Skip to Data Processing Agreement
Legal information

Data Processing Agreement

This Data Processing Agreement governs how Rudrriv Solutions Private Limited processes personal data on behalf of a client while providing contracted digital growth, technology, data, outsourcing, managed-service, dedicated-talent and business-support services.

1. Status, incorporation and parties

This Data Processing Agreement (the “DPA”) forms part of the written agreement, order form, statement of work, proposal or other contract under which Rudrriv Solutions Private Limited provides services to a client (the “Service Agreement”). It applies only where Rudrriv processes Client Personal Data on behalf of the client in connection with the Services.

The client identified in the Service Agreement is the “Client”. Rudrriv Solutions Private Limited, having its business contact address at Tower B3, Spaze i-Tech Park, Sector 49, Gurugram, Haryana 122018, India, is “Rudrriv”. The Client and Rudrriv are each a “Party” and together the “Parties”.

Contractual effect: publication of this page does not by itself create a client relationship. This DPA becomes binding when it is signed, electronically accepted, attached to, referenced by, or otherwise incorporated into a Service Agreement by authorised representatives of both Parties.

2. Definitions

Capitalised terms not defined here have the meaning given in the Service Agreement. In this DPA:

  • “Applicable Data Protection Law” means any privacy, data-protection, cybersecurity or data-breach law that applies to the relevant processing, including, as applicable, the Digital Personal Data Protection Act, 2023 and rules and commencement notifications made under it; the Information Technology Act, 2000 and applicable rules; the EU General Data Protection Regulation; the United Kingdom data-protection framework; and applicable state or national privacy laws.
  • “Client Personal Data” means personal data that Rudrriv processes on behalf of the Client under the Service Agreement. It excludes data for which Rudrriv independently determines the purposes and essential means of processing.
  • “Data Principal” or “Data Subject” means the identified or identifiable individual to whom personal data relates.
  • “Data Fiduciary”, “Controller”, “Business”, “Processor”, “Service Provider”, “Contractor”, “Personal Data”, “Processing” and similar terms have the meanings assigned by Applicable Data Protection Law.
  • “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data.
  • “Subprocessor” means a third party engaged by Rudrriv to process Client Personal Data on the Client’s behalf in support of the Services.
  • “Restricted Transfer” means a transfer of personal data that requires a recognised transfer mechanism under Applicable Data Protection Law.

3. Roles and scope

For Client Personal Data, the Client generally acts as the Data Fiduciary, Controller or Business and Rudrriv generally acts as the Data Processor, Processor, Service Provider or Contractor, as those terms apply. Where the Client acts as a processor for another organisation, Rudrriv acts as its subprocessor.

Each Party remains independently responsible for determining which laws apply to it and for complying with obligations allocated to it by law. Nothing in this DPA transfers the Client’s statutory responsibility for the lawfulness, fairness, transparency, accuracy or source of Client Personal Data.

Annex 1 describes the subject matter, duration, nature and purpose of processing, categories of personal data, categories of individuals and any project-specific restrictions. A signed order form or statement of work may supplement or replace Annex 1 for a particular engagement.

4. Client obligations and instructions

The Client shall:

  • ensure that its instructions, collection, use, disclosure and transfer of Client Personal Data are lawful and within its authority;
  • provide legally sufficient notices and obtain consents or other lawful authority where required;
  • give Rudrriv documented, complete and consistent processing instructions through the Service Agreement, approved project documentation, authorised systems, tickets, email or other agreed channels;
  • limit Client Personal Data to what is reasonably necessary for the Services and avoid supplying sensitive or regulated data unless expressly agreed in writing;
  • maintain appropriate account, access, authentication, approval, retention and user-management controls for systems under the Client’s control;
  • respond to Rudrriv’s reasonable questions where instructions are unclear, conflicting, incomplete or likely to create security or legal risk; and
  • not instruct Rudrriv to process personal data in a manner that violates Applicable Data Protection Law.

The Client’s use of the Services and configuration of systems, integrations, permissions, audiences, workflows, retention settings and data fields constitute documented instructions to the extent they are consistent with the Service Agreement and this DPA.

5. Rudrriv processing obligations

Rudrriv shall:

  • process Client Personal Data only on documented instructions from the Client, including with respect to transfers, unless law requires otherwise;
  • inform the Client before processing required by law unless the law prohibits that notice;
  • process Client Personal Data only for delivering, securing, supporting, maintaining and improving the contracted Services, and not for an unrelated independent commercial purpose;
  • not sell Client Personal Data or share it for cross-context behavioural advertising where those concepts apply, unless the Client expressly directs the activity and it is lawful;
  • not combine Client Personal Data with personal data obtained from other clients or from Rudrriv’s own interactions except as permitted by law and necessary for the Services, security, fraud prevention or another documented Client instruction;
  • notify the Client if Rudrriv reasonably believes an instruction violates Applicable Data Protection Law and suspend the affected processing where reasonably necessary while the Parties address the issue; and
  • make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security and proportionality safeguards.

6. Confidentiality and authorised personnel

Rudrriv shall restrict access to Client Personal Data to personnel, contractors and Subprocessors who need access for authorised work. Persons authorised to process Client Personal Data shall be subject to confidentiality obligations by contract, policy, professional duty or law.

Rudrriv shall provide appropriate privacy and security awareness to relevant personnel, apply least-privilege principles, and remove or revise access when a role changes or access is no longer required. The Client remains responsible for access granted through Client-controlled systems and credentials unless Rudrriv administers those controls under the agreed scope.

7. Security measures

Taking into account the state of the art, implementation cost, nature, scope, context and purposes of processing, and the risk to individuals, Rudrriv shall maintain appropriate technical and organisational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

The baseline measures are described in Annex 2. They may include access control, multi-factor authentication where supported, secure configuration, encryption in transit, encryption at rest where appropriate and available, logging, backup, vulnerability management, malware protection, change control, incident response, confidentiality commitments and secure deletion.

Security is a shared responsibility. Rudrriv does not warrant that any system is completely secure or that every incident can be prevented. The Client shall promptly notify Rudrriv of suspected credential compromise, unauthorised access or security weaknesses affecting the Services.

8. Personal Data Breach management

Rudrriv shall notify the Client without undue delay after becoming aware of a confirmed Personal Data Breach affecting Client Personal Data. Notification may be delivered to the Client’s designated security, privacy, legal or project contact.

As information becomes reasonably available, Rudrriv shall provide details such as:

  • the nature of the incident and systems or data affected;
  • the known or reasonably estimated categories and volume of affected individuals and records;
  • likely consequences, subject to ongoing investigation;
  • containment, remediation and risk-reduction measures taken or proposed; and
  • a contact point for follow-up.

Rudrriv may provide information in phases where complete information is not initially available. Notice is not an admission of fault or liability. The Client is responsible for deciding whether and how to notify regulators, individuals, customers or other parties, except where law directly requires Rudrriv to notify them. Rudrriv shall reasonably assist the Client with legally required notifications, taking account of the nature of processing and information available to Rudrriv.

9. Subprocessors

The Client gives Rudrriv general written authorisation to engage Subprocessors for the Services. Rudrriv shall impose written data-protection obligations on each Subprocessor that are materially consistent with the obligations applicable to Rudrriv for the relevant processing.

Rudrriv remains responsible to the Client for the performance of a Subprocessor’s data-processing obligations to the extent required by the Service Agreement and Applicable Data Protection Law. A Subprocessor’s independent services or processing outside Rudrriv’s instructions are governed by that Subprocessor’s own terms and legal responsibilities.

Rudrriv shall maintain an applicable Subprocessor list in Annex 3, an order form, a project record or another notice made available to the Client. Where required by law or agreed in the Service Agreement, Rudrriv shall give reasonable advance notice of a material new Subprocessor. The Client may object on reasonable, documented data-protection grounds within ten business days after notice. The Parties shall work in good faith on a commercially reasonable solution. If no reasonable solution is available, either Party may terminate only the affected Service, subject to the Service Agreement.

