Legal Document

Data Processing Agreement

Effective date: 15 May 2026 · Version: 1.0 · Jurisdiction: India (DPDP Act 2023) & GDPR Article 28 compliant

Data Controller

Customer Organisation

The organisation that has accepted the GRCfy Terms & Conditions and whose authorised users access the Platform.

Referred to herein as "Controller" or "you".

AND

Data Processor

GRCfy Technologies Private Ltd

Innov8 Millenia, 2nd Floor, East Wing, RMZ Millenia Business Park,
Campus 1A, No. 143, Dr. M.G.R. Road (North Veeranam Salai),
Perungudi, Sholinganallur, Chennai – 600096, Tamil Nadu, India

Contact: privacy@grcfy.com

Referred to herein as "Processor" or "we".

How this DPA works: This Data Processing Agreement ("DPA") forms part of the agreement between the Controller and the Processor established by the GRCfy Terms & Conditions. Where personal data is processed by the Processor on behalf of the Controller, this DPA governs that processing. It is designed to satisfy the requirements of GDPR Article 28 and the Digital Personal Data Protection Act 2023 (DPDP Act).

Contents

1. Definitions
2. Subject Matter & Duration
3. Nature & Purpose of Processing
4. Types of Personal Data
5. Controller Obligations
6. Processor Obligations
7. Sub-processors
8. International Data Transfers
9. Security Measures
10. Personal Data Breach
11. Data Subject Rights
12. Data Retention & Deletion
13. Audit & Inspection Rights
14. Liability
15. Governing Law
16. Execution

Section 01

Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meaning given in the GRCfy Terms & Conditions or applicable data protection law.

Term	Meaning
Personal Data	Any information relating to an identified or identifiable natural person ("Data Principal" under the DPDP Act / "Data Subject" under GDPR) that is processed by the Processor on behalf of the Controller in connection with the Platform.
Processing	Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
Controller	The Customer Organisation that determines the purposes and means of processing Personal Data (Data Fiduciary under DPDP Act).
Processor	GRCfy Technologies Private Ltd, which processes Personal Data on behalf of the Controller (Data Processor under DPDP Act).
Sub-processor	Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
Applicable Data Protection Law	The DPDP Act 2023 and its rules; the EU/UK GDPR where applicable; and any other data protection law applicable to the Controller's jurisdiction.
Security Incident	Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.
Platform	The GRCfy compliance orchestration software-as-a-service application operated by the Processor.

Section 02

Subject Matter & Duration

This DPA governs the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Platform under the Terms & Conditions.

This DPA takes effect on the date the Controller first accesses the Platform (or the date of any separate written acceptance) and continues for the duration of the subscription agreement, including any data retention period following termination during which Personal Data is retained prior to deletion.

Section 03

Nature & Purpose of Processing

The Processor processes Personal Data solely to provide, maintain, and support the Platform in accordance with the Controller's instructions. The specific processing activities include:

Activity	Purpose	Legal Basis
Account provisioning & authentication	Creating and managing user accounts; verifying identity on login	Contract performance; legitimate interest (security)
Audit & compliance data hosting	Storing and serving controls, findings, evidence, and reports	Contract performance
Role-based access control	Enforcing data visibility boundaries between firms and entities	Contract performance; legitimate interest
Transactional notifications	Sending email alerts for audit assignments, evidence flags, renewals	Contract performance
Immutable audit trail	Recording user actions for compliance, security, and legal accountability	Legal obligation; legitimate interest
Subscription & billing administration	Managing credits, storage quotas, and renewal cycles	Contract performance
Data deletion & recovery operations	Soft-delete, recovery vault, and permanent purge on controller instruction	Legal obligation; contract performance

The Processor shall not process Personal Data for any purpose other than as set out in this DPA and the documented instructions of the Controller, unless required to do so by applicable law.

Section 04

Types of Personal Data & Data Subjects

4.1 Categories of Personal Data

The Personal Data processed under this DPA may include:

Identity & contact data — full name, email address, phone number, job title, department
Authentication data — hashed passwords, SSO identity attributes (name, email, group memberships)
Professional data — role assignments, audit responsibilities, audit findings authored or assigned
Technical data — IP addresses, browser user-agent strings, login timestamps, session identifiers
Compliance content — audit responses, evidence files, and findings uploaded by Controller users; these may incidentally contain personal data depending on the nature of the organisation's compliance programme
Activity logs — immutable records of user actions within the Platform

            Special categories of data: The Platform is not designed to collect or process special categories
            of personal data (e.g., health, biometric, religious, or political data). The Controller must not upload
            such data without prior written agreement with the Processor and appropriate safeguards in place.
        

4.2 Categories of Data Subjects

Employees and contractors of the Controller's organisation who are assigned as users of the Platform
Employees and contractors of the Controller's audit firm (where the Controller is a client entity)
Any individuals whose personal data is incidentally included in compliance evidence or audit documentation uploaded by the Controller

Section 05

Controller Obligations

The Controller represents, warrants, and undertakes that:

It has a valid legal basis under Applicable Data Protection Law for sharing Personal Data with the Processor for processing under this DPA.
It has provided all required notices to, and obtained all required consents from, Data Subjects (where consent is the legal basis).
It will only instruct the Processor to process Personal Data in ways that are consistent with Applicable Data Protection Law.
It will promptly notify the Processor of any change in applicable legal requirements that may affect the Processor's processing activities.
It will configure the Platform's role-based access controls appropriately to minimise the exposure of Personal Data to unauthorised users.
It will not upload special categories of personal data without prior written authorisation from the Processor and execution of supplementary safeguards.
Where the Controller configures a company-hosted or client-hosted database, it accepts full responsibility for the security and compliance of that infrastructure.

Section 06

Processor Obligations

The Processor shall:

6.1 Process Only on Instructions

Process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms & Conditions), unless required to do so by applicable law, in which case the Processor shall inform the Controller before processing (unless prohibited by law from doing so).

6.2 Confidentiality

Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and receive appropriate data protection training.

6.3 Security

Implement and maintain technical and organisational security measures as described in Section 9 of this DPA, appropriate to the risk presented by the processing.

6.4 Sub-processors

Not engage sub-processors without the prior general or specific written authorisation of the Controller, as further described in Section 7.

6.5 Data Subject Rights Assistance

Taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organisational measures to fulfil the Controller's obligations to respond to requests for the exercise of Data Subject rights (access, correction, erasure, portability, restriction, objection).

6.6 Compliance Assistance

Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and information available to the Processor.

6.7 Deletion or Return of Data

At the Controller's choice, on termination of the DPA, delete or return all Personal Data (and copies) to the Controller, unless applicable law requires continued storage. The Processor will inform the Controller of any such legal requirement.

6.8 Cooperation with Supervisory Authorities

Cooperate with applicable supervisory authorities (including the Data Protection Board of India and EU Supervisory Authorities, as relevant) as required by law.

DPDP Act compliance note: The Processor maintains an immutable activity log (compliance_logs database) recording all significant data processing actions with timestamps, user identifiers, IP addresses, and DPDP Act 2023 section references. This log is available to the Controller for audit purposes on request.

Section 07

Sub-processors

7.1 General Authorisation

By entering into this DPA, the Controller grants the Processor general authorisation to engage sub-processors for the categories of processing described in Section 3. The current list of sub-processors is maintained at privacy@grcfy.com and is available on request.

7.2 Sub-processor Categories

Category	Purpose	Data Transferred
Sub-processor	Category	Purpose	Data Transferred
Squarebrothers Chennai, Tamil Nadu, India	Data centre / Infrastructure hosting	Hosting the Platform application and databases within India (Chennai data centre)	All platform data (encrypted at rest and in transit); data does not leave India
Hosting Raja Maharashtra, India	Transactional email	Sending platform notifications (audit assignments, alerts, renewals, invoices) via mail.grcfy.com	Name, email address, notification content; data remains within India
Self-hosted (OpenObserve + Vector)	Application monitoring	Log aggregation, error tracking, and performance monitoring — operated by GRCfy on its own infrastructure	Technical/log data only — no audit content; PII pseudonymised (IP hashed)

7.3 Sub-processor Obligations

The Processor shall impose data protection obligations on sub-processors equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of sub-processors' obligations.

7.4 Changes to Sub-processors

The Processor shall notify the Controller at least 30 days in advance of adding or replacing a sub-processor. The Controller may object to the change in writing within 14 days of notification. If the Processor proceeds with the change over a timely objection, either party may terminate the subscription without penalty on 30 days' written notice.

