage of the Personal Data. The specific procedures for return and deletion are set forth in Section 13 of this DPA.
7.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The specific terms of audit rights are set forth in Section 14 of this DPA.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions.
8. Sub-processors
The Controller provides general written authorization for the Processor to engage the Sub-processors listed below. The Processor shall notify the Controller of any intended changes to the list of Sub-processors at least 30 days before the addition or replacement takes effect, thereby giving the Controller the opportunity to object.
8.1 Authorized Sub-processors
The following Sub-processors are authorized to process Personal Data on behalf of the Controller as of the effective date of this DPA:
- Hostinger International Ltd.
  Purpose: Web hosting, server infrastructure, and data storage
  Data Processed: All analytics data, account data, and related infrastructure data
  Location: European Union / United States (data center locations)
  Safeguards: Standard Contractual Clauses, ISO 27001 certification
- Google LLC (Firebase / Google Cloud Platform)
  Purpose: Firebase Cloud Messaging (FCM) for push notification delivery
  Data Processed: FCM tokens, notification delivery metadata
  Location: United States / Global (Google Cloud infrastructure)
  Safeguards: Standard Contractual Clauses, SOC 2 Type II, ISO 27001, EU-U.S. Data Privacy Framework
- Stripe, Inc.
  Purpose: Payment processing and subscription billing
  Data Processed: Billing-related data (subscription identifiers, payment confirmation). Stripe does not receive or process end-user analytics data.
  Location: United States
  Safeguards: PCI DSS Level 1, SOC 2 Type II, Standard Contractual Clauses, EU-U.S. Data Privacy Framework
- Anthropic PBC
  Purpose: AI-powered analytics insights generation (Claude AI)
  Data Processed: Anonymized and aggregated analytics summaries only. Individual-level personal data is anonymized before transmission to Anthropic. No device identifiers, IP addresses, or directly identifying information is shared.
  Location: United States
  Safeguards: Data anonymization prior to processing, SOC 2 Type II, contractual data processing terms prohibiting use of input data for model training
8.2 Objection to Sub-processors
If the Controller objects to a new Sub-processor on reasonable grounds related to data protection, the Processor shall use reasonable efforts to make available to the Controller an alternative solution that avoids the processing of Personal Data by the objected-to Sub-processor. If the Processor is unable to provide such an alternative within a reasonable timeframe, either party may terminate the affected Services by providing written notice to the other party.
8.3 Sub-processor Liability
The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations under this DPA. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the Sub-processor's failure.
9. Security Measures
The Processor implements and maintains the following technical and organizational security measures, in accordance with Article 32 of the GDPR, to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage:
9.1 Technical Measures
- Encryption in Transit — All data transmitted between the SDK and the Processor's servers, and between the Controller's browser and the dashboard, is encrypted using TLS 1.2 or higher. All API endpoints enforce HTTPS.
- Encryption at Rest — Personal Data stored in databases and file systems is encrypted using AES-256 encryption. Database backups are also encrypted at rest.
- Password Hashing — Account passwords are hashed using bcrypt with a minimum cost factor, ensuring that plaintext passwords are never stored or logged.
- Rate Limiting — API endpoints are protected by rate limiting mechanisms to prevent brute-force attacks, denial-of-service attempts, and abuse.
- Input Validation — All user inputs and API requests are validated and sanitized to prevent injection attacks, cross-site scripting (XSS), and other common web application vulnerabilities.
- Secure Authentication — The dashboard uses JWT (JSON Web Token) based authentication with secure token generation, rotation, and expiration policies.
- Network Security — Server infrastructure is protected by firewalls, intrusion detection systems, and network segmentation to isolate sensitive data processing environments.
- Vulnerability Management — Regular security scans and dependency audits are performed to identify and remediate vulnerabilities in the Processor's software and infrastructure.
9.2 Organizational Measures
- Access Control — Access to Personal Data is restricted on a need-to-know basis using role-based access control (RBAC). Administrative access to production systems is limited to authorized personnel and requires multi-factor authentication.
