Status and parties
This standard DPA is a starting point between TerraGrid Tech Private Limited and the business customer identified in an executed agreement. Viewing it alone does not execute or bind either party. Contact legal@terragridtech.com to execute a DPA.
Scope, duration and roles
It applies when TerraGridTech processes personal data on the customer’s documented instructions to provide receipt services, for the agreement’s duration plus lawful return, deletion and retention periods. The customer is controller/data fiduciary and TerraGridTech is processor/service provider for that data, unless a specific activity requires another lawful role.
Instructions and customer duties
TerraGridTech processes data only on documented instructions, including service configuration and lawful support requests, unless law requires otherwise. The customer must have authority and lawful grounds, give notices, minimise fields and avoid prohibited sensitive credentials.
Confidentiality and security
Authorised personnel are bound by confidentiality. Measures include encrypted transport, authentication, access controls, business isolation, restricted key visibility, audit logging, production-access controls, incident handling and secure development practices. These are risk-based controls, not a certification or disclosure of exploitable detail.
Subprocessors and transfers
Approved subprocessors are listed on the Subprocessor page. TerraGridTech remains responsible for required contractual protections. International transfers use appropriate safeguards where applicable, including applicable contractual clauses. Customer instructions cannot require unlawful transfer.
Rights, incidents and compliance assistance
Taking account of the processing and information available, TerraGridTech will reasonably assist with rights requests, security incidents, assessments and regulatory enquiries required by applicable law. Each party will notify the other through agreed channels without an unsupported universal deadline.
Return and deletion
At the customer’s lawful choice after service ends, TerraGridTech will return or delete processor data where practicable, except records retained for law, security, disputes, claims or legal holds. Retained data remains protected and limited to the retention purpose.
Audit information
TerraGridTech will provide reasonable existing compliance information and address justified questions. On-site or intrusive audits require advance agreement, confidentiality, security protections, reasonable scope and cost allocation, except where mandatory law requires otherwise.
Liability, precedence and law
Liability follows the commercial agreement and mandatory law. If this DPA conflicts with the commercial agreement on data processing, the executed DPA prevails for that issue; applicable transfer clauses prevail for covered transfers. Indian law governs except where mandatory data-protection law or transfer terms require otherwise.
Annex A — processing details
Subject: business receipt services. Nature: collection, validation, storage, transmission, retrieval, support, security and deletion. Data subjects may include customer personnel and receipt recipients. Data includes account, business, receipt, usage, device, audit and support information. Frequency and duration follow service use and the retention schedule.
Annex B — security measures
Measures include encrypted transport, identity and role controls, tenant/business isolation, secrets and key handling, logging, change review, backups where applicable, incident response, vendor review, vulnerability handling and personnel access restriction. Exact implementation may evolve without materially reducing required protection.