Effective 22 April 2026 · Version 2.0

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or equivalent contract ("Agreement") between Cyfriq ("Cyfriq", "we" or "us") and the customer ("Customer"). It governs the processing of Personal Data by Cyfriq as Data Processor on behalf of the Customer as Data Fiduciary (DPDP Act 2023) / Data Controller (GDPR).

1. Definitions

"Personal Data", "Processing", "Data Principal", "Data Fiduciary", "Significant Data Fiduciary" and "Data Protection Board" have the meanings assigned to them under the DPDP Act. "Personal Data", "Processing", "Controller", "Processor" and "Supervisory Authority" have the meanings assigned to them under the GDPR where applicable.

2. Scope and roles

Customer is the Data Fiduciary / Controller. Cyfriq acts as the Data Processor. Cyfriq processes Personal Data solely on Customer's documented instructions for the purpose of providing the Services.

3. Categories of data & data principals

4. Sub-processors

Customer authorises Cyfriq to engage the sub-processors listed at security.html#subprocessors. Cyfriq will give at least 30 days' prior notice of any new sub-processor and will provide the Customer with the right to object on reasonable data-protection grounds.

5. Security

Cyfriq implements and maintains technical and organisational measures aligned to ISO/IEC 27001 and SOC 2 Type II. Measures include AES-256 encryption at rest with per-tenant KMS keys, TLS 1.3 in transit, RBAC, MFA, immutable WORM audit logging, continuous vulnerability scanning and 24×7 incident response. Detailed controls are described in Annex II of this DPA.

6. Breach notification

Cyfriq will notify the Customer without undue delay and in any event within six (6) hours of becoming aware of a Personal Data Breach affecting Customer Data, to enable Customer to meet its own notification obligations (including the 72-hour DPB notification requirement under the DPDP Act).

7. Assistance to Customer

Cyfriq will provide reasonable assistance, taking into account the nature of the processing, to help Customer fulfil its obligations, including responding to data-principal rights requests, conducting DPIAs where applicable, and communicating with supervisory authorities.

8. Data residency & international transfers

Customer Data is processed and stored in AWS ap-south-1 (Mumbai, India) by default. Cross-border transfers occur only with Customer's instructions and are governed by appropriate transfer mechanisms (Standard Contractual Clauses, adequacy decisions, or DPDP Rules 2025 equivalents).

9. Audit rights

Customer may audit Cyfriq's compliance annually by reviewing current SOC 2 and ISO 27001 reports. For additional audit requirements (on-site, bespoke), Customer may request an audit on 30 days' notice, conducted during business hours and subject to confidentiality obligations.

10. Return and deletion

On termination, Cyfriq provides a 60-day data export window. At T+90 days, all Customer Personal Data is cryptographically erased (key destruction), with an attested certificate of deletion available on request, unless retention is required by law.

11. Liability

Each party's liability under this DPA is subject to the limitations in the underlying Agreement, except that liability for breach of confidentiality or for wilful misconduct is not capped.

12. Miscellaneous

This DPA is governed by the same governing law and dispute-resolution provisions as the Agreement. If any provision conflicts with the Agreement, this DPA prevails with respect to processing of Personal Data.

Annex I — Sub-processors

Current list: see security.html#subprocessors.

Annex II — Technical & organisational measures

See security.html for the complete description of controls, including encryption, access management, change management, vulnerability management, personnel security, business continuity and incident response.

For execution-ready copies of this DPA, contact legal@cyfriq.com.