Data Processing Agreement

00 Parties to This Agreement

This DPA is incorporated into and forms part of the Aria CyberShield Service Agreement ("Agreement") between the Customer and AnthroTech. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data processing matters.

01 Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

• "Controller" (or "Data Fiduciary" under DPDP Act) means the Customer, who determines the purposes and means of the processing of Personal Data.
• "Processor" (or "Data Processor" under DPDP Act) means AnthroTech, who processes Personal Data on behalf of the Controller.
• "Data Subject" (or "Data Principal" under DPDP Act) means the identified or identifiable natural person to whom the Personal Data relates.
• "Personal Data" (or "Digital Personal Data" under DPDP Act) means any information relating to an identified or identifiable natural person that is processed through the Platform.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• "Applicable Data Protection Law" means the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU) 2016/679, and any other data protection legislation applicable to the processing of Personal Data under this DPA.

02 Scope of Processing

The Processor shall process Personal Data only to the extent necessary to provide the following services under the Agreement:

2.1 Nature and Purpose of Processing

2.2 Categories of Data Subjects

• Customer employees and authorized users of the Platform
• Customer's end-users whose data may be included in security scan targets
• Third parties whose publicly available data may be processed as part of threat intelligence

2.3 Duration of Processing

Processing shall continue for the duration of the Agreement and for such additional period as required for the Processor to comply with its obligations under this DPA (including data return and deletion obligations).

03 Processor Obligations

The Processor shall:

• Process on Instructions Only: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside India or the EEA, unless required to do so by applicable law. The Processor shall inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
• Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All AnthroTech personnel with access to Personal Data are bound by non-disclosure agreements.
• Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 4 of this DPA.
• Sub-processor Management: Not engage another processor without prior specific or general written authorization of the Controller, as detailed in Section 5 of this DPA.
• Cooperation: Assist the Controller in ensuring compliance with its obligations under Applicable Data Protection Law, taking into account the nature of processing and the information available to the Processor.
• Data Return and Deletion: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
• Audit Support: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, as detailed in Section 7.

04 Technical and Organizational Measures

The Processor implements and maintains the following security measures:

4.1 Encryption

• At Rest: AES-256 encryption for all stored Personal Data via Google Cloud Platform managed encryption keys (CMEK available upon request)
• In Transit: TLS 1.2 or higher for all data transmissions; HTTPS enforced on all endpoints
• Application Layer: Additional encryption for sensitive fields (API keys, credentials, tokens) using application-level encryption before database storage

4.2 Access Controls

• Role-based access control (RBAC) with principle of least privilege
• Multi-factor authentication (MFA) mandatory for all administrative and production access
• Unique user accounts for all personnel; no shared credentials
• Automated access reviews conducted quarterly
• Privileged access management (PAM) for infrastructure access

4.3 Audit Logging

• Comprehensive audit trails for all data access, modifications, and administrative actions
• Logs retained for a minimum of 3 years in tamper-evident storage
• Real-time log monitoring and anomaly detection via Wazuh SIEM/XDR
• Automated alerting for suspicious access patterns

4.4 SOC Procedures

• 24/7 security operations monitoring through Wazuh EDR and Grafana Cloud observability
• Documented incident response procedures with defined escalation paths
• Regular tabletop exercises and incident response drills
• Vulnerability management program with defined SLAs for remediation

4.5 Infrastructure Security

• All workloads deployed on Google Cloud Platform (asia-south1, Mumbai, India)
• Network segmentation and firewall rules restricting inter-service communication
• Container-based deployments on Cloud Run with automatic security patching
• Regular penetration testing by qualified third-party assessors (at least annually)
• Automated vulnerability scanning of all dependencies and container images

4.6 Business Continuity

• Automated database backups with point-in-time recovery
• Cross-region backup replication for disaster recovery
• Documented disaster recovery plan with defined RTO and RPO
• Annual disaster recovery testing

05 Sub-processors

The Controller provides general authorization for the Processor to engage the sub-processors listed below. The Processor shall notify the Controller of any intended changes to the list of sub-processors, providing the Controller an opportunity to object.

5.1 Sub-processor Obligations

The Processor shall:

• Impose on each sub-processor data protection obligations no less protective than those set out in this DPA
• Conduct due diligence on sub-processors' security practices before engagement
• Remain fully liable to the Controller for the performance of each sub-processor's obligations
• Provide at least 30 days' notice before engaging a new sub-processor or replacing an existing one
• If the Controller objects to a new sub-processor on reasonable grounds, the parties shall work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the affected services without penalty.

06 Data Breach Notification

6.1 Notification Timeline

In the event of a Data Breach involving Personal Data processed under this DPA, the Processor shall:

• Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, in compliance with the DPDP Act, 2023 and GDPR Article 33
• If notification cannot be achieved within 72 hours, the Processor shall provide reasons for the delay along with the notification

6.2 Notification Content

The breach notification shall include, to the extent available:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
• The name and contact details of the Processor's data protection point of contact
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
• A timeline of events and a root cause analysis (to be provided within 7 days of breach discovery)

6.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall not inform any third party of the breach without first obtaining the Controller's written consent, unless required by applicable law.

