Data Processing Agreement (DPA) - Modulo AI

DATA PROCESSING AGREEMENT (DPA) - for EU/UK

Modulo AI - GitHub Application

Effective Date:
Version: 1.0
Last Updated: December 22, 2025

PREAMBLE

WHEREAS, Modulo AI Pvt Ltd, a company organized under the laws of India with its principal place of business in Noida, Uttar Pradesh 201301, India ("Data Processor" or "Processor"); and

WHEREAS, the Customer identified in the Master Service Agreement or Order Form ("Data Controller" or "Controller"); and

WHEREAS, the Parties wish to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable Data Protection Laws;

WHEREAS, this Data Processing Agreement ("DPA") sets forth the terms and conditions under which Processor will process Personal Data on behalf of Controller in accordance with GDPR Article 28 and other applicable Data Protection Laws;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the Parties agree as follows:

1. DEFINITIONS

1.1 Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

  • "Affiliate" means any entity that controls, is controlled by, or is under common control with a Party.

  • "Competent Authorities" means the data protection authorities and supervisory authorities in the EU, UK, and other relevant jurisdictions.

  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

  • "Data Protection Laws" means the GDPR, UK GDPR, the Digital Personal Data Protection Act 2023 (India), and all other applicable data protection laws and regulations in any relevant jurisdiction.

  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission under Decision (EU) 2010/87 and (EU) 2021/914, as amended or supplemented.

  • "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • "Processing" means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • "Processor" means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

  • "Sub-processor" means any natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Processor.

  • "Services" means the Bug Fixer GitHub Application and related services provided by Processor to Controller as described in the Master Service Agreement.

2. SCOPE AND SUBJECT MATTER

2.1 Subject Matter and Duration

This DPA applies to the Processing of Personal Data in connection with the provision of the Services under the Master Service Agreement between the Parties. The Processing shall commence upon the Effective Date and continue for the duration of the Services, unless earlier terminated in accordance with the terms of this DPA.

2.2 Nature and Purpose of Processing

The Processor shall process Personal Data for the following purposes:
- Providing the Services (bug detection, analysis, and code modification)
- Maintaining and improving the Services
- Generating analytics and usage reports
- Preventing abuse and ensuring security
- Complying with legal obligations

2.3 Types of Personal Data

The Personal Data processed shall include:
- GitHub user identifiers and repository metadata
- Email addresses and contact information
- Repository code and documentation (if publicly accessible or authorized)
- GitHub issue and pull request information
- Usage analytics and service performance data
- IP addresses and technical identifiers
- Any other Personal Data provided by Controller or its users

2.4 Categories of Data Subjects

The categories of Data Subjects whose Personal Data is processed include:
- Individual developers and maintainers of repositories
- Repository owners and administrators
- Contributors and collaborators
- End users whose repositories are analyzed
- Support contacts and account administrators

2.5 Duration of Processing

Processing shall commence upon subscription activation and continue until:
- Expiration or termination of the Services, plus
- 90 days following termination (for data deletion and account closure), plus
- Such longer periods as may be required by applicable law (e.g., 7 years for billing records, 1 year for security logs)

3. PROCESSOR OBLIGATIONS

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law. Such instructions shall include:
- The purpose and subject-matter of Processing
- The types of Personal Data and Data Subjects
- The nature and duration of Processing
- The use of Sub-processors

The Processor shall notify the Controller if an instruction infringes Data Protection Laws.

3.2 Confidentiality of Personnel

The Processor shall ensure that persons authorized to Process Personal Data have committed to confidentiality or are under an appropriate legal obligation of confidentiality, whether before or after cessation of their engagement.

3.3 Technical and Organizational Measures

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 or equivalent
- Secure authentication mechanisms (multi-factor authentication where applicable)
- Network security and firewalls
- Intrusion detection and prevention systems
- Vulnerability scanning and patch management
- Secure disposal and destruction of data

Organizational Measures:
- Designated Data Protection Officer and security personnel
- Data Protection by Design and by Default principles
- Security awareness training for personnel
- Incident response procedures and business continuity plans
- Regular security assessments and audits (at least annually)
- Written policies and procedures for data handling
- Access controls and role-based permissions
- Activity logging and monitoring

3.4 Sub-processor Management

3.4.1 Authorization
The Processor shall not engage Sub-processors without prior specific or general written authorization from the Controller.

3.4.2 List of Sub-processors
A current list of Sub-processors is available upon request at contact@moduloware.ai.

3.4.3 Notification of Changes
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, providing sufficient time for the Controller to object to such changes.

3.4.4 Right to Object
If the Controller objects to the engagement of a new Sub-processor on reasonable grounds relating to Data Protection Law compliance, the Processor shall either:
- Suspend Processing of the Personal Data affected, or
- Terminate the contract between the Processor and the Controller

The Processor shall not continue Processing the affected Personal Data without an agreed alternative Sub-processor or termination of the Services.

3.4.5 Sub-processor Obligations
The Processor shall impose the same data protection obligations on Sub-processors as are contained in this DPA, in particular with regard to confidentiality, security, and data subject rights. The Processor shall be liable for any failure by a Sub-processor to fulfill its data protection obligations.

3.5 Confidentiality and Security

The Processor shall:
- Treat all Personal Data and information related to Processing as confidential
- Not disclose Personal Data to third parties except as authorized by the Controller or required by law
- Return or delete Personal Data upon termination of the Services (see Section 8)
- Implement security measures to prevent unauthorized Processing

3.6 International Data Transfers

The Processor acknowledges that Personal Data collected from the EU/EEA may be transferred outside the EEA. Such transfers shall be protected by:
- Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated by reference
- Supplementary technical and organizational measures as described in this DPA
- Mechanisms to ensure adequacy of protection in recipient countries

The Processor shall not transfer Personal Data to non-adequate countries unless:
- Standard Contractual Clauses are in place
- The Controller has provided prior written authorization
- No legal prohibition exists in the relevant jurisdiction

4. DATA SUBJECT RIGHTS AND ASSISTANCE

4.1 Assisting with Data Subject Rights

The Processor shall, taking into account the nature of Processing, assist the Controller by implementing appropriate technical and organizational measures to ensure it can fulfill its obligations to respond to Data Subject rights requests, including:

  • Right of Access (GDPR Article 15): Providing Personal Data in a portable, machine-readable format
  • Right to Rectification (GDPR Article 16): Correcting inaccurate or incomplete Personal Data
  • Right to Erasure (GDPR Article 17): Deleting Personal Data upon lawful request
  • Right to Restrict Processing (GDPR Article 18): Limiting how Personal Data is processed
  • Right to Data Portability (GDPR Article 20): Providing data in a portable format
  • Right to Object (GDPR Article 21): Ceasing processing based on objections

4.2 Implementation of Data Subject Requests

Upon receiving a request from the Controller regarding a Data Subject right:
- The Processor shall promptly notify the Controller
- The Processor shall not respond directly to the Data Subject unless instructed by the Controller
- The Processor shall provide the Controller with sufficient information to respond to the request
- The Processor shall assist the Controller in responding within statutory timeframes (typically 30 calendar days)
- The Processor shall not charge additional fees unless requests are manifestly unfounded or excessive

4.3 Timeframes for Assistance

The Processor shall provide reasonable assistance in responding to Data Subject rights requests within the following timeframes:
- Acknowledgment of request: Within 3 business days
- Detailed response: Within 20 calendar days (to allow Controller to meet the 30-day statutory deadline)

4.4 Data Deletion and Destruction

Upon termination of the Services or upon instruction from the Controller, the Processor shall:
- Securely delete or return Personal Data as instructed by the Controller
- Complete deletion within 90 days of termination or request
- Provide certification of deletion upon request
- Retain Personal Data only where legally required (e.g., for tax, legal, or regulatory purposes)

5. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

5.1 DPIA Support

The Processor shall assist the Controller in preparing a Data Protection Impact Assessment (DPIA) if required under GDPR Article 35 by:
- Providing information about Processing activities
- Identifying risks to Data Subjects
- Describing security measures
- Participating in consultation with supervisory authorities if necessary

5.2 Prior Consultation

If the Controller is required to consult with Competent Authorities before engaging the Processor, the Processor shall provide all necessary information and documentation to enable such consultation.

