# Data Processing Agreement

**Between**

**[Data Fiduciary — Customer Name]** ("Data Fiduciary")

**and**

**Ninja Money Tech** ("Data Processor"), operating under the domain ninjamoney.tech

---

**Effective Date:** [DD Month YYYY]

---

## 1. Definitions

| Term | Definition |
|------|-----------|
| **Personal Data** | Any data about an individual who is identifiable by or in relation to such data, as defined under Section 3 of the Digital Personal Data Protection Act, 2023 (DPDPA). |
| **Processing** | Any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. |
| **Data Principal** | The individual to whom the Personal Data relates. |
| **Data Fiduciary** | The entity that, alone or jointly with others, determines the purpose and means of processing Personal Data. In this Agreement, the Customer. |
| **Data Processor** | The entity that processes Personal Data on behalf of the Data Fiduciary. In this Agreement, Ninja Money Tech. |

## 2. Scope of Processing

The Data Processor shall process Personal Data solely for the purpose of **compliance auditing of uploaded API collections and video/image content** against the Digital Personal Data Protection Act, 2023 (DPDPA).

Processing is limited to:

- Receiving API request/response collections (JSON format) submitted by the Data Fiduciary
- Receiving video and image file uploads submitted by the Data Fiduciary
- Extracting text from uploaded content via OCR
- Transcribing audio from uploaded video content
- Analysing extracted content for DPDPA compliance violations
- Generating compliance reports and fix recommendations

No other processing activity is authorised under this Agreement.

## 3. Data Categories

The following categories of Personal Data may be processed under this Agreement:

| Category | Description | Source |
|----------|------------|--------|
| API request/response bodies | JSON payloads submitted via the API ingest endpoint | Data Fiduciary upload |
| Video frames | Individual frames extracted from uploaded video files | Derived from Data Fiduciary upload |
| OCR-extracted text | Text programmatically read from video frames and images | Derived from Data Fiduciary upload |
| Audio transcriptions | Speech-to-text output from uploaded video audio tracks | Derived from Data Fiduciary upload |

## 4. Purpose Limitation

The Data Processor shall process Personal Data **only** for the purpose stated in Section 2 (DPDPA compliance assessment). The Data Processor shall not:

- Use Personal Data for marketing, advertising, or promotional purposes
- Profile Data Principals or conduct behavioural analysis
- Share Personal Data with any third party not authorised by this Agreement
- Use Personal Data for training machine learning models
- Process Personal Data for any purpose unrelated to DPDPA compliance assessment

## 5. Retention

| Data Category | Retention Period |
|--------------|-----------------|
| Raw processing artifacts (frames, audio segments, embedding vectors) | Deleted immediately upon scan completion |
| Analysis evidence (findings, analysis units, OCR excerpts) | 90 days from scan completion |
| Compliance reports and summaries | 1 year from scan completion |
| All data upon customer deletion request | Deleted within 30 days of request |

The Data Processor shall automatically purge data in accordance with the schedule above. The Data Fiduciary may request earlier deletion at any time by contacting support@regvision.agency.

## 6. Sub-processors

**As of the Effective Date, the Data Processor engages no sub-processors.**

The Data Fiduciary will be notified in writing (email to the address on file) at least 30 days before engaging any sub-processor. The Data Fiduciary may object to the appointment of a sub-processor, in which case the Data Processor will either find an alternative or the Data Fiduciary may terminate this Agreement.

## 7. Security Measures

The Data Processor implements the following security measures to protect Personal Data:

| Measure | Status |
|---------|--------|
| Encryption in transit (TLS 1.2+) | Implemented |
| Access-controlled storage (scoped per API key) | Implemented |
| Role-based access control for internal staff | Implemented |
| Encryption at rest | Planned — post-MVP |
| Raw artifact auto-purge after scan completion | Implemented |

The Data Processor will notify the Data Fiduciary within 72 hours of becoming aware of a Personal Data breach that is likely to result in adverse effects on Data Principals.

## 8. Data Subject Rights

The Data Processor shall assist the Data Fiduciary in responding to requests from Data Principals exercising their rights under the DPDPA, including:

- **Right to erasure** — Upon the Data Fiduciary's instruction, the Data Processor will delete all Personal Data associated with the specified Data Principal within 30 days.
- **Right to access** — The Data Processor will provide the Data Fiduciary with a copy of all Personal Data held for the specified Data Principal.
- **Access to compliance reports** — The Data Fiduciary may export compliance reports in JSON, CSV, or text format at any time via the dashboard or API.

## 9. Audit Rights

The Data Fiduciary may request processing activity logs from the Data Processor at any time by emailing support@regvision.agency. The Data Processor will provide:

- A record of all processing activities performed on behalf of the Data Fiduciary
- Timestamps and categories of data processed
- Confirmation of data deletion in accordance with the retention schedule

The Data Processor will respond to audit requests within 14 business days.

## 10. Termination

Upon termination or expiration of this Agreement:

1. The Data Processor will delete **all** Personal Data belonging to the Data Fiduciary within **30 days** of the Agreement's end date.
2. The Data Processor will provide written confirmation of deletion upon request.
3. No Personal Data will be retained beyond the 30-day post-termination period except where retention is required by applicable law.

## 11. Governing Law

This Agreement is governed by and construed in accordance with the laws of India, specifically the Digital Personal Data Protection Act, 2023.

---

### Signatures

**Data Fiduciary (Customer)**

Name: ___________________________

Title: ____________________________

Date: ____________________________

Signature: ________________________


**Data Processor — Ninja Money Tech**

Name: ___________________________

Title: ____________________________

Date: ____________________________

Signature: ________________________