Section 08

International Data Transfers

Personal Data processed under this DPA is primarily stored on servers located in India. Where Personal Data is transferred outside of India or the EEA (for example, to a sub-processor's infrastructure in another country), the Processor shall ensure that an appropriate transfer mechanism is in place, which may include:

Transfer to a country recognised as having adequate data protection under the DPDP Act or GDPR
Standard Contractual Clauses (SCCs) approved by the European Commission
Binding corporate rules (BCRs) approved by a competent supervisory authority
Any transfer mechanism approved by the Data Protection Board of India

Company-hosted & client-hosted databases: Where the Controller has configured the Platform to use a database server in a specific country or data centre, data is stored in that location under the Controller's own infrastructure. In this case, the Controller is solely responsible for ensuring that the storage location complies with applicable data transfer requirements.

Section 09

Security Measures

The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risks of the processing:

9.1 Encryption

All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced)
Passwords are hashed using bcrypt (minimum cost factor 10) — plaintext is never stored or logged
Sensitive configuration values (database credentials, SSO secrets, SFTP passwords) are encrypted at rest using AES-256-CBC

9.2 Access Control

Granular role-based access control (11 distinct roles) enforces least-privilege access
Platform admin roles (super_admin, app_admin) are structurally excluded from accessing tenant audit data (GDPR/DPDP boundary)
Production system access is restricted to authorised personnel and requires multi-factor authentication
All significant access events are recorded in the immutable audit trail

9.3 Audit Trail & Immutability

All material user actions are recorded in an append-only compliance log stored in an isolated database
Log entries include: user ID, tenant ID, IP address, user agent, timestamp, action type, and DPDP Act 2023 section reference
Log records cannot be modified or deleted from within the application
Daily rotating JSON logs provide a secondary ELK-compatible audit trail with 90-day retention

9.4 Data Isolation

Each audit firm and client organisation's data is logically isolated — no cross-tenant data access is permitted by application design
Database-per-client architecture is supported for organisations requiring physical data isolation

9.5 Vulnerability Management

Platform dependencies are monitored for known vulnerabilities (CVE tracking)
Security patches are applied on a risk-prioritised basis
The Processor accepts responsible disclosure reports at security@grcfy.com

9.6 Business Continuity

Regular automated backups of the platform database
Backup restoration procedures are tested periodically

Section 10

Personal Data Breach

10.1 Notification to Controller

The Processor shall notify the Controller without undue delay — and where feasible within 72 hours — after becoming aware of a Security Incident involving Personal Data processed under this DPA.

The notification shall include, to the extent then known:

A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected
The name and contact details of the Data Protection Officer or other contact point
The likely consequences of the Security Incident
The measures taken or proposed to address the incident and mitigate its effects

Where all information cannot be provided at once, the Processor shall provide it in phases without undue further delay.

10.2 Cooperation

The Processor shall cooperate with and assist the Controller in notifying the relevant supervisory authority and, where required, the affected Data Subjects, in accordance with the Controller's obligations under Applicable Data Protection Law.

10.3 Breach Contact

Security incidents should be reported to the Processor immediately at security@grcfy.com. The Processor will acknowledge all inbound security reports within 24 hours.

Section 11

Data Subject Rights

The Controller is responsible for responding to Data Subject rights requests. The Processor shall, taking into account the nature of the processing, assist the Controller in complying with such requests by providing the technical capabilities described below:

Right	Platform Capability
Access / Portability	Report exports (PDF/CSV) are available for all audit data. User profile data is accessible via the My Profile page. Full structured data export is available on written request to support@grcfy.com — the Processor will deliver the export within 30 days of receiving a valid request.
Correction	Users can update their own personal data (name, email, phone, job title, department) via the My Profile page. Administrators can update user records via the user management screens.
Erasure	Soft-delete is supported for all user, audit, and entity records. Permanent deletion ("force delete") is available to authorised platform administrators via the Recovery Vault, with mandatory reason logging. The Processor will process erasure requests from the Controller within 30 days.
Restriction	User accounts can be deactivated (access blocked) without deletion, preserving data in a restricted state.
Objection	Requests to cease specific processing activities should be directed to privacy@grcfy.com. The Processor will assess and respond within 30 days.

