Legal Documentation
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Stratops Solutions Pvt Ltd ("DPDPOne") and the Customer. By using the DPDPOne platform, the Customer accepts the terms of this DPA.
1. Parties
Data Processor: Stratops Solutions Pvt Ltd, operating as DPDPOne, a company incorporated under the Companies Act 2013, with registered address in Bengaluru, Karnataka, India.
Data Fiduciary (Customer): The organisation or individual that has created a DPDPOne account and accepted the Terms of Service. The Customer acts as the Data Fiduciary under the DPDPA for the personal data it enters into, or that is collected through, the DPDPOne platform.
2. Definitions
Terms used in this DPA carry the meanings assigned to them in the Digital Personal Data Protection Act 2023 ("DPDPA") and the DPDP Rules. In addition:
"Personal Data" — Any data about an individual who is identifiable by or in relation to such data, as defined in Section 2(t) of the DPDPA.
"Processing" — Any operation performed on personal data, including collection, storage, use, sharing, disclosure, deletion, or destruction.
"Data Principal" — The individual to whom the personal data relates, as defined in Section 2(j) of the DPDPA.
"Customer Data" — All personal data that the Customer, or its authorised users, inputs into, generates within, or transmits through the DPDPOne platform in connection with its use of the service.
"Sub-Processor" — Any third party engaged by DPDPOne to process Customer Data in connection with the provision of the DPDPOne service.
3. Subject Matter, Duration, and Nature of Processing
Subject matter: DPDPOne provides a DPDPA compliance management platform. In the course of providing this service, DPDPOne processes Customer Data on behalf of the Customer.
Duration: This DPA applies for the duration of the Customer's active subscription to DPDPOne and for the retention period specified in Clause 11.
Nature of processing: Storage, retrieval, display, analysis, and transmission of Customer Data as necessary to provide the DPDPOne platform services.
Purpose of processing: To provide the DPDPOne DPDPA compliance management service as described in the product documentation and Terms of Service.
3.1 Categories of personal data processed
The following categories of personal data may be processed by DPDPOne on behalf of the Customer:
- Account and profile data — names, email addresses, designations of the Customer's authorised users
- RoPA data — descriptions of the Customer's data processing activities, which may reference categories of personal data the Customer processes
- Rights request data — names, email addresses, and request details of Data Principals submitting rights requests through the Customer's rights portal
- Breach incident data — descriptions of incidents reported through the breach workflow module
- Evidence documents — files uploaded by the Customer to the Evidence Library, which may contain personal data
- Assessment data — responses to compliance assessment questions, which may contain organisational and operational details
3.2 Categories of data subjects
- The Customer's authorised platform users (employees, contractors)
- Data Principals who submit rights requests through the Customer's rights portal
- Any individuals whose personal data is referenced in Customer-created records (RoPA entries, breach reports, evidence documents)
4. Customer Obligations
The Customer, as the Data Fiduciary, is responsible for:
- Ensuring it has a lawful basis (consent or legitimate use under DPDPA Section 7) for all personal data it enters into the DPDPOne platform.
- Providing accurate and complete information to Data Principals about the use of DPDPOne in processing their data, including in the Customer's own privacy notice.
- Ensuring that its authorised users access the platform only for legitimate purposes within the scope of this DPA.
- Promptly notifying DPDPOne if it becomes aware of any unauthorised use of its account or any breach involving Customer Data.
- Complying with all applicable provisions of the DPDPA and DPDP Rules in connection with its use of the platform.
5. DPDPOne Obligations as Data Processor
5.1 Processing on instructions only
DPDPOne shall process Customer Data only on the documented instructions of the Customer as set out in this DPA and the Terms of Service. DPDPOne shall not process Customer Data for any purpose other than providing the DPDPOne service. If DPDPOne is required by law to process Customer Data for any other purpose, it shall notify the Customer before doing so, unless prohibited by law.
5.2 Confidentiality
DPDPOne shall ensure that all personnel authorised to process Customer Data are bound by appropriate confidentiality obligations. Access to Customer Data is restricted to personnel who require it for the provision of the DPDPOne service.
5.3 Security measures
DPDPOne implements and maintains appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of Customer Data in transit using TLS 1.2 or higher
- Encryption of Customer Data at rest within the Supabase database
- Row-level security controls ensuring each Customer can access only their own data
- Access controls with authentication requirements for all platform users
- Regular security reviews of the platform infrastructure
- Data stored exclusively within India on AWS Mumbai (ap-south-1) infrastructure
5.4 Data Principal rights assistance
DPDPOne shall assist the Customer in fulfilling its obligations to respond to Data Principal rights requests, by providing the technical capabilities within the platform (Rights Portal) to receive, track, and respond to access, correction, erasure, and nomination requests. The Customer remains responsible for the substantive response to each rights request.
5.5 Breach notification
In the event of a personal data breach involving Customer Data, DPDPOne shall notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include, to the extent known at the time: the nature of the breach, the categories and approximate volume of Customer Data affected, the likely consequences, and the measures taken or proposed to address the breach. DPDPOne shall cooperate with the Customer in meeting the Customer's own breach notification obligations under Section 8(6) of the DPDPA.
6. Sub-Processors
The Customer grants DPDPOne a general authorisation to engage the following sub-processors in connection with the provision of the DPDPOne service. DPDPOne shall ensure that each sub-processor is bound by data protection obligations equivalent to those in this DPA.
| Sub-Processor | Service | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure (EC2, S3) | India (ap-south-1) | All Customer Data — primary storage |
| Supabase | Database and authentication | India (via AWS Mumbai) | Customer Data, user accounts, session data |
| Razorpay | Payment processing | India | Billing and payment data only — no compliance data |
| ZeptoMail (Zoho) | Transactional email | India | Email addresses, notification content |
| Anthropic PBC | AI drafting assistance | United States | Organisation name and sector only — see Clause 7 |
DPDPOne shall notify the Customer of any intended addition or replacement of sub-processors by updating this DPA. The Customer may object to a new sub-processor within 14 days of notification.
7. International Data Transfers — Anthropic Claude API
Important disclosure — cross-border data transfer
DPDPOne uses the Anthropic Claude API (Anthropic PBC, United States) to provide AI-assisted notice drafting and action plan personalisation within the platform.
When a Customer uses the Notice Generator or AI-assisted action plan features, the following limited data is transmitted to the Anthropic Claude API:
- The Customer's organisation name
- The Customer's sector/industry type
- The compliance gap identifiers relevant to the action plan
The following data is never transmitted to the Anthropic Claude API: any personal data of Data Principals, any individual names or contact details, any sensitive personal data, any breach details, any rights request information, or any data from the Evidence Library.
Anthropic PBC processes API data under its API Data Processing terms. Anthropic does not use API input or output to train its models by default. Data transmitted to the API is not stored by Anthropic beyond the processing of the specific request.
Customers who do not wish to use features that involve the Anthropic Claude API may use all other DPDPOne modules without triggering any cross-border data transfer.
8. Audit Rights
The Customer may, upon reasonable notice of not less than 30 days and at the Customer's expense, request an audit of DPDPOne's data processing activities relevant to Customer Data. DPDPOne may satisfy this obligation by providing a written summary of its security and data protection measures, third-party audit reports (where available), or by allowing a mutually agreed independent auditor to conduct an assessment. Audits shall be conducted in a manner that does not unreasonably disrupt DPDPOne's business operations or compromise the data of other customers.
9. Data Retention and Deletion on Termination
Upon termination or expiry of the Customer's subscription, DPDPOne shall:
- Retain Customer Data for 30 days following the termination date, during which the Customer may export their data through the platform's export functions.
- After the 30-day period, permanently delete Customer Data from all active production systems within 60 days of termination.
- Backup copies of Customer Data will be purged in accordance with DPDPOne's standard backup rotation schedule, which completes within 90 days.
- Upon the Customer's written request, provide a written confirmation that Customer Data has been deleted.
The Customer is responsible for exporting all data it requires before the end of the 30-day retention window. DPDPOne provides data export functionality within the platform for this purpose.
10. Liability
DPDPOne's liability under this DPA shall be subject to the limitations and exclusions set out in the Terms of Service. Each party shall be responsible for its own violations of applicable data protection law. DPDPOne's total aggregate liability under this DPA shall not exceed the fees paid by the Customer to DPDPOne in the 12 months preceding the event giving rise to the claim.
11. Governing Law and Jurisdiction
This DPA shall be governed by the laws of India, including the Digital Personal Data Protection Act 2023 and the DPDP Rules. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Bengaluru, Karnataka, India.
12. Entire Agreement and Amendments
This DPA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the processing of Customer Data. DPDPOne may amend this DPA to reflect changes in applicable law, new sub-processors, or changes to the platform. Material amendments will be notified to Customers with 30 days' notice. Continued use of the platform after the notice period constitutes acceptance of the amended DPA.
Data Processing Agreement v1.0 · June 2026 · Stratops Solutions Pvt Ltd · hello@dpdpone.com