6. DATA BREACH NOTIFICATION

6.1 Breach Notification Obligation

The Processor shall notify the Controller without undue delay upon becoming aware of a Data Breach affecting Personal Data processed under this DPA. Notification shall be made within 24 hours of discovery, or as promptly as reasonably practicable.

6.2 Information to be Provided

Notification shall include:
- Description of the Data Breach
- Likely consequences of the breach
- Categories of Personal Data and Data Subjects affected
- Estimated number of affected Data Subjects
- Name and contact details of the Data Protection Officer or security contact
- Measures taken or proposed to address the breach and mitigate harm
- Technical details and timeline of the breach
- Assessment of risk to Data Subjects

6.3 Processor's Actions

The Processor shall:
- Investigate the Data Breach and determine its scope
- Implement emergency measures to contain the breach
- Preserve evidence and log files
- Cooperate fully with the Controller and Competent Authorities
- Not publicly disclose the breach without prior consent from the Controller (except as required by law)
- Provide regular updates on the investigation and remediation

6.4 Notification to Supervisory Authorities

For Personal Data originating from the EU/EEA:
- The Controller is responsible for notifying Competent Authorities if required by GDPR Article 33
- The Processor shall provide the Controller with all information necessary for such notification
- The Processor shall notify the Data Protection Board of India as required by the DPDP Act Rule 6

7. AUDIT AND COMPLIANCE

7.1 Right to Audit

The Controller shall have the right to:
- Audit the Processor's Processing activities
- Verify compliance with Data Protection Laws and this DPA
- Inspect relevant facilities and systems
- Request documentation and records
- Engage independent auditors on behalf of the Controller

7.2 Audit Procedures

7.2.1 Notice
The Controller shall provide reasonable notice (at least 15 calendar days) before conducting an audit, except in case of emergency or suspected breach.

7.2.2 Frequency
- Routine audits: Once per calendar year (standard practice)
- Additional audits: May be conducted if compliance issues are identified
- Emergency audits: Immediately, if breach is suspected

7.2.3 Audit Scope
Audits shall cover:
- Security measures and controls
- Sub-processor compliance
- Data subject rights fulfillment
- Breach response procedures
- Data retention and deletion procedures
- Compliance with Processing instructions

7.3 Processor's Cooperation

The Processor shall:
- Provide reasonable access to facilities, systems, and data
- Respond to audit inquiries within 10 business days
- Assist in remedying any identified deficiencies
- Bear the reasonable costs of audits (Controller-initiated audits only; multiple audits by the same Controller in a year may be charged to the Controller)

7.4 Certifications and Reports

The Processor shall provide:
- Annual SOC 2 Type II or equivalent audit reports
- ISO 27001 certification (where applicable)
- Regular security assessments and penetration testing results
- Compliance certifications requested by the Controller

8. DELETION AND RETURN OF DATA

8.1 Deletion Upon Termination

Upon termination or expiration of the Services, or upon instruction from the Controller, the Processor shall:

8.1.1 Timeline
- Cease all Processing of Personal Data (except where legally required to continue)
- Delete or return Personal Data within 90 days of termination
- Provide written confirmation of deletion

8.1.2 Methods of Deletion
- Secure, irreversible deletion of electronic data (e.g., secure wiping, cryptographic destruction)
- Physical destruction of any data carriers containing Personal Data
- Anonymization of data where deletion is not technically feasible

8.1.3 Exceptions to Deletion
Personal Data may be retained where:
- Required by applicable law (e.g., tax laws, regulatory requirements)
- Retention is necessary for legal proceedings or defense
- Retention is necessary for security purposes
- Data is anonymized and no longer identifiable as Personal Data

8.2 Certification of Deletion

The Processor shall provide the Controller with written certification that:
- All Personal Data has been deleted or returned
- All copies have been destroyed
- The deletion was performed in accordance with this DPA
- Any exceptions are documented and explained

8.3 Return of Data

If the Controller requests return of Personal Data instead of deletion:
- The Processor shall provide Personal Data in a machine-readable, structured format
- The return shall be completed within 60 days
- The Processor shall ensure secure transmission (encrypted)
- The Processor shall delete retained copies within 30 days of return (except where legally required to retain)

9. STANDARD CONTRACTUAL CLAUSES

9.1 Incorporation of SCCs

To the extent that Personal Data is transferred from the EEA to a non-adequate country, the Parties incorporate by reference the Standard Contractual Clauses (Module Two: Controller to Processor) approved by the European Commission, which are available at:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

9.2 Supplementary Measures

The Parties acknowledge that the Standard Contractual Clauses alone may not provide adequate protection in all circumstances. Accordingly, the Processor shall implement supplementary technical and organizational measures as described in Section 3.3 (Technical and Organizational Measures) of this DPA.

9.3 Data Transfer Mechanisms

9.3.1 Within EEA
Personal Data shall generally be processed within the EEA. Where processing outside the EEA is necessary:
- The Processor shall notify the Controller in advance
- Standard Contractual Clauses shall apply
- The Processor shall assess and document the legal landscape in the recipient country

9.3.2 To India
The Processor operates from India. Personal Data may be transferred to India for processing purposes. Such transfers are protected by:
- Standard Contractual Clauses as incorporated by reference
- Compliance with the Digital Personal Data Protection Act 2023 (India)
- Technical and organizational security measures described in this DPA

9.3.3 Assessment of Adequacy
The Processor shall conduct impact assessments on the legal framework of recipient countries and implement appropriate safeguards to ensure that the level of protection is essentially equivalent to that in the EEA.

10. PROCESSOR LIABILITY

10.1 Liability of Processor

The Processor shall be liable to the Controller for damages caused by Processing that infringes Data Protection Laws and this DPA, except where:
- The Processor proves that it is not responsible for the event giving rise to the loss
- The Processor has implemented appropriate technical and organizational measures
- The Processor followed the Controller's instructions

10.2 Limitation of Liability

Notwithstanding the general liability limitations in the Master Service Agreement:
- Liability for data breach or gross negligence in data protection shall not be limited
- Liability for breaching specific obligations under Articles 32, 33, or 34 of the GDPR shall not be limited
- Liability for unlawful transfer of Personal Data outside the EEA shall not be limited

10.3 Joint and Several Liability

Where both the Processor and Sub-processors cause damage, the Processor shall be liable for the full amount of damages, with the right to seek contribution from Sub-processors.

11. AMENDMENT AND MODIFICATION

11.1 Amendment of DPA

This DPA may be amended:
- By written agreement of both Parties
- To comply with changes in Data Protection Laws (effective immediately or upon notice)
- To implement requirements of Competent Authorities or supervisory bodies

11.2 Material Changes

If changes to Data Protection Laws materially affect the obligations under this DPA:
- The Processor shall notify the Controller within 10 business days
- The Parties shall negotiate amendments in good faith
- If amendments cannot be agreed, the Controller may terminate the Services without penalty

12. TERM AND TERMINATION

12.1 Term

This DPA shall commence on the Effective Date and continue for the duration of the Services or until termination of the Master Service Agreement, whichever is earlier.

12.2 Termination Rights

Either Party may terminate this DPA:
- Upon termination of the Master Service Agreement
- For material breach of data protection obligations (with 30 days' notice to cure)
- If the Processor engages in Processing that violates Data Protection Laws

12.3 Survival

Upon termination of this DPA:
- All obligations regarding data protection shall survive
- The Processor shall complete data deletion or return procedures
- Confidentiality obligations shall survive indefinitely
- Sections 4, 6, 7, 8, and 10 shall survive indefinitely

13. CONTACT INFORMATION

13.1 Controller's Data Protection Contact

[Customer Name]
[Address]
[Email]
[Phone]
[Data Protection Officer Name and Contact] (if applicable)

13.2 Processor's Data Protection Contact

Data Protection Officer:
Name: (to be designated)
Title: Data Protection Officer
Company: Modulo AI Pvt Ltd
Address: Noida, Uttar Pradesh 201301, India
Email: contact@moduloware.ai
Phone: (to be provided)

EU/UK Representative (Article 27 GDPR):
Name: (to be appointed)
Company: Modulo AI Pvt Ltd
Address: (to be appointed)
Email: contact@moduloware.ai
Phone: (to be provided)

Data Security and Compliance:
Email: contact@moduloware.ai
Phone: (to be provided)

14. GOVERNING LAW AND DISPUTE RESOLUTION

14.1 Governing Law

This DPA shall be governed by and interpreted in accordance with the laws of India, subject to the requirements of GDPR Article 28, UK GDPR, and other applicable Data Protection Laws.

14.2 Dispute Resolution

Disputes arising from this DPA shall be resolved as follows:

14.2.1 Informal Resolution
The Parties shall first attempt to resolve disputes through good-faith negotiation between senior representatives of each Party within 30 days.

14.2.2 Formal Mediation
If informal resolution fails, the Parties shall engage in mediation administered by [Mediation Provider] before pursuing litigation.

14.2.3 Jurisdiction
- Disputes shall be resolved in the courts of Noida, Uttar Pradesh, India
- Subject to applicable data protection laws and the right of the Controller to pursue claims in courts of the EU/EEA

14.3 Role of Supervisory Authorities

Notwithstanding this dispute resolution clause, either Party may lodge a complaint with a Competent Authority regarding alleged violations of Data Protection Laws.

15. ADDITIONAL PROVISIONS

15.1 Entire Agreement

This DPA, together with the Master Service Agreement and Privacy Policy, constitutes the entire agreement regarding data processing and supersedes all prior understandings.

15.2 Severability

If any provision of this DPA is found invalid or unenforceable:
- The provision shall be modified to the minimum extent necessary to make it valid
- If modification is not possible, the provision shall be severed
- All remaining provisions shall remain in full force

15.3 No Waiver

No waiver of any provision of this DPA shall be effective unless in writing and signed by both Parties.

15.4 Relationship to Master Service Agreement

This DPA is entered into pursuant to and supplements the Master Service Agreement. In case of conflict:
- Data protection obligations under this DPA shall prevail
- All other provisions of the Master Service Agreement remain in effect

15.5 Order of Precedence

In case of conflict between documents, the following order of precedence applies:
1. GDPR and applicable Data Protection Laws
2. This Data Processing Agreement
3. Standard Contractual Clauses (Module Two)
4. Master Service Agreement
5. Other documents and policies

15.6 Notices

All notices under this DPA shall be in writing and delivered to the contact information specified in Section 13, and shall be effective upon receipt.

16. REGULATORY REQUIREMENTS AND COMPLIANCE

16.1 DPDP Act Compliance (India)

The Processor acknowledges its obligations under the Digital Personal Data Protection Act, 2023 (India) and shall:
- Maintain accurate records of processing activities
- Notify the Data Protection Board of India of data breaches
- Cooperate with investigations by the DPA
- Implement technical and organizational measures as required

16.2 GDPR Compliance (EU/EEA)

The Processor shall comply with all GDPR obligations including:
- Processing instructions and lawfulness of processing
- Data subject rights and assistance
- Data breach notification (without undue delay, within 72 hours to authorities)
- Deletion and return of personal data
- Security and confidentiality

16.3 UK GDPR Compliance (United Kingdom)

For Personal Data of UK residents, the Processor shall comply with UK GDPR requirements, which are substantially similar to GDPR.

16.4 California Consumer Privacy Act (CCPA) - Optional

To the extent applicable, the Processor shall comply with CCPA requirements for processing Personal Data of California residents, including:
- Honoring consumer rights (access, deletion, opt-out)
- Not selling personal information
- Providing transparency notices

APPENDIX A: PROCESSING DETAILS

1. Subject Matter of Processing

Bug detection, analysis, and code modification services provided through the Bug Fixer GitHub Application.

2. Duration of Processing

From the Effective Date of subscription until termination plus 90 days for data deletion, with specified exceptions for legal retention.

3. Nature and Purpose of Processing

  • Analyzing code repositories to identify bugs and security issues
  • Creating GitHub issues and pull requests with fix suggestions
  • Maintaining service logs and analytics
  • Preventing abuse and ensuring service security
  • Responding to data subject rights requests

4. Types of Personal Data

  • GitHub user identifiers, usernames, and profile information
  • Email addresses and contact information
  • Repository metadata and code content (as authorized)
  • GitHub issues, pull requests, and discussion data
  • IP addresses and technical identifiers
  • Usage analytics and service performance data

5. Categories of Data Subjects

  • Repository owners and administrators
  • Developers and contributors
  • End users of analyzed repositories
  • Support contacts and account managers

6. Location of Processing

  • Primary processing: India (Noida)
  • EU/EEA Personal Data: May be transferred to India under Standard Contractual Clauses
  • Backup and redundancy: [Specify backup locations, if any]

7. Sub-processors

Current list available upon request:
- GitHub (API integration) - Repository hosting and access
- [Cloud Provider] - Data storage and backup
- [Analytics Provider] - Usage analytics
- [Support Tool Provider] - Customer support systems

APPENDIX B: SECURITY MEASURES

1. Technical Security Measures

  • TLS 1.2+ encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication for administrative access
  • Secure key management and rotation
  • Intrusion detection and prevention systems
  • DDoS protection and mitigation
  • Regular vulnerability scanning and patch management
  • Code review and secure development practices
  • Secure APIs with rate limiting and authentication

2. Organizational Security Measures

  • Designated Data Protection Officer and security team
  • Security policies and procedures
  • Employee background checks and confidentiality agreements
  • Regular security awareness training
  • Incident response and disaster recovery plans
  • Business continuity procedures
  • Regular security audits and assessments
  • Access controls and role-based permissions
  • Activity logging and monitoring
  • Data retention and secure destruction procedures

3. Frequency of Reviews

  • Security measures reviewed: Quarterly
  • Penetration testing: Annually
  • Audit compliance: Annually
  • Vulnerability scanning: Continuously

APPENDIX C: STANDARD CONTRACTUAL CLAUSES (SCC) - MODULE TWO

Note: The full text of the Standard Contractual Clauses (Module Two: Controller to Processor) is incorporated by reference from the European Commission decision. The following is a summary of key elements:

Parties:
- Data Exporter (Controller): The Customer as identified in the Master Service Agreement
- Data Importer (Processor): [Your Company Name], based in Noida, Uttar Pradesh, India

Processing Details:
- Subject Matter: Bug detection and code analysis services
- Duration: For the term of the Services
- Nature of Processing: As described in Appendix A
- Types of Personal Data: As described in Appendix A
- Categories of Data Subjects: As described in Appendix A

Processor's Obligations:
- Process data only on documented instructions from Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without prior authorization
- Assist with data subject rights requests
- Assist with security and compliance obligations
- Delete or return personal data upon termination

Data Subject Rights:
- Data Subjects retain all rights under GDPR/UK GDPR
- Controller shall handle data subject requests, with Processor's assistance
- Data Subjects may lodge complaints with supervisory authorities

Liability:
- Processor is liable for breaches of data protection obligations
- Liability is not limited for gross negligence, willful misconduct, or fraud

Termination:
- Upon termination of Services, Processor shall delete or return Personal Data
- Data Breach shall be grounds for immediate termination

Competent Authority:
- For EU Personal Data: Relevant EU Data Protection Authority
- For UK Personal Data: UK Information Commissioner's Office
- For Indian Personal Data: Data Protection Board of India

END OF DATA PROCESSING AGREEMENT

SIGNATURES:

By signing below, both Parties acknowledge and agree to the terms and conditions set forth in this Data Processing Agreement.

FOR THE CONTROLLER:

Name: ____________________________

Title: ____________________________

Company: ____________________________

Date: ____________________________

Signature: ____________________________

FOR THE PROCESSOR:

Name: ____________________________

Title: ____________________________

Company: Modulo AI Pvt Ltd

Address: Noida, Uttar Pradesh 201301, India

Date: ____________________________

Signature: ____________________________

Last Updated: December 22, 2025
Version: 1.0
Effective:

Back to Top