Data Processing Agreement (DPA)

    Last Updated: January 15, 2025
    Effective Date: January 15, 2025

    This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Actuals ("Processor," "we," "our," or "us") and you ("Controller," "Customer," or "you") regarding the processing of personal data in connection with our AI-powered analytics services.

    1. Definitions

    For the purposes of this DPA:

    • "Controller" means the entity that determines the purposes and means of processing personal data
    • "Processor" means the entity that processes personal data on behalf of the Controller
    • "Personal Data" has the meaning given in applicable Data Protection Laws
    • "Data Subject" means an identified or identifiable natural person
    • "Data Protection Laws" means GDPR, CCPA, and other applicable privacy regulations
    • "Processing" has the meaning given in applicable Data Protection Laws
    • "Sub-processor" means any third party engaged by Actuals to process personal data

    2. Scope and Applicability

    This DPA applies to all personal data processed by Actuals on behalf of the Customer in connection with our Services, including but not limited to:

    • Employee data uploaded for HR analytics
    • Customer data processed for business intelligence
    • Financial data containing personal identifiers
    • Any other personal data within business datasets

    3. Roles and Responsibilities

    3.1 Customer as Data Controller

    The Customer acts as the Data Controller and is responsible for:

    • Determining the purposes and means of processing personal data
    • Ensuring lawful basis for processing under applicable Data Protection Laws
    • Obtaining necessary consents from data subjects
    • Providing appropriate privacy notices to data subjects
    • Responding to data subject requests and complaints
    • Conducting Data Protection Impact Assessments (DPIAs) where required
    • Ensuring data accuracy and minimization

    3.2 Actuals as Data Processor

    Actuals acts as the Data Processor and will:

    • Process personal data only on documented instructions from the Customer
    • Ensure confidentiality of personal data
    • Implement appropriate technical and organizational measures
    • Assist with data subject requests and regulatory compliance
    • Notify the Customer of any personal data breaches without undue delay, as set out in Section 9
    • Delete or return personal data upon termination of services
    • Maintain records of processing activities

    4. Processing Instructions

    4.1 Documented Instructions

    Actuals will process personal data only on the basis of documented instructions from the Customer, including:

    • Initial instructions set out in the Terms and Conditions
    • Additional instructions provided through the platform interface
    • Written instructions provided via email or support channels
    • Configuration settings within the analytics platform

    4.2 Prohibited Processing

    Actuals will not:

    • Process personal data for purposes other than those instructed
    • Sell, rent, or otherwise commercialize personal data
    • Use personal data for marketing purposes without consent
    • Combine personal data with other datasets without authorization
    • Transfer personal data to unauthorized third parties

    5. Technical and Organizational Measures

    5.1 Security Measures

    Actuals implements the following security measures:

    • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
    • Access Controls: Role-based access control with multi-factor authentication
    • Network Security: Firewalls, intrusion detection, and network segmentation
    • Monitoring: 24/7 security monitoring and incident response
    • Backup and Recovery: Regular backups with tested recovery procedures
    • Vulnerability Management: Regular security assessments and penetration testing

    5.2 Organizational Measures

    • Staff Training: Regular privacy and security training for all employees
    • Background Checks: Screening of personnel with access to personal data
    • Confidentiality: Contractual confidentiality obligations for all staff
    • Data Minimization: Processing only necessary personal data
    • Retention Policies: Automated deletion based on retention schedules

    6. Sub-processing

    6.1 Authorized Sub-processors

    The Customer provides general authorization for Actuals to engage sub-processors, subject to the conditions set out in this DPA. Current sub-processors include:

    • Amazon Web Services (AWS): Cloud hosting and infrastructure
    • Google Cloud Platform: AI/ML services and analytics
    • Microsoft Azure: Additional cloud services
    • Stripe: Payment processing services

    6.2 Sub-processor Requirements

    All sub-processors must:

    • Provide sufficient guarantees of data protection compliance
    • Enter into written agreements with equivalent data protection obligations
    • Implement appropriate technical and organizational measures
    • Allow for audits and inspections

    6.3 Changes to Sub-processors

    Actuals will notify the Customer of any intended changes to sub-processors at least 30 days in advance. The Customer may object to such changes within 14 days of notification.

