Data Processing Agreement (DPA)
Last Updated: 29/05/2026
This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service, Subscription Agreement, Master Services Agreement, Order Form, or other agreement ("Agreement") entered into between OJOO SOFTWARE SERVICES PRIVATE LIMITED ("Ojoo", "Processor", "Service Provider", "we", "our", or "us") and the Customer ("Controller", "Customer", "you", or "your").
This DPA governs the processing of Personal Data by Ojoo on behalf of the Customer in connection with the provision of the Services, including but not limited to ERP, CRM, HRMS, Document Management, Workflow Automation, Low-Code Platform, No-Code Platform, APIs, Artificial Intelligence features, Integrations, and related business applications.
To the extent Ojoo processes Personal Data on behalf of the Customer, the parties agree to comply with the terms of this DPA.
1. Definitions
For purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below:
- Agreement means the Terms of Service, Subscription Agreement, Master Services Agreement, Order Form, Statement of Work, or other agreement governing the provision of the Services between Ojoo and the Customer.
- Applicable Data Protection Laws means all applicable privacy, data protection, cybersecurity, data governance, and information security laws, regulations, and governmental requirements applicable to the processing of Personal Data.
- Controller means the natural person, company, organization, public authority, agency, or other entity that determines the purposes and means of processing Personal Data.
- Customer means the individual, company, organization, entity, or other legal person that has entered into the Agreement with Ojoo and utilizes the Services.
- Customer Data means any data, information, content, records, files, documents, communications, or other materials submitted, uploaded, transmitted, stored, generated, processed, or managed by the Customer through the Services.
- Data Subject means an identified or identifiable natural person to whom Personal Data relates.
- Personal Data means any information relating to an identified or identifiable individual that is processed by Ojoo on behalf of the Customer under this DPA.
- Processing means any operation or set of operations performed on Personal Data, whether by automated or non-automated means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, restriction, deletion, destruction, or any other handling of Personal Data.
- Processor means the entity that processes Personal Data on behalf of and under the instructions of the Controller.
- Services means all software, applications, ERP modules, workflow automation tools, low-code and no-code platforms, APIs, integrations, artificial intelligence features, websites, mobile applications, support services, and related offerings provided by Ojoo under the Agreement.
- Security Incident means a confirmed event resulting in unauthorized access to, acquisition of, disclosure of, alteration of, destruction of, loss of, or compromise of Personal Data processed by Ojoo on behalf of the Customer.
- Subprocessor means any third party engaged by Ojoo to process Personal Data on behalf of the Customer in connection with the provision of the Services.
- Supervisory Authority means any governmental, regulatory, judicial, or administrative authority responsible for overseeing compliance with applicable privacy, data protection, cybersecurity, or information security laws.
Capitalized terms not otherwise defined in this DPA shall have the meanings assigned to them in the Agreement, Privacy Policy, or applicable service documentation.
2. Scope and Purpose
This Data Processing Agreement ("DPA") applies whenever Ojoo processes Personal Data on behalf of the Customer in connection with the provision, operation, maintenance, support, security, improvement, and delivery of the Services.
The purpose of this DPA is to establish the rights, responsibilities, and obligations of the parties with respect to the processing of Personal Data and to ensure that such processing is conducted in accordance with applicable data protection and privacy laws.
This DPA supplements and forms an integral part of the Agreement between the Customer and Ojoo. In the event of any conflict between this DPA and the Agreement relating to the processing of Personal Data, the provisions of this DPA shall prevail to the extent of such conflict.
2.1 Applicability
This DPA applies to all Personal Data processed by Ojoo on behalf of the Customer through the Services, including but not limited to:
- Enterprise Resource Planning (ERP) solutions.
- Customer Relationship Management (CRM) applications.
- Human Resource Management Systems (HRMS).
- Document and Content Management Systems.
- Workflow Automation and Business Process Management solutions.
- Low-Code and No-Code application platforms.
- Application Programming Interfaces (APIs).
- Artificial Intelligence and automation features.
- Integrations, reporting, analytics, and related services.
2.2 Purpose of Processing
Ojoo shall process Personal Data solely for the purpose of providing, operating, securing, maintaining, supporting, improving, and delivering the Services in accordance with the Agreement, Customer instructions, platform configurations, user actions, and applicable legal requirements.
2.3 Customer-Controlled Processing
The Customer determines the categories of Personal Data processed, the purposes for which such data is processed, the individuals whose data is processed, and the legal basis for processing. The Customer remains responsible for ensuring that its use of the Services complies with all applicable privacy and data protection laws.
2.4 Exclusions
This DPA does not apply to information processed by Ojoo as a Controller for its own legitimate business purposes, including account administration, billing, subscription management, service monitoring, security operations, fraud prevention, legal compliance, marketing, customer communications, and other activities described in Ojoo's Privacy Policy.
2.5 Compliance with Applicable Laws
Each party shall comply with its respective obligations under applicable privacy, data protection, cybersecurity, and information security laws in relation to the processing of Personal Data governed by this DPA.
3. Roles of the Parties
The parties acknowledge and agree that, with respect to the processing of Personal Data under this DPA, the Customer acts as the Controller and Ojoo acts as the Processor, except where applicable law or the nature of a specific processing activity requires otherwise.
3.1 Customer as Controller
The Customer acts as the Controller and retains responsibility for determining the purposes, legal basis, scope, and means of processing Personal Data through the Services.
The Customer is solely responsible for:
- Ensuring that Personal Data is collected and processed lawfully.
- Obtaining all necessary consents, permissions, authorizations, and notices required by applicable law.
- Establishing a lawful basis for processing Personal Data.
- Providing privacy notices to Data Subjects where required.
- Responding to Data Subject requests and regulatory inquiries.
- Configuring and using the Services in a compliant and secure manner.
- Determining which categories of Personal Data are processed through the Services.
- Ensuring that the processing of Personal Data through the Services complies with applicable laws and regulations.
3.2 Ojoo as Processor
Ojoo acts as a Processor and shall process Personal Data solely on behalf of and in accordance with the documented instructions of the Customer, unless otherwise required by applicable law.
Ojoo shall process Personal Data only to:
- Provide, operate, maintain, support, and secure the Services.
- Perform obligations under the Agreement and this DPA.
- Respond to Customer requests and instructions.
- Maintain system reliability, availability, and security.
- Comply with applicable legal obligations.
3.3 Independent Controller Activities
The parties acknowledge that Ojoo may process certain information as an independent Controller for its own legitimate business purposes, including:
- Account administration and customer management.
- Subscription management and billing.
- Payment processing and financial recordkeeping.
- Service monitoring and platform security.
- Fraud prevention and risk management.
- Legal, regulatory, and compliance obligations.
- Customer communications and support activities.
- Business operations, analytics, and service improvement.
Where Ojoo acts as an independent Controller, the processing of such information shall be governed by Ojoo's Privacy Policy and applicable laws.
3.4 Customer Responsibility for Data Accuracy
The Customer is responsible for ensuring that Personal Data submitted, uploaded, transmitted, stored, or otherwise processed through the Services is accurate, complete, lawful, and up to date.
3.5 Compliance Responsibilities
Each party shall be responsible for complying with its respective obligations under applicable privacy, data protection, cybersecurity, and information security laws relating to the processing activities governed by this DPA.
Nothing in this DPA shall be interpreted as transferring the Customer's legal responsibilities as Controller to Ojoo or imposing Controller obligations upon Ojoo except to the extent expressly required by applicable law.
4. Processing of Personal Data
Ojoo shall process Personal Data solely on behalf of and in accordance with the documented instructions of the Customer, the Agreement, this DPA, applicable service configurations, user actions, administrative settings, API requests, support requests, and applicable laws.
The Customer authorizes Ojoo to process Personal Data as necessary to provide, operate, maintain, support, secure, improve, and deliver the Services.
4.1 Nature of Processing
The nature of processing may include the collection, recording, organization, storage, retrieval, consultation, use, transmission, disclosure, analysis, modification, backup, deletion, destruction, or other processing activities necessary for the provision of the Services.
4.2 Purpose of Processing
Ojoo shall process Personal Data only for purposes necessary to:
- Provide and operate the Services.
- Host, store, and manage Customer Data.
- Support business applications and workflows.
- Enable ERP, CRM, HRMS, and business management functions.
- Support workflow automation and process execution.
- Provide reporting, dashboards, and analytics.
- Enable integrations, APIs, and connected services.
- Provide artificial intelligence and automation features.
- Perform backup, recovery, and business continuity operations.
- Provide technical support and troubleshooting services.
- Maintain platform security, monitoring, and reliability.
- Comply with applicable legal and regulatory obligations.
4.3 Categories of Personal Data
The categories of Personal Data processed by Ojoo may vary depending on the Services utilized by the Customer and may include:
- Identification information.
- Contact information.
- Employment and workforce information.
- Customer and client information.
- Vendor and supplier information.
- Financial and transaction-related information.
- Account and authentication information.
- System usage and audit information.
- Communications and support information.
- Documents, files, images, and attachments.
- Any other Personal Data uploaded or processed by the Customer.
4.4 Categories of Data Subjects
The categories of Data Subjects may include:
- Employees and workforce personnel.
- Customers and clients.
- Vendors and suppliers.
- Contractors and consultants.
- Business partners.
- Applicants and prospective employees.
- Website visitors and platform users.
- Any other individuals whose Personal Data is processed by the Customer.
4.5 Duration of Processing
Ojoo shall process Personal Data for the duration of the Agreement and for such additional periods as may be required to provide the Services, comply with legal obligations, maintain backup systems, resolve disputes, enforce contractual rights, or satisfy legitimate business requirements.
4.6 Processing Instructions
The Customer may provide processing instructions through written communications, platform configurations, administrative settings, workflow configurations, API requests, support requests, or other documented means. Ojoo shall process Personal Data in accordance with such instructions unless prohibited by applicable law.
4.7 Unlawful Instructions
If Ojoo reasonably believes that a Customer instruction violates applicable law, regulatory requirements, or contractual obligations, Ojoo may suspend the applicable processing activity and notify the Customer where legally permissible.
4.8 No Sale of Personal Data
Ojoo shall not sell, rent, trade, or otherwise monetize Personal Data provided by the Customer except as necessary to provide the Services or as otherwise authorized by the Customer or required by applicable law.
4.9 Aggregated and De-Identified Information
Nothing in this DPA restricts Ojoo from creating, using, retaining, or disclosing aggregated, anonymized, statistical, or de-identified information that does not identify the Customer, a Data Subject, or any individual for purposes such as analytics, security, service improvement, research, benchmarking, reporting, and product development.
5. Customer Instructions
Ojoo shall process Personal Data only on documented instructions from the Customer, unless otherwise required to do so by applicable law. The Customer authorizes Ojoo to process Personal Data as necessary to provide, operate, maintain, secure, support, and improve the Services in accordance with the Agreement, this DPA, and applicable service documentation.
5.1 Authorized Instructions
The Customer instructs Ojoo to process Personal Data as necessary to:
- Provide and operate the Services.
- Host, store, and manage Customer Data.
- Support workflows, automations, applications, and business processes.
