Data Processing Addendum

For the purposes of the DPDP Act 2023, the customer is the data fiduciary for Customer Data uploaded to the platform. OnGravy acts as the data processor, processing such data only on the customer’s instructions to deliver the service.

OnGravy uses the following sub-processors. Use of each is necessary for the service. By accepting the Terms, you authorise these sub-processors. We will give 30 days’ notice of any new sub-processor; you may object by emailing grievance@ongravy.com.

We will notify you within 72 hours of becoming aware of a personal-data breach affecting your data, with the information required under DPDP §8(6) and follow-up details as the investigation progresses.

On termination, you can export everything for 30 days. After that, personal-identifying fields are anonymised; transaction-level audit records are retained for 7 years per Companies Act §128 (DPDP §17 legal exemption).

You may, no more than once per year, request a copy of our most recent security audit report or a SOC 2 Type II / ISO 27001 certificate (when available). We do not permit on-site audits at our infrastructure provider but will reasonably cooperate with your auditor.

DPA-related queries: support@ongravy.com. Privacy/DPDP rights: grievance@ongravy.com.