Data Processing Addendum

Last updated: 25 April 2026. Standard offering — bespoke terms available on request for enterprise engagements.

This DPA is automatically incorporated into our Terms of Engagement whenever Sachaltech processes personal data on behalf of a client (the “Controller”). It is designed to satisfy EU/UK/Swiss/Canadian/Nepali/Indian/Brazilian/Australian/Californian processor obligations in a single document. To execute, email legal@sachaltech.com.

1. Roles

You (the client) are the Controller (or business in CCPA terms); Sachaltech is the Processor (or service provider). Where you are yourself a processor for an upstream controller, Sachaltech acts as a sub-processor and will flow these terms upstream on request.

2. Subject-matter, duration, nature, purpose, data & data subjects (GDPR Art. 28(3))

  • Subject-matter: the services described in the executed Statement of Work or Order Form.
  • Duration: the term of the SOW plus any post-termination return / deletion period.
  • Nature & purpose: design, build, host (where contracted), test, support and maintain software, AI and data systems for the Controller.
  • Categories of data: as defined by the Controller, typically business contact data, user account data, content data, telemetry and any data uploaded into the system; sensitive / special-category data only when expressly instructed and protected with additional safeguards.
  • Categories of data subjects: Controller's employees, customers, users, prospects, applicants and counterparties.

3. Processor obligations

Sachaltech will:

  • (a) process personal data only on the Controller's documented instructions;
  • (b) ensure persons authorised to process are bound by confidentiality;
  • (c) implement appropriate technical and organisational measures (Schedule A) per GDPR Art. 32;
  • (d) not engage sub-processors without prior general written authorisation (Schedule B) and 30-day notice of additions;
  • (e) assist the Controller with data subject rights (access, rectification, erasure, restriction, portability, objection under GDPR Arts. 15–22 and equivalents);
  • (f) assist with DPIAs (Art. 35), prior consultation (Art. 36) and breach notification;
  • (g) at the Controller's choice, delete or return all personal data at end of services;
  • (h) make available all information necessary to demonstrate compliance and allow audits, including inspections, by the Controller or an independent auditor mandated by it (with reasonable notice and confidentiality).

4. International transfers

Where personal data is transferred from the EEA, UK or Switzerland to a country without an adequacy decision (which currently includes Nepal), the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Sub-Processor), and the UK International Data Transfer Addendum (issued under DPA 2018 s. 119A). The Swiss FDPIC's adaptations are deemed integrated for Swiss data. Sachaltech has performed a Transfer Impact Assessment using the EDPB Recommendations 01/2020 methodology and has implemented the supplementary measures listed in Schedule A (encryption in transit and at rest, access logging, key management, vendor due diligence), which Sachaltech considers to provide an essentially equivalent level of protection. Transfers from Canada, Quebec, India, Brazil, Australia and Nepal use the comparable mechanisms recognised under each regime.

5. Security incident notification

Sachaltech notifies the Controller without undue delay and in any event within 48 hours after becoming aware of a personal data breach affecting the Controller's data, providing the information required by GDPR Art. 33(3) so the Controller can meet its 72-hour regulator notification obligation (and any equivalent duty under the PIPEDA Breach of Security Safeguards Regulations, Quebec Law 25, India's DPDP Act, Brazil's LGPD and Australia's NDB scheme).

6. CCPA / CPRA service-provider terms

Sachaltech: (i) does not sell or share personal information; (ii) does not retain, use or disclose personal information for any purpose other than performing the services or as permitted by the CCPA/CPRA; (iii) does not combine personal information received from the Controller with personal information from any other source; and (iv) certifies that it understands these restrictions.

7. Sub-processors (Schedule B summary)

Current production sub-processors include: a managed Postgres + edge-runtime infrastructure provider (project hosting), an outbound email-sending provider for transactional mail, an object-storage provider for file uploads, and an AI gateway for LLM features when contracted. The full live list with locations is provided on request.

8. Liability & precedence

Liability for breach of this DPA is governed by the liability cap and exclusions in the underlying agreement, except where mandatory data-protection law forbids such cap. In case of conflict between this DPA and the underlying agreement, this DPA prevails on data-protection matters; in case of conflict between this DPA and the SCCs, the SCCs prevail.

9. Schedule A — Security measures (summary)

TLS 1.2+ in transit, AES-256 at rest, role-based access control, principle of least privilege, MFA on all admin accounts, audit logging, regular dependency scanning, incident-response runbook, encrypted backups, key rotation, access reviews, secure SDLC, vulnerability disclosure policy (see Acceptable Use), background checks for staff with access to Controller data.

10. Execution

To countersign or request a redlined Word version, email legal@sachaltech.com with your entity's legal name, registered address, signatory and the Controller / Processor jurisdiction.