- Provide technical support and troubleshooting.
- Enable integrations, APIs, and connected services.
- Perform backup, disaster recovery, and business continuity activities.
- Maintain platform security, monitoring, and reliability.
- Comply with applicable legal, regulatory, and contractual obligations.
5.2 Sources of Instructions
Customer instructions may be communicated through:
- The Agreement and this DPA.
- Administrative configurations within the Services.
- User actions performed through the Services.
- Workflow configurations and automation settings.
- API requests and integration configurations.
- Support requests and service tickets.
- Written communications authorized by the Customer.
5.3 Customer Responsibility
The Customer represents and warrants that all instructions provided to Ojoo are lawful, valid, accurate, and compliant with applicable privacy, data protection, cybersecurity, employment, and other applicable laws and regulations.
The Customer remains solely responsible for:
- Determining the purposes and means of processing Personal Data.
- Establishing a lawful basis for processing.
- Providing notices to Data Subjects where required.
- Obtaining required consents, permissions, and authorizations.
- Ensuring that Customer instructions comply with applicable laws.
5.4 Unlawful Instructions
If Ojoo reasonably believes that a Customer instruction violates applicable law, regulatory requirements, third-party rights, security requirements, or contractual obligations, Ojoo may refuse, suspend, or delay implementation of such instruction and may notify the Customer where legally permissible.
5.5 Changes to Instructions
The Customer may modify processing instructions from time to time through documented communications, platform configurations, or other authorized methods. Where such changes materially affect the Services, security, compliance obligations, or operational requirements, Ojoo may require additional review, implementation time, fees, or contractual amendments.
5.6 Legal Requirements
Where applicable law requires Ojoo to process Personal Data in a manner that differs from Customer instructions, Ojoo may comply with such legal requirements and shall, where legally permitted, notify the Customer before such processing occurs.
5.7 No Obligation to Monitor Customer Compliance
Ojoo is not responsible for monitoring, validating, auditing, or verifying the legality, accuracy, completeness, or appropriateness of Customer instructions, Customer Data, or Customer processing activities. The Customer remains solely responsible for compliance with applicable legal and regulatory requirements.
6. Confidentiality
Ojoo shall maintain the confidentiality of Personal Data processed on behalf of the Customer and shall implement reasonable measures to prevent unauthorized access, use, disclosure, modification, or destruction of such Personal Data.
Ojoo shall ensure that all personnel, contractors, subprocessors, and authorized representatives who may have access to Personal Data are subject to appropriate confidentiality obligations and are authorized to process Personal Data only as necessary to perform their assigned duties.
6.1 Confidentiality Obligations
Ojoo shall take reasonable steps to ensure that Personal Data remains confidential and is accessed only by individuals who require such access for legitimate business, operational, support, security, legal, or compliance purposes.
6.2 Authorized Personnel
Access to Personal Data shall be limited to authorized personnel, contractors, subprocessors, and service providers who:
- Require access to perform authorized functions.
- Are informed of the confidential nature of Personal Data.
- Are subject to confidentiality obligations.
- Receive appropriate training or guidance regarding privacy and data protection requirements where applicable.
6.3 Use Restrictions
Ojoo shall not access, use, disclose, copy, distribute, transfer, or otherwise process Personal Data except:
- As necessary to provide the Services.
- In accordance with documented Customer instructions.
- As required by applicable law.
- As otherwise permitted under the Agreement or this DPA.
6.4 Subprocessor Confidentiality
Where Ojoo engages subprocessors to process Personal Data, Ojoo shall require such subprocessors to maintain appropriate confidentiality obligations that are no less protective than those set forth in this DPA.
6.5 Legal Disclosure Requests
If Ojoo receives a legally binding request, court order, subpoena, governmental demand, regulatory request, or similar legal requirement to disclose Personal Data, Ojoo may disclose such information to the extent required by law.
Where legally permitted, Ojoo shall make reasonable efforts to notify the Customer before disclosing such Personal Data so that the Customer may seek appropriate protective measures.
6.6 Survival of Confidentiality Obligations
The confidentiality obligations set forth in this DPA shall survive the termination, expiration, cancellation, or non-renewal of the Agreement for so long as Ojoo retains or has access to Personal Data processed on behalf of the Customer.
6.7 Customer Responsibilities
The Customer remains responsible for ensuring that access permissions, user roles, sharing settings, workflow configurations, integrations, and other platform controls are configured appropriately to protect the confidentiality of Personal Data processed through the Services.
7. Security Measures
Ojoo shall implement and maintain reasonable administrative, technical, organizational, and physical safeguards designed to protect Personal Data against accidental, unlawful, unauthorized, or improper access, disclosure, alteration, destruction, loss, misuse, or other security risks.
Such safeguards shall be appropriate to the nature of the Personal Data processed, the risks associated with the processing activities, the nature of the Services, and applicable legal requirements.
7.1 Information Security Program
Ojoo shall maintain an information security program designed to protect the confidentiality, integrity, and availability of Personal Data processed on behalf of the Customer.
7.2 Access Controls
Ojoo shall implement reasonable access control measures intended to limit access to Personal Data to authorized personnel, contractors, subprocessors, and service providers who require such access to perform legitimate business, operational, support, security, legal, or compliance functions.
Such measures may include:
- Role-based access controls.
- User authentication mechanisms.
- Password and credential management controls.
- Access provisioning and deprovisioning procedures.
- Administrative access restrictions.
7.3 Data Protection Controls
Ojoo may implement technical safeguards designed to protect Personal Data during transmission, storage, access, and processing, including secure communication methods, access restrictions, secure system configurations, and other appropriate safeguards.
7.4 Infrastructure and Network Security
Ojoo may utilize security measures intended to protect infrastructure, networks, systems, applications, and hosting environments from unauthorized access, malicious activities, service disruptions, and other security threats.
Such measures may include firewalls, monitoring systems, network segmentation, intrusion detection mechanisms, endpoint protection, vulnerability management activities, and related security controls where appropriate.
7.5 Monitoring and Audit Logging
Ojoo may maintain logs, audit trails, security records, authentication records, operational records, and monitoring systems for purposes including security management, troubleshooting, compliance, fraud prevention, incident investigation, and operational support.
7.6 Personnel Security
Ojoo shall take reasonable steps to ensure that personnel authorized to process Personal Data are subject to confidentiality obligations and receive appropriate security, privacy, and operational guidance relevant to their responsibilities.
7.7 Security Maintenance
Ojoo may perform security reviews, software updates, patch management, maintenance activities, vulnerability assessments, configuration reviews, and other reasonable measures designed to maintain the security and integrity of the Services.
7.8 Backup and Disaster Recovery
Ojoo may maintain backup, redundancy, business continuity, and disaster recovery measures designed to support service resilience, availability, restoration, and recovery following operational failures, service interruptions, or security incidents.
7.9 Security Incident Management
Ojoo shall maintain procedures designed to identify, investigate, manage, document, and respond to suspected or confirmed Security Incidents involving Personal Data processed under this DPA.
Security Incidents shall be handled in accordance with Ojoo's applicable security procedures, legal obligations, and contractual commitments.
7.10 Subprocessor Security Requirements
Where Ojoo engages subprocessors to process Personal Data, Ojoo shall take reasonable steps to ensure that such subprocessors implement appropriate security measures and safeguards consistent with the nature of the services they provide.
7.11 Customer Security Responsibilities
The Customer remains responsible for implementing appropriate security measures within its own environment, including user access management, password policies, endpoint protection, network security, privacy compliance, secure workflow configurations, and appropriate use of the Services.
7.12 No Absolute Security Guarantee
The Customer acknowledges that no security measure, software application, cloud platform, network, infrastructure environment, or electronic transmission method can be guaranteed to be completely secure. While Ojoo implements reasonable safeguards designed to protect Personal Data, Ojoo does not warrant or guarantee absolute security.
8. Subprocessors
The Customer acknowledges and agrees that Ojoo may engage third-party service providers, contractors, affiliates, partners, and vendors ("Subprocessors") to process Personal Data on behalf of the Customer for purposes related to the provision, operation, maintenance, security, support, and improvement of the Services.
Ojoo remains responsible for the performance of its obligations under this DPA and shall take reasonable steps to ensure that any Subprocessor processing Personal Data on behalf of the Customer is subject to appropriate contractual, confidentiality, privacy, and security obligations.
8.1 Authorization to Use Subprocessors
The Customer hereby grants Ojoo general authorization to engage Subprocessors where reasonably necessary to provide, support, maintain, secure, or improve the Services. The specific Subprocessors used may vary depending on whether the Services are deployed within Customer-managed infrastructure or through Ojoo-managed hosting environments.
8.2 Subprocessor Obligations
Ojoo shall require Subprocessors that process Personal Data on behalf of the Customer to maintain obligations regarding privacy, confidentiality, and security that are appropriate to the nature of the processing activities performed.
Such obligations may include:
- Processing Personal Data only for authorized purposes.
- Maintaining confidentiality obligations.
- Implementing reasonable security measures.
- Restricting unauthorized access to Personal Data.
- Complying with applicable legal requirements.
8.3 Categories of Subprocessors
Subprocessors engaged by Ojoo may include providers of:
- Cloud hosting and infrastructure services.
- Data storage and backup services.
- Email and communication services.
- SMS and notification services.
- Payment processing services.
- Authentication and identity management services.
- Analytics and monitoring services.
- Artificial intelligence and machine learning services.
- Customer support and ticketing services.
- Security and fraud prevention services.
- Integration and API services.
8.4 Changes to Subprocessors
Ojoo may add, replace, suspend, remove, or modify Subprocessors from time to time based on operational, technical, security, legal, or business requirements.
Where appropriate, Ojoo may maintain and make available a list of current Subprocessors through its website, customer portal, privacy documentation, security documentation, or upon reasonable request.
8.5 International Processing by Subprocessors
Subprocessors may process Personal Data in different jurisdictions and countries. Where applicable, Ojoo shall take reasonable steps to ensure that such processing is conducted in accordance with applicable data protection requirements and the provisions of this DPA.
8.6 Liability for Subprocessors
Ojoo shall remain responsible for the actions of its Subprocessors to the extent required by applicable law and subject to the limitations of liability contained in the Agreement and this DPA.
8.7 Customer Objections
If the Customer reasonably believes that a newly appointed Subprocessor presents a material risk to the protection of Personal Data or compliance with applicable laws, the Customer may notify Ojoo in writing. The parties shall work together in good faith to evaluate reasonable alternatives where commercially feasible.
If no reasonable alternative can be implemented, either party may exercise any rights available under the Agreement, including termination rights where applicable.
9. International Data Transfers
The Customer acknowledges and agrees that Personal Data processed by Ojoo may be transferred to, stored in, accessed from, backed up in, or otherwise processed in countries and jurisdictions other than the country in which the Personal Data was originally collected.
Such transfers may occur as part of the provision, operation, maintenance, support, security, disaster recovery, monitoring, integration, analytics, artificial intelligence services, and other activities necessary to provide the Services.
For on-premise deployments, Customer Data is generally stored and processed within infrastructure controlled by the Customer. Any cross-border transfer of Personal Data remains subject to the Customer's infrastructure choices, network configurations, and applicable legal requirements.