- Audit Logging — All access to and operations on Personal Data are logged in comprehensive audit trails. Logs include the identity of the accessor, the action performed, the timestamp, and the data affected. Audit logs are retained for a minimum of 12 months and are protected against tampering.
- Incident Response — The Processor maintains a documented incident response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. The plan includes escalation procedures and communication protocols for notifying the Controller and relevant authorities.
- Personnel Security — All personnel with access to Personal Data are subject to confidentiality obligations and receive training on data protection requirements and security best practices.
- Business Continuity — The Processor maintains backup and disaster recovery procedures to ensure the availability and resilience of Personal Data processing systems.
- Vendor Assessment — Sub-processors are assessed for their security posture and data protection compliance before engagement and are subject to ongoing monitoring.
Continuous Improvement: The Processor regularly reviews and updates its security measures to address evolving threats, technological changes, and regulatory requirements. The Controller will be notified of any material changes to the security measures that may affect the protection of Personal Data.
10. Data Breach Notification
The Processor shall notify the Controller of any Data Breach affecting Personal Data processed under this DPA in accordance with the following procedures:
10.1 Notification Timeline
The Processor shall notify the Controller without undue delay, and in any event within 48 hours after becoming aware of a Data Breach. "Becoming aware" means the point at which the Processor has a reasonable degree of certainty that a security incident has occurred that has compromised Personal Data.
10.2 Contents of Notification
The Data Breach notification shall include, to the extent reasonably available at the time of notification, the following information:
- A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records concerned
- The name and contact details of the Processor's data protection contact point where more information can be obtained
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
- Where it is not possible to provide all information at the same time, the information may be provided in phases without further undue delay
10.3 Processor's Obligations Following a Breach
Upon becoming aware of a Data Breach, the Processor shall:
- Take immediate steps to contain and investigate the breach
- Preserve all evidence and logs related to the breach
- Cooperate with the Controller in investigating the breach and fulfilling the Controller's notification obligations to supervisory authorities and Data Subjects under Articles 33 and 34 of the GDPR
- Implement remedial measures to prevent recurrence of similar breaches
- Provide the Controller with regular updates on the investigation and remediation progress
10.4 Controller's Notification Obligations
The Processor acknowledges that the Controller is responsible for determining whether a Data Breach requires notification to the relevant supervisory authority and/or affected Data Subjects under applicable law. The Processor shall assist the Controller in making this determination and fulfilling its notification obligations.
11. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under Chapter III of the GDPR, taking into account the nature of the processing.
11.1 Supported Rights
The Processor shall provide reasonable assistance to the Controller in responding to the following types of Data Subject requests:
- Right of Access (Article 15) — The Processor shall, upon the Controller's request, provide the Controller with a copy of the Personal Data relating to the Data Subject that is held in the Processor's systems, in a commonly used and machine-readable format.
- Right to Rectification (Article 16) — The Processor shall correct or update Personal Data in its systems upon documented instruction from the Controller.
- Right to Erasure (Article 17) — The Processor shall delete Personal Data relating to a specific Data Subject upon documented instruction from the Controller, unless retention is required by applicable law.
- Right to Data Portability (Article 20) — The Processor shall, upon the Controller's request, export the relevant Personal Data in a structured, commonly used, and machine-readable format for transmission to another controller.
- Right to Restriction of Processing (Article 18) — The Processor shall restrict the processing of specific Personal Data upon documented instruction from the Controller.
- Right to Object (Article 21) — The Processor shall cease processing specific Personal Data upon documented instruction from the Controller when the Controller has determined that a valid objection has been raised.
11.2 Response Process
If the Processor receives a request directly from a Data Subject regarding Personal Data processed under this DPA, the Processor shall:
- Promptly notify the Controller of the request within 5 business days
- Not respond to the Data Subject directly unless instructed or authorized to do so by the Controller
- Provide the Controller with such assistance as is reasonably necessary to enable the Controller to respond to the request within the timeframes required by applicable law
11.3 Technical Capabilities
The Processor shall maintain technical capabilities to support the Controller in fulfilling Data Subject requests, including the ability to search for, extract, modify, and delete Personal Data relating to individual Data Subjects within its systems.
