Data Processing Agreement (DPA)
Last Updated: 21 June, 2021
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("ToS") between PurpleJelly Developers Private Limited (operating as Triveni Developers) ("Company," "Processor," "we," "us," or "our") and the client or entity ("Client," "Controller," "you," or "your") that has engaged us for software development services. This DPA outlines how we process, store, and protect personal data in compliance with applicable data protection laws, including but not limited to:
- General Data Protection Regulation (GDPR) (EU) 2016/679
- California Consumer Privacy Act (CCPA) (as amended by CPRA)
- India's Digital Personal Data Protection Act (DPDPA)
- Other applicable data protection regulations
By using our services, you agree to this DPA. If you do not agree, you should discontinue using our services.
1. Definitions
For the purposes of this DPA, the following terms apply:
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, modification, transfer, or deletion.
- "Controller" refers to the entity (Client) that determines the purposes and means of Processing Personal Data.
- "Processor" refers to the entity (Triveni Developers) that processes Personal Data on behalf of the Controller.
- "Subprocessor" refers to any third party engaged by the Processor to process Personal Data.
- "Data Subject" refers to the individual whose personal data is being processed.
- "Applicable Laws" means any laws governing data protection, including GDPR, CCPA, and other relevant regulations.
2. Scope & Roles
- The Client (Controller) determines what Personal Data is processed.
- Triveni Developers (Processor) processes Personal Data solely on behalf of the Client, in accordance with this DPA.
- We do not own or sell Personal Data processed for our Clients.
3. Types of Data Processed
We process the following types of Personal Data as directed by the Client:
3.1 User-Provided Data:
- Names, email addresses, phone numbers, and job titles.
- Account registration and login details (hashed passwords).
- Payment information (processed via Stripe; we do not store card details).
- Uploaded files, documents, and other project-related data.
3.2 Automatically Collected Data:
- IP addresses, browser types, device IDs, and system logs.
- Usage analytics and behavior tracking via cookies (subject to Client preferences).
- Error logs and security monitoring data.
3.3 No Special Categories of Data:
- We do not intentionally process sensitive personal data (e.g., racial, political, biometric, or health data) unless explicitly required and agreed upon in writing.
4. Processing Activities
We process Personal Data strictly for the following purposes:
- Providing & Improving Services - Ensuring smooth functionality of software applications.
- Security & Fraud Prevention - Detecting unauthorized access and securing data.
- Technical Support - Troubleshooting and responding to Client requests.
- Legal & Compliance Obligations - Meeting legal, tax, and regulatory requirements.
- Service Analytics & Enhancements - Improving features based on aggregated data.
We do not use Personal Data for advertising or marketing without explicit consent.
5. Data Security Measures
We implement industry-leading security standards to protect Personal Data:
5.1 Encryption & Security Controls
- AES-256-GCM encryption for stored data.
- TLS 1.2+ encryption for data transmission.
- Hashed passwords (we never store plain-text passwords).
- Multi-factor authentication (MFA) for access control.
5.2 Access Controls & Audit Logs
- Least Privilege Access (LPA): Only authorized personnel can access Personal Data.
- Role-Based Access Control (RBAC): Restricting access based on job responsibilities.
- Activity Logging: All actions on Personal Data are logged for security audits.
5.3 Data Retention & Deletion
- We retain Personal Data only as long as required for the Client's purposes.
- Clients can request deletion of data at any time.
- Upon contract termination, all Personal Data is permanently deleted within 30 days unless required for legal compliance.
6. Subprocessors & Data Transfers
6.1 Approved Subprocessors
We engage trusted Subprocessors to provide specific services, including:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA / EU |
| AWS / DigitalOcean | Cloud hosting | Multiple Regions |
| Google Analytics | Website analytics | USA |
| Sentry | Error logging | USA |
- All Subprocessors are contractually bound to maintain GDPR-compliant security and data protection measures.
- Clients will be notified of any new Subprocessors before onboarding them.
6.2 Data Transfers
- Personal Data may be transferred to servers in India, the USA, or the EU, based on service requirements.
- We ensure compliance with EU Standard Contractual Clauses (SCCs) for cross-border transfers.
7. Data Subject Rights & Requests
We support Clients in fulfilling their obligations under GDPR, CCPA, and similar laws.
7.1 Rights of Data Subjects
Data Subjects have the right to:
- Access & Correct Personal Data - Request copies or corrections.
- Data Portability - Obtain data in a structured format.
- Erasure ("Right to be Forgotten") - Request data deletion.
- Object to Processing - Restrict or object to data usage.
7.2 Client's Responsibilities
- The Client is responsible for responding to Data Subject Requests.
- If we receive a direct request, we will notify the Client and act per their instructions.
8. Breach Notification & Incident Response
8.1 Security Incident Response
- We have a 24/7 security monitoring system for breach detection.
- In case of a data breach, we will:
  - Investigate & Contain the breach.
  - Notify the Client within 24-72 hours (depending on the severity).
  - Provide a detailed impact report and mitigation steps.
8.2 Client Responsibilities
- Clients must immediately inform us of any suspected vulnerabilities or security concerns.
9. Term & Termination
- This DPA remains in effect as long as we process Personal Data for the Client.
- Upon termination of our services, we will:
  - Delete all Personal Data within 30 days (unless legally required to retain it).
  - Provide the Client with data export options if requested.
10. Liability & Indemnification
- Our liability is limited to direct damages up to the amount paid by the Client for services involving Personal Data processing.
- Clients agree to indemnify us against third-party claims resulting from unlawful data usage or breaches caused by Client negligence.
11. Governing Law & Dispute Resolution
- This DPA is governed by the laws of India (or other applicable jurisdiction).
- Disputes will be resolved through mediation/arbitration before legal proceedings.
12. Contact Information
For questions about this DPA, contact us at:
- Email: [email protected]