Data Processing Addendum
Effective 1 January 2026 · Last updated 1 January 2026
This Data Processing Addendum ("DPA") forms part of our Terms of Service and applies whenever Avatar Technologies processes Personal Data on behalf of a Customer in the course of providing the Aurex ERP platform. It is automatically incorporated into your subscription agreement; no separate signature is required.
1. Definitions
- Customer — the entity that has signed up for a Workspace (Aurex ERP subscription).
- Provider — Avatar Technologies.
- Personal Data — any data relating to an identified or identifiable natural person that the Customer uploads or enters into the Service.
- Data Fiduciary / Data Controller — the Customer.
- Data Processor — the Provider, when processing Personal Data on behalf of the Customer.
- Sub-processor — a third party engaged by the Provider that processes Personal Data on behalf of the Customer.
- Data Principal — the natural person to whom the Personal Data relates.
- Applicable Privacy Law — DPDPA 2023, IT Act and Rules, and any other privacy law applicable to either party.
2. Roles and scope
The Customer is the Data Fiduciary in respect of Personal Data uploaded into the Service. The Provider is the Data Processor and processes Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to act otherwise by law.
The Customer's documented instructions are: (a) the Terms of Service and this DPA, and (b) the Customer's use of the Service through its standard features.
3. Categories of Personal Data and Data Principals
| Category | Examples |
|---|---|
| Customer's end-customers (jewellery shop customers) | Name, phone, email, billing address, GSTIN, PAN, customer ledger entries, scheme participation. |
| Customer's suppliers | Name, phone, email, address, GSTIN, PAN, ledger entries. |
| Customer's employees and karigars | Name, phone, branch, role, commissions, karigar issue/receipt records. |
| Customer's leads (CRM) | Name, phone, email, source, notes. |
4. Provider's obligations
- Process only on instructions. The Provider processes Personal Data only on the Customer's documented instructions, including for international transfers.
- Confidentiality. Personnel authorised to process Personal Data are bound by confidentiality obligations.
- Security. The Provider implements appropriate technical and organisational measures (Section 7) to protect Personal Data.
- Sub-processors. The Provider engages sub-processors only as permitted in Section 6.
- Assistance. The Provider assists the Customer, taking into account the nature of the processing, in: (i) responding to Data Principal requests, (ii) conducting Data Protection Impact Assessments where applicable, (iii) notifying authorities and Data Principals of breaches.
- Return or delete. On termination, the Provider returns or deletes Personal Data in accordance with Section 11.
- Make information available. The Provider makes available to the Customer information necessary to demonstrate compliance with this DPA, including audits as set out in Section 8.
5. Customer's obligations
- The Customer warrants that it has a lawful basis under Applicable Privacy Law for the Personal Data it uploads and the processing it instructs.
- The Customer is responsible for providing notice to its Data Principals and obtaining any required consents.
- The Customer keeps its login credentials secure and is responsible for the actions of its users.
- The Customer will not upload special-category data (health, biometric, etc.) unless agreed with the Provider in writing.
6. Sub-processors
6.1 General authorisation
The Customer authorises the Provider to engage sub-processors to assist in providing the Service, subject to the conditions in this Section.
6.2 Conditions
For each sub-processor, the Provider will:
- Carry out due diligence to ensure the sub-processor can deliver the level of protection required.
- Enter into a written agreement imposing data-protection obligations no less protective than this DPA.
- Remain fully liable to the Customer for the sub-processor's performance of those obligations.
6.3 Current list
The Provider's current sub-processors are:
| Sub-processor | Service | Location |
|---|---|---|
| Supabase, Inc. | Database hosting (PostgreSQL) | Singapore / India region |
| Vercel, Inc. | Application hosting & edge delivery | Mumbai (ap-south-1) primary |
| Razorpay Software Pvt. Ltd. | Payment processing | India |
| Resend, Inc. (or equivalent) | Transactional email delivery | EU / US |
| Cloudflare, Inc. | DDoS protection, CDN, DNS | Global (encrypted in transit) |
6.4 Notification of changes
The Provider will give the Customer at least 30 days' notice of any new sub-processor, by updating this DPA and notifying the Customer's billing email. The Customer may object on reasonable grounds within 14 days; if the parties cannot agree, the Customer may terminate the affected services.
7. Security measures
The Provider maintains the following safeguards:
- Encryption — TLS 1.2+ in transit; encryption at rest for the primary database.
- Access control — least-privilege role-based access; separate production and staging environments; multi-factor authentication for production access.
- Tenant isolation — multi-tenant data is logically separated by tenant ID with row-level checks on every read and write.
- Audit logs — sensitive actions (rate changes, invoice edits, payments, settings changes) are recorded with user, timestamp, and metadata.
- Backups — automated daily backups, point-in-time recovery, restore drills.
- Vulnerability management — regular dependency scanning, security patches applied promptly, penetration testing on a recurring basis.
- Personnel — confidentiality undertakings; security awareness training.
- Incident response — documented plan with on-call rotation.
For the current detail, see our Security page.
8. Audits
The Provider will, on reasonable written request and not more than once per twelve (12) months (unless required by a regulator), make available information necessary for the Customer to verify compliance with this DPA. This may take the form of:
- Written responses to a security questionnaire.
- Sharing of third-party audit reports or certifications, where available.
- An on-site audit at the Provider's premises during business hours, with at least 30 days' notice, conducted in a manner that does not disrupt the Provider's operations.
Audit costs are borne by the Customer. The Customer will treat anything learnt during an audit as the Provider's confidential information.
9. Personal data breach notification
The Provider will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting the Customer's data. The notice will include:
- The nature of the breach and, where possible, the categories and approximate number of Data Principals concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate adverse effects.
- The contact point for further information.
The Provider will assist the Customer in any breach notifications the Customer is required to make to authorities or Data Principals.
10. International data transfers
To the extent that Personal Data is transferred outside India, the Provider will ensure transfers are made under contractual safeguards with the recipient that provide equivalent protection, and will comply with any applicable transfer restrictions under DPDPA and any future regulations issued under it.
11. Return or deletion of Personal Data
On termination of the subscription, the Provider will:
- Make the Customer's Personal Data available for export for at least 30 days after termination.
- Delete Personal Data from active systems within 30 days after the export window.
- Delete Personal Data from backups in the ordinary course, within 90 days of termination.
- Retain only what is necessary to comply with legal obligations (e.g. tax invoices for 8 years under Indian tax law).
12. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.
13. Conflicts
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict on data-protection matters.
14. Contact
Avatar Technologies
F7, Savitri Arcade, Karwar, Karnataka 581301, India
Privacy: privacy@aurexerp.com
Legal: legal@aurexerp.com