12. International Transfers
The Processor may transfer Personal Data to countries outside the European Economic Area ("EEA") in connection with the provision of the Services. Such transfers shall only be made in compliance with Chapter V of the GDPR and applicable data protection laws.
12.1 Transfer Mechanisms
Where Personal Data is transferred to a country that has not been deemed to provide an adequate level of data protection by the European Commission, the Processor shall ensure that one or more of the following safeguards are in place:
- Standard Contractual Clauses (SCCs) — The Processor has entered into Standard Contractual Clauses (as approved by the European Commission) with its Sub-processors located in third countries, ensuring that the transferred data receives an equivalent level of protection as required under the GDPR.
- EU-U.S. Data Privacy Framework — Where applicable, the Processor relies on Sub-processors that are certified under the EU-U.S. Data Privacy Framework for transfers to the United States.
- Adequacy Decisions — Where the European Commission has issued an adequacy decision for the recipient country, transfers may be made on the basis of that decision.
12.2 Transfers to India
The Processor is headquartered in India. As of the effective date of this DPA, there is no adequacy decision by the European Commission with respect to India. Accordingly, transfers of Personal Data from the EEA to the Processor's facilities in India are governed by the Standard Contractual Clauses incorporated into this DPA.
12.3 Supplementary Measures
In addition to the transfer mechanisms described above, the Processor implements the following supplementary measures to protect Personal Data during international transfers:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256
- Strict access controls limiting access to authorized personnel on a need-to-know basis
- Comprehensive audit logging of all access to Personal Data
- Contractual commitments from Sub-processors to maintain equivalent security standards
Transparency: The Controller may request information about the specific transfer mechanisms and supplementary measures in place for any particular Sub-processor by contacting the Processor at dpo@vaimanasoft.com.
13. Return and Deletion
Upon termination or expiry of the Agreement, the Controller may elect to have its Personal Data returned or deleted in accordance with the following provisions:
13.1 Controller's Election
Within 30 days following termination or expiry of the Agreement, the Controller may request in writing that the Processor either:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (such as CSV or JSON), together with any existing copies; or
- Delete all Personal Data and existing copies from the Processor's systems and infrastructure.
13.2 Deletion Timeline
If the Controller requests deletion, or if no instruction is received within 30 days following termination, the Processor shall:
- Delete all Personal Data from its active production systems within 30 days of receiving the deletion request or the expiry of the 30-day election period
- Delete all Personal Data from backup systems within a reasonable timeframe consistent with the Processor's standard backup rotation schedules, not to exceed 90 days
- Provide the Controller with written confirmation of deletion upon request
13.3 Retention Exceptions
The Processor may retain Personal Data beyond the deletion timeline only where retention is required by applicable law (such as tax, accounting, or regulatory obligations). In such cases, the Processor shall:
- Inform the Controller of the legal requirement and the specific data retained
- Continue to protect the retained data in accordance with this DPA
- Delete the retained data as soon as the legal requirement no longer applies
- Not use the retained data for any purpose other than compliance with the legal requirement
13.4 Aggregated and Anonymized Data
This Section 13 does not apply to data that has been irreversibly anonymized or aggregated such that it no longer constitutes Personal Data within the meaning of the GDPR. The Processor may retain such anonymized or aggregated data for statistical analysis, service improvement, and benchmarking purposes.
14. Audit Rights
The Controller has the right to audit the Processor's compliance with the obligations set forth in this DPA, in accordance with the following provisions:
14.1 Audit Frequency and Notice
- The Controller may conduct or commission an audit of the Processor's data processing activities and security measures once per calendar year
- The Controller must provide at least 30 days' prior written notice before conducting an audit
- The notice shall specify the proposed scope, duration, and start date of the audit
- Additional audits may be conducted in the event of a Data Breach or where required by a Supervisory Authority, with reasonable notice under the circumstances
14.2 Audit Scope and Conduct
Audits may encompass:
- Review of the Processor's data protection policies, procedures, and practices
- Assessment of technical and organizational security measures
- Verification of Sub-processor management and compliance
- Review of Data Breach records and incident response procedures
- Examination of audit logs and access records
Audits shall be conducted during normal business hours and shall be performed in a manner that minimizes disruption to the Processor's operations. The Controller shall ensure that any third-party auditor engaged for the audit is bound by appropriate confidentiality obligations.
14.3 Audit Costs
The Controller shall bear the costs of any audit it initiates, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit.
14.4 Alternative Audit Mechanisms
The Processor may, at its discretion, satisfy the Controller's audit rights by providing:
- Copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports or ISO 27001 certificates)
- Completed data protection questionnaires or self-assessment documentation
- Evidence of compliance with recognized industry standards and frameworks
The Controller may still request an on-site audit if the alternative mechanisms are insufficient to demonstrate compliance with this DPA.
15. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Vaimanasoft Terms of Service.
15.1 Processor's Liability
The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the lawful instructions of the Controller, in accordance with Article 82 of the GDPR.
15.2 Controller's Liability
The Controller shall be liable for damage caused by processing which infringes the GDPR, including but not limited to failure to provide adequate privacy notices to Data Subjects, failure to obtain necessary consents, and issuing unlawful processing instructions to the Processor.
15.3 Indemnification
Each party shall indemnify the other party against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from the indemnifying party's breach of its obligations under this DPA or applicable data protection laws, subject to the limitations of liability in the Agreement.
15.4 No Limitation for Intentional Breaches
Nothing in this DPA or the Agreement shall limit either party's liability for intentional or grossly negligent breaches of data protection obligations, or for liability that cannot be limited by applicable law.
16. Amendments
This DPA may only be amended or modified by a written instrument executed by authorized representatives of both parties.
16.1 Written Requirement
Any amendments, modifications, or supplements to this DPA must be:
- In writing
- Clearly identified as amendments to this DPA
- Signed or otherwise formally accepted by authorized representatives of both the Controller and the Processor
16.2 Regulatory Updates
Notwithstanding Section 16.1, the Processor may update this DPA from time to time to reflect changes in applicable data protection laws, regulatory guidance, or the Processor's data processing practices. The Processor shall notify the Controller of any material changes at least 30 days before they take effect. If the Controller does not object in writing to the changes within 30 days of receiving notice, the updated DPA shall be deemed accepted.
16.3 Severability
If any provision of this DPA is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be replaced by a valid provision that most closely achieves the economic and legal intent of the original provision.
17. Governing Law
This DPA shall be governed by and construed in accordance with the laws of India, without regard to its conflict of laws principles.
17.1 Jurisdiction
Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts located in Guntur, Andhra Pradesh, India.
17.2 GDPR Compliance
Notwithstanding the governing law and jurisdiction provisions above, to the extent that the GDPR applies to the processing of Personal Data under this DPA, the provisions of the GDPR shall take precedence over any conflicting provisions of Indian law. Both parties acknowledge their obligations under the GDPR and agree to cooperate in good faith to ensure compliance.
17.3 Regulatory Cooperation
The Processor shall cooperate with any Supervisory Authority that has jurisdiction over the processing activities described in this DPA and shall comply with the advice or orders of such authority with respect to the processing of Personal Data under this DPA.
Entire Agreement: This DPA, together with the Vaimanasoft Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, negotiations, representations, and proposals, whether written or oral, relating to such subject matter.
Contact Information
For any questions, concerns, or requests related to this Data Processing Agreement or the processing of Personal Data by Vaimanasoft, please contact us using the information below:
- Company: Vaimanasoft
- Registered Address: D.No: 30-4-526/2, Vaarahi Enclave, 6/13th line, Brodipet, Guntur, Andhra Pradesh-522001, India
- Privacy Inquiries: privacy@vaimanasoft.com
- Data Protection Officer: dpo@vaimanasoft.com
- Website: https://vaimanasoft.com
Data Protection Officer
The Processor has designated a Data Protection Officer who can be reached at dpo@vaimanasoft.com for any matters relating to the processing of Personal Data under this DPA, including Data Subject rights requests, breach notifications, and audit coordination.
Requesting a Signed Copy
If you require a countersigned copy of this DPA for your records or to satisfy regulatory requirements, please email privacy@vaimanasoft.com with the subject line "DPA Execution Request" and include your company name and Vaimanasoft account details.