DPA for AutoCops customers

This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement between AutoCops (a Brand associated with Techium Solution Pvt Ltd), and the customer (referred to as “you” or “the Customer”). It governs how AutoCops processes personal data on behalf of the Customer in the course of providing the AutoCops platform and services.

Under the DPDP Act, the Customer is the Data Fiduciary for personal data of its Data Principals. AutoCops acts as a Data Processor under Section 2(k) of the Act, processing personal data only on documented instructions from the Customer. AutoCops does not determine the purpose or means of processing customer personal data.

AutoCops shall process customer personal data only:

• To provide the AutoCops platform and services as agreed in the Master Service Agreement
• To comply with the Customer's reasonable written instructions
• To meet legal obligations under Indian law (with prior notice to the Customer where permitted)

AutoCops shall not use customer personal data for its own purposes, including marketing, profiling, or model training, without the Customer's explicit prior consent.

AutoCops shall ensure that all personnel authorised to process customer personal data are bound by confidentiality obligations and have completed appropriate privacy training. Access to customer personal data is restricted to a minimum number of named individuals on the AutoCops production support team, all of whom undergo background checks and use multi-factor authentication.

AutoCops shall implement and maintain reasonable security safeguards in line with Section 8(5) of the DPDP Act, including but not limited to:

• Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access control with named-user attribution
• Multi-factor authentication for all privileged accounts
• Network isolation between application and data tiers
• Audit logging of all access to customer personal data
• Regular vulnerability assessments and penetration testing
• Documented incident response and disaster recovery procedures

The full technical detail of AutoCops' security controls is published in our Trust Center and updated as the controls evolve.

AutoCops may engage sub-processors to deliver the service. The current list of sub-processors is published in the Trust Center. AutoCops shall:

• Notify the Customer at least 30 days before adding any new sub-processor
• Ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA
• Remain responsible to the Customer for the acts and omissions of sub-processors with respect to customer personal data

The Customer may object to a new sub-processor on reasonable grounds. If AutoCops cannot accommodate the objection, the Customer may terminate the affected portion of the service with a pro-rata refund.

AutoCops shall provide the Customer with the technical and organisational means to fulfil Data Principal rights under Sections 11-13 of the DPDP Act — access, correction, erasure, grievance redressal, and nomination. Where a Data Principal contacts AutoCops directly with a rights request that should be addressed to the Customer, AutoCops shall promptly forward the request to the Customer without responding substantively.

AutoCops shall notify the Customer without undue delay (and in any case within 24 hours) upon becoming aware of a personal data breach affecting customer personal data. The notification shall include the nature of the breach, the categories and approximate number of Data Principals affected, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach. AutoCops shall cooperate with the Customer's own breach notification obligations under Section 8(6) of the DPDP Act.

AutoCops shall make available to the Customer all information necessary to demonstrate compliance with this DPA. The Customer may request, no more than once per year, an audit of AutoCops' relevant processing activities, conducted at the Customer's expense and at a mutually agreed time. AutoCops may, at its option, satisfy the audit obligation by providing a recent third-party audit report (such as SOC 2 Type II) covering the relevant controls.

AutoCops shall not transfer customer personal data outside India without the prior written consent of the Customer, except as required to deliver the service and only to countries notified as permissible under Section 16 of the DPDP Act. Where transfers occur, AutoCops shall ensure appropriate contractual safeguards are in place with the receiving party.

On termination of the Master Service Agreement, AutoCops shall, at the Customer's choice, return all customer personal data to the Customer in standard formats or delete it. AutoCops shall provide written confirmation of deletion within 30 days of the termination date, except where retention is required by law.

Each party's liability under this DPA is subject to the limitations set out in the Master Service Agreement. AutoCops shall indemnify the Customer against losses arising from AutoCops' breach of this DPA, subject to those limitations.

This DPA is governed by the laws of India. Any disputes arising from it shall be subject to the exclusive jurisdiction of the courts of New Delhi, India.