9.1 Authorization for International Transfers
The Customer authorizes Ojoo and its approved Subprocessors to transfer, access, process, store, and otherwise handle Personal Data in accordance with this DPA, the Agreement, and applicable laws, including where such processing occurs across multiple jurisdictions.
9.2 Transfer Safeguards
Where required by applicable law, Ojoo shall implement reasonable measures designed to protect Personal Data during international transfers and cross-border processing activities.
Such measures may include:
- Contractual protections with Subprocessors and service providers.
- Confidentiality obligations.
- Security controls and access restrictions.
- Technical and organizational safeguards.
- Reasonable privacy and data protection measures.
- Other lawful transfer mechanisms recognized under applicable laws.
9.3 International Processing by Subprocessors
The Customer acknowledges that authorized Subprocessors may process Personal Data in various countries and regions depending on the location of infrastructure, cloud environments, support operations, service delivery requirements, and operational needs.
9.4 Data Residency
For on-premise deployments, Customer Data is generally stored and processed within infrastructure selected, managed, and controlled by the Customer. Data residency and storage locations are therefore primarily determined by the Customer's infrastructure choices.
Customers that are subject to data localization, residency, sovereign cloud, governmental, industry-specific, contractual, or regulatory requirements remain responsible for determining whether the Services meet such requirements.
9.5 Customer Responsibilities
The Customer is responsible for assessing whether international data transfers associated with the use of the Services comply with the Customer's legal, contractual, regulatory, and organizational obligations.
Where required by applicable law, the Customer shall obtain all necessary consents, permissions, notices, approvals, authorizations, or legal bases necessary to permit international transfers of Personal Data.
9.6 Governmental and Regulatory Requests
Personal Data processed by Ojoo or its Subprocessors may be subject to access requests, disclosure obligations, lawful interception requirements, court orders, governmental requests, regulatory actions, or other legal requirements applicable in the jurisdictions where the data is processed.
Where legally permitted, Ojoo shall make reasonable efforts to notify the Customer of such requests before disclosing Personal Data.
9.7 Compliance with Applicable Laws
Each party shall remain responsible for complying with its respective obligations under applicable privacy, data protection, cybersecurity, and international data transfer laws in connection with the processing activities governed by this DPA.
Nothing in this DPA shall be interpreted as requiring Ojoo to maintain data processing operations within any specific jurisdiction unless expressly agreed in writing between the parties.
10. Data Subject Rights
Ojoo shall, taking into account the nature of the processing and the information available to Ojoo, provide reasonable assistance to the Customer in responding to requests from Data Subjects seeking to exercise their rights under applicable data protection and privacy laws.
The Customer acknowledges that, as the Controller, it remains primarily responsible for receiving, evaluating, and responding to Data Subject requests and for determining whether such requests should be fulfilled.
10.1 Data Subject Requests
Subject to applicable law, Data Subjects may have certain rights regarding their Personal Data, including:
- Right of access to Personal Data.
- Right to correction or rectification of inaccurate data.
- Right to deletion or erasure of Personal Data.
- Right to restrict or limit processing activities.
- Right to object to certain processing activities.
- Right to data portability where applicable.
- Right to withdraw consent where processing is based on consent.
- Right to lodge complaints with supervisory authorities.
10.2 Customer Responsibility
The Customer is solely responsible for:
- Responding to Data Subject requests.
- Verifying the identity of requesting individuals.
- Determining the legal validity of requests.
- Providing required notices and communications.
- Maintaining records of requests and responses where required.
- Complying with applicable legal response timelines.
10.3 Assistance by Ojoo
Where reasonably practicable and taking into account the nature of the Services, Ojoo may assist the Customer in responding to Data Subject requests by:
- Providing access to available platform functionality.
- Providing relevant information regarding processing activities.
- Assisting with correction, export, restriction, or deletion requests where technically feasible.
- Providing information reasonably necessary to support compliance efforts.
10.4 Direct Requests Received by Ojoo
If Ojoo receives a Data Subject request relating to Personal Data processed on behalf of the Customer, Ojoo may:
- Forward the request to the Customer.
- Direct the requester to contact the Customer.
- Respond only as instructed by the Customer or as required by applicable law.
Unless required by law, Ojoo shall not independently respond to such requests without authorization from the Customer.
10.5 Technical Limitations
Ojoo's obligations under this section are limited to the extent that the Customer cannot reasonably fulfill a Data Subject request through the functionality of the Services or information otherwise available to the Customer.
10.6 Costs and Resources
Where a request requires substantial technical effort, custom development, extensive manual work, legal review, consulting services, or significant use of resources, Ojoo may charge reasonable fees for such assistance to the extent permitted under the Agreement and applicable law.
10.7 Compliance with Applicable Laws
Nothing in this DPA shall require Ojoo to take any action that would violate applicable law, infringe the rights of another person, expose Ojoo to legal liability, compromise the security of the Services, or conflict with contractual, regulatory, or legal obligations.
11. Assistance and Cooperation
Taking into account the nature of the processing activities and the information available to Ojoo, Ojoo shall provide reasonable assistance and cooperation to the Customer to help the Customer comply with its obligations under applicable privacy, data protection, cybersecurity, and information security laws.
Such assistance shall be limited to the extent that Ojoo has access to relevant information and can reasonably provide such assistance through available technical, organizational, and operational means.
11.1 Regulatory Compliance Assistance
Upon reasonable request, Ojoo may provide information reasonably necessary to assist the Customer in demonstrating compliance with applicable privacy and data protection requirements relating to the processing of Personal Data under this DPA.
