Data Processing Addendum

Last updated: February 2026 · StudAI Technologies Pvt. Ltd.

1. Scope

This Data Processing Addendum (“DPA”) forms part of the agreement between the subscribing organization (“Customer,” “Controller”) and StudAI Technologies Pvt. Ltd. (“StudAI,” “Processor”) for the provision of the StudAI BOS platform.

This DPA applies to all processing of personal data and organization data that StudAI performs on behalf of the Customer in connection with the Service. It supplements the Terms of Service and Privacy Policy and shall prevail in the event of any conflict with those documents regarding data processing matters.

2. Definitions

  • “Controller” means the Customer that determines the purposes and means of processing personal data through the Service.
  • “Processor” means StudAI Technologies Pvt. Ltd., which processes personal data on behalf of the Controller.
  • “Personal Data” means any data relating to an identified or identifiable natural person, as defined under the Digital Personal Data Protection Act, 2023.
  • “Processing” means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
  • “Sub-processor” means any third party engaged by StudAI to process personal data on behalf of the Controller.
  • “Data Subject” / “Data Principal” means the identified or identifiable natural person to whom the personal data relates.

3. Processing Instructions

StudAI shall process personal data only in accordance with the Controller’s documented instructions, which are constituted by this DPA, the Terms of Service, and any additional written instructions provided by the Controller through the Service’s administrative interface.

StudAI shall not process personal data for any purpose other than providing the Service to the Controller. If StudAI is required by applicable law to process personal data beyond the Controller’s instructions, StudAI will inform the Controller of such requirement before processing (unless prohibited by law from doing so).

StudAI shall immediately inform the Controller if, in its opinion, an instruction infringes the DPDP Act or other applicable data protection legislation.

4. Security Measures

StudAI implements and maintains the following technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage:

  • Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit.
  • Access Control: Role-based access control (RBAC) and attribute-based access control (ABAC) with least-privilege principles.
  • Authentication: Multi-factor authentication for all administrative and internal system access.
  • Network Security: Virtual network isolation, web application firewalls (WAF), and distributed denial-of-service (DDoS) protection.
  • Audit Logging: Comprehensive, immutable audit logs of all data access events and administrative actions.
  • Backup & Recovery: Automated encrypted backups with tested recovery procedures and defined RTO/RPO targets.
  • Vulnerability Management: Regular vulnerability scanning, penetration testing, and timely patching.
  • Personnel Controls: Background checks, security awareness training, and confidentiality agreements for all personnel with access to personal data.
  • Physical Security: Data hosted in Azure India data centers with ISO 27001, SOC 2 Type II, and other certifications.

5. Sub-processors

The Controller authorizes StudAI to engage the following sub-processors for the purposes of providing the Service:

Sub-processor | Purpose | Location
Microsoft Azure | Cloud infrastructure, compute, storage, and database services | India (Central & South)
Twilio SendGrid | Transactional email delivery | Processing in India where available; metadata may transit through US infrastructure

StudAI will notify the Controller at least 30 days in advance of any intended changes to sub-processors, including additions or replacements. The Controller may object to a new sub-processor within 15 days of notification. If the objection cannot be reasonably resolved, the Controller may terminate the affected services without penalty.

6. Data Transfer

StudAI does not transfer personal data outside of India in the ordinary course of providing the Service. All data is processed and stored within Microsoft Azure India regions.

In the event that an international data transfer becomes necessary (for example, at the Customer’s request for integration with international services), StudAI will:

  • Obtain the Controller’s explicit written consent prior to any transfer.
  • Ensure that the transfer complies with the DPDP Act and any regulations notified by the Government of India regarding cross-border data transfers.
  • Implement appropriate supplementary safeguards, including contractual protections and technical measures.

7. Data Subject Requests

StudAI will assist the Controller in fulfilling its obligations to respond to Data Principal/Data Subject requests under the DPDP Act, including requests for access, correction, erasure, and portability.

If StudAI receives a request directly from a Data Principal regarding data processed on behalf of the Controller, StudAI will promptly redirect the Data Principal to the Controller and notify the Controller of the request within 48 hours, unless prohibited by law.

StudAI provides self-service tools within the platform to enable Controllers to respond to data subject requests, including data export, correction, and deletion functionalities.

8. Audit Rights

The Controller has the right to audit StudAI’s compliance with this DPA, subject to the following conditions:

  • The Controller must provide at least 30 days’ written notice prior to any audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with StudAI’s operations.
  • The Controller may engage an independent third-party auditor, subject to StudAI’s reasonable approval and the auditor’s execution of appropriate confidentiality agreements.
  • Audit frequency shall not exceed once per 12-month period, unless a data breach or regulatory inquiry necessitates an additional audit.
  • StudAI will make available relevant documentation, certifications (such as SOC 2 Type II reports), and records to support the audit.

9. Breach Notification

In the event of a personal data breach affecting data processed on behalf of the Controller, StudAI will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide the following information: (a) nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences of the breach, and (d) measures taken or proposed to address the breach.
  • Cooperate with the Controller in investigating the breach, mitigating its effects, and fulfilling any notification obligations to the Data Protection Board of India or affected Data Principals.
  • Maintain records of all data breaches, including the facts, effects, and remedial actions taken.

10. Term & Deletion

This DPA shall remain in effect for the duration of the Controller’s subscription to the Service and for as long as StudAI retains any personal data processed on behalf of the Controller.

Upon termination of the Service agreement:

  • StudAI will provide the Controller with a 30-day data export period during which all Customer Data can be exported in structured, machine-readable formats (JSON, CSV).
  • After the export period, StudAI will permanently and irreversibly delete all personal data processed on behalf of the Controller within 30 days, including all copies, backups, and replicas.
  • StudAI will provide written confirmation of deletion upon request.
  • Data may be retained beyond this period only where required by applicable law, in which case StudAI will isolate and protect the data and limit processing to the legally required purpose.