Data Processing Agreement (DPA)
This Agreement forms an integral part of the Service Agreement, Statement of Work (SOW), or Master Services Agreement This Data Processing Agreement (“Agreement” or “DPA”) is entered into between:
(1) Vedhunt InfoTech, a company incorporated under the laws of India, having its registered office in Pune, Maharashtra, India (“Processor” or “Service Provider”),
and
(2) The Client who engages Vedhunt InfoTech for IT, Digital Marketing, Automation, or Business Process Services (“Controller” or “Client”).
Both parties are referred (MSA) executed between the Parties.
The purpose of this DPA is to ensure that any personal or sensitive data processed by Vedhunt InfoTech on behalf of the Client is handled in compliance with applicable data protection laws, including but not limited to the Information Technology Act, 2000, GDPR, and other international regulations.
| Term | Meaning |
|---|---|
| Personal Data | Any information that identifies or can identify an individual (e.g., name, ID, email, health data, IP address). |
| Processing | Any operation performed on data, such as collection, storage, use, modification, or deletion. |
| Controller | The entity that determines the purposes and means of processing personal data (the Client). |
| Processor | The entity that processes personal data on behalf of the Controller (Vedhunt InfoTech). |
| Sub-Processor | Any third-party vendor engaged by Vedhunt InfoTech to assist with processing data. |
| Applicable Law | Includes the Indian IT Act, GDPR, CCPA, and other relevant data protection legislation. |
Vedhunt InfoTech may process data solely for the following business purposes:
- Website & App development services
- Automation, Analytics, and Reporting (SQL, Power BI, Python, BI tools)
- Digital Marketing and Lead Management (Google, Meta, LinkedIn, etc.)
- Accounting & Financial MIS Automation
- Healthcare and Insurance Vendor Analytics (non-clinical data)
- Any additional service explicitly defined in the client’s project scope
Vedhunt shall not process or use the Client’s data for any purpose other than what is contractually agreed.
4.1 Client (Data Controller)
The Client determines:
- The categories of data processed.
- The lawful basis for processing.
- Instructions provided to Vedhunt InfoTech.
The Client ensures data shared is obtained lawfully and does not violate any third-party rights.
4.2 Vedhunt InfoTech (Data Processor)
Vedhunt agrees to:
- Process data only on documented instructions from the Client.
- Implement technical and organizational measures to protect data.
- Ensure confidentiality of all personnel with access to data.
- Not engage any sub-processor without written consent.
- Assist the Client in ensuring compliance with applicable laws.
Depending on the service, Vedhunt may process:
- Contact details (name, email, phone, company info)
- Project data and reports
- Transaction or performance data
- System or log data (e.g., Power BI logs, SQL transactions)
- Non-clinical healthcare data (member IDs, claim reference IDs — anonymized)
Sensitive Personal Data (if applicable):
In limited cases (e.g., healthcare vendors), only pseudonymized or masked data is used, ensuring no direct identifiers are accessible.
Vedhunt may use third-party service providers (e.g., AWS, Azure, Google Cloud, Microsoft Power BI, Sendinblue, or Zoho) to perform specific functions.
Vedhunt ensures that:
- Sub-processors are bound by written contracts ensuring equivalent data protection.
- Clients are informed and may object to specific sub-processors.
Data transfers comply with international standards (Standard Contractual Clauses or similar).
Vedhunt InfoTech implements reasonable security practices under Indian IT Rules and industry-standard measures, including:
- SSL/TLS encryption for all transmissions
- Encrypted storage for client files and databases
- Role-based access control (RBAC)
- Regular security audits and firewall protection
- Daily backups and disaster recovery systems
- 2FA and VPN-based access for internal operations
If a data breach occurs, Vedhunt will promptly notify the Client (within 72 hours) with full details and corrective actions.
- All data, project information, and deliverables are treated as confidential.
- Employees, contractors, and partners are bound by NDAs.
- Confidentiality obligations remain effective even after contract termination.
Vedhunt retains client data only as long as necessary for the project or as required by law.
Upon completion or termination of the engagement:
- All personal data will be securely deleted, anonymized, or returned to the Client.
- Backup copies will be purged within 30 to 60 days unless required for legal compliance.
Vedhunt assists the Client in fulfilling requests from data subjects, including:
- Access, correction, or deletion of their personal data.
- Restriction or objection to processing.
- Data portability (where applicable).
Vedhunt shall not respond directly to such requests without prior approval from the Client.
If data is transferred outside India (e.g., hosting or cloud services), Vedhunt ensures:
- The transfer complies with applicable legal safeguards.
- Only GDPR-compliant cloud providers (e.g., AWS, Azure, GCP) are used.
- Data remains encrypted during and after transfer.
- Vedhunt will make available all information necessary to demonstrate compliance.
- The Client may, upon reasonable notice, audit Vedhunt’s data handling procedures (once per year).
- Vedhunt will cooperate fully and correct any non-compliance promptly.
In the event of an actual or suspected breach:
- Vedhunt will notify the Client within 72 hours.
- The notice will include:
- Nature and scope of the breach.
- Data affected.
- Steps taken to mitigate risks.
- Vedhunt will work closely with the Client to contain and remediate the issue.
Vedhunt InfoTech’s total liability arising out of data processing shall not exceed the total amount paid by the Client under the service contract during the 6-month period preceding the claim, unless caused by gross negligence or willful misconduct.
This DPA remains in effect:
- For as long as Vedhunt processes data on behalf of the Client; or
- Until the termination of all service agreements.
Upon termination:
- Vedhunt will delete or return all client data (as per Section 9).
- Any surviving confidentiality and security obligations remain binding.
This Agreement shall be governed by and construed under the laws of India.
All disputes shall be subject to the exclusive jurisdiction of the courts in Pune, Maharashtra, India.
For data protection inquiries or concerns:
📧 Email: privacy@vedhunt.com
📞 Phone: +91 86524 10289
🏢 Address: Vedhunt InfoTech, Pune, Maharashtra, India
By signing a Service Agreement or engaging Vedhunt InfoTech’s services, the Client acknowledges that:
- They have reviewed and accepted this Data Processing Agreement.
- This DPA forms part of the binding contractual relationship between Vedhunt and the Client.
Vedhunt InfoTech is committed to protecting the integrity, confidentiality, and security of all client data — ensuring full compliance with Indian and international data protection laws.