11.2 Data Protection Assessments
Where required by applicable law, Ojoo may provide reasonable information available to it to assist the Customer in conducting:
- Privacy impact assessments.
- Data protection impact assessments.
- Risk assessments.
- Security assessments.
- Regulatory compliance evaluations.
Such assistance shall be limited to information relating to the Services and processing activities performed by Ojoo on behalf of the Customer.
11.3 Supervisory Authority Requests
Where reasonably practicable and legally permissible, Ojoo may provide reasonable cooperation in connection with inquiries, investigations, audits, inspections, requests, or proceedings initiated by a Supervisory Authority relating to Personal Data processed under this DPA.
11.4 Security and Incident Assistance
Ojoo may provide reasonable assistance to the Customer in relation to Security Incidents, including the provision of information reasonably available to Ojoo regarding the nature, scope, impact, and status of the Security Incident, subject to legal, confidentiality, and security restrictions.
11.5 Technical and Organizational Information
Upon reasonable request, Ojoo may provide information regarding the technical and organizational measures implemented to protect Personal Data, subject to confidentiality obligations, security requirements, and protection of proprietary information.
11.6 Cooperation Limitations
Ojoo shall not be required to:
- Disclose confidential information of other customers.
- Disclose trade secrets or proprietary information.
- Compromise platform security or operational integrity.
- Violate applicable laws or contractual obligations.
- Provide information not reasonably available to Ojoo.
11.7 Customer Cooperation
The Customer shall provide Ojoo with all information, instructions, documentation, and cooperation reasonably necessary to enable Ojoo to provide assistance under this section.
The Customer remains responsible for its own compliance obligations, including regulatory filings, notifications, assessments, legal determinations, and communications with Data Subjects and regulatory authorities.
11.8 Costs of Assistance
Where assistance requested by the Customer requires significant resources, custom development, consulting services, legal review, manual effort, or activities beyond the standard functionality of the Services, Ojoo may charge reasonable fees for such assistance to the extent permitted under the Agreement and applicable law.
11.9 No Assumption of Controller Responsibilities
Nothing in this DPA shall be interpreted as transferring the Customer's obligations as Controller to Ojoo. The Customer remains solely responsible for determining compliance requirements and fulfilling its obligations under applicable privacy and data protection laws.
12. Security Incidents and Breach Notification
Ojoo shall maintain reasonable procedures designed to identify, investigate, manage, document, mitigate, and respond to Security Incidents involving Personal Data processed on behalf of the Customer under this DPA.
Ojoo shall take commercially reasonable steps to assess the nature, scope, impact, and potential risks associated with a Security Incident and to implement appropriate remedial measures where necessary.
12.1 Security Incident Response
Ojoo shall maintain incident response processes designed to:
- Identify and assess suspected Security Incidents.
- Contain, mitigate, and remediate Security Incidents.
- Investigate the cause and impact of Security Incidents.
- Document relevant incident response activities.
- Support business continuity and recovery efforts.
12.2 Notification of Security Incidents
Where Ojoo becomes aware of a confirmed Security Incident involving Personal Data processed on behalf of the Customer, Ojoo shall notify the Customer without undue delay and within a commercially reasonable timeframe after becoming aware of the Security Incident, unless otherwise prohibited by applicable law.
12.3 Notification Information
To the extent reasonably available at the time of notification, Ojoo may provide information regarding:
- The nature of the Security Incident.
- The categories of affected Personal Data.
- The known or suspected impact of the Security Incident.
- Measures taken or proposed to mitigate the Security Incident.
- Recommended actions that may be taken by the Customer.
Information may be provided in phases as additional details become available during the investigation process.
12.4 Customer Responsibilities
The Customer remains solely responsible for:
- Determining whether notification to Data Subjects is required.
- Determining whether notification to regulators is required.
- Making required legal, regulatory, or contractual notifications.
- Assessing the legal consequences of a Security Incident.
- Managing communications with affected individuals and third parties.
12.5 Cooperation
Subject to applicable law, confidentiality obligations, and security considerations, Ojoo shall provide reasonable cooperation and assistance to the Customer in connection with Security Incidents affecting Personal Data processed under this DPA.
12.6 No Admission of Liability
Notification of a Security Incident by Ojoo shall not be interpreted as an admission of fault, liability, wrongdoing, legal responsibility, or failure to comply with applicable laws, contractual obligations, or security requirements.
12.7 Exclusions
Ojoo shall not be responsible for Security Incidents arising from:
- Customer systems, devices, or networks.
- Customer user credentials or account misuse.
- Customer configurations or workflow settings.
- Third-party services selected or controlled by the Customer.
- Acts or omissions of the Customer, its users, employees, contractors, or agents.
12.8 Incident Records
Ojoo may maintain records relating to Security Incidents for security, compliance, audit, legal, operational, business continuity, and risk management purposes in accordance with its applicable retention policies and legal obligations.
12.9 Ongoing Improvements
Following a Security Incident, Ojoo may implement reasonable corrective actions, security improvements, process enhancements, operational changes, or technical safeguards designed to reduce the risk of similar incidents occurring in the future.
13. Audits and Compliance Information
Ojoo shall make available to the Customer reasonable information necessary to demonstrate compliance with the obligations expressly set forth in this DPA, subject to confidentiality obligations, security requirements, protection of proprietary information, and applicable law.
Any audit, inspection, assessment, review, or compliance inquiry conducted under this section shall be performed in a manner that does not unreasonably interfere with Ojoo's business operations, service availability, security controls, or obligations to other customers.
13.1 Compliance Information
Upon reasonable written request, Ojoo may provide available documentation, policies, procedures, summaries, reports, or other information reasonably necessary to demonstrate compliance with the requirements of this DPA.