10. Individual rights requests

Taking into account the nature of processing, Rudrriv shall provide reasonable assistance through appropriate technical and organisational measures to help the Client respond to requests from Data Principals or Data Subjects to exercise rights such as access, correction, completion, updating, erasure, restriction, portability, objection, consent withdrawal, grievance redressal or nomination, where applicable.

If Rudrriv receives a request relating to Client Personal Data, Rudrriv shall, unless prohibited by law, refer the requester to the Client or forward the request to the Client. Rudrriv shall not independently respond on the Client’s behalf unless authorised by the Client or required by law. The Client remains responsible for verifying identity, evaluating the request and determining the legally required response.

11. Compliance assistance

Taking into account the nature of processing and information available to Rudrriv, Rudrriv shall provide reasonable assistance with the Client’s obligations concerning security, breach response, data-protection impact assessments, transfer assessments, prior consultation, records of processing and regulatory enquiries where the processing relates to the Services.

Assistance beyond standard service documentation, ordinary support and information already available to Rudrriv may require a separate scope, reasonable fees and agreed timelines, unless the need results from Rudrriv’s breach of this DPA.

12. Information, assessments and audits

On reasonable written request, Rudrriv shall provide information reasonably necessary to demonstrate compliance with this DPA. The Parties shall first use existing independent reports, certifications, questionnaires, policies, summaries and other documentation where they reasonably address the request.

If additional verification is legally required and existing documentation is insufficient, the Client may conduct, or appoint an independent qualified auditor to conduct, an audit no more than once in any twelve-month period, except after a material Personal Data Breach or where a competent authority requires more frequent review. Audits shall:

  • be subject to at least thirty days’ prior written notice where practicable;
  • occur during normal business hours without unreasonable disruption;
  • be limited to systems, records and controls relevant to Client Personal Data;
  • avoid access to other clients’ data, source code, privileged material, penetration-test details, employee personal data or information that would weaken security;
  • be subject to confidentiality and security requirements; and
  • be conducted at the Client’s cost unless the audit identifies a material breach by Rudrriv.

Nothing in this section requires Rudrriv to disclose information where disclosure would violate law, contractual confidentiality, legal privilege or security obligations. Rudrriv shall instead provide a reasonable alternative form of assurance where possible.

13. Return, deletion and retention

During the term, the Client may retrieve or request return of Client Personal Data using available export features or agreed delivery methods. On termination or expiry of the affected Services, Rudrriv shall, at the Client’s choice and subject to the Service Agreement, return or delete Client Personal Data within a reasonable period, unless law requires or permits continued retention.

Client Personal Data may remain temporarily in backup, disaster-recovery, logging, security or archival systems until overwritten or deleted under normal retention cycles, provided that it remains protected and is not restored or used except for continuity, security, legal compliance or recovery. Rudrriv may retain evidence of instructions, transactions, approvals, invoices, disputes and compliance actions where reasonably necessary for legal, regulatory, tax, accounting, insurance, security or claims purposes.

14. International and cross-border transfers

Rudrriv may process Client Personal Data in India and in other countries where Rudrriv, its personnel or authorised Subprocessors operate, subject to the Service Agreement, Client instructions and Applicable Data Protection Law.

Where a Restricted Transfer requires a recognised safeguard, the Parties shall use the applicable mechanism, which may include an adequacy decision, approved standard contractual clauses, the United Kingdom international data transfer addendum or agreement, binding corporate rules, certification, consent, contractual necessity or another lawful mechanism. Annex 4 applies where the Parties identify an EU, EEA, Swiss or UK Restricted Transfer requiring contractual safeguards.

Each Party shall reasonably cooperate with transfer assessments and supplementary measures. Rudrriv shall not be required to make a representation concerning foreign surveillance or government access beyond information reasonably available to it and the commitments contained in the applicable transfer mechanism.

15. Government and legal requests

If Rudrriv receives a legally binding request from a public authority for Client Personal Data, Rudrriv shall, to the extent legally permitted, notify the Client before disclosure and provide reasonable information about the request. Rudrriv shall assess the request for apparent validity, disclose only data reasonably required, and challenge or seek clarification where there are reasonable grounds and a lawful basis to do so.

