# Data Processing Agreement

This Data Processing Agreement (the "**DPA**") forms part of and is incorporated into the agreement (the "**Principal Agreement**") between the customer ("**Customer**", "you") and Partython Private Limited ("**Partython**", "we", "us") for the use of the Partython AI platform (the "**Service**"). It governs the processing of Personal Data carried out by Partython on the Customer's behalf in connection with the Service.

Where this DPA conflicts with the Principal Agreement on the subject of data protection, this DPA prevails.

---

## 1. Definitions

Terms not defined here have the meaning given in the Principal Agreement or in applicable Data Protection Law.

- **Data Protection Law** — all laws applicable to the processing of Personal Data under this DPA, including the EU/UK General Data Protection Regulation ("**GDPR**"), the India Digital Personal Data Protection Act, 2023 ("**DPDP Act**"), and the California Consumer Privacy Act, as applicable.
- **Personal Data** — any information relating to an identified or identifiable natural person that Partython processes on the Customer's behalf under the Principal Agreement.
- **Processing**, **Controller**, **Processor**, **Data Subject**, **Personal Data Breach** — as defined in the GDPR (and the corresponding terms in the DPDP Act).
- **Subprocessor** — any third party engaged by Partython to process Personal Data in connection with the Service.

## 2. Roles of the parties

The parties acknowledge that, for Personal Data processed under the Principal Agreement:

- the **Customer is the Controller** (or a processor acting on behalf of its own controller); and
- **Partython is the Processor**.

Partython processes Personal Data only as a Processor, acting on the Customer's documented instructions, except where required to do otherwise by law (in which case Partython will inform the Customer unless legally prohibited).

The details of the processing — its subject matter, duration, nature and purpose, the types of Personal Data and the categories of Data Subjects — are set out in **Annex 1**.

## 3. Customer instructions

3.1 Partython processes Personal Data only on the Customer's documented instructions. The Principal Agreement, this DPA, and the Customer's configuration and use of the Service constitute the Customer's complete and final instructions.

3.2 If Partython believes an instruction infringes Data Protection Law, it will inform the Customer without undue delay.

3.3 The Customer is responsible for ensuring it has a lawful basis to collect and provide the Personal Data to Partython, and for the accuracy and legality of that data and of its instructions.

## 4. Confidentiality

Partython ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and access Personal Data only as needed to perform their duties.

## 5. Security

5.1 Partython implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. A summary of these measures is set out in **Annex 2**.

5.2 Partython may update its security measures from time to time provided the updated measures do not materially reduce the overall level of protection.

## 6. Subprocessors

6.1 The Customer grants Partython **general authorisation** to engage Subprocessors to process Personal Data, subject to this Section 6.

6.2 The current list of Subprocessors is published at **partython.com/subprocessors** and is incorporated into this DPA by reference.

6.3 Partython will give the Customer reasonable prior notice (target: at least **30 days**) of any intended addition or replacement of a Subprocessor — for example by updating the published list and offering a subscription to change notifications. The Customer may object on reasonable, data-protection-related grounds within that notice period; the parties will then work in good faith to resolve the objection, failing which the Customer may terminate the affected part of the Service.

6.4 Partython imposes on each Subprocessor data-protection obligations no less protective than those in this DPA, and remains responsible for each Subprocessor's performance.

## 7. Assistance with Data Subject requests

Taking into account the nature of the processing, Partython will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability and objection). Where a Data Subject contacts Partython directly, Partython will, unless legally required to act, refer the request to the Customer.

## 8. Personal Data Breach

8.1 Partython will notify the Customer **without undue delay, and in any event within 72 hours**, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data.

8.2 The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. Partython will provide further information as it becomes available.

8.3 Partython will take reasonable steps to mitigate the breach and assist the Customer with its own notification obligations.

## 9. Data protection impact assessments

Partython will provide the Customer with reasonable assistance, taking into account the nature of processing and the information available to Partython, in carrying out data protection impact assessments and prior consultations with supervisory authorities.

