Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service or other underlying agreement (the "Agreement") between the Customer (hereinafter "Data Controller" or "Customer") and OptyStack Tech Pvt Ltd (hereinafter "Data Processor" or "OptyStack").
This DPA applies to the extent that OptyStack processes Personal Data on behalf of the Customer in the course of providing its SaaS spend visibility, usage analytics, and cost optimization platform.
1. Definitions
1.1. Applicable Data Protection Laws: All regional, national, and international privacy and data protection laws applicable to the processing of Personal Data under this DPA, including but not limited to the Digital Personal Data Protection Act, 2023 (India), and other applicable statutory frameworks.
1.2. Personal Data: Any information relating to an identified or identifiable natural person processed by OptyStack on behalf of the Customer under this DPA.
1.3. Services: The SaaS optimization, discovery, and analytics services provided by OptyStack to the Customer as described in the Agreement, including integration with third-party applications (e.g., Google Workspace, Microsoft 365, Slack) via secure OAuth.
1.4. Sub-processor: Any third-party data processor engaged by OptyStack to assist in fulfilling its obligations with respect to providing the Services.
2. Scope and Nature of Processing
2.1. Role of the Parties: For the purposes of this DPA, the Customer is the Data Controller and OptyStack is the Data Processor acting strictly on the documented instructions of the Customer.
2.2. Subject Matter and Nature: OptyStack processes data to provide real-time SaaS visibility, usage analytics, shadow IT detection, and AI-powered cost recommendations.
2.3. Categories of Data: The Personal Data processed may include, but is not limited to, employee/user names, email addresses, department structures, roles, software access statuses, and application login timestamps.
2.4. Data Retention: OptyStack shall retain log data only for the duration specified by the Customer's subscription tier (e.g., 30 days for Starter, 90 days for Growth, 180 days for Scale, and 1+ years for Enterprise).
3. Customer (Data Controller) Obligations and Warranties
3.1. Lawful Basis: The Customer warrants and represents that it has obtained all necessary consents, rights, and lawful bases required under Applicable Data Protection Laws to collect, process, and transfer Personal Data to OptyStack.
3.2. Compliance: The Customer is solely responsible for ensuring that its use of the Services complies with all Applicable Data Protection Laws. While OptyStack is designed to be HIPAA-ready, the Customer assumes full responsibility for configuring the Services securely and legally according to its industry-specific compliance frameworks.
3.3. Indemnification: The Customer agrees to indemnify and hold harmless OptyStack Tech Pvt Ltd against all losses, fines, and damages arising from the Customer's failure to establish a lawful basis for processing or failure to comply with Applicable Data Protection Laws.
4. OptyStack (Data Processor) Obligations
4.1. Processing Instructions: OptyStack shall process Personal Data solely in accordance with the Customer's documented instructions, which are exhaustively set out in the Agreement and this DPA.
4.2. Confidentiality: OptyStack shall ensure that its personnel authorized to process Personal Data are subject to strict confidentiality obligations.
4.3. No Sale of Data: OptyStack shall not sell, rent, or lease the Customer's Personal Data to any third party under any circumstances.
5. Sub-processing
5.1. General Authorization: The Customer grants OptyStack a general written authorization to engage Sub-processors to deliver the Services.
5.2. Approved Sub-processors:
The Customer explicitly acknowledges and approves the use of the following core infrastructure Sub-processors:
- Amazon Web Services (AWS): Utilized for secure cloud data storage and hosting infrastructure.
- Cloudflare: Utilized for secure data delivery, network routing, and DDoS protection.
5.3. Liability for Sub-processors: OptyStack shall ensure that all Sub-processors are bound by data protection obligations materially similar to those in this DPA. OptyStack remains liable for the acts and omissions of its Sub-processors to the extent defined in the Limitation of Liability section of this DPA.
6. Data Security
6.1. Technical and Organizational Measures: OptyStack implements and maintains bank-level security measures to protect Personal Data against unauthorized or accidental access, loss, alteration, or disclosure.
6.2. Specific Security Controls:
- Single Sign-On (SSO) and Multi-Factor Authentication (MFA) capabilities.
- Role-Based Access Controls (RBAC).
- Infrastructure designed to support a 99.9% Uptime SLA.
7. Data Breach Management
7.1. Notification: In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Data Breach"), OptyStack shall notify the Customer without undue delay.
7.2. No Admission of Liability: Such notification shall not be interpreted or construed as an admission of fault, liability, or indemnification obligation on the part of OptyStack.
7.3. Cooperation: OptyStack shall provide reasonable cooperation and information to assist the Customer in fulfilling its own data breach reporting obligations to regulatory authorities or data subjects.
8. Data Subject Rights
8.1. Assistance: Taking into account the nature of the processing, OptyStack shall assist the Customer, using appropriate technical measures, to fulfill the Customer's obligations to respond to requests from Data Subjects exercising their rights (e.g., access, deletion, correction).
8.2. Direct Requests: If OptyStack receives a direct request from a Data Subject regarding their Personal Data, OptyStack will promptly redirect the Data Subject to the Customer and will not independently respond to the request unless legally required to do so.
9. Data Deletion and Return
9.1. Upon termination or expiration of the Agreement, or upon the Customer's written request, OptyStack shall securely delete or return all Personal Data in its possession or control.
9.2. OptyStack may retain a copy of the Personal Data strictly to the extent required by applicable law, provided that such retained data remains subject to the confidentiality requirements of this DPA.
10. Limitation of Liability (Critical Protections)
10.1. Aggregate Liability Cap: OptyStack operates a freemium platform offering "Free to start" tiers and performance-based pricing (charging a percentage of realized savings). Consequently, the total aggregate liability of OptyStack Tech Pvt Ltd (including its officers, directors, and Sub-processors) arising out of or related to this DPA, whether in contract, tort, or otherwise, shall be strictly limited to the actual fees paid by the Customer to OptyStack in the twelve (12) months immediately preceding the event giving rise to the claim. If the Customer is utilizing a free Starter plan, OptyStack's maximum liability shall not exceed USD $100.
10.2. Exclusion of Consequential Damages: Under no circumstances shall OptyStack be liable for any indirect, incidental, special, punitive, or consequential damages, including but not limited to loss of profits, loss of revenue, business interruption, or regulatory fines imposed on the Customer by data protection authorities.
11. Governing Law and Jurisdiction
11.1. Governing Law: This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of India.
11.2. Exclusive Jurisdiction: Both parties irrevocably agree that the competent courts located in Gurgaon, Haryana, India, shall have exclusive jurisdiction to settle any dispute, controversy, or claim arising out of or relating to this DPA, including its validity, interpretation, breach, or termination.
Contact
OptyStack Tech Pvt Ltd
Email: legal@optystack.com
Phone: +91 99104 26883