EmpTrack AI — Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms and Conditions (the "Agreement") between:
(1) EmpTrack AI, a workforce intelligence / HRMS platform founded and operated by Lakshay Devendra Porchattiwar (Founder & CEO), having its registered office at 53B, Deepakamale Layout, Trilok Nagar, Duttawadi, Wadi, Nagpur - 440021, Maharashtra, India (the "Processor" / "EmpTrack AI"); and
(2) the Customer identified in the Agreement or order form (the "Data Fiduciary" / "Customer").
Effective Date: [Insert Date] Version: 1.0 Platform Status: Under active development (beta / pre-release)
This DPA governs the processing of personal data by EmpTrack AI on behalf of the Customer and is issued in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the SPDI Rules, 2011. In case of conflict on data-protection matters, this DPA prevails over the Agreement.
1. Definitions
1.1. Terms such as "Personal Data", "Data Principal", "Data Fiduciary", "Data Processor", "processing", and "personal data breach" have the meanings given under the DPDP Act, 2023. "SPDI" has the meaning given under the SPDI Rules, 2011. Capitalized terms not defined here have the meaning given in the Agreement.
1.2. "Customer Personal Data" means personal data that EmpTrack AI processes on behalf of the Customer under the Agreement (e.g., employee, applicant, attendance, leave, payroll, performance, and document data).
2. Roles and Scope of Processing
2.1. The parties acknowledge that, for Customer Personal Data, the Customer is the Data Fiduciary and EmpTrack AI is the Data Processor.
2.2. EmpTrack AI shall process Customer Personal Data only on the documented, lawful instructions of the Customer, as set out in the Agreement, this DPA, and Annex A, and as necessary to provide and support the Platform.
2.3. Details of the processing (subject matter, duration, nature, purpose, categories of data and Data Principals) are set out in Annex A.
3. Obligations of EmpTrack AI (Processor)
EmpTrack AI shall:
3.1. process Customer Personal Data only on the Customer's documented instructions, and inform the Customer if, in its opinion, an instruction infringes Applicable Law;
3.2. implement and maintain the technical and organizational security measures set out in Annex B, meeting the "reasonable security practices" standard under Section 43A of the IT Act, 2000 and the SPDI Rules, 2011;
3.3. ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;
3.4. not disclose Customer Personal Data to any third party except sub-processors permitted under Clause 5 or as required by Applicable Law (with notice to the Customer where lawful);
3.5. assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer's obligations to respond to Data Principal rights requests under the DPDP Act, 2023;
3.6. assist the Customer with security, breach notification, and, where applicable, data protection impact assessments;
3.7. maintain records of processing activities sufficient to demonstrate compliance; and
3.8. make available to the Customer information reasonably necessary to demonstrate compliance with this DPA (see Clause 9).
4. Obligations of the Customer (Data Fiduciary)
The Customer shall:
4.1. ensure it has a valid lawful basis and consent/notice under the DPDP Act, 2023 for the personal data it uploads and instructs EmpTrack AI to process;
4.2. ensure its instructions comply with Applicable Law;
4.3. be responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired;
4.4. configure and use the Platform's security features (RBAC, MFA, OTP, access management) appropriately; and
4.5. respond to Data Principals as the Data Fiduciary, using EmpTrack AI's assistance where needed.
5. Sub-Processors
5.1. The Customer provides general authorization for EmpTrack AI to engage sub-processors (e.g., cloud hosting, email, payment processing) to support the Platform.
5.2. EmpTrack AI shall impose data-protection obligations on each sub-processor that are substantially equivalent to those in this DPA and remains responsible for its sub-processors' performance.
5.3. EmpTrack AI shall inform the Customer of any intended addition or replacement of a sub-processor and give the Customer a reasonable opportunity to object on reasonable data-protection grounds.
6. Security Measures
6.1. EmpTrack AI shall implement the measures described in Annex B, which are designed to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, consistent with the SPDI Rules, 2011 and recognized standards (ISO/IEC 27001, ISO/IEC 27701, OWASP, NIST).
6.2. As the Platform is under active development, EmpTrack AI reviews and enhances these measures on an ongoing basis; any changes will not materially reduce the overall level of security.
7. Personal Data Breach
7.1. EmpTrack AI shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide available information to help the Customer meet its obligations.