## 10. International transfers

10.1 Personal Data processed under the Principal Agreement is primarily hosted in India (AWS ap-south-1, Mumbai).

10.2 Where the provision of the Service requires a transfer of Personal Data to a country without an adequacy decision — including transfers to AI and payment Subprocessors — the parties will ensure an appropriate transfer mechanism is in place, including, where applicable, the **EU Standard Contractual Clauses** (to be appended as a separate annex) and the transfer mechanisms required by the DPDP Act.

## 11. Return and deletion of Personal Data

11.1 On termination or expiry of the Principal Agreement, Partython will, at the Customer's choice, delete or return all Personal Data processed on the Customer's behalf, and delete existing copies, unless retention is required by law.

11.2 The Customer may export its data through the Service before termination. Following termination, Personal Data is deleted in accordance with the retention periods described in the Privacy Policy. Backups are purged on their ordinary rotation cycle.

## 12. Audits

12.1 Partython will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party certifications and audit reports where available.

12.2 Where such information is not sufficient, the Customer may, no more than once per year and on reasonable prior written notice, conduct (or appoint an independent auditor to conduct) an audit limited to Partython's processing of the Customer's Personal Data, during business hours, without unreasonable disruption to Partython's operations, and subject to confidentiality obligations.

## 13. Liability and precedence

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. In the event of a conflict, the order of precedence is: (1) the EU Standard Contractual Clauses (where they apply), (2) this DPA, (3) the Principal Agreement.

## 14. General

This DPA takes effect on the date the Principal Agreement takes effect (or, if later, the date it is signed) and remains in force for as long as Partython processes Personal Data on the Customer's behalf. It is governed by the law and jurisdiction stated in the Principal Agreement (the laws of India, with jurisdiction in Chennai).

---

## Annex 1 — Details of the processing

| Item | Detail |
|---|---|
| **Subject matter** | Provision of the Partython AI conversational AI platform. |
| **Duration** | The term of the Principal Agreement, plus any retention period described in the Privacy Policy. |
| **Nature and purpose** | Hosting, processing and storing end-user conversations; generating AI agent responses; delivering messages across connected channels; account and billing administration. |
| **Types of Personal Data** | Account identifiers (name, email, role); end-user conversation content; end-user identifiers (e.g. phone number, social platform user ID); learned preferences/facts; usage and technical metadata; billing contact and tokenised payment data. |
| **Categories of Data Subjects** | The Customer's authorised users; the Customer's own end customers who interact with the Customer's AI agents. |
| **Special category data** | Not intentionally processed. The Customer should not configure agents to solicit special category data. |

## Annex 2 — Technical and organisational measures

A current summary is maintained on the Security page (partython.com/security). Measures include, at the time of this DPA:

- Encryption in transit (TLS 1.2+ with HSTS) and at rest (AES-256).
- Tenant isolation enforced by PostgreSQL row-level security and application-layer tenant scoping.
- Hashed API keys; role-based access control; least-privilege access for personnel.
- Automatic outbound redaction of common personal identifiers from AI responses.
- Append-only audit logging of security-relevant events.
- Idempotent webhook processing to prevent duplication of Personal Data.
- Daily backups; documented disaster-recovery procedures.
- Short default retention windows with per-tenant configuration.

## Annex 3 — Subprocessors

The current list of Subprocessors, including each one's purpose, the data it processes and its processing location, is published and kept up to date at: **partython.com/subprocessors**

---

## Execution

**Effective Date:** 26 May 2026

By signing below, the parties agree to be bound by this Data Processing Agreement.

### Partython (Processor)

**Partython Private Limited**  
CIN: U52391TN2022PTC154615  
Registered Address: No. 5, 2nd Street, Devi Nagar, Ayappakkam, Chennai - 600077, Tamil Nadu, India  
Contact Email: support@partython.com

Signature: _______________________________

Name: Mariyannan Priya Jenifer  
Title: Director and Founder  
Email: support@partython.com  
Date: _______________________________

### Customer (Controller)

Legal Entity Name: _______________________________

Registered Address: _______________________________

Signature: _______________________________

Name: _______________________________  
Title: _______________________________  
Email: _______________________________  
Date: _______________________________
