1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between:
- Data Fiduciary (Customer): The organization subscribing to ElytraNexus
- Data Processor (Elytra Security): Provider of the ElytraNexus platform
This DPA governs the processing of personal data under the Digital Personal Data Protection Act, 2023 (DPDPA) and supplements our Terms of Service.
2. Scope of Processing
Subject Matter: Provision of GRC (Governance, Risk, Compliance) platform services
Nature and Purpose: Storage, processing, and management of compliance-related data
Duration: For the term of the subscription and retention period thereafter
Types of Personal Data:
- User account data (names, emails, roles)
- Organizational compliance data
- Audit logs and usage analytics
- Evidence and documentation uploaded by customers
Categories of Data Subjects: Customer employees, auditors, contractors
3. Processor Obligations
Elytra Security commits to:
- Process data only on documented instructions from the Customer
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with prior written consent
- Assist Customer in responding to data subject requests
- Assist Customer with data protection impact assessments
- Delete or return personal data upon contract termination
- Make available information necessary to demonstrate compliance
4. Security Measures
We implement the following security controls:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-tenant data isolation with strict access controls
- Multi-factor authentication (MFA) available
- Regular security audits and vulnerability assessments
- Incident response and breach notification procedures
- Role-based access control (RBAC) with audit logging
- Secure software development lifecycle (SSDLC)
- Data backup and disaster recovery procedures
5. Sub-Processors
Elytra Security may engage the following sub-processors:
- Cloud Hosting: [To be specified based on actual infrastructure]
- Email Services: [To be specified if using third-party email]
Customers will be notified 30 days before any new sub-processor engagement and may object on reasonable grounds.
6. Data Subject Rights
Elytra Security will assist the Customer in fulfilling data subject requests for:
- Access to personal data
- Correction of inaccurate data
- Erasure ("right to be forgotten")
- Data portability
- Withdrawal of consent
- Grievance redressal
Requests should be submitted to: privacy@elytrasecurity.com
Response time: Within 30 days as mandated by DPDPA
7. Data Breach Notification
In the event of a personal data breach, Elytra Security will:
- Notify the Customer within 72 hours of becoming aware
- Provide details of the breach, affected data, and remediation steps
- Cooperate in breach investigation and regulatory notifications
- Implement measures to prevent recurrence
8. Data Transfers
Personal data is primarily stored and processed in India. Any cross-border transfers will comply with DPDPA requirements through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the Indian government
- Customer-approved transfer mechanisms
9. Data Retention and Deletion
Upon contract termination, Elytra Security will:
- Provide Customer with an export of all data (30 days)
- Delete all personal data within 90 days unless legally required to retain
- Provide written certification of deletion upon request
10. Audits and Compliance
Customer may audit Elytra Security's compliance with this DPA by:
- Requesting compliance documentation
- Reviewing SOC 2 Type II reports (when available)
- Conducting on-site audits (with reasonable notice and at Customer's expense)
11. Liability and Indemnification
Each party is liable for damages caused by its violation of DPDPA. Elytra Security's liability is limited as specified in the Terms of Service.
12. Term and Termination
This DPA remains in effect for the duration of the subscription and data retention period. Provisions related to data security, deletion, and confidentiality survive termination.
13. Contact Information
Data Protection Officer:
Elytra Security
Email: privacy@elytrasecurity.com
Address: Bengaluru, Karnataka, India
For DPA-related queries: dpa@elytrasecurity.com