07 Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests exercising their rights under Applicable Data Protection Law, including:

• Right of access / right to information
• Right to rectification / correction
• Right to erasure / deletion
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to grievance redressal (DPDP Act)
• Right to nominate (DPDP Act)

The Processor shall:

• Promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to the request without the Controller's prior written authorization unless required by applicable law
• Provide the Controller with the technical ability to fulfil Data Subject requests through the Platform's administrative interface where feasible
• Respond to Controller requests regarding Data Subject rights within 10 business days

08 Audit Rights

8.1 Controller's Right to Audit

The Controller (or its designated independent auditor) shall have the right to audit the Processor's compliance with this DPA, subject to the following conditions:

• The Controller shall provide at least 30 days' written notice before conducting an audit
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
• The Controller shall bear its own costs of the audit, unless the audit reveals material non-compliance by the Processor
• Audit frequency shall not exceed once per calendar year, unless a Data Breach has occurred or there is a regulatory requirement

8.2 Processor's Audit Documentation

The Processor shall maintain and make available upon request:

• Records of all processing activities carried out on behalf of the Controller
• Current security certifications and compliance reports
• Results of recent penetration tests and vulnerability assessments (with sensitive details appropriately redacted)
• Evidence of sub-processor due diligence and contractual protections
• Records of staff training on data protection

09 Data Deletion and Return on Termination

9.1 Controller's Choice

Upon termination or expiration of the Agreement, the Controller may instruct the Processor to either:

• Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV), or
• Delete all Personal Data and certify such deletion in writing

9.2 Deletion Timeline

• The Controller must exercise its choice within 30 days of termination
• If no instruction is received within 30 days, the Processor shall delete all Personal Data
• Deletion shall be completed within 90 days of receiving instructions (or of the 30-day decision period expiring)
• The Processor shall use cryptographic erasure methods to ensure data cannot be recovered

9.3 Exceptions

The Processor may retain Personal Data to the extent required by applicable law (e.g., tax records, regulatory requirements), provided that:

• The Processor informs the Controller of the legal requirement and the specific data retained
• The retained data is protected in accordance with this DPA for the duration of retention
• The retained data is deleted as soon as the legal obligation is fulfilled

10 Liability and Indemnification

10.1 Processor Liability

The Processor shall be liable for damage caused by processing only where it has not complied with obligations of Applicable Data Protection Law specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.

10.2 Indemnification

• The Processor shall indemnify the Controller against any losses, damages, costs, or expenses arising from the Processor's breach of this DPA or its obligations under Applicable Data Protection Law
• The Controller shall indemnify the Processor against any losses, damages, costs, or expenses arising from the Controller's instructions that cause the Processor to breach Applicable Data Protection Law

10.3 Limitation of Liability

The total aggregate liability of the Processor under this DPA shall not exceed the total fees paid by the Controller to the Processor under the Agreement during the 12 months immediately preceding the event giving rise to the claim, except in cases of gross negligence, willful misconduct, or Data Breaches caused by the Processor's failure to implement the security measures specified in this DPA.

10.4 No Limitation for Specific Breaches

Nothing in this DPA shall limit either party's liability for: fraud, death or personal injury caused by negligence, or any liability that cannot be excluded or limited under applicable law.

11 Governing Law and Dispute Resolution

11.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of India, without regard to its conflict of laws provisions. The Digital Personal Data Protection Act, 2023 and its rules shall apply to all processing of Personal Data under this DPA.

11.2 Jurisdiction

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India.

11.3 GDPR Applicability

Where the processing of Personal Data is subject to the GDPR, the relevant provisions of the GDPR shall apply in addition to this DPA. In the event of a conflict between the GDPR and Indian law provisions of this DPA, the more protective standard shall prevail with respect to the affected Personal Data.

11.4 Dispute Resolution Process

• The parties shall first attempt to resolve any dispute through good-faith negotiation within 30 days
• If unresolved, the dispute may be referred to mediation under the rules of the Indian Council of Arbitration
• If mediation fails, either party may pursue resolution through the courts as specified above

12 General Provisions

• Entire Agreement: This DPA, together with the Agreement, constitutes the entire agreement between the parties relating to the subject matter hereof and supersedes all prior agreements, understandings, and representations.
• Amendments: This DPA may only be amended in writing, signed by authorized representatives of both parties.
• Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
• Survival: Sections relating to confidentiality, liability, indemnification, data deletion, and audit rights shall survive termination of this DPA.
• No Waiver: Failure to enforce any right under this DPA shall not constitute a waiver of that right.

13 Contact Information

For questions or requests relating to this DPA: