Data Processing Agreement (DPA)

1. Definitions

"Controller" means you, the customer, who determines the purposes and means of processing personal data via the Aditya Labs platform.

"Processor" means B Mohan, trading as Aditya Labs, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.

"Sub-processor" means any third party engaged by Aditya Labs to process Personal Data.

2. Scope of Processing

Aditya Labs processes Personal Data solely to provide the Services as described in the Terms of Service, including:

• Chat conversations between AI agents and end-users (visitors, leads, customers)
• Lead capture data submitted through widgets (name, email, phone, company)
• Account data for authentication and billing
• Usage analytics and agent performance metrics

3. Data Protection Obligations

Aditya Labs shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure all personnel processing data are bound by confidentiality obligations
• Implement appropriate technical and organisational measures (256-bit AES encryption at rest and in transit, DLP engine, access controls)
• Not engage another processor without prior written authorisation
• Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability)
• Delete or return all Personal Data upon termination, within 30 days
• Make available all information necessary to demonstrate compliance and allow audits

4. Sub-processors

Aditya Labs uses the following sub-processors:

All sub-processors maintain their own DPAs and comply with GDPR requirements. We will notify you of any changes to sub-processors with 30 days' notice.

5. International Transfers

Where Personal Data is transferred outside the UK/EEA, Aditya Labs ensures appropriate safeguards via Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK ICO's International Data Transfer Agreement (IDTA).

6. Data Breach Notification

Aditya Labs will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach (GDPR Article 33). Notification includes: nature of breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.

7. Data Retention & Deletion

• Chat data: retained for 90 days for analytics, then auto-purged
• Account data: retained while account is active
• Execution logs: retained for 1 year
• Upon account closure: all data deleted within 30 days
• Data subject deletion requests: processed within 30 days

8. Security Measures

• 256-bit AES encryption at rest and TLS 1.3 in transit
• Data Loss Prevention (DLP) engine scanning all inputs for sensitive data patterns
• Row-level security (RLS) in database for data isolation between customers
• HMAC-SHA256 webhook signature verification on all inbound integrations
• Circuit breaker architecture preventing cascading failures
• Automated self-healing health checks with incident management
• Middleware security layers including CSRF protection and rate limiting
• Immutable audit trail for all data access and modifications

9. Contact

For DPA-related queries, data subject requests, or to request a countersigned copy:

Email: legal@adityalabs.ai
General: hello@adityalabs.ai
Website: adityalabs.ai