Last updated: April 9, 2026
This Data Processing Agreement ("DPA") is executed between Ramanathan Software Private Limited ("Data Processor") and the Customer ("Data Fiduciary") identified in the Master Sales Agreement ("MSA"), and governs the processing of Personal Data carried out by the Processor on behalf of the Fiduciary in connection with the Services.
This DPA becomes effective on the date last signed by both parties.
Ramanathan Software Private Limited
IndiQube Ascent, 420, Mahakavi Vemana Rd, KHB Block, Koramangala, Bengaluru, Karnataka 560034, India
Customer
As specified in the Master Sales Agreement signature page.
The Processor provides Services under the MSA and may receive, maintain, or transmit digital personal data on behalf of the Fiduciary. The parties are committed to complying with the Digital Personal Data Protection Act 2023 ("DPDPA"), the Information Technology Act 2000, and the rules and regulations issued thereunder.
This DPA sets out the rights and obligations of each party with respect to the processing of Personal Data.
The capitalized terms used in this DPA have the meanings set out below.
The Processor shall not use or disclose Personal Data except as permitted by this DPA, by the Fiduciary's written instructions, or by applicable law. The Processor will promptly inform the Fiduciary if it believes a Fiduciary instruction may infringe applicable law.
Processing will continue until the Fiduciary issues written cessation instructions. Upon receipt, the Processor will cease processing and restrict further use of the Personal Data in accordance with Section 5(g).
The Processor agrees to implement and maintain appropriate administrative, physical, and technical safeguards complying with the Security Standards for Protection of Digital Personal Data. Any sub-processor engaged by the Processor shall use safeguards no less stringent than those of the Processor.
Upon discovery of an actual Personal Data Breach, the Processor will report the breach in writing to the Fiduciary within five (5) business days. The notification will include:
Unsuccessful attempts at unauthorized access that do not result in a Personal Data Breach are not required to be reported.
The Processor will maintain and provide, upon the Fiduciary's request, the information necessary for the Fiduciary to provide Data Principals with an accounting of disclosures of their Personal Data.
The Processor will ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations and comply with the Processor's obligations under this DPA.
(a) Consent given by a Data Principal must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action signifying agreement to processing for a specified purpose.
(b) A Data Principal may withdraw consent at any time. The Fiduciary manages consent withdrawal and issues cessation instructions to the Processor as required.
(c) Upon receipt of the Fiduciary's written cessation instructions, the Processor will cease processing and restrict further use of the Personal Data in accordance with Section 5(g).
Processing without consent is permitted only for the following legitimate uses recognized under the DPDPA:
The Fiduciary carries the compliance duties and responsibility regarding the processing of Personal Data under the DPDPA.
The Fiduciary may engage the Processor only under a valid contract. This DPA constitutes a valid contract for the purposes of the DPDPA.
The Fiduciary will notify the Processor in writing when a Data Principal invokes correction, completion, updating, or erasure rights with respect to their Personal Data.
Where Personal Data forms the basis of a decision affecting the Data Principal, or is disclosed to another fiduciary, the Fiduciary ensures the Personal Data is complete, accurate, and consistent.
The Fiduciary implements appropriate technical and organizational measures and reasonable security safeguards to prevent Personal Data Breaches.
Upon discovering a Personal Data Breach, the Fiduciary notifies the Data Protection Board of India and the affected Data Principals in the form and manner prescribed by applicable law.
Upon receipt of cessation instructions, the Processor restricts active processing of the affected Personal Data. Where complete erasure is technically infeasible (for example, data stored in routine backups, archives, or audit logs), the Processor will extend the protections under this DPA to such retained data, restrict its use solely to the purposes that necessitated retention, and maintain those protections indefinitely. This obligation survives termination.
The Fiduciary ensures that Personal Data is retained only for as long as is necessary or as legally required, and issues timely written instructions to the Processor for restriction or return of the Personal Data.
The Processor will notify the Fiduciary prior to any cross-border data transfer or remote access from outside India, specifying the destination country, nature of the Personal Data, and purpose of transfer. All transfers shall comply with the DPDPA. The Processor ensures that equivalent data protection standards apply in the destination country. Remote access employs encryption, access controls, and audit logging. The Processor maintains records of all cross-border transfers.
The Fiduciary authorizes the Processor to engage the sub-processors set out in Schedule A. The Processor may not engage any sub-processor not on the list without the prior consent of the Fiduciary.
The Processor will provide the Fiduciary with at least fifteen (15) business days' notice of any intended addition to or removal from Schedule A. The Fiduciary may object within the notice period. If the objection cannot be resolved within a further fifteen (15) business days, either party may terminate the affected Services on thirty (30) days' notice without liability.
The Processor imposes obligations on each sub-processor no less stringent than the Processor's obligations under this DPA, by way of a written agreement. The Processor remains fully liable for the performance of its sub-processors.
The Processor maintains Schedule A and provides the current version to the Fiduciary upon request.
(a) Processing of Personal Data of Children must be carried out in a manner that is verifiably safe. The Fiduciary obtains verifiable parent or guardian consent prior to processing Personal Data of a Child, as required by applicable law.
(b) Neither party conducts tracking, behavioural monitoring, or targeted advertising directed at Children in connection with the Services.
The Fiduciary may audit the Processor's processing activities and security measures with at least thirty (30) calendar days' notice, no more than once per year (except where a Personal Data Breach has occurred).
Primary audit mechanism: the Processor will provide third-party audit reports, ISO 27001 and/or SOC 2 Type II certifications, and completed security questionnaires.
Secondary mechanism: where the documentation provided is insufficient to resolve a Fiduciary concern, the Fiduciary may request an on-site audit conducted during normal business hours in a manner that minimizes disruption, subject to reasonable confidentiality undertakings.
The Fiduciary bears the costs of audits unless a material breach is found, in which case the Processor bears the costs.
The Processor may use or disclose Personal Data for the functions specified by the Fiduciary, as permitted by applicable law and consistent with the Fiduciary's instructions.
The Processor may use Personal Data for its proper management and administration or to carry out its legal responsibilities, to the extent permitted by applicable law and consistent with the Fiduciary's instructions.
The Processor may disclose Personal Data to third parties for its proper management or administration or to fulfil legal responsibilities, provided that the disclosure is either required by law or that the third party provides written assurances of confidentiality, limited use, and breach notification.
The Processor may create de-identified or anonymized data in accordance with the Fiduciary's instructions and applicable law. The Processor may use de-identified data for data aggregation related to the Fiduciary's operations.
The Processor is not liable where the Data Principal or the Fiduciary: fails to comply with applicable law; impersonates another person; suppresses material information; registers a frivolous or vexatious grievance; or furnishes unverifiable information.
This DPA commences on the effective date and terminates upon termination of the MSA and any related agreements.
Upon becoming aware of a material breach of this DPA, the non-breaching party may: (i) immediately terminate this DPA if the breach creates a continuing and unmitigable risk to the confidentiality, integrity, or availability of Personal Data; or (ii) provide a thirty (30) calendar day cure notice, and terminate if the breach is not cured within that period.
Upon termination, the Processor will, at the Fiduciary's election, either return or restrict active processing of all Personal Data. Where return or complete erasure is infeasible (for example, data in backups, archives, or audit logs), the Processor will extend the protections of this DPA to such data, limit its use to the purposes that necessitated retention, and maintain those protections indefinitely. The Fiduciary bears the costs of any return. This section survives termination.
This DPA may be modified only by a written instrument executed by both parties. The parties will take such action as is necessary to amend this DPA as required to comply with applicable law.
A waiver of any breach by either party does not constitute a continuing waiver or a waiver of any subsequent breach.
This DPA confers no rights, remedies, obligations, or liabilities upon any party other than the Fiduciary and the Processor.
Each party indemnifies the other from claims arising from its acts or omissions in respect of the processing or disclosure of Personal Data. The Processor is not liable for the Fiduciary's configuration decisions, Fiduciary instructions, or the Fiduciary's failure to comply with applicable law.
Each party's aggregate liability under this DPA is limited to the fees paid by the Fiduciary under the MSA in the twelve (12) months preceding the event giving rise to the liability. This limitation does not apply to willful misconduct, gross negligence, or breach of confidentiality.
Written notices to the Processor should be sent to IndiQube Ascent, 420, Mahakavi Vemana Rd, KHB Block, Koramangala, Bengaluru, Karnataka 560034, India, marked for the attention of the Data Protection Officer (dpo@ramsoft.com). Notices to the Fiduciary should be sent to the address on the MSA signature page. Notices are deemed delivered on the date of personal delivery, on the third business day after dispatch by registered post, or on the next business day after dispatch by overnight courier.
Except as expressly set out in this DPA for the purpose of its implementation, the terms of the MSA remain in full force and effect. In the event of conflict regarding the processing of Personal Data, this DPA prevails.
This DPA is governed by the laws of India. The parties irrevocably submit to the exclusive jurisdiction of the courts of Bengaluru, Karnataka.
If any provision of this DPA is held to be invalid, the remaining provisions continue in full force and effect. The parties will negotiate in good faith a replacement provision that achieves the original intent.
This DPA, together with the MSA and Schedule A, constitutes the entire agreement between the parties regarding the processing of Personal Data, and supersedes all prior agreements on the subject.
Schedule A sets out the sub-processors authorized by the Fiduciary under Section 6(a). The current version of Schedule A is maintained by the Processor and is provided to the Fiduciary upon request.
To obtain the current Schedule A, contact the Data Protection Officer at dpo@ramsoft.com. Changes to Schedule A are subject to the notice and objection process described in Section 6(b).
For all matters relating to this DPA, contact the Data Protection Officer:
