Data Processing Agreement
1. Parties + scope
This Data Processing Agreement ("DPA") is entered into between the OnGravy customer ("Data Fiduciary" / "Controller") and OnGravy Technologies Pvt. Ltd., Goa, India ("Data Processor") and is incorporated by reference into the OnGravy Terms of Service. It governs personal data and business data processed by OnGravy on behalf of the customer.
2. Definitions
- "DPDP Act" means the Digital Personal Data Protection Act, 2023.
- "Data Principal" means an individual to whom personal data relates (Sec 2(j) DPDP Act).
- "Data Fiduciary" means the customer who alone or jointly determines the purpose and means of processing personal data (Sec 2(i) DPDP Act).
- "Data Processor" means OnGravy Technologies Pvt. Ltd., processing personal data on behalf of a Data Fiduciary (Sec 2(k) DPDP Act).
- "Personal Data" includes any data about an identifiable individual: names, phone numbers, PAN, GSTIN of proprietors, employee details, etc.
- "Sensitive Personal Data": financial information, medical records, biometrics, official identifiers.
- "Sub-processor": any third party engaged by OnGravy to process personal data (e.g., Supabase for storage, Razorpay for payments).
3. Subject matter + duration
OnGravy processes personal data only to provide the contracted services. Processing lasts for the customer's subscription term plus a 90-day retention period during which the customer may export its data; after that the data is permanently deleted, subject only to the legal retention exceptions set out in Section 14.
4. Nature + purpose of processing
- Storage and processing of accounting + tax data
- Generation of GST / TDS / ITR returns and filings
- Bank reconciliation + invoice processing
- Communication via WhatsApp / email / SMS / web push
- Customer-side AI features (bill OCR, anomaly detection)
- Compliance reporting to government portals (GSTN, MCA21, TRACES) at customer's direction
5. Categories of Data Principals + data
- Customer's own employees, directors, partners: names, contact, PAN, Aadhaar (only when required), salary
- Customer's clients/customers: name, GSTIN, address, contact, transaction history
- Customer's vendors: name, GSTIN, contact, transaction history
- Bank statements + financial transactions (sensitive)
- Documents uploaded by customer (invoices, bank statements, contracts)
6. Customer (Fiduciary) obligations
- Obtain valid consent from Data Principals (Sec 6 DPDP Act) before submitting their personal data to OnGravy
- Provide accurate notice to Data Principals about purpose of processing (Sec 5 DPDP Act)
- Respond to Data Principal rights requests (access / correction / erasure / grievance)
- Notify OnGravy if a Data Principal exercises rights affecting data on OnGravy systems
- Customer is the Data Fiduciary; OnGravy will act only on documented instructions
7. OnGravy (Processor) obligations
- Process personal data only for the contracted purposes: no secondary use, no sale
- Maintain technical + organisational security measures (reasonable security safeguards, Sec 8(5) DPDP Act): encryption in transit (TLS 1.2+) + at rest (AES-256), access controls, audit logging, 7-year audit-log retention
- Notify customer of any personal-data breach without undue delay, and in any case within 72 hours of OnGravy becoming aware of it, so that the customer can meet its own duty under Sec 8(6) to notify the Data Protection Board and affected Data Principals
- Delete or return personal data on termination (90-day export window, then permanent deletion)
- Sub-processor list maintained at /privacy/sub-processors with 30 days advance notice of additions
- Annual security review + incident response runbook (available on request)
8. Data residency
Personal Data at rest is stored in India (Mumbai region, AWS ap-south-1 via Supabase). Personal data leaves India only where a service in the sub-processor list processes it outside India and no India-hosted alternative exists for that function (e.g., the WhatsApp Cloud API, which routes through Meta's infrastructure; Resend for email delivery; and Anthropic / OpenAI inference when the customer enables AI features). All such cross-border transfers are flagged in our sub-processor list.
9. Sub-processors
OnGravy uses the following sub-processors. Customer consent to these is deemed given on signup; new additions require 30 days' notice and carry a right to object.
- Supabase (database + auth): Mumbai region
- Vercel (hosting): Mumbai + Singapore edges
- Razorpay (payments): India
- AWS S3 (file storage): Mumbai
- Resend (email delivery): global
- Twilio / Meta WhatsApp Business API: India + global
- Sentry (error tracking): opt-out available
- Anthropic + OpenAI (AI inference): only when the customer enables AI features; document contents sent for OCR or anomaly detection are processed outside India
10. Data Principal rights
Data Principals have the right to (Sec 11-14 DPDP Act): access their personal data, request correction, request erasure, grievance redressal, and nominate a representative. OnGravy supports these via the customer's admin panel (/dashboard/settings/privacy), and a Data Principal can also write to privacy@ongravy.in directly. Where the customer is the Data Fiduciary, primary responsibility for responding is the customer's; OnGravy assists.
11. Security measures
- TLS 1.2+ for all data in transit
- AES-256 at rest (Supabase managed, customer-side encryption available for sensitive fields)
- Role-based access control with audit log of every access
- Multi-factor authentication for staff access
- Network isolation: Supabase service-role keys are held server-side only and are never shipped to browser clients
- Annual penetration testing
- SOC 2 Type 2 audit window opens June 2026
12. Audit rights
Customer may audit OnGravy's compliance with this DPA on 30 days written notice, no more than once per year, at customer's expense, during normal business hours and subject to NDA. Where audit findings disclose material breach, OnGravy will remediate within 60 days and refund the audit cost.
13. Liability
Liability for personal-data breaches is limited as set out in the OnGravy Terms of Service (capped at 3 months' subscription fees). Where the breach is caused by OnGravy's gross negligence or wilful misconduct, this cap does not apply.
14. Term + termination
This DPA is in force for the duration of the OnGravy subscription. On termination, the customer can export all personal data within 90 days. After 90 days, OnGravy permanently deletes all customer data unless legal retention obligations apply (e.g., the 7-year audit-log retention under the Companies Act referred to in Section 7).
15. Governing law
This DPA is governed by the laws of India. Disputes are resolved in courts of Goa, India. Conflicts with the OnGravy Terms of Service: this DPA prevails on personal-data matters.
16. Contact
Privacy Officer: privacy@ongravy.in; Grievance Officer: grievance@ongravy.in (grievance redressal under DPDP Act Sec 13; OnGravy responds within 30 days).