The Processor shall notify the Controller promptly if it receives any Data Subject rights request directly and shall not respond to such requests without the Controller's authorisation (except where required by applicable law).

Section 12

Data Retention & Deletion

12.1 Retention During Agreement

The Processor retains Personal Data for the duration of the active subscription agreement and as further described in the Privacy Policy.

12.2 Post-Termination Retention

Following subscription cancellation or expiry, a configurable grace period (default: 30 days) applies during which user accounts are deactivated but data remains accessible to authorised platform administrators. After the grace period, data enters the retention window (default: 90 days), at the end of which it becomes eligible for permanent deletion.

12.3 Deletion on Instruction

The Controller may request earlier deletion of specific records or all data at any time by contacting privacy@grcfy.com. The Processor shall permanently delete such data within 30 days of receiving a valid request, unless continued retention is required by law, and shall confirm deletion in writing.

12.4 Legal Retention Obligations

Certain records — including immutable audit trail logs, deletion request records, and subscription transaction records — may be retained by the Processor for longer periods where required by applicable law (e.g., DPDP Act Section 12 erasure records). The Processor shall identify any such obligations when responding to a deletion request.

12.5 Deletion Verification

All permanent deletions (force deletes) are logged immutably in the recovery_logs compliance database with a mandatory reason, the identity of the actor, timestamp, IP address, and the entity name. The Controller may request a copy of relevant deletion log entries.

Section 13

Audit & Inspection Rights

13.1 Documentation

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA on written request and with reasonable notice (not less than 30 days).

13.2 Third-Party Audits

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall:

Be conducted no more than once per 12-month period (unless required by a supervisory authority)
Be subject to reasonable advance notice (minimum 30 days)
Be conducted during normal business hours with minimum disruption to operations
Be bound by the confidentiality obligations in the Terms & Conditions
Be at the Controller's cost, unless the audit reveals material non-compliance by the Processor

13.3 Audit Trail Access

The Processor shall provide the Controller with read access to activity log exports (CSV) relating to the Controller's own tenant data on request, covering all events in the compliance log database for the Controller's organisation and its users.

Section 14

Liability

Each party shall be liable to the other for damages caused by a breach of this DPA in accordance with Applicable Data Protection Law and the liability limitations set out in the Terms & Conditions.

Where both parties are responsible for damage caused by processing in breach of Applicable Data Protection Law, each party shall be held liable for the damage caused by their own breach.

The Processor shall not be liable for any breach of this DPA that is caused by the Controller's instructions, configuration decisions, or failure to comply with the Controller's own obligations under this DPA or Applicable Data Protection Law.

The aggregate liability of either party under this DPA is subject to the same cap and exclusions as set out in Section 10 of the Terms & Conditions. This DPA does not expand either party's maximum liability beyond that cap.

Section 15

Governing Law

This DPA is governed by and construed in accordance with the laws of India. Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms & Conditions.

Where the Controller is established in the European Economic Area or the United Kingdom and processes Personal Data subject to the GDPR, the parties acknowledge that this DPA is intended to satisfy the requirements of GDPR Article 28. In the event of any conflict between this DPA and GDPR requirements, the more protective provision shall prevail.

Nothing in this DPA modifies or limits the rights or obligations of supervisory authorities under Applicable Data Protection Law.

Section 16

Execution & Updates

This DPA is incorporated by reference into the GRCfy Terms & Conditions. By accepting the Terms & Conditions (including through account creation, invitation acceptance, or continued use of the Platform), the Controller agrees to be bound by this DPA.

The Processor may update this DPA from time to time to reflect changes in applicable law, the sub-processor list, or platform capabilities. Material changes will be notified to the Controller with at least 30 days' notice. Continued use of the Platform after the effective date of any update constitutes acceptance.

For custom DPA execution (signed document, company letterhead, or supplementary clauses required by your procurement or legal team), contact legal@grcfy.com.

Execution Record

This DPA is accepted electronically by accepting the GRCfy Terms & Conditions. For organisations requiring a countersigned physical or PDF copy, contact legal@grcfy.com.

On behalf of the Controller

Customer Organisation

Authorised signatory / date

Name & title

On behalf of the Processor

GRCfy Technologies Private Ltd

Authorised signatory / date

Name & title