Data Processing Agreement

Last Updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CorpDesk ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
  • Data Subject: An individual whose personal data is processed
  • Sub-processor: A third party engaged by us to process personal data on your behalf
  • Applicable Laws: The Information Technology Act, 2000, IT Rules, 2011, and any applicable data protection regulations in India

2. Scope and Purpose

2.1 Scope

This DPA applies to all personal data processed by CorpDesk on your behalf in connection with our compliance management services.

2.2 Purpose

We process personal data solely for:

  • Providing and maintaining our services
  • Sending compliance reminders and notifications
  • Processing payments
  • Improving our platform
  • Complying with legal obligations

2.3 Categories of Data

We process the following categories of personal data:

  • User Data: Names, email addresses, phone numbers
  • Company Data: Director names, DINs, company officer information
  • Document Data: Uploaded documents that may contain personal information
  • Usage Data: Log files, IP addresses, device information

3. Controller Obligations

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis to collect and share personal data with us
  • Providing appropriate privacy notices to data subjects
  • Responding to data subject requests where applicable
  • Ensuring data accuracy before uploading to our platform
  • Complying with applicable data protection laws

4. Processor Obligations

As the Processor, we will:

4.1 Processing Instructions

  • Process personal data only on your documented instructions
  • Inform you if we believe an instruction violates applicable law

4.2 Confidentiality

  • Ensure all personnel processing personal data are bound by confidentiality obligations
  • Limit access to personal data to authorized personnel only

4.3 Security Measures

Implement appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions
  • Regular security assessments and vulnerability testing
  • Audit logging of data access and modifications
  • Secure cloud infrastructure with SOC 2 compliant providers

4.4 Sub-processors

  • Obtain your consent before engaging sub-processors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Remain liable for sub-processor compliance

4.5 Assistance

  • Assist you in responding to data subject requests
  • Assist with data protection impact assessments if required
  • Notify you of any data breach without undue delay

5. Sub-processors

We use the following sub-processors:

| Sub-processor | Purpose | Location | |--------------|---------|----------| | Vercel | Hosting and deployment | Global (US primary) | | Supabase | Database and authentication | Singapore | | Razorpay | Payment processing | India | | Resend | Email delivery | US | | AWS S3 / Supabase Storage | Document storage | Singapore / India |

We will notify you of any changes to sub-processors with at least 30 days' notice.

6. Data Subject Rights

Under applicable Indian law, data subjects may have the right to:

  • Access their personal data
  • Correct inaccurate data
  • Request deletion (subject to legal retention requirements)
  • Withdraw consent

We will assist you in fulfilling these requests within the timeframes required by law.

7. Data Transfers

Personal data may be transferred to and processed in countries outside India. We ensure appropriate safeguards for such transfers including:

  • Standard contractual clauses with sub-processors
  • Verification that sub-processors maintain adequate security measures
  • Compliance with applicable cross-border transfer requirements

8. Data Retention

We retain personal data for:

  • Active accounts: As long as the account remains active
  • After termination: 30 days for personal data export, then deletion
  • Compliance records: Up to 8 years as required by Indian company and tax laws
  • Audit logs: Retained indefinitely for security and compliance purposes
  • Anonymized data: May be retained indefinitely for analytics

9. Security Incidents

9.1 Notification

We will notify you of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of it.

9.2 Breach Notification Contents

Notification will include:

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

9.3 Cooperation

We will cooperate with your investigation and any required notifications to authorities or data subjects.

10. Audit Rights

Upon reasonable notice, you may:

  • Request documentation of our security practices
  • Request results of third-party audits or certifications
  • Conduct or commission an audit (at your cost) with appropriate confidentiality agreements

11. Data Deletion

Upon termination of our agreement:

  • We will provide you 30 days to export your data
  • After 30 days, we will delete personal data from active systems
  • Some data may be retained in backups for up to 90 days before complete deletion
  • Data required for legal compliance will be retained as specified in Section 8

12. Liability

Our liability under this DPA is subject to the limitations set forth in our Terms of Service.

13. Term and Termination

This DPA:

  • Becomes effective when you agree to our Terms of Service
  • Remains in effect as long as we process personal data on your behalf
  • Survives termination with respect to ongoing confidentiality and data deletion obligations

14. Changes to This DPA

We may update this DPA to reflect changes in our practices or legal requirements. Material changes will be notified at least 30 days in advance.

15. Governing Law

This DPA is governed by the laws of India. Disputes shall be subject to the exclusive jurisdiction of courts in Bengaluru, Karnataka.

16. Contact

For questions about this DPA or data processing:

  • Data Protection Contact: privacy@corpdesk.in
  • Address: Bengaluru, Karnataka, India