DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement (“Agreement”) forms part of the agreement between the Customer and Sharaa Innovations Private Limited for the use of the HubbleMeet platform.
1. PARTIES
Data Processor:
Sharaa Innovations Private Limited
A company incorporated under the laws of India
Registered Office: [As per MCA records]
(“Processor” / “Sharaa”)
Authorized Signatory:
Name: Rajesh Reddy Telur
Title: Director
Email: rajesh@hubblemeet.com
Product: HubbleMeet
Data Controller:
The customer using HubbleMeet services (“Controller”).
2. DEFINITIONS
- “Applicable Data Protection Laws” means GDPR and any other applicable privacy laws.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” has the meaning given under GDPR.
- “Sub-processor” means any third party engaged by Processor to process Personal Data.
3. SCOPE & ROLES
3.1
The Controller determines the purposes and means of Processing Personal Data.
3.2
The Processor processes Personal Data solely on documented instructions from the Controller.
3.3
The parties agree that:
- Controller acts as Data Controller
- Sharaa Innovations Pvt Ltd acts as Data Processor
4. DETAILS OF PROCESSING
(As required under GDPR Article 28)
Details are specified in Annex I.
5. PROCESSOR OBLIGATIONS
The Processor shall:
- Process Personal Data only on documented instructions
- Ensure confidentiality of personnel
- Implement appropriate technical and organizational measures
- Assist Controller in responding to Data Subject requests
- Assist with compliance obligations under GDPR
- Delete or return Personal Data upon termination
- Make information available to demonstrate compliance
6. SECURITY MEASURES
6.1
The Processor implements security controls aligned with ISO 27001 and SOC 2 principles.
6.2
Security measures are described in Annex II.
6.3
Personal Data is protected against unauthorized access, disclosure, alteration, or loss.
7. PERSONAL DATA BREACH
7.1
The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach.
7.2
The notification shall include:
- Nature of breach
- Categories of data affected
- Mitigation steps taken
8. SUB-PROCESSORS
8.1
The Controller authorizes the use of Sub-processors listed in Annex III.
8.2
The Processor shall:
- Enter into written agreements with Sub-processors
- Impose equivalent data protection obligations
- Notify Controller of material changes with reasonable notice
9. INTERNATIONAL DATA TRANSFERS
9.1
Personal Data is currently processed only in India.
9.2
Any future international transfers shall occur only with:
Mechanism of Data Transfers
- The Processor processes Personal Data primarily within India using infrastructure hosted on Amazon Web Services (AWS) located in the Mumbai region.
- Where Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to or accessed from a country that does not ensure an adequate level of data protection as determined by applicable data protection laws, such transfers shall be conducted in accordance with approved transfer mechanisms.
- The approved transfer mechanisms include:
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, as incorporated by reference into this Agreement;
- Any replacement or updated clauses approved by a competent authority;
- Any other lawful data transfer mechanism recognized under Applicable Data Protection Laws.
- The Processor shall ensure that appropriate technical and organizational safeguards are implemented to protect Personal Data transferred internationally, including encryption, access controls, and incident response procedures.
- The Processor shall not transfer Personal Data internationally without ensuring that such transfer complies with Applicable Data Protection Laws and without providing reasonable notice to the Controller, where required.
10. DATA SUBJECT RIGHTS
The Processor shall assist the Controller in fulfilling obligations related to:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
11. AUDIT & COMPLIANCE
11.1
The Processor maintains compliance oversight via Scrut.
11.2
The Controller may request:
- Compliance questionnaires
- Certifications or audit summaries
11.3
On-site audits are limited to legally required circumstances.
12. DATA RETENTION & DELETION
12.1
Personal Data is retained only for the duration of the active account.
12.2
Upon termination, data shall be:
- Deleted, or
- Returned upon request
13. LIABILITY
Each party’s liability under this DPA shall be subject to the liability limitations set forth in the primary agreement between the parties.
14. GOVERNING LAW
This Agreement shall be governed by the laws of India, without prejudice to mandatory GDPR protections.
15. TERMINATION
This DPA shall terminate automatically upon termination of the underlying service agreement.
ANNEX I – PROCESSING DETAILS
Nature of Processing:
Secure messaging and professional networking
Purpose:
- Messaging and professional connections
- Account management
- Platform security
- Customer support
Categories of Personal Data:
- Name
- Email address
- Phone number
- Profile photo
Special Categories:
None
Data Subjects:
- Platform users
- Professional users
- Customer employees
ANNEX II – TECHNICAL & ORGANISATIONAL MEASURES
Technical Measures
- Encryption in transit (TLS)
- Encrypted storage
- Role-based access control
- AWS security controls
- Logging and monitoring
Organizational Measures
- Employee confidentiality obligations
- Least-privilege access
- Incident response procedures
- Vendor risk management
ANNEX III – APPROVED SUB-PROCESSORS
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting & infrastructure | India (Mumbai) |
| Google Workspace | Employee email & collaboration | Global |
| Razorpay | Payment processing | India |
16. SIGNATURES
For Sharaa Innovations Private Limited
Name: Rajesh Reddy Telur
Title: Director