Such information may include:
- Information regarding security measures.
- Privacy and data protection practices.
- Subprocessor information.
- Incident response procedures.
- Business continuity and recovery practices.
- Other compliance-related documentation reasonably available to Ojoo.
13.2 Audit Requests
Where required by applicable law or contractual obligations, the Customer may request an audit or assessment relating to Personal Data processed under this DPA.
Any such request shall:
- Be made in writing.
- Describe the scope and purpose of the audit.
- Be limited to matters directly related to Personal Data processed under this DPA.
- Be conducted during normal business hours unless otherwise agreed.
- Minimize disruption to Ojoo's operations and security.
13.3 Alternative Compliance Evidence
Ojoo may satisfy audit requests by providing existing compliance documentation, security documentation, questionnaires, certifications, attestations, audit reports, policies, or other reasonable evidence instead of permitting an on-site audit where such information adequately addresses the Customer's request.
13.4 Confidentiality of Audit Information
Any information disclosed by Ojoo in connection with an audit, assessment, questionnaire, review, or compliance inquiry shall be considered confidential information and shall be protected in accordance with the Agreement and applicable confidentiality obligations.
13.5 Restrictions on Audits
The Customer shall not be entitled to:
- Access confidential information relating to other customers.
- Access trade secrets, proprietary information, source code, or intellectual property.
- Conduct vulnerability testing, penetration testing, or security scanning without prior written authorization.
- Interfere with service operations, security controls, or production environments.
- Access information restricted by law, regulation, or contractual obligations.
13.6 Third-Party Auditors
Where permitted by Ojoo, audits may be conducted by an independent third-party auditor selected by the Customer, provided such auditor is subject to appropriate confidentiality obligations and does not present a conflict of interest.
13.7 Costs of Audits
Unless otherwise required by applicable law or expressly agreed in writing, the Customer shall bear all costs associated with audit activities, assessments, reviews, inspections, questionnaires, and compliance requests initiated by the Customer.
Ojoo may charge reasonable fees for assistance, documentation preparation, personnel time, consulting services, legal review, security review, or other resources required to support such requests.
13.8 No Certification Representation
Unless expressly stated in writing, nothing in this DPA shall be interpreted as a representation or warranty that Ojoo maintains any specific certification, accreditation, audit standard, compliance framework, attestation, or regulatory approval.
13.9 Compliance Responsibilities
The Customer remains solely responsible for determining its own compliance obligations under applicable privacy, data protection, cybersecurity, industry-specific, contractual, and regulatory requirements. Any information provided by Ojoo under this section is for informational purposes only and does not constitute legal, regulatory, security, or compliance advice.
14. Data Retention and Deletion
Ojoo shall retain Personal Data processed on behalf of the Customer only for as long as necessary to provide the Services, fulfill contractual obligations, comply with applicable legal requirements, maintain security, support legitimate business operations, and satisfy the purposes described in the Agreement and this DPA.
The duration of retention may vary depending on the nature of the Personal Data, the Services utilized, operational requirements, security considerations, legal obligations, and Customer instructions.
14.1 Retention During Service Term
During the term of the Agreement, Ojoo shall retain Personal Data as necessary to provide, operate, maintain, secure, support, and improve the Services in accordance with Customer instructions and applicable legal requirements.
14.2 Customer-Controlled Deletion
Where functionality is available within the Services, the Customer may delete, modify, export, archive, or otherwise manage Personal Data through administrative controls, workflows, configurations, APIs, or other available platform features.
14.3 Deletion Upon Termination
Upon expiration, termination, cancellation, or non-renewal of the Agreement, Ojoo may retain Personal Data for a limited period where necessary to:
- Facilitate Customer data export or recovery.
- Maintain backup and disaster recovery systems.
- Resolve disputes and enforce contractual rights.
- Comply with legal, regulatory, tax, accounting, or audit obligations.
- Investigate fraud, security incidents, or unlawful activities.
- Maintain business continuity and operational integrity.
14.4 Deletion Requests
Subject to applicable laws and technical limitations, Ojoo shall take reasonable steps to delete or return Personal Data upon the Customer's written request following termination of the Agreement, unless continued retention is required or permitted by applicable law.
14.5 Backup and Archived Data
The Customer acknowledges that deleted Personal Data may continue to exist in backup systems, disaster recovery systems, archives, logs, audit records, or other operational storage systems for a reasonable period following deletion.
Such retained information shall remain subject to applicable security, confidentiality, and access control measures until permanently deleted or overwritten in accordance with Ojoo's retention practices.
14.6 Legal and Regulatory Retention
Notwithstanding any Customer instruction, Ojoo may retain Personal Data where required or permitted by applicable laws, regulations, court orders, governmental requests, legal proceedings, compliance obligations, tax requirements, accounting requirements, or other legal obligations.
14.7 Aggregated and De-Identified Information
Nothing in this DPA shall require Ojoo to delete, destroy, or return aggregated, anonymized, statistical, or de-identified information that does not identify the Customer, a Data Subject, or any individual, provided such information cannot reasonably be used to identify an individual.
14.8 Certification of Deletion
Where requested by the Customer and reasonably available, Ojoo may provide confirmation that Personal Data subject to deletion requests has been deleted or scheduled for deletion in accordance with its applicable retention and operational procedures.
14.9 Customer Responsibilities
The Customer remains responsible for exporting, downloading, retrieving, or otherwise preserving any Personal Data or Customer Data it wishes to retain prior to termination, cancellation, expiration, or deletion of the Services.
Ojoo shall not be responsible for the loss of Personal Data resulting from Customer-initiated deletions, account closures, expired retention periods, or failure by the Customer to export or preserve data before termination of the Services.