Nothing in this DPA requires a Party to obstruct lawful process, violate law or place personnel at risk. Rudrriv may preserve data where required by a valid legal hold or lawful authority.

16. Rudrriv’s independent processing

Rudrriv may act independently as a Data Fiduciary or Controller for limited business-administration purposes, including managing the client relationship, contracts, billing, tax, accounting, fraud prevention, security, legal claims, service analytics based on de-identified or aggregated information, personnel administration and compliance.

Such independent processing is governed by Rudrriv’s Privacy Policy and Applicable Data Protection Law, not by the processor obligations in this DPA. Rudrriv shall not use Client Personal Data to create advertising profiles, sell personal data or train a general-purpose model for unrelated customers unless the Client gives specific written authorisation and the processing is lawful.

17. Sensitive, regulated and children’s data

The Client shall not provide or permit access to special-category, sensitive, financial-authentication, health, biometric, precise-location, government-identity, criminal-offence, children’s or other high-risk data unless the Service Agreement or an approved statement of work expressly identifies the data and required safeguards.

Where such processing is approved, the Client remains responsible for establishing lawful authority, age or guardian requirements, notices, consents, purpose limitations and any sector-specific obligations. The Parties shall document additional controls, including access restrictions, encryption, logging, retention, segregation, review or location requirements as appropriate.

18. Artificial intelligence and automated tools

Rudrriv may use software-assisted workflows, automation, analytics or artificial-intelligence tools only as permitted by the Service Agreement, Client instructions and Applicable Data Protection Law. Rudrriv shall apply reasonable data-minimisation, access, confidentiality and vendor controls to approved tools.

Rudrriv shall not submit Client Personal Data to a public or consumer AI service, or use Client Personal Data to train a general-purpose model for Rudrriv or another customer, unless expressly authorised in writing. The Client shall identify any prohibited systems, data-residency requirements, human-review requirements or restrictions on automated decision-making before processing begins.

19. Business continuity and service recovery

Where relevant to the Services, Rudrriv shall maintain proportionate backup, recovery, incident-management and continuity arrangements. Recovery objectives, geographic redundancy, high-availability commitments and disaster-recovery testing apply only where expressly stated in the Service Agreement or relevant platform terms.

The Client is responsible for maintaining its own continuity arrangements, source-data copies and recovery procedures for Client-controlled systems unless those responsibilities are expressly included in Rudrriv’s scope.

20. Costs of assistance

Standard compliance assistance included in the Services is provided without separate charge. Rudrriv may charge reasonable fees for extensive, repetitive, bespoke or out-of-scope assistance, including complex audits, large-scale exports, litigation support, specialised assessments, custom security work or regulator-driven projects, provided Rudrriv gives the Client an estimate or obtains approval where practicable.

21. Liability and indemnity

Liability arising from this DPA is subject to the exclusions, limitations, caps, indemnities and procedures in the Service Agreement, except to the extent a limitation is prohibited by mandatory law. Nothing in this DPA limits an individual’s statutory rights or a regulator’s lawful powers.

Each Party is responsible for fines, damages, claims and costs to the extent caused by its own breach of Applicable Data Protection Law, this DPA or the Service Agreement, subject to applicable law and the agreed allocation of liability.

22. Order of precedence

If documents conflict regarding processing of Client Personal Data, the following order applies unless the Parties expressly agree otherwise: (1) mandatory provisions of an executed transfer mechanism; (2) a signed project-specific data-protection addendum; (3) this DPA; (4) the Service Agreement; and (5) other project documentation.

The DPA supplements rather than replaces the Service Agreement. Commercial terms, service scope, payment, intellectual property, confidentiality and general liability remain governed by the Service Agreement except where this DPA expressly addresses data processing.

23. Term, termination and survival

This DPA begins when it becomes binding under section 1 and continues while Rudrriv processes Client Personal Data under the Service Agreement. Provisions concerning confidentiality, security, return or deletion, audits, transfers, liability, governing law and any obligations that by their nature should survive shall continue after termination for as long as Rudrriv retains Client Personal Data.

24. Changes to this DPA

Rudrriv may publish an updated standard DPA to reflect changes in law, regulatory guidance, Services, security practices or approved transfer mechanisms. An update does not materially reduce contractual data-protection commitments for an active engagement without the Client’s agreement, unless the change is required by law or necessary to preserve legal validity.

The version incorporated into the Service Agreement governs until the Parties accept a later version or the Service Agreement provides an agreed update mechanism.

25. Governing law and disputes

This DPA is governed by the governing law and dispute-resolution provisions in the Service Agreement. If the Service Agreement does not specify them, this DPA is governed by the laws of India and disputes shall be subject to the competent courts in Gurugram, Haryana, India, without limiting mandatory rights, regulatory jurisdiction or the governing-law provisions of an applicable transfer mechanism.

26. Data-protection contact

Contractual notices should be sent through the notice method in the Service Agreement. Privacy, security and data-processing questions may also be sent to:

Rudrriv Solutions Private Limited

Email: support@rudrriv.com

Address: Tower B3, Spaze i-Tech Park, Sector 49, Gurugram, Haryana 122018, India

Annex 1 — Processing details

This Annex applies unless a signed order form or statement of work provides more specific processing details. The Client should ensure that project documentation accurately identifies any regulated, sensitive or unusual processing before data is made available.

ItemDefault description
Subject matterProcessing necessary to provide the Services described in the Service Agreement, order form or statement of work.
DurationFor the term of the affected Services and any limited post-termination retention permitted by this DPA or law.
Nature of processingCollection, receipt, access, recording, organisation, structuring, storage, hosting, retrieval, consultation, use, transmission, disclosure to authorised recipients, alignment, analysis, support, troubleshooting, correction, export, restriction, deletion and destruction, as required for the Services.
PurposesProject delivery, managed services, dedicated talent, software or website development, hosting, maintenance, support, digital marketing operations, analytics, data operations, business-process support, security, quality assurance, reporting, authorised automation and other purposes documented in the Service Agreement.
IndividualsClient personnel, authorised users, customers, prospects, website or application users, suppliers, contractors, business contacts, applicants and other individuals whose data the Client lawfully makes available for the Services.
Personal-data categoriesIdentity and contact data; professional and employment data; account and authentication data; customer and support records; transaction, order, invoice and operational data; website, device, cookie and analytics data; communications; content and files; project-specific data identified by the Client.
Sensitive dataNot authorised by default. Any special-category, sensitive, financial-authentication, health, biometric, government-identity, criminal-offence, children’s or similar data must be expressly approved and documented.
FrequencyContinuous, periodic, event-driven or one-time, according to the Service scope and Client instructions.
RetentionAs configured or instructed by the Client, stated in the Service Agreement, required for delivery, or permitted under section 13 of this DPA.
Processing locationsIndia and other authorised locations used by Rudrriv or approved Subprocessors, subject to section 14.

Annex 2 — Technical and organisational measures

The following measures are applied proportionately according to the Service, system capability, data type, risk and responsibilities allocated between the Parties. Not every measure applies to every engagement.

Control areaIllustrative measures
GovernanceAssigned security and privacy responsibilities; documented policies; risk review; incident procedures; supplier review; periodic control assessment.
Access controlNamed accounts; role-based access; least privilege; approval workflows; multi-factor authentication where available; timely access removal; periodic review.
ConfidentialityContractual confidentiality obligations; need-to-know access; privacy and security awareness; restrictions on unauthorised copying or disclosure.
Encryption and transmissionEncrypted transport using current secure protocols; encryption at rest where appropriate and supported; secure file-transfer or collaboration methods; controlled key and credential handling.
System and application securitySecure configuration; patching; malware protection; vulnerability management; code and change review where relevant; environment separation where appropriate; dependency and secret management.
Logging and monitoringAuthentication, administrative, application, security or workflow logs where supported; alerting and investigation procedures; time-limited log retention according to risk and system capability.
Availability and recoveryBackup and restoration arrangements where in scope; redundancy or recovery procedures appropriate to the Service; incident escalation; continuity planning.
Data minimisationCollection and access limited to approved fields, systems and purposes; masking, aggregation or pseudonymisation where practical; avoidance of unnecessary local copies.
Deletion and media handlingControlled deletion; retention rules; secure disposal or sanitisation appropriate to media and system capability; access restrictions for backup data.
Supplier controlsDue diligence proportionate to risk; written processing and confidentiality terms; restricted access; breach and assistance obligations; change and termination controls.
Physical securityReasonable premises, device, visitor and equipment safeguards for locations used to deliver the Services, taking into account remote-work arrangements.
Testing and improvementPeriodic review, testing, assessment or evaluation appropriate to risk; issue tracking; corrective action; updates in response to incidents, material system changes or legal requirements.

Annex 3 — Subprocessor framework

Project-specific Subprocessors may be listed in the Service Agreement, order form, statement of work, security documentation or a notice supplied to the Client. Because vendors vary by project and region, this public DPA does not represent that every category below is used for every Client.

Service categoryPotential purposeLocation and safeguards
Cloud hosting and infrastructureCompute, storage, database, backup, content delivery and security.As documented for the engagement; transfer safeguards applied where required.
Communications and collaborationEmail, messaging, meetings, project coordination and file exchange.As documented for the engagement; access limited to authorised users.
Development and operationsSource control, deployment, monitoring, testing, error tracking and support.As documented for the engagement; repository and environment permissions restricted.
Customer support and CRMTicketing, account administration, client communications and service management.As documented for the engagement; purpose and field restrictions applied.
Analytics and marketing platformsClient-authorised measurement, campaign operations, audience management and reporting.Only where within scope and lawful; project-specific instructions and platform terms apply.
Professional and specialist providersSecurity, legal, audit, accounting, translation, recruitment or specialist delivery support.Need-to-know access and confidentiality obligations; processing details documented where material.

Annex 4 — Restricted-transfer terms

4.1 European Economic Area transfers

Where Client Personal Data protected by the EU GDPR is transferred to Rudrriv or a Subprocessor in a country that does not benefit from an applicable adequacy decision and no other lawful mechanism applies, the current European Commission standard contractual clauses for international transfers are incorporated by reference in the module appropriate to the Parties’ roles.

Unless a signed transfer addendum states otherwise: the Client is the data exporter; Rudrriv is the data importer; the docking clause applies; optional independent dispute resolution does not apply; general authorisation for subprocessors applies with the notice period in section 9; the governing law is the law of an EU Member State that permits third-party beneficiary rights, selected in the applicable order form; and the competent courts and supervisory authority are determined under the clauses and the exporter’s establishment or representative.

4.2 United Kingdom transfers

Where UK data-protection law requires a transfer mechanism, the then-current UK International Data Transfer Addendum to the EU standard contractual clauses or the UK International Data Transfer Agreement is incorporated or executed as appropriate. The information in the Service Agreement and Annexes 1 to 3 completes the relevant tables to the extent applicable.

4.3 Switzerland and other jurisdictions

For Swiss transfers, references in the applicable clauses shall be adapted as required by Swiss law, including references to the competent Swiss authority and Swiss data subjects. For another jurisdiction, the Parties shall execute or incorporate the recognised mechanism required by that jurisdiction.

4.4 Supplementary measures and conflict

The Parties shall document reasonably necessary supplementary technical, contractual or organisational measures. If this DPA conflicts with a mandatory provision of an executed transfer mechanism, the transfer mechanism controls for the Restricted Transfer.

Annex 5 — Optional execution block

The Parties may execute this DPA through a Service Agreement, electronic acceptance platform or the signature block below. Electronic signatures and counterparts are permitted to the extent allowed by applicable law.

For the ClientFor Rudrriv Solutions Private Limited
Legal name: ______________________________Legal name: Rudrriv Solutions Private Limited
Authorised signatory: ______________________Authorised signatory: ______________________
Title: ____________________________________Title: ____________________________________
Signature: _________________________________Signature: _________________________________
Date: _____________________________________Date: _____________________________________
Back to top