7.2. EmpTrack AI shall report reportable cyber incidents to CERT-In as required under the CERT-In Directions, 2022 (Section 70B, IT Act, 2000).
7.3. The Customer, as Data Fiduciary, is responsible for notifying the Data Protection Board of India and affected Data Principals where required under the DPDP Act, 2023; EmpTrack AI shall provide reasonable assistance.
8. Cross-Border Transfers
8.1. Customer Personal Data is primarily processed in India. Any transfer or hosting outside India will be carried out in accordance with the DPDP Act, 2023 and any restrictions notified by the Central Government, with appropriate safeguards. EmpTrack AI shall inform the Customer of the hosting location(s).
9. Audit and Compliance
9.1. EmpTrack AI shall, on reasonable prior written notice and no more than once per year (unless required by a regulator or following a breach), make available information and, where appropriate, relevant third-party audit reports/certifications to demonstrate compliance with this DPA.
9.2. Audits shall be conducted during business hours, subject to confidentiality, and in a manner that does not disrupt EmpTrack AI's operations or other customers' data.
10. Return and Deletion of Data
10.1. On expiry or termination of the Agreement, EmpTrack AI shall, at the Customer's choice, return or delete Customer Personal Data within a reasonable period (e.g., [30] days), and delete existing copies, except where retention is required by Applicable Law.
10.2. Backup copies are deleted in the ordinary course of backup rotation.
11. Liability, Shared Responsibility, and Indemnity
11.1. Liability under this DPA is subject to the Limitation of Liability and Indemnification provisions of the Agreement.
11.2. Consistent with the shared-responsibility model, each party is responsible for losses arising from its own acts, omissions, negligence, or breach. EmpTrack AI is responsible for security of the Platform infrastructure within its control and its Processor obligations; the Customer is responsible for lawful basis/consent, data accuracy, user access management, and its use of the Platform and AI outputs.
12. Governing Law and Jurisdiction
12.1. This DPA is governed by the laws of India and subject to the exclusive jurisdiction of the competent courts at Nagpur, Maharashtra, consistent with the Agreement.
13. Grievance / Data Protection Contact
- Name: Lakshay Devendra Porchattiwar
- Designation: Founder & CEO / Grievance Officer & Data Protection Contact
- Email: user.support@emptrackai.online
- Address: 53B, Deepakamale Layout, Trilok Nagar, Duttawadi, Wadi, Nagpur - 440021, Maharashtra, India
Annex A — Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the EmpTrack AI HRMS / workforce-intelligence Platform |
| Duration | For the term of the Agreement plus any legally required retention period |
| Nature and purpose | Hosting, storage, processing, analytics, and AI-assisted insights to deliver HR modules (Employee, Attendance, Leave, Payroll, Recruitment, Performance, Documents, Assets, Reporting, etc.) |
| Categories of Data Principals | Customer's employees, job applicants, contractors, and administrators |
| Categories of Personal Data | Identification and contact data; employment and role data; attendance and leave data; payroll and financial (SPDI) data; performance data; documents and asset records; authentication and audit-log data |
| Sensitive data (SPDI) | Financial/payroll data and any other sensitive categories the Customer chooses to upload |
| Processing operations | Collection, storage, organization, retrieval, use, analysis, disclosure to authorized users/sub-processors, retention, and deletion |
Annex B — Technical and Organizational Security Measures
- Encryption of data in transit (TLS) and at rest.
- Access control: Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), OTP verification, least-privilege access, and secure credential management.
- Audit logging of critical activity to support accountability and digital evidence.
- Network and application security: API security, rate limiting, input validation, and protection against common vulnerabilities (informed by OWASP and the NIST Cybersecurity Framework).
- Secrets management and separation of environments.
- Backups, disaster recovery, and business continuity aligned with the goals of ISO 22301.
- Personnel measures: confidentiality obligations, access on a need-to-know basis, and security awareness.
- Incident response procedures consistent with the CERT-In Directions, 2022.
- Alignment with recognized standards (ISO/IEC 27001, ISO/IEC 27701, SOC 2 control objectives) as the Company matures; certification status is stated separately in the Company's security documentation.
Legal Disclaimer: This DPA is a professionally structured template aligned with Indian law as of its drafting date and does not constitute legal advice. Complete all bracketed placeholders and have it reviewed by a qualified advocate/attorney licensed in India before execution. Confirm the currently commenced provisions of the Digital Personal Data Protection Rules with counsel.