Statutory Data Compliance Matrix
Data Processing Addendum (DPA)
Last Updated: May 21, 2026 | Enterprise Revision 5.0
CRITICAL STATUTORY COMPLIANCE NOTICE
This Data Processing Addendum (“DPA”) is an unseverable, legally binding extension of the Master Vendor Agreement of Vyaparies Technologies. Under Indian law, operating a commercial software database handling consumer data without this executed Addendum constitutes a statutory violation. By maintaining an active SaaS subscription or accessing the platform interface, the Vendor fully executes and accepts this DPA, and agrees to the absolute limitation of personal liability protecting the Sole Proprietor.
1. STATUTORY DEFINITIONS & REGULATORY MAPPING
All capitalized terminology utilized within this Addendum carries the exact legal definition prescribed under Section 2 of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its active Rules:
- Data Fiduciary: The entity determining the purpose and means of data processing. Under this DPA, the Vendor operates as the exclusive Data Fiduciary for all end-consumer records logged in their storefront.
- Data Processor: Any entity processing data strictly on behalf of a Fiduciary. Under this DPA, the Company (Vyaparies Technologies) operates strictly as a technical Data Processor.
- Data Principal: The human individual (the end-consumer, buyer, or debtor) to whom the personal data belongs.
- Personal Data Breach: Any unauthorized system leak, acquisition, or loss of access compromising the confidentiality or availability of the database snapshot.
2. ALLOCATION OF COMPLIANCE ROLES & DATA ASYMMETRY
The Parties contractually agree to the asymmetrical liability structure mandated by the DPDP Act. The Vendor acknowledges that statutory accountability for data collection consent cannot be outsourced to the software provider.
A. Vendor Obligations (The Fiduciary Burden):
The Vendor warrants they are the sole collector of the end-consumer's personal data. The Vendor is legally mandated to ensure a valid lawful basis (unambiguous, itemized, verifiable consent) exists prior to typing, uploading, or routing any customer records through the Platform's infrastructure.
B. Company Obligations (The Processor Pipeline):
The Company shall process data exclusively under the automated, documented instructions of the Vendor (e.g., executing a checkout script or running an NLP calculation). The Company exercises zero independent authority, ownership, or evaluation over the consumer profiles handled within the Vendor's isolated Next.js instance.
3. TRANSIENT BUFFER ISOLATION CHARTER FOR AI PARSING
The Khata Bahi engine incorporates a natural language processing (NLP) parser to transform unstructured text statements typed by the Vendor into structured accounting tables.
THE PIPELINE SEPARATION: The Vendor explicitly acknowledges that conversational strings containing unstructured consumer identities, medical notes, or debt entries are routed inside a highly volatile, short-lived transient system buffer.
Once the mathematical weights convert the unstructured string into a numeric array within the isolated store ledger, the raw unstructured text is immediately, permanently erased and anonymized.
Because the Company does not archive persistent copies of these unstructured inputs, the Vendor assumes 100% legal liability for securing verifiable consumer consent before typing data into the conversational UI. The Vendor fully indemnifies the Sole Proprietor against any DPDP Act statutory fines arising from un-consented conversational entries.
4. ENTERPRISE SECURITY SAFEGUARDS (RULE 6 COMPLIANCE)
To satisfy Rule 6 of the DPDP Rules, 2025, the Company implements enterprise-grade technical controls to secure the Next.js database snapshots against unauthorized extraction:
| Control Dimension | Technical Implementation Safeguard |
|---|---|
| Cryptographic Isolation | Mandatory Transport Layer Security (TLS 1.3) for payloads in transit; Advanced Encryption Standard (AES-256) for Next.js database snapshots at rest. |
| Anti-Scraping / Bot Defense | Deployment of API rate-limiters and IP telemetry tracking to instantly detect and block reverse-engineering or DDoS mass-extraction attempts. |
| Mandatory Log Retention | Automated system action logs are retained securely for a minimum of 1 (one) year to serve cybersecurity and government audit loops. |
5. CONTRACTUAL 24-HOUR BREACH ESCALATION ESCROW
Under Section 8(6) of the DPDP Act, the Data Fiduciary (the Vendor) holds the absolute statutory duty to report data breaches to the Data Protection Board of India (DPBI) and affected consumers within 72 hours.
THE ESCALATION DEADLINE: To secure this statutory window, the Company shall notify the Vendor in writing within 24 (twenty-four) hours of verifying any systemic Personal Data Breach affecting the Vendor's isolated consumer records.
The Company shall deliver an incident summary detailing the estimated extraction size and the immediate cryptographic lockdown measures deployed. The Vendor retains the sole, non-transferable duty to file the final reports with the DPBI. The Company assumes zero liability for regulatory fines if the Vendor fails to file their DPBI notice on time.
6. DATA ERASURE & THE 30-DAY DISCOVERY MITIGATION
Rule 8 Erasure Mandate: In strict alignment with data minimization rules, consumer records must be permanently erased once the subscription loop is broken.
The 30-Day Automated Purge Protocol:
Upon account termination, subscription lapse, or a profile freeze due to AUP violations, the Platform grants the Vendor a strict 30-day grace period. During this window, the Vendor must utilize the manual dashboard buttons to export their ledger metrics into CSV/Excel files.
On the 31st day, the Company's automated scripts execute a permanent, cryptographic shredding of that specific database snapshot. Data deletion is absolute and unrecoverable.
Legal Waiver: The Vendor explicitly waives any legal right to demand custom database discovery actions, data mining, or server log extractions from the Company after this 30-day timeline has expired under claims of “urgent” tax audits or consumer litigation.
7. SUBPROCESSOR DEPLOYMENT & FINTECH ISOLATION
- Infrastructure Authorization: The Vendor grants generalized authorization to the Company to engage enterprise sub-processors (AWS, Google Cloud, Razorpay) to maintain SaaS uptime, provided these entities are bound by equivalent DPDP Act protections.
- UPI Intent Fintech Isolation: As detailed in the Refund Policy, end-consumer payments operate exclusively on P2P UPI Intent payloads. Zero consumer transactional cash or financial routing credentials touch the Company's data processing pipelines. The Company is technically insulated from processing financial chargeback strings.
8. LIABILITY CAPPING & SATNA ARBITRATION VENUE LOCK
The 3-Month Matrix: Any regulatory fines, data loss claims, or privacy breach actions brought by the Vendor against the Company or its Sole Proprietor under this DPA shall be governed strictly by the liability cap detailed in the Master Vendor Agreement. The total aggregate liability is strictly capped at the total SaaS subscription fees actually paid by that Vendor in the 3 (three) months immediately preceding the breach event.
Mandatory Enterprise Arbitration: Any legal controversy, regulatory friction, or data dispute arising from this Addendum shall bypass open civil courts entirely. Disputes will be routed exclusively into confidential, binding arbitration governed by the Arbitration and Conciliation Act, 1996. The tribunal shall consist of a Sole Arbitrator appointed unilaterally by the Company. The seat, venue, and complete jurisdiction of the arbitration shall be locked strictly to Satna, Madhya Pradesh, India.
9. UNIFIED DATA COMPLIANCE GATEWAY
All data protection notices, breach escalations, or subprocessor audit requests arising under this Addendum must be explicitly submitted to our centralized inbox:
Designated Desk: Data Privacy Compliance & DPA Liaison
Corporate Identity: Vyaparies Technologies (Sole Proprietorship Framework)
Official Seat: Satna, Madhya Pradesh, India
Unified Inbox: support@vyaparies.com