Smartsoochi – Data Processing Addendum (DPA)

Effective Date, 01 January 2020
Last Updated, 22 November 2025

This Data Processing Addendum (“DPA”) forms part of the Smartsoochi End User License Agreement (“Agreement”) between Smartsoochi, a unit of Smart 24×7 Response Private Limited (“Processor” or “Smartsoochi”) and the Licensee (“Controller”) whenever Smartsoochi processes Personal Data on behalf of the Controller. Capitalized terms not defined herein have the meaning given in the Agreement or Regulation (EU) 2016/679 (“GDPR”).

1. Subject Matter and Duration

This DPA applies to all Personal Data processed by Smartsoochi while providing the Platform. It remains effective for the duration of the Subscription Term and thereafter until all Personal Data is deleted or returned in accordance with Section 9.

2. Nature, Purpose and Scope

Smartsoochi processes Personal Data solely to,

(a) provide the Platform and related technical support,

(b) perform analytics, troubleshooting, and maintenance,

(c) improve and develop the Platform (including machine learning), and
(d) comply with Controller’s documented instructions or applicable law.

3. Types of Personal Data and Categories of Data Subjects

Controller may upload any Personal Data to the Platform. Typical categories include names, contact details, location data, device identifiers, employee records, customer data, and any other data Controller chooses to process. Data subjects may include Controller’s employees, customers, end-users, and any other individuals.

4. Obligations of Controller

Controller shall,

(a) ensure all Personal Data is collected and processed lawfully with a valid legal basis under GDPR and other applicable laws,

(b) provide all required privacy notices and obtain all necessary consents,
(c) issue lawful, documented instructions to Smartsoochi.

5. Obligations of Smartsoochi

5.1 Smartsoochi shall process Personal Data only on Controller’s documented instructions, including with regard to international transfers, unless required by EU or Member State law (in which case Smartsoochi shall inform Controller prior to processing, unless prohibited).

5.2 Smartsoochi shall immediately inform Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection laws.
5.3 Smartsoochi shall maintain confidentiality of Personal Data and ensure persons authorized to process it are bound by appropriate confidentiality obligations.

6. Security of Processing

Smartsoochi implements and maintains appropriate technical and organizational measures as described in Annex 1 (including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, regular penetration testing, and ISO 27001-aligned practices) to ensure a level of security appropriate to the risk.

7. Sub-processing

7.1 Controller grants general written authorization for Smartsoochi to engage sub-processors listed at https,//smartsoochi.com/subprocessors (updated from time to time).

7.2 Smartsoochi shall inform Controller of any intended new sub-processor at least thirty (30) days in advance via email or Platform notification. Controller may object on reasonable data-protection grounds within fourteen (14) days, failure to object constitutes consent.

7.3 Smartsoochi shall impose the same data-protection obligations on sub-processors via written contract.

8. Data Subject Rights and Cooperation

Smartsoochi shall, taking into account the nature of processing, assist Controller by appropriate technical and organizational measures to fulfill Controller’s obligations to respond to data subject requests (including access, rectification, erasure, and restriction). Smartsoochi shall promptly forward any data subject requests received directly to Controller.

9. Data Deletion and Return

Upon termination of the Agreement, Smartsoochi shall, at Controller’s choice within ninety (90) days, (i) securely delete or anonymize all Personal Data, or (ii) return it in a standard format. After such period, Smartsoochi shall irreversibly delete all copies unless required by law to retain them.

10. Audits and Demonstrations of Compliance

Upon reasonable request and no more than once per year (unless required by a supervisory authority or following a security incident), Smartsoochi shall make available information necessary to demonstrate compliance with this DPA and allow for audits by Controller or an independent auditor appointed by Controller (subject to reasonable confidentiality obligations and at Controller’s cost).

11. International Transfers

Where Personal Data originates from the EEA, UK, or Switzerland, Smartsoochi shall ensure transfers to third countries occur only under, (i) an adequacy decision, or (ii) the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) 2021/914, incorporated herein by reference, with India as the data importer country.

12. Liability and Governing Law

Each party’s liability under this DPA shall be subject to the limitations and exclusions in the Agreement. This DPA is governed by the laws of India.

By using the Platform, Controller accepts this DPA.

Smartsoochi Technologies Private Limited

New Delhi, India | legal@smartsoochi.com