Last updated: March 2026

Data Processing Agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following terms have the meanings set out below:

  • Controller: The entity (you, the customer) that determines the purposes and means of processing personal data. In the context of this DPA, the Controller is the Rach Dev LLP account holder.
  • Processor: Rach Dev LLP, which processes personal data on behalf of the Controller in connection with providing the Services.
  • Sub-processor: A third-party entity engaged by the Processor to assist in processing personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Services.
  • Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2. Scope and Purpose

This DPA applies to all processing of personal data that Rach Dev LLP performs on behalf of the Controller in connection with the Rach Dev LLP platform and Services. We process personal data solely for the following purposes:

  • Providing, operating, and maintaining the Rach Dev LLP platform Services as described in our Terms of Service
  • Storing and managing data in the Controller's managed databases
  • Processing API requests and executing AI agent interactions on behalf of the Controller
  • Generating usage analytics, logs, and performance reports for the Controller
  • Providing technical support and troubleshooting when requested by the Controller

We will not process personal data for any purpose other than those specified in this DPA or as otherwise instructed in writing by the Controller.

3. Data Processing Details

Types of Personal Data

The types of personal data processed depend on the Controller's use of the Services and may include:

  • Names, email addresses, and contact information stored in managed databases
  • Authentication credentials and session data
  • Content submitted to AI agents (text inputs, conversation history)
  • Technical identifiers such as IP addresses and device information
  • Any other personal data the Controller chooses to store or process through the Services

Categories of Data Subjects

Data subjects may include the Controller's customers, employees, contractors, end users, or any other individuals whose data the Controller stores or processes through the Services.

Duration of Processing

Processing continues for the duration of the Controller's use of the Services. Upon termination or expiration of the service agreement, we will delete or return all personal data within 30 days, unless retention is required by applicable law.

4. Processor Obligations

As the Processor, Rach Dev LLP commits to the following:

Security Measures

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls ensuring only authorized personnel can access personal data
  • Regular vulnerability assessments, penetration testing, and security audits
  • Intrusion detection and prevention systems on all production infrastructure
  • Automated backups with geographic redundancy and point-in-time recovery

Confidentiality

All Rach Dev LLP personnel with access to personal data are bound by confidentiality obligations. Access is granted on a need-to-know basis and is regularly reviewed.

Data Breach Notification

In the event of a confirmed data breach affecting the Controller's personal data, Rach Dev LLP will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document all breaches, including facts, effects, and remedial actions taken

5. Sub-processors

Rach Dev LLP engages the following categories of sub-processors to deliver the Services. Each sub-processor is bound by data processing agreements that impose obligations no less protective than those in this DPA:

Sub-processor   Purpose                                      Location
AWS / GCP       Cloud infrastructure, compute, and storage   US, India, EU
Stripe          Payment processing                           US
SendGrid        Transactional email delivery                 US

We will notify the Controller at least 30 days before engaging a new sub-processor or making material changes to an existing sub-processor. The Controller may object to a new sub-processor by notifying us within 14 days of receiving the notice. If the objection cannot be resolved, the Controller may terminate the affected Services without penalty.

6. Data Transfers

Personal data may be transferred to and processed in countries outside the Controller's jurisdiction. When transferring personal data internationally, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by relevant regulatory authorities for transfers to countries without an adequacy decision
  • Transfer impact assessments conducted for each destination country to evaluate the level of data protection
  • Technical measures such as encryption and pseudonymization to supplement legal safeguards
  • Binding data processing agreements with all sub-processors regardless of location

The Controller may request information about the specific safeguards in place for any data transfer by contacting dpa@rachdev.com.

7. Data Subject Rights

Rach Dev LLP will assist the Controller in fulfilling its obligations to respond to data subject rights requests. This includes requests for:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure of personal data ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

If Rach Dev LLP receives a data subject request directly, we will promptly redirect the individual to the Controller and notify the Controller of the request. We will not respond to data subject requests directly unless instructed to do so by the Controller.

We provide self-service tools in the dashboard for data export and deletion. For requests that require our assistance, we will respond within 10 business days.

8. Audits

Rach Dev LLP will make available to the Controller information necessary to demonstrate compliance with data processing obligations and allow for audits and inspections. Specifically:

  • We conduct annual independent security audits of our infrastructure and processes
  • Audit reports and certifications are available to customers on paid plans upon request under NDA
  • We are actively pursuing SOC 2 Type II certification, with expected completion by Q3 2026
  • The Controller may conduct or commission a third-party audit of our data processing activities with 30 days' written notice, subject to reasonable scope, timing, and confidentiality requirements

The costs of audits initiated by the Controller are borne by the Controller, unless the audit reveals a material breach of this DPA by Rach Dev LLP.

9. Term and Termination

This DPA takes effect when the Controller begins using the Rach Dev LLP Services and remains in force for the duration of the service relationship. It co-terminates with the main service agreement (the Terms of Service).

Upon termination:

  • We will cease all processing of personal data on behalf of the Controller, except as required to complete the termination process
  • The Controller will have 30 days to export their data through the dashboard or by requesting a data export from support
  • After the 30-day export window, we will securely delete all personal data from our systems, including backups, within an additional 30 days
  • We will provide written confirmation of deletion upon request

Obligations that by their nature should survive termination (including confidentiality, liability, and breach notification) will continue to apply.

10. Contact

For questions about this Data Processing Agreement or to exercise any rights under it, contact us at: