Data Processing Addendum

(India‑First, Global‑Ready)

Effective Date: 30 September 2025

Entity: ZopDev Technologies Pvt. Ltd. (“ZopDev”)


These appendices accompany and are incorporated into the ZopDev Master Terms (Core Terms). Unless stated otherwise, these appendices are governed by the same law and dispute resolution provisions as the Core Terms and use Bengaluru, Karnataka as the arbitration seat and venue.

1.1 Purpose & Parties

This DPA governs how ZopDev Technology Private Limited ("ZopDev", "we", "us") Processes Personal Data on behalf of Customer when providing the Services under the Subscription Agreement.

1.2 Key Definitions

  • Applicable Data Protection Laws: all privacy/data‑protection laws that apply to the Processing of Personal Data in connection with the Services, including India’s Digital Personal Data Protection Act, 2023 (DPDP) and implementing rules, and any other laws that apply by virtue of Customer’s locations, data subjects, or usage.

  • Controller / Data Fiduciary: the party that determines the purposes and means of Processing Personal Data (here, Customer).

  • Processor / Data Processor: the party that Processes Personal Data on behalf of the Controller (here, ZopDev and its Sub‑processors).

  • Personal Data: any data about an identified or identifiable individual that is Processed by ZopDev on Customer’s behalf.

  • Processing / Process: any operation performed on Personal Data, including collecting, recording, storing, using, disclosing, transferring, deleting, or otherwise handling.

  • Sub‑processor: a third party engaged by ZopDev to Process Personal Data on ZopDev’s behalf.

  • Security Incident: an unauthorized or unlawful access to, or loss, alteration, or disclosure of, Personal Data Processed by ZopDev that compromises its confidentiality, integrity, or availability.

1.3 Roles & Instructions

  • Customer is Controller/Data Fiduciary; ZopDev is Processor/Data Processor.

  • ZopDev will Process Personal Data solely on documented instructions from Customer, including via the Services’ configuration and APIs, except where required by law.

  • If ZopDev believes an instruction violates Applicable Laws, it will promptly inform Customer.

1.4 Nature, Purpose, and Duration

  • Nature/Purpose: to provide, maintain, secure, and support the Services (including hosting, storage, transmission, display, backup, logging, and troubleshooting).

  • Duration: for the Subscription Term and any post‑termination period required to return/delete data.

1.5 Confidentiality and Security

  • ZopDev ensures that authorized personnel are bound by confidentiality obligations and receive appropriate privacy/security training.

  • ZopDev maintains administrative, technical, and physical safeguards appropriate to the risk, as summarized in Appendix 4 — Security Practices and any product documentation. ZopDev will not materially reduce the overall security of the Services during a Subscription Term.

  • Certifications & Control Frameworks. ZopDev maintains SOC 2 Type II and ISO/IEC 27001 certifications for in‑scope systems supporting the Services. Independent auditors assess controls at least annually (SOC 2) and per the ISO 27001 certification cycle (annual surveillance with triennial recertification). Upon reasonable request and under NDA, ZopDev will provide the current SOC 2 Type II report (or summary), ISO 27001 certificate and scope statement, and the Statement of Applicability (or summary).

  • Scope Changes & Notice. If certification scope materially changes or a certification lapses, ZopDev will update its Security page and, where Customer is materially impacted, provide timely notice along with any compensating controls.

1.6 Sub‑processors

  • Customer authorizes ZopDev to appoint Sub‑processors. ZopDev will maintain a public list of current Sub‑processors at /legal/subprocessors and provide advance notice of new Sub‑processors.

  • ZopDev will enter into written terms with each Sub‑processor that provide materially no less protection than this DPA, and ZopDev remains responsible for each Sub‑processor’s performance.


1.7 Cross‑Border Transfers

  • ZopDev may Process Personal Data in India and other jurisdictions where it or its Sub‑processors operate.

  • ZopDev will implement appropriate contractual, technical, and organizational safeguards required by Applicable Laws for cross‑border transfers (for example, encryption in transit/at rest, access controls, data minimization).

  • Customer instructs ZopDev to transfer Personal Data as necessary to provide the Services, subject to these safeguards and any Customer regionalization settings or written instructions.

1.8 Assistance & Data Subject Rights

Taking into account the nature of Processing, ZopDev will assist Customer with reasonable technical and organizational measures to fulfill individuals’ rights requests (access, correction, erasure, portability, objection/consent management) as required by Applicable Laws. If ZopDev receives a request directly, it will forward it to Customer without undue delay.

1.9 Government & Third‑Party Requests

Unless prohibited by law, ZopDev will notify Customer of any legally binding request for disclosure of Personal Data. ZopDev will challenge unlawful or overbroad requests where reasonable.

1.10 Security Incidents

ZopDev will notify Customer without undue delay after becoming aware of a Security Incident involving Personal Data, provide information reasonably available for Customer to meet its obligations, and take reasonable steps to contain and remediate the incident.

1.11 Return & Deletion

At termination/expiry, Customer may export Personal Data via the Services. Upon Customer’s written request within 30 days, ZopDev will return available Personal Data in a reasonable format and then delete it from active systems, subject to legal holds and routine backups (which are later overwritten per retention schedules).

1.12 Audits

ZopDev will make available information demonstrating compliance (e.g., security summaries or independent assessment reports). Audit rights are primarily satisfied by third‑party audits. On reasonable notice and under NDA, ZopDev will provide:

  • the current SOC 2 Type II report (or executive summary),

  • the ISO/IEC 27001 certificate and scope statement, and the Statement of Applicability (or summary), and

  • executive summaries of recent third‑party penetration tests.

If, after reviewing these materials, Customer reasonably determines they are insufficient to meet a non‑delegable regulatory obligation, Customer may request an on‑site audit once per year (unless mandated by a regulator or following a Security Incident) upon 30 days’ notice, during business hours, subject to confidentiality and reasonable cost‑recovery. The parties will agree in advance on scope, duration, and personnel.

1.13 Precedence

In case of conflict between this DPA and other documents, this DPA controls for Processing of Personal Data.


Prepared by:
Talvinder Singh
— CEO & CMO, ZopDev Technologies Pvt. Ltd.
Date: 30 September 2025