    7. International Data Transfers

    7.1 Transfer Mechanisms

    For transfers of personal data outside the EEA, Actuals ensures appropriate safeguards through:

    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • Adequacy decisions by the European Commission
    • Binding Corporate Rules where applicable
    • Certification schemes and codes of conduct

    7.2 Transfer Impact Assessment

    Actuals conducts Transfer Impact Assessments (TIAs) for all international transfers to ensure adequate protection of personal data in the destination country.

    8. Data Subject Rights

    8.1 Assistance with Data Subject Requests

    Actuals will assist the Customer in responding to data subject requests, including:

    • Access requests: Providing copies of personal data
    • Rectification requests: Correcting inaccurate personal data
    • Erasure requests: Deleting personal data where required
    • Portability requests: Providing data in a structured format
    • Restriction requests: Limiting processing of personal data
    • Objection requests: Stopping processing based on legitimate interests

    8.2 Response Timeline

    Actuals will respond to Customer requests for assistance within 10 business days and provide all necessary information to enable the Customer to respond to data subjects within the required timeframes.

    9. Data Breach Notification

    9.1 Breach Notification Process

    In the event of a personal data breach, Actuals will:

    • Notify the Customer without undue delay, and in any event within 24 hours of becoming aware of the breach
    • Provide all available information about the breach
    • Assist with regulatory notifications where required
    • Implement immediate containment and remediation measures
    • Provide regular updates on the investigation and remediation

    9.2 Breach Information

    Breach notifications will include:

    • Description of the nature of the breach
    • Categories and approximate number of data subjects affected
    • Categories and approximate number of personal data records affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach

    10. Audits and Inspections

    10.1 Audit Rights

    The Customer has the right to conduct audits and inspections of Actuals' data processing activities, subject to:

    • Reasonable advance notice (at least 30 days)
    • Execution of appropriate confidentiality agreements
    • Limitation to normal business hours
    • Reimbursement of reasonable costs incurred by Actuals

    10.2 Audit Alternatives

    Instead of on-site audits, Actuals may provide:

    • Third-party audit reports and certifications (SOC 2 reports, ISO 27001 certification)
    • Penetration testing reports
    • Security questionnaires and assessments
    • Compliance documentation and policies

    11. Data Retention and Deletion

    11.1 Retention Period

    Actuals will retain personal data only for the duration necessary to provide the Services and as instructed by the Customer, unless longer retention is required by law.

    11.2 Data Deletion

    Upon termination of the Services or upon Customer request, and except where longer retention is required by law as described in Section 11.1, Actuals will:

    • Delete all personal data within 30 days
    • Provide written certification of deletion upon request
    • Ensure deletion from all systems, including backups
    • Require the same deletion from all sub-processors that received the personal data

    12. Liability and Indemnification

    12.1 Liability Allocation

    Each party will be liable for damages caused by its own breach of this DPA. Actuals' liability is limited to damages directly caused by its failure to comply with this DPA.

    12.2 Regulatory Fines

    Each party will be responsible for regulatory fines imposed due to its own non-compliance with Data Protection Laws.

    13. Term and Termination

    This DPA will remain in effect for the duration of the Terms and Conditions and will automatically terminate upon termination of the Services. Provisions relating to data deletion, confidentiality, and liability will survive termination.

    14. Amendments

    Except as provided in the next sentence, this DPA may only be amended in writing signed by both parties. Actuals may update this DPA to reflect changes in Data Protection Laws, provided that such updates do not materially reduce the level of protection afforded to personal data under this DPA.

    15. Governing Law and Jurisdiction

    This DPA is governed by the laws of India. For EU customers, this DPA is also governed by the GDPR and the laws of the Customer's jurisdiction where more protective.

    16. Contact Information

    Data Protection Officer

    Name: Saurabh Srivastava

    Email: privacy@actuals.co.in

    Phone: +91 8073 879 031

    Address: L 148, 5TH MAIN, HSR LAYOUT, 6TH SECTOR, BANGALORE SOUTH HSR LAYOUT, BANGALORE-560102, India