Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

Data Fiduciary: [Organisation Name], a [type of entity, e.g., registered society / company] registered at [registered address] ("Client" or "Data Fiduciary"); and

Data Processor: Dataworx, operating the FieldGovern platform, registered at [Dataworx registered address] ("Processor").

Together referred to as the "Parties." This DPA supplements and forms part of the FieldGovern Subscription Agreement between the Parties.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person (data principal) processed under this DPA, including but not limited to: name, phone number, address, GPS location, photograph, survey responses.

"Processing" means any operation on Personal Data including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

"DPDP Act" means the Digital Personal Data Protection Act 2023 and all rules, regulations, and guidelines issued thereunder.

"Data Principal" means the individual to whom Personal Data relates (typically the survey respondent).

2. Subject matter and duration

The Processor will process Personal Data on behalf of the Data Fiduciary for the purpose of providing the FieldGovern field data collection, analysis, and reporting platform ("Services").

This DPA commences on the effective date of the Subscription Agreement and continues until termination of those Services, subject to the survival obligations in Clause 8.

3. Nature and purpose of processing

1. Purpose: Processing is limited to enabling the Data Fiduciary's authorised users to: (a) design and deploy digital survey forms; (b) collect responses from Data Principals in the field; (c) store, manage, and analyse collected data; (d) export data for the Data Fiduciary's reporting and monitoring obligations.
2. Data categories: The Processor will process only data that the Data Fiduciary's users submit through the platform. The Data Fiduciary is solely responsible for ensuring data minimisation — that only necessary Personal Data is collected.
3. Instructions: The Processor will process Personal Data only on documented instructions from the Data Fiduciary. This DPA and the Subscription Agreement constitute the initial set of instructions. Instructions that would put the Processor in breach of the DPDP Act may be declined with written notice.

4. Processor obligations

1. Confidentiality: The Processor will ensure all personnel authorised to process Personal Data are under a duty of confidentiality.
2. Security: The Processor will implement and maintain appropriate technical and organisational security measures including: (a) JWT-based access control with bcrypt password hashing; (b) row-level tenant isolation ensuring no cross-tenant data access; (c) TLS encryption in transit; (d) encrypted offline storage (OPFS/IndexedDB) on field devices; (e) audit log for all data access and modification events; (f) automated 7-day local and 30-day offsite backups.
3. Sub-processors: The Processor may engage sub-processors for infrastructure services. Current sub-processors: (a) Hetzner / Oracle Cloud — server hosting (India region); (b) Cloudflare R2 — backup storage; (c) Sentry — error monitoring (error metadata only, no Personal Data). The Data Fiduciary will be notified of any change to sub-processors with 30 days' notice.
4. Data principal rights: The Processor will assist the Data Fiduciary (within its technical capabilities) to honour rights under Sections 11–13 of the DPDP Act — access, correction, erasure, and grievance redressal — upon written request from the Data Fiduciary.
5. Deletion: On termination, the Processor will delete or return all Personal Data within 30 days of written request, except where retention is required by applicable law.
6. Audit: The Processor will make available all information necessary to demonstrate compliance with this DPA and will allow audits by the Data Fiduciary or its designated auditor, with 15 days' written notice.

5. Data Fiduciary obligations

1. Obtain valid, informed, and documented consent from Data Principals before collecting Personal Data through the platform.
2. Ensure the platform is configured to collect only data necessary for the stated purpose.
3. Maintain an up-to-date privacy policy accessible to Data Principals before and after data collection.
4. Notify the Processor immediately of any withdrawal of consent by a Data Principal so that the Processor can action erasure/restriction.
5. Not instruct the Processor to process Personal Data in any manner that would violate the DPDP Act or any other applicable law.
6. Appoint a designated point of contact for data protection matters and grievance redressal.

6. Data breach notification

1. The Processor will notify the Data Fiduciary within 6 hours of becoming aware of a Personal Data breach affecting the Data Fiduciary's data.
2. The notification will include: (a) nature of the breach; (b) categories and approximate number of Data Principals affected; (c) likely consequences; (d) measures taken or proposed to address the breach.
3. The Data Fiduciary is responsible for notifying the Data Protection Board and affected Data Principals within the 72-hour window required by the DPDP Act.
4. The Processor will co-operate fully with the Data Fiduciary and regulatory authorities in investigating and remedying the breach.

7. Data transfers and localisation

All Personal Data will be stored and processed on servers located within India unless the Data Fiduciary provides explicit written instructions otherwise. The Processor will not transfer Personal Data outside India without prior written consent from the Data Fiduciary and confirmation that the transfer complies with applicable provisions of the DPDP Act.

8. Termination and survival

On termination of this DPA or the Subscription Agreement, the Processor's obligation to protect Personal Data and assist with Data Principal rights survives until all Personal Data has been returned or verifiably deleted. Audit rights survive for 2 years post-termination.

9. Liability

Each Party's liability under this DPA for any breach of its data protection obligations shall be governed by the limitations and exclusions in the Subscription Agreement, save that neither Party may limit liability for breaches that result in regulatory fines under the DPDP Act imposed on the other Party due to the breaching Party's default.

10. Governing law and disputes

This DPA is governed by the laws of India. Any dispute shall first be escalated to the designated data protection contacts of each Party. If unresolved within 30 days, disputes shall be referred to arbitration under the Arbitration and Conciliation Act 1996, with the seat of arbitration in Bangalore, India.

11. Contact

Processor Data Protection Contact: Pallavi Deshetty · pallavi@dataworx.co.in · FieldGovern / Dataworx

Data Fiduciary Data Protection Contact: [Name] · [email] · [Organisation]

This template is provided for reference. Please have your legal counsel review before execution. For a pre-executed copy, email pallavi@dataworx.co.in.