Data Processing Agreement

This Data Processing Agreement ("DPA") governs the processing of Personal Data by AhuraSense AI Pvt Ltd on behalf of Customer in connection with AhuraSense's cloud infrastructure, AI inference, AI training, compute, GPU pod, Kubernetes, database, object storage, security, domain, application deployment, support, and related services.

This DPA applies where AhuraSense processes Personal Data as a processor, service provider, or equivalent role on behalf of Customer.

This DPA does not apply where AhuraSense processes personal data as an independent data fiduciary/controller — such as for account registration, billing, fraud prevention, legal compliance, security monitoring, or business administration. Such processing is governed by the Privacy Policy.

• "Agreement" means The Terms of Service, Order Form, Master Services Agreement, statement of work, or other written agreement between the parties.
• "Customer" means The entity or individual that has entered into the Agreement with AhuraSense.
• "Customer Personal Data" means Personal Data processed by AhuraSense on behalf of Customer through the services.
• "Data Protection Laws" means Applicable privacy, data protection, cybersecurity, and data security laws, including where applicable the Digital Personal Data Protection Act 2023, GDPR, UK GDPR, and other relevant laws.
• "Data Subject" means An identified or identifiable individual to whom Personal Data relates.
• "Personal Data" means Information relating to an identified or identifiable individual, or equivalent definition under applicable Data Protection Laws.
• "Processing" means Any operation performed on Personal Data, including collection, storage, use, transmission, disclosure, deletion, organization, retrieval, or other handling.
• "Processor" means AhuraSense where it processes Customer Personal Data on behalf of Customer.
• "Controller" means Customer where it determines the purposes and means of processing Customer Personal Data.
• "Subprocessor" means A third party engaged by AhuraSense to process Customer Personal Data on behalf of Customer.
• "Security Incident" means A confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by AhuraSense.

Customer is the controller, data fiduciary, business, or equivalent entity responsible for determining the purposes and means of processing Customer Personal Data.

AhuraSense is the processor, data processor, service provider, or equivalent entity processing Customer Personal Data on behalf of Customer.

Customer is responsible for ensuring that:

• It has a lawful basis for processing Customer Personal Data.
• It has provided required notices and obtained required consents.
• Its instructions to AhuraSense are lawful.
• Customer Personal Data may be processed through the services.
• It has selected suitable services, regions, safeguards, and configurations.
• It complies with Data Protection Laws.

AhuraSense will process Customer Personal Data only as described in this DPA, the Agreement, Customer's documented instructions, or as required by law.

Customer instructs AhuraSense to process Customer Personal Data as necessary to provide the services — including hosting workloads, storing Customer Data, processing API requests, providing compute and GPU resources, running AI inference and training workloads, operating Kubernetes, databases, object storage, domains, and application deployment features, providing technical support, securing the services, and preventing abuse.

Customer may provide additional instructions through account settings, dashboard configurations, API calls, support requests, written instructions, and Order Forms.

AhuraSense may decline or suspend instructions that it reasonably believes violate law, the Agreement, supplier requirements, security requirements, or acceptable use rules.

5.1 Subject Matter

The provision of cloud infrastructure and related technical services by AhuraSense to Customer.

5.2 Duration

Processing continues for the term of the Agreement and any period required for deletion, return, backup retention, legal compliance, billing, security, or dispute resolution.

5.3 Nature and Purpose

Processing may include hosting, storage, transmission, retrieval, compute processing, AI inference, AI training, fine-tuning, embedding generation, database processing, Kubernetes orchestration, application deployment, security monitoring, backup and recovery, technical support, billing support, abuse prevention, and incident response.

5.4 Categories of Data Subjects

Customer Personal Data may relate to customer employees, contractors, administrators, developers, end users, business contacts, support users, and individuals included in datasets, files, logs, databases, prompts, outputs, or workloads uploaded by Customer.

5.5 Categories of Personal Data

Customer Personal Data may include names, email addresses, user IDs, IP addresses, device identifiers, account identifiers, application data, log data, support data, prompt and output data, dataset records, database records, files and documents, images, audio, or text submitted by Customer, and metadata.

5.6 Sensitive Data

Customer must not submit sensitive, regulated, children's, biometric, health, financial, payment card, government secret, or special-category data unless the applicable Agreement expressly permits such processing and Customer has implemented appropriate safeguards.

AhuraSense will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

AhuraSense will limit access to Customer Personal Data to personnel who need access to provide, secure, support, or maintain the services.

AhuraSense will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data. These may include:

• Role-based access controls, authentication controls, and least-privilege practices.
• Encryption in transit and at rest where supported.
• Logging, monitoring, network security controls, and abuse detection.
• Vulnerability management, incident response procedures, and security testing.
• Segregation of customer environments, backup and recovery measures, and supplier security review.

Customer remains responsible for securing accounts, API keys, SSH keys, passwords, secrets, containers, applications, databases, Kubernetes roles, firewalls, network policies, domain settings, AI models, training datasets, and end-user access.

Customer authorizes AhuraSense to engage Subprocessors to provide the services, including providers of data center services, cloud infrastructure, network connectivity, GPU hardware or managed capacity, storage, security monitoring, support systems, error monitoring, payment and billing systems, email delivery, identity verification, domain registration and DNS, and analytics and product operations.

AhuraSense will ensure Subprocessors are bound by written obligations that provide appropriate protection for Customer Personal Data.

Where required by applicable law, AhuraSense will provide notice of new Subprocessors and allow Customer to object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected service or terminate the affected Order as permitted by the Agreement.

Customer may request a list of current Subprocessors by contacting [email protected].

Customer acknowledges that AhuraSense and its Subprocessors may process Customer Personal Data in India and other jurisdictions where services, infrastructure, support, or suppliers operate.

Where Customer Personal Data is subject to transfer restrictions, the parties will use appropriate safeguards including standard contractual clauses, transfer impact assessments, data processing terms, customer-approved regions, contractual safeguards, and other lawful transfer mechanisms.

For EU/EEA transfers, the parties may rely on applicable EU standard contractual clauses where required.

Taking into account the nature of processing and information available to AhuraSense, AhuraSense will provide reasonable assistance to Customer in responding to Data Subject requests, including requests to access, correct, delete, export, restrict, or object to processing, or to withdraw consent.

Customer is responsible for responding to Data Subject requests. If AhuraSense receives a request directly relating to Customer Personal Data, AhuraSense may direct the requester to Customer unless legally required to respond.

AhuraSense will provide reasonable assistance to Customer for security obligations, data protection impact assessments, prior consultations with regulators where applicable, breach response, data deletion or export, audit requests, transfer safeguards, and compliance documentation.

AhuraSense may charge reasonable fees for assistance that is outside standard support or requires significant engineering, legal, compliance, or operational effort.

AhuraSense will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Customer Personal Data. The notice may include, where available:

• Nature of the incident and affected services.
• Categories of affected data and approximate number of affected records, where known.
• Likely consequences and measures taken or proposed.
• Recommended customer actions and contact point for follow-up.

Customer acknowledges that initial notices may be based on incomplete information and may be updated as investigation progresses. Customer is responsible for determining whether it must notify regulators, Data Subjects, customers, or other parties.

Customer must secure account credentials, use strong passwords and MFA where available, rotate keys and secrets, restrict administrative access, configure IAM and RBAC properly, avoid public exposure of private data, encrypt sensitive data where appropriate, maintain backups, test disaster recovery, monitor workloads, patch customer-managed software, review logs, remove inactive users, and report suspected incidents promptly.

AhuraSense is not responsible for Security Incidents caused by Customer misconfiguration, exposed credentials, insecure code, vulnerable containers, public buckets, excessive permissions, unsupported software, or Customer failure to use available safeguards.

Upon termination or expiry of the Agreement, AhuraSense will delete or return Customer Personal Data in accordance with the Agreement, service functionality, and Customer instructions. Unless otherwise agreed:

• Customer should export Customer Data before termination.
• AhuraSense may delete or disable access to Customer Data after the applicable post-termination period.
• Backups may be retained until overwritten or expired according to backup cycles.
• Logs, billing records, security records, and legal records may be retained as required for compliance, security, fraud prevention, dispute resolution, and legitimate business purposes.

AhuraSense will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and commercial sensitivity restrictions. Customer may request audit information no more than once annually unless a Security Incident or legal requirement justifies additional review.

Audit requests must be reasonable in scope, subject to confidentiality, non-disruptive to AhuraSense operations, and limited to controls relevant to Customer Personal Data. AhuraSense may satisfy audit obligations through security documentation, certifications, summaries, questionnaires, third-party audit reports, or written responses.

If AhuraSense receives a legal request for Customer Personal Data, AhuraSense will, where legally permitted and practical: notify Customer, direct the requester to Customer, challenge or narrow unlawful or excessive requests where appropriate, and disclose only the information legally required.

AhuraSense may disclose Customer Personal Data where required by law, court order, regulator, law enforcement, registry requirement, sanctions authority, or other valid legal process.

Where Customer uses AhuraSense services for AI workloads, Customer is responsible for lawful collection and use of training data, dataset rights, consent and notice, personal data minimization, sensitive data safeguards, bias and safety testing, output validation, model license compliance, human review where required, end-user disclosures, and regulatory compliance.

Unless separately agreed in writing, AhuraSense will not use Customer Personal Data or Customer Data to train foundation models for AhuraSense or third parties.

AhuraSense may process operational telemetry, logs, usage metrics, and de-identified or aggregated data to provide, secure, improve, and measure the services, provided such processing does not identify Customer or disclose Customer Data.

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by applicable law. Nothing in this DPA limits liability that cannot legally be limited.

If there is a conflict between this DPA and the Agreement, this DPA controls only with respect to processing of Customer Personal Data. If there is a conflict between this DPA and mandatory Data Protection Laws, the mandatory Data Protection Laws control.

This DPA remains in effect for as long as AhuraSense processes Customer Personal Data on behalf of Customer. Sections that by their nature should survive termination will continue to apply, including confidentiality, deletion, audit, liability, and legal compliance provisions.

AhuraSense may use Subprocessors to provide infrastructure, support, security, billing, analytics, communications, and operational services.

Before allowing a Subprocessor to process Customer Personal Data, AhuraSense will require the Subprocessor to enter into written obligations that provide appropriate protection for Customer Personal Data.

Customer may request a list of current Subprocessors by contacting [email protected].

Customer is responsible for configuring and securing: