Note: This Data Processing Agreement ("DPA") is incorporated by reference into the Servyn AI Terms of Service. By accepting the Terms of Service, the Customer also accepts this DPA. No separate signature is required.
01 — Parties & Scope
This DPA is entered into between:
- Data Fiduciary / Controller: The Customer — the business entity or sole proprietor who has accepted the Servyn AI Terms of Service ("Customer")
- Data Processor: Servyn AI, a sole proprietorship owned and operated by Rahul Birwadkar, 4A B.D.D. Chawl, Naigaon, Dadar, Mumbai – 400014 ("Servyn AI")
This DPA applies to all personal data processed by Servyn AI on behalf of the Customer through the Servyn AI ERP platform (web application, PWA, and Android APK).
02 — Definitions
Terms used in this DPA have the meaning given in the Servyn AI Privacy Policy and Terms of Service, and in the Digital Personal Data Protection Act, 2023 (DPDPA 2023). Key terms:
- "Personal Data" — any data about an identifiable individual entered into or generated through the Platform by or on behalf of the Customer
- "Processing" — any operation performed on Personal Data including collection, storage, use, disclosure, and deletion
- "Data Principal" — the individual to whom the Personal Data relates (e.g., the Customer's employees and customers)
- "Sub-Processor" — any third party engaged by Servyn AI to process Personal Data on behalf of the Customer
- "Data Breach" — any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data
03 — Role of Each Party
| Party | Role | Responsibility |
| --- | --- | --- |
| Customer | Data Fiduciary | Determines what personal data is collected from employees/customers; responsible for obtaining valid consent from Data Principals; responsible for lawfulness of data entry |
| Servyn AI | Data Processor | Processes Personal Data only on Customer's documented instructions; implements security measures; notifies Customer of breaches; deletes data on termination |
| Supabase Inc. | Sub-Processor | Hosts the database infrastructure; processes Personal Data on behalf of Servyn AI under the Supabase DPA |
04 — Nature & Purpose of Processing
| Category | Types of Personal Data | Purpose |
| --- | --- | --- |
| Employee records | Name, address, DOB, contact, Aadhaar, PAN, salary, bank details, attendance, leave | HR management, payroll processing, attendance tracking |
| Customer records | Name, phone, email, address, GST number | Service job management, invoicing, AMC contracts |
| User accounts | Name, email, password hash, role | Platform access and authentication |
| Financial records | Invoice amounts, payment status, bank details, GST numbers | Billing, financial reporting, GST compliance |
| Job/work records | Job descriptions, technician assignments, job photos, completion status | Field service management, job history |
Servyn AI will not process Personal Data for any purpose other than those stated above or as documented in writing by the Customer.
05 — Processor Obligations
Servyn AI agrees to:
- Instructions only: Process Personal Data only on the documented instructions of the Customer, and not for Servyn AI's own purposes
- Confidentiality: Ensure that all personnel with access to Personal Data are bound by written confidentiality obligations
- No unauthorised disclosure: Not disclose Personal Data to any third party except authorised Sub-Processors or as required by Indian law
- No data selling: Never sell, rent, trade, or otherwise commercialise Personal Data
- No AI training: Never use Customer Personal Data to train, fine-tune, or improve AI or machine learning models
- Purpose limitation: Use Personal Data only for the purposes described in Section 4
- Legal requests: Notify the Customer promptly (to the extent permitted by law) before complying with any government, law enforcement, or court order requiring disclosure of Personal Data
- Compliance assistance: Provide reasonable assistance to the Customer in complying with DPDPA 2023 obligations, including responding to Data Principal rights requests
06 — Security Measures
Servyn AI implements and maintains the following technical and organisational security measures as required under DPDPA 2023 S.8(5) and SPDI Rules 2011 Rule 8:
Technical Measures
- AES-256 encryption of all data at rest in the Supabase database
- TLS 1.2+ encryption for all data in transit (HTTPS enforced)
- Field-level encryption for Aadhaar numbers, PAN numbers, and bank account details
- bcrypt password hashing — passwords never stored in plain text
- JWT-based session management with httpOnly cookies
- Row Level Security (RLS) policies for multi-tenant data isolation
- CSRF protection on all state-changing API requests
- Role-based access control (RBAC) limiting data access by user role
- 30-day rolling automated database backups
- 90-day audit log retention
Organisational Measures
- Production database access restricted to Servyn AI founding personnel only
- Regular review of access controls and security configurations
- Incident response procedure (see Breach Notification Policy)
Servyn AI will maintain these measures throughout the term of this DPA and will notify the Customer of any material downgrade in security measures with at least 30 days' advance notice.
07 — Sub-Processors
The Customer grants Servyn AI general authorisation to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location | DPA |
| --- | --- | --- | --- |
| Supabase Inc. | Database hosting, authentication, file storage | AWS ap-south-1, Mumbai, India | Supabase DPA signed — supabase.com/legal/dpa |
| Google LLC | Business email (support communications only) | Google global infrastructure | Google Workspace Business Terms |
Servyn AI will:
- Notify the Customer at least 14 days before engaging any new Sub-Processor that will process Customer Personal Data
- Give the Customer the opportunity to object to the new Sub-Processor within that 14-day period
- Impose data protection obligations on all Sub-Processors equivalent to those in this DPA
- Remain liable to the Customer for the acts and omissions of its Sub-Processors
08 — Data Breach Notification
In the event of a Data Breach affecting Customer Personal Data, Servyn AI will:
- Notify the Customer's registered admin email within 24 hours of becoming aware of the breach
- Provide the following information (to the extent available at the time):
  - Nature of the breach and categories/approximate number of Data Principals affected
  - Categories and approximate volume of Personal Data records affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
  - Contact details of the Grievance Officer
- Notify the Data Protection Board of India (DPBI) within 72 hours as required by DPDPA 2023 S.8(6) (once DPBI is operational)
- Cooperate with the Customer in notifying affected Data Principals if required by the DPBI
- Take all reasonable steps to contain and remediate the breach
Servyn AI maintains a separate Breach Notification Policy with detailed procedures.
09 — Data Principal Rights Assistance
Servyn AI will provide reasonable assistance to the Customer in responding to Data Principal rights requests under DPDPA 2023 Chapter III, including:
- Rights to access, correction, and erasure of Personal Data
- Right to grievance redressal
- Right to nominate
If Servyn AI receives a rights request directly from a Data Principal relating to Customer-controlled data, Servyn AI will forward the request to the Customer within 3 business days and will not independently respond to the request without the Customer's authorisation.
10 — Audit Rights
The Customer has the right to audit Servyn AI's compliance with this DPA by:
- Requesting a written summary of security practices and data processing activities (to be provided within 15 business days)
- Requesting access to relevant audit logs relating to the Customer's data (subject to confidentiality of other customers' data)
- Conducting an on-site or remote audit with at least 30 days' advance notice, at the Customer's own cost, no more than once per 12-month period
Audit requests must be sent to founder@servynai.in with the subject "DPA Audit Request".
11 — Return & Deletion of Data
Upon termination or expiry of the Customer's subscription:
- The Customer has a 30-day window to request a full data export in CSV/JSON format
- On Day 31 post-termination, Servyn AI will permanently delete all Customer Personal Data from active databases and backups
- Servyn AI will provide a written deletion confirmation upon request
- Exception — Legal Hold: Financial records (invoices, payment records, GST data) may be retained for up to 7 years as required by Indian tax and company law (Income Tax Act 1961, CGST Act 2017, Companies Act 2013). Such records will be stored in an isolated, access-restricted archive and used solely for legal compliance
12 — Cross-Border Transfer
Customer Personal Data is stored on AWS ap-south-1 (Mumbai, India) via Supabase. No cross-border transfer of ERP data occurs.
Limited cross-border transfers may occur for: support email communications (Google/Gmail infrastructure) and WhatsApp communications (Meta global infrastructure). These are governed by the respective providers' Data Processing Terms and Standard Contractual Clauses where applicable.
Servyn AI will comply with any cross-border transfer restrictions notified by the Government of India under DPDPA 2023 S.16 and will inform the Customer if any such restriction affects this DPA.
13 — Duration
This DPA commences on the date the Customer accepts the Servyn AI Terms of Service and continues until the later of:
- Termination or expiry of the Customer's subscription; or
- The date on which Servyn AI has completed deletion of all Customer Personal Data as required under Section 11
Obligations under Sections 5, 6, 8, 11, and 14 survive termination of this DPA.
14 — Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Servyn AI Terms of Service (Section 18).
Servyn AI is liable for damages caused by processing that is not in compliance with this DPA or DPDPA 2023 where it has acted outside or contrary to the Customer's lawful instructions.
The Customer is liable for damages arising from processing instructions that are unlawful or that violate the Customer's own obligations as a Data Fiduciary under DPDPA 2023.
15 — Governing Law
This DPA is governed by the laws of the Republic of India. Disputes under this DPA are subject to the dispute resolution and arbitration provisions in the Servyn AI Terms of Service (Section 23).