Data Processing Addendum

The terms that govern how Spexx processes personal data on your behalf when you use our services.

Last updated: [Effective date]

This Data Processing Addendum (the "DPA") forms part of the agreement between you (the "Customer") and [Spexx Technologies legal name], having its registered office at [Registered office address] ("Spexx", "we", or "us"), GSTIN [GSTIN], CIN [CIN]. It applies whenever Spexx processes personal data on behalf of the Customer in connection with the Spexx services. This DPA is intended to operate alongside the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as applicable.

1. Roles of the parties

For the purposes of this DPA, the Customer is the Data Fiduciary (and, where another framework applies, the Controller) in respect of the personal data it submits to or collects through the services. The Customer determines the purposes and means of processing that personal data.

Spexx acts as a Data Processor (and, under the DPDP Act, as a Data Processor engaged by the Data Fiduciary). Spexx processes personal data only to provide the services and only in accordance with the Customer's documented instructions, as set out in this DPA and the underlying agreement.

Each party is responsible for its own compliance obligations. The Customer is responsible for the lawful basis of collection, for providing required notices to data principals, and for the accuracy of the personal data it provides.

2. Scope and purpose of processing

Spexx processes personal data solely to deliver, maintain, secure, and support the services the Customer has subscribed to. The subject matter of the processing is the operation of those services. The duration of the processing is the term of the agreement, plus any period required by law or this DPA for deletion or return of data.

  • Nature of processing: hosting, storage, transmission, retrieval, display, and support of Customer data within the services.
  • Categories of data principals: the Customer's end users, staff, patients, students, and other individuals whose data the Customer chooses to enter.
  • Categories of personal data: contact details, account credentials, and any records the Customer stores in the services, which may include health or other sensitive data depending on the product used.

3. Processor obligations

Spexx undertakes the following obligations in respect of personal data processed on the Customer's behalf:

  • Processing on instructions: we process personal data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by applicable law, in which case we will inform the Customer where permitted.
  • Confidentiality: we ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations and access data only as needed to perform their duties.
  • Security: we implement and maintain reasonable technical and organisational security measures, including encryption in transit, access controls, and logging, consistent with the IT Rules and the standard of care expected under the DPDP Act.
  • Assistance with rights: we assist the Customer, to the extent reasonably possible, in responding to requests from data principals to access, correct, update, or erase their personal data.
  • Assistance with incidents: we assist the Customer in meeting its obligations relating to security of processing and personal data breaches, taking into account the information available to us.
  • Deletion or return: on termination of the services, and at the Customer's choice, we delete or return the personal data we hold, save where applicable law requires us to retain a copy.

4. Sub-processors

The Customer authorises Spexx to engage the sub-processors listed below to support the delivery of the services. Each sub-processor is bound by data protection obligations no less protective than those in this DPA. We will give the Customer reasonable notice of any intended addition or replacement of a sub-processor so that the Customer may object on reasonable grounds.

  Sub-processor        | Service              | Purpose
  ---------------------|----------------------|-----------------------------------------
  Amazon Web Services  | S3, ap-south-1       | File and object storage
  Razorpay             | Payments             | Billing and payment processing
  Zoho Mail            | Transactional email  | Account and service notifications
  Google Firebase      | Phone verification   | One-time password delivery
  [Hosting provider]   | Compute              | Application hosting and processing

5. Data residency

Spexx stores and processes Customer personal data within India. Primary storage and compute are located in Indian data centre regions, including the Amazon Web Services ap-south-1 (Mumbai) region. Where any sub-processor processes limited data outside India in the course of providing its service, we take reasonable steps to ensure such processing is consistent with applicable Indian law and with this DPA.

6. Breach notification

If Spexx becomes aware of a personal data breach affecting Customer personal data, we will notify the Customer without undue delay after becoming aware of it. Our notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data principals and records affected, the likely consequences, and the measures taken or proposed to address it. We will cooperate with the Customer and, where required, support reporting to the Data Protection Board of India and affected data principals.

7. Audit

On reasonable prior written request, and no more than once per year unless required by a regulator or following a confirmed breach, Spexx will make available information necessary to demonstrate compliance with this DPA. Audits will be conducted during business hours, subject to confidentiality obligations, and in a manner that does not unreasonably disrupt our operations or the data of other customers. We may satisfy audit requests by providing relevant certifications or third-party assessment reports where available.

8. Contact

Questions about this DPA, or requests relating to it, may be directed to our Grievance Officer, [Grievance Officer name], at grievance@spexx.in. We will acknowledge and respond to requests within the timelines required by the DPDP Act and the IT Rules.