Not legal advice. This page is a templated baseline aligned with the DPDP Act 2023 and the IT Rules 2011. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.
1. Definitions
"Controller", "Processor", "Personal Data", "Processing", "Data Subject" and other terms have the meanings set out in the DPDP Act 2023 and the IT Rules 2011. "Customer Personal Data" means Personal Data within Customer Data that we process on your behalf.
2. Roles and instructions
You are the Controller of Customer Personal Data. We are the Processor. We process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do so by applicable law (in which case we will inform you of that legal requirement before processing, where allowed).
3. Confidentiality and personnel
We ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and have received appropriate data-protection training. We restrict access on a need-to-know basis governed by role-based access controls.
4. Security measures
We implement appropriate technical and organisational measures, including (a) encryption of data at rest and in transit; (b) regular vulnerability scanning and penetration testing; (c) network segmentation, least-privilege access, and centralised logging; (d) incident detection and response procedures; (e) background checks for personnel with production access. The current measures are documented in our Security Whitepaper, available on request.
5. Sub-processors
You authorise us to engage sub-processors to provide the service. We maintain a current list of sub-processors and inform you at least 30 days before adding or replacing one (subject to a reasonable objection right). We remain liable for our sub-processors' performance of data-protection obligations.
6. Data subject rights
We assist you in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) by providing self-service export tools and, where needed, dedicated processor support. You remain responsible for primary communication with the data subject.
7. Data breach notification
We notify you without undue delay upon becoming aware of any Personal Data Breach affecting Customer Personal Data, providing the information you reasonably need to comply with your notification obligations to the Data Protection Board of India and to affected Data Principals. We will not unreasonably delay notification pending completion of our own investigation.
8. International transfers
Where we transfer Customer Personal Data outside India, we rely on the list of trusted countries notified by the Central Government under Section 16 of the DPDP Act 2023 or, where a country is not on that list, on standard contractual clauses or another lawful transfer mechanism approved under applicable rules. Specific transfer details are set out in our sub-processor list.
9. Audits
You may audit our compliance with this DPA, on reasonable notice and at your cost, no more than once per 12 months (or following a Personal Data Breach). We will provide our SOC 2 Type II report and ISO 27001 certificate to satisfy most audit requirements without on-site visits, where you accept these as adequate.
10. Return or deletion of data
On termination of the service, we will (at your election) return Customer Personal Data to you in a structured machine-readable format and/or delete it from our systems (subject to backup retention up to 35 days and any statutory retention requirements applicable to invoices).
11. Liability and conflicts
This DPA forms part of, and is subject to, our Terms of Service. In the event of any conflict between this DPA and the Terms, this DPA prevails on data-protection matters. Liability under this DPA is subject to the limitations in the Terms.
12. Effective date
This DPA is effective as of the date you accept the Terms of Service or sign a separate order form referencing it. We may update this DPA from time to time; material changes are notified at least 30 days in advance.