15. Liability
The liability of each party arising out of or relating to this DPA shall be subject to the limitations, exclusions, disclaimers, and liability provisions set forth in the Agreement, unless otherwise required by applicable law.
Nothing in this DPA shall be construed as expanding, increasing, or modifying any liability limitations agreed upon by the parties under the Agreement except to the extent prohibited by applicable law.
15.1 Customer Responsibility
The Customer remains solely responsible for:
- Determining the legality of processing activities.
- Establishing an appropriate legal basis for processing Personal Data.
- Obtaining required notices, consents, permissions, and authorizations.
- Complying with applicable privacy and data protection laws.
- Configuring and using the Services in a compliant manner.
- Responding to Data Subject requests and regulatory obligations.
15.2 Processor Liability
Ojoo shall be responsible only for damages directly resulting from its failure to comply with its obligations under this DPA or applicable law, subject to the liability limitations contained in the Agreement.
Ojoo shall not be liable for any processing activity performed in accordance with the Customer's instructions, configurations, workflows, integrations, API requests, administrative settings, or other actions authorized by the Customer.
15.3 Exclusion of Indirect Damages
To the maximum extent permitted by applicable law, neither party shall be liable to the other for any indirect, incidental, consequential, special, exemplary, punitive, or speculative damages, including loss of profits, loss of revenue, loss of business opportunities, loss of goodwill, loss of anticipated savings, loss of data, business interruption, or reputational harm arising out of or relating to this DPA.
15.4 Third-Party Services
Ojoo shall not be responsible for acts, omissions, failures, security incidents, availability issues, compliance failures, or performance issues attributable to third-party services, integrations, subprocessors, cloud providers, communication providers, payment processors, artificial intelligence providers, or other third parties, except to the extent required by applicable law.
15.5 Customer Data and Instructions
Ojoo shall not be liable for any claim, loss, damage, penalty, fine, regulatory action, or liability arising from:
- Customer Data uploaded or processed through the Services.
- Customer instructions or configurations.
- Customer misuse of the Services.
- Customer failure to comply with applicable laws.
- Unauthorized access resulting from Customer credentials or systems.
15.6 Regulatory Actions
The Customer shall remain responsible for regulatory investigations, regulatory penalties, compliance obligations, notices, filings, reporting obligations, and legal requirements arising from the Customer's processing activities except to the extent directly caused by Ojoo's breach of this DPA or applicable law.
15.7 Limitation of Liability
To the fullest extent permitted by applicable law, the total aggregate liability of Ojoo arising out of or relating to this DPA shall not exceed the liability limitations specified in the Agreement between the parties.
If the Agreement does not contain a liability limitation provision, Ojoo's total aggregate liability under this DPA shall not exceed the fees paid by the Customer to Ojoo for the Services during the twelve (12) months immediately preceding the event giving rise to the claim.
15.8 No Waiver of Statutory Rights
Nothing in this DPA shall exclude or limit liability to the extent such exclusion or limitation is prohibited by applicable law.
16. Term and Termination
This DPA shall become effective on the date the Customer first accesses, subscribes to, purchases, or uses the Services and shall remain in effect for so long as Ojoo processes Personal Data on behalf of the Customer under the Agreement.
This DPA forms an integral part of the Agreement and shall terminate automatically upon the termination or expiration of the Agreement, subject to the provisions of this section and any obligations that survive termination.
16.1 Term
The term of this DPA shall commence on the Effective Date and shall continue for the duration of the Agreement and for any additional period during which Ojoo processes or retains Personal Data in accordance with the Agreement, this DPA, applicable law, or legitimate business requirements.
16.2 Termination of Processing Services
Upon termination, cancellation, expiration, suspension, or non-renewal of the Agreement, Ojoo may cease processing Personal Data except to the extent necessary to:
- Comply with applicable legal obligations.
- Maintain backup and disaster recovery systems.
- Resolve disputes and enforce contractual rights.
- Investigate security incidents or unlawful activities.
- Fulfill audit, accounting, tax, or compliance requirements.
- Complete Customer-authorized data export activities.
16.3 Return or Deletion of Personal Data
Following termination of the Agreement and subject to Section 14 (Data Retention and Deletion), the Customer may request the return, export, deletion, or destruction of Personal Data processed by Ojoo, unless retention is required or permitted by applicable law.
Ojoo may satisfy such obligations through deletion, anonymization, archiving, return, export, or other reasonable methods consistent with its operational practices and legal obligations.
16.4 Suspension Rights
Ojoo may suspend processing activities, access to the Services, or certain platform functionality where reasonably necessary to:
- Protect the security or integrity of the Services.
- Prevent fraud, abuse, or unlawful activities.
- Comply with legal or regulatory requirements.
- Respond to Security Incidents.
- Address material violations of the Agreement or this DPA.
16.5 Termination for Cause
Either party may exercise termination rights available under the Agreement where the other party materially breaches its obligations under this DPA and fails to remedy such breach within any applicable cure period specified in the Agreement or required by applicable law.
16.6 Survival
The rights and obligations that by their nature are intended to survive termination shall remain in effect after termination of this DPA, including provisions relating to:
- Confidentiality.
- Liability and limitations of liability.
- Data retention and deletion.
- Audit records and compliance obligations.
- Dispute resolution.
- Governing law.
- Any other provisions intended to survive termination.
16.7 No Waiver of Rights
Termination of this DPA or the Agreement shall not affect any rights, remedies, claims, obligations, or liabilities accrued prior to the effective date of termination.
Nothing in this section shall limit any rights or obligations arising under applicable privacy, data protection, