1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1) and DPDPA Section 2(t).
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Processor" means Aerele Technologies Pvt Ltd, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission for international data transfers.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only as necessary to perform the services contracted by the Controller, which may include:
- Software development and customization
- Technical support and maintenance
- System integration and data migration
- Bug fixing, performance optimization, and code review
- Any other services as specified in the service agreement
The categories of data subjects and types of Personal Data processed are determined by the Controller and the nature of the services. These may include but are not limited to: names, email addresses, business contact information, system user data, transaction data, and support ticket content.
3. Obligations of the Processor
The Processor shall:
- Process on instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law – in which case the Processor shall inform the Controller of that legal requirement before processing, unless legally prohibited from doing so.
- Confidentiality: Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32, including:
  - Encryption of Personal Data in transit and at rest
  - Access controls limiting data access to authorized personnel
  - Regular assessment of security measures
  - Ability to restore availability and access to data in a timely manner
- Sub-processing: Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. Where general written authorization is given, the Processor shall inform the Controller of any intended changes and provide the Controller an opportunity to object.
- Assistance: Assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection).
- Breach notification: Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach. The notification shall include:
  - Description of the nature of the breach
  - Categories and approximate number of data subjects affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
- Deletion or return: At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Audit: Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection provisions.
4. Sub-Processors
The Processor may engage the following categories of sub-processors in the performance of its services:
- Cloud infrastructure providers – for hosting and data storage
- Communication tools – for team collaboration and client communication
Where the Processor engages a sub-processor:
- The Processor shall impose equivalent data protection obligations on the sub-processor by way of a contract
- The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations
- The Controller will be notified of any new sub-processors with sufficient advance notice to object
5. International Data Transfers
The Processor is located in India. Where Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to the Processor, the parties agree that:
- The Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) shall apply to such transfers and are hereby incorporated by reference
- For Module Two (Controller to Processor): the Controller is the "data exporter" and the Processor is the "data importer"
- For Module Three (Processor to Sub-processor): where the Controller is itself a processor, the Processor is the "data exporter" and sub-processors are "data importers"
- The Processor shall implement supplementary measures where necessary to ensure the level of protection required by EU law
6. DPDPA Compliance (India)
Where the Processing of Personal Data falls within the scope of India's Digital Personal Data Protection Act, 2023:
- The Processor shall process Personal Data only for the purposes authorized by the Controller (as Data Fiduciary)
- The Processor shall implement reasonable security safeguards to protect Personal Data
- The Processor shall assist the Controller in responding to Data Principal rights requests
- The Processor shall notify the Controller of any Personal Data breach in accordance with Section 8 of the DPDPA
- The Processor shall delete Personal Data upon the Controller's instruction or upon completion of the processing purpose
7. Security Measures
The Processor maintains the following technical and organizational security measures:
Technical Measures
- Encryption of data in transit using TLS 1.2+
- Encryption of data at rest where applicable
- Role-based access controls with least-privilege principle
- Multi-factor authentication for access to systems containing Personal Data
- Secure software development lifecycle practices
- Regular security assessments and vulnerability management
Organizational Measures
- Confidentiality agreements with all personnel
- Data protection awareness and training
- Access limited to personnel who require it for service delivery
- Incident response and data breach procedures
- Regular review and updates of security measures
8. Duration and Termination
This DPA shall remain in effect for the duration of the service agreement between the parties. Upon termination of the service agreement:
- The Processor shall, at the Controller's election, return or delete all Personal Data within 30 days
- The Processor shall certify in writing that all Personal Data has been deleted, unless applicable law requires continued storage
- Obligations regarding confidentiality and data protection survive termination
9. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the service agreement between the parties. Nothing in this DPA limits either party's liability for breaches of data protection obligations that cannot be limited under applicable law.
10. Governing Law
This DPA shall be governed by the laws that govern the service agreement between the parties. For matters specifically related to GDPR, the applicable provisions of EU law shall apply. For matters related to the DPDPA, the laws of India shall apply.
11. Contact
For questions or requests regarding this Data Processing Agreement:
Aerele Technologies Pvt Ltd
Data Protection Contact: privacy@aerele.in
General: hello@aerele.in
Phone: +91 77908 44832
Address: Tiruppur, Tamil Nadu, India