Data Processing Agreement

Last Updated: April 21, 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Digia Commercial Agreement (the "Agreement") between Tinkerbox Technology Private Limited ("Company") and the entity identified as Customer in the Agreement ("Customer") and reflects the Parties' agreement regarding Processing of Personal Data by Company on behalf of Customer.

This DPA shall control with respect to the Parties' rights and obligations regarding the Processing of Customer Personal Data. The DPA takes effect on the effective date of the Agreement.

1. Definitions

"Data Subject", "Personal Data", "Processing", "Processor", and "Supervisory Authority" have the meanings given in applicable Data Protection Law.

"Controller" means the party determining the purpose and means of Processing Personal Data.

"Customer Personal Data" means any Customer Data constituting Personal Data and processed by Company to provide the Services.

"Data Protection Law" means all applicable laws and regulations relevant to Company's Processing of Customer Personal Data, including GDPR, UK data protection laws, India DPDP Act, CCPA and similar laws.

"Data Subject Rights" means rights to access, correction, deletion, portability, restriction, objection and related rights under applicable law.

"International Data Transfer" means any transfer requiring safeguards under applicable law.

"Personal Data Breach" means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

"Services" means services provided by Company under the Agreement.

"Subprocessor" means a Processor engaged by Company processing Customer Personal Data on behalf of Company.

"Standard Contractual Clauses" means EU SCCs, UK Addendum, UK IDTA, or similar lawful transfer mechanisms.

2. Processing of Personal Data

This DPA applies to Processing of Customer Personal Data by Company to provide Services as described in this DPA, the Agreement, and any statement of work.

The subject matter, nature, purpose of Processing, data types, and categories of Data Subjects are described in Appendix 1.

Where Customer is Controller and Company is Processor, controller-to-processor obligations apply.

Where Customer is Processor and Company acts on behalf of Customer, processor-to-processor obligations apply where required.

Company will notify Customer if Company believes a legal obligation requires Processing contrary to documented instructions.

Company will not sell Customer Personal Data or use it outside the purposes stated in the Agreement and this DPA.

3. Data Subject Request

If Company receives a Data Subject request relating to Customer Personal Data, Company will promptly notify Customer.

Company will not independently respond except where required by law or to redirect the requester to Customer.

Where Customer cannot respond itself, Company will provide reasonable assistance upon request.

4. Security and Personal Data Breaches

Authorized personnel are subject to confidentiality obligations.

Company complies with security obligations under applicable law.

Company maintains commercially reasonable technical and organisational security measures including those in Appendix 2.

Security measures may be updated provided overall security is not materially reduced.

Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data.

Company will investigate incidents and take reasonable remediation steps.

Company will provide timely available information including categories of affected Personal Data and Data Subjects where known.

5. Subprocessing

Customer grants general authorization for Company to engage Subprocessors.

Company will enter into written agreements imposing protections no less protective than this DPA.

Customer may object to a new Subprocessor on reasonable material data protection grounds by written notice.

The parties will work in good faith to resolve objections.

If unresolved, Customer may terminate the affected portion of Services as sole remedy.

6. Audit and Compliance

Upon written request no more than once every twelve (12) months, Company may make available information reasonably necessary to demonstrate compliance.

This may include summaries, internal controls documentation, certifications, or similar materials.

Company may satisfy requests through reports or summaries at its discretion.

Company maintains ISO-aligned internal controls.

7. International Data Transfers

This section applies where international transfers require safeguards.

Customer authorizes transfers to adequate jurisdictions, or transfers made under lawful safeguards or Standard Contractual Clauses.

All transfers remain subject to ongoing compliance with applicable law.

If law changes materially, parties will work in good faith to implement alternatives.

8. Limitation of Liability

Liability arising out of or relating to this DPA is subject to the limitations and exclusions in the Agreement.

9. Notifications

All notices under this DPA shall be made to Customer using contact information in the Agreement.

Notices to Company may be sent to info@digia.tech.

10. Termination and Return or Deletion

This DPA terminates automatically upon termination or expiration of the Agreement.

Customer may request return or deletion of Customer Personal Data up to ninety (90) days after termination.

Company may retain data where required by law or backup retention obligations.

Appendix 1 – List of Parties and Description of Processing

Data Exporter: Customer and authorized affiliates. Role: Controller / Processor.

Data Importer: Tinkerbox Technology Private Limited, Building No. 618P, Durga Colony, Jharsa Village, Sector 39, Gurugram, Haryana 122002, India. Contact: info@digia.tech. Role: Processor.

Categories of Data Subjects: Prospects, customers, app users, employees, contractors, vendors, and parties whose data is submitted by Customer.

Categories of Personal Data: Name, email, device IDs, internal user IDs, in-app events, campaign engagement metrics, contact details, usage data.

Purpose: To provide Digia Services.

Frequency of Transfers: Continuous during the Agreement term.

Appendix 2 – Security Measures

  • Information security policies reviewed periodically.
  • AWS India hosting environments with commercially reasonable protections.
  • Incident response procedures for reporting, triage and remediation.
  • Network protections against unauthorized access or disclosure.
  • Least-privilege access controls and deprovisioning processes.
  • Anti-malware protections where appropriate.
  • Security awareness training and confidentiality obligations.
  • Vendor safeguards for subprocessors.
  • Backup, disaster recovery, and continuity planning.