Data Processing Agreement.
This DPA forms part of your subscription with Wizthinkers Private Limited (operating as Depra) and describes our obligations as a Data Processor when we handle Personal Data on your behalf - under the DPDP Act 2023 (India), the EU/UK GDPR, and other applicable data protection laws.
01 Roles
You (the Customer) are the Data Fiduciary (DPDP Act) and Controller (GDPR / UK GDPR) for the Personal Data processed in connection with your account. Depra is the Data Processor / processor and processes Personal Data only on your documented instructions - meaning your subscription terms, the configuration choices you make in our dashboard, and any written instructions you send us by email.
02 Scope of processing
Subject-matter: providing the Depra AI Revenue Engine and related services (WhatsApp, voice, email AI agents) so you can run revenue plays for your D2C / ecommerce business.
Duration: the term of your subscription, plus a maximum of 30 days for export and deletion.
Nature: automated processing - collecting, storing, transcribing, classifying, responding, routing, analysing, and deleting customer conversations.
Purpose: enabling you to run the configured plays - abandoned-cart recovery, COD-to-prepaid, NDR recovery, refund-to-exchange, post-purchase automation, replenishment, support deflection.
Data subjects: your end-shoppers (and prospects who interact with your channels), your authorised dashboard users, and contacts at your business partners that you choose to import.
Personal Data categories: names, phone numbers, email addresses, order details, payment metadata only (no card numbers), conversation content, voice recordings and transcripts, and inferred attributes like sentiment and language.
03 Customer responsibilities
Have a lawful basis under the DPDP Act, GDPR, or UK GDPR to provide the Personal Data to us, including any required consents and notices to your end-shoppers.
Do not send us special-category data (sensitive personal information under the IT Rules 2011, GDPR Article 9 categories, or PCI-DSS scope card data) unless we have separately agreed to handle it with additional safeguards.
Issue instructions through the dashboard or by email; instructions that would breach a data-protection law will be flagged and refused.
Honour your end-shoppers' rights - Depra provides the tooling, you remain the responsible party as Data Fiduciary.
04 Our obligations as Processor
Process Personal Data only on your documented instructions. Tell you promptly if any instruction would, in our reasonable opinion, breach a data-protection law.
Confidentiality: every employee or contractor with access to your Personal Data is bound by a written confidentiality obligation and trained on data protection.
Security: maintain the technical and organisational measures listed at https://depra.ai/security - TLS 1.2+, AES-256 at rest, SSO + MFA, RBAC, tenant isolation, encrypted backups, annual penetration tests, continuous vulnerability scanning, 24×7 incident response.
Assist you with Data Subject / Data Principal requests within 5 business days at no charge for routine requests.
Help with data-protection impact assessments and prior consultations with regulators when our processing is in scope.
Notify you of any confirmed Personal Data Breach within 48 hours of discovery, with the facts known at the time and progressive updates.
05 Sub-processors
You give us general authorisation to engage sub-processors. The current list is at https://depra.ai/subprocessors - that page is the source of truth.
We give you at least 14 days' written notice before adding or replacing a sub-processor. You can object on reasonable data-protection grounds within that window. If we can't accommodate the objection, you may terminate the affected service for convenience and we'll refund any pre-paid fees on a pro-rata basis.
Every sub-processor that handles Personal Data is bound by a written contract with data-protection obligations no less protective than this DPA. We remain liable to you for our sub-processors' acts and omissions as if they were our own.
06 International transfers
Primary processing happens in India (AWS Mumbai, ap-south-1). Some sub-processors operate in the US or EU.
Cross-border transfers are governed by EU Standard Contractual Clauses (Module Two for Controller-to-Processor; Module Three for our onward Processor-to-Processor flows), the UK International Data Transfer Addendum (B1.0, 21 March 2022), and Section 16 of the DPDP Act.
We have run Transfer Impact Assessments for all international transfers. A redacted summary is available to customers under NDA at team@depra.ai.
07 Personal Data Breach notification
Within 48 hours of confirmed discovery we notify the customer's primary contact email with: nature of the breach, categories and approximate count of affected data subjects and records, likely consequences, and the measures we have taken or propose to take.
We update you as the investigation develops, cooperate with regulators, and assist with your own notifications under DPDP Act Sec 8(6), GDPR Article 33-34, or other applicable law.
We do not notify third parties (regulators, media, end-shoppers) about a breach affecting your data without your prior written consent, except where required by law.
08 Audit rights
We make available to you, under NDA: SOC 2 reports when issued, ISO 27001 certification when issued, redacted summaries of our annual third-party penetration tests, and our latest security questionnaire responses.
On 30 days' written notice (and no more than once in any 12 months unless a confirmed breach has occurred), you may audit our compliance with this DPA - at your cost, during business hours, by an auditor reasonably acceptable to us under our standard NDA, scoped to matters reasonably necessary to verify compliance.
Where a regulator with jurisdiction requests an audit, the frequency cap above does not apply and we cooperate fully.
09 Deletion or return on termination
On termination of your subscription, or on your earlier written request, we will (at your election) delete all your Personal Data in our possession or return a complete copy in machine-readable format and then delete it.
Active systems are deleted within 30 days. Backups are purged within the rolling 35-day retention cycle, no later than 90 days. We provide written certification of deletion when complete.
We may retain Personal Data only to the extent and for the period required by law (e.g., tax records under the Indian Income Tax Act and GST Act) - and only for that purpose, with continuing confidentiality.
10 Liability and conflict
Liability under this DPA is subject to the caps and exclusions in your subscription terms, except for fraud, death/personal injury caused by negligence, and amounts that cannot be limited by law. If this DPA conflicts with the subscription terms on a data-protection point, this DPA prevails. If this DPA conflicts with the EU SCCs on the points the SCCs cover, the SCCs prevail to the extent required by law.
11 Governing law
This DPA is governed by the laws of India. Subject to the SCCs and to data-subject rights to bring proceedings in the courts of their habitual residence, the courts at Aligarh, Uttar Pradesh have exclusive jurisdiction.
12 Counter-signed copy for procurement
This DPA auto-applies to your subscription. If your procurement team needs a counter-signed PDF, email team@depra.ai with your entity legal name and registered address - we will send a signed copy within 3 business days.
Need a counter-signed DPA, a Transfer Impact Assessment summary, or our latest security questionnaire? Email team@depra.ai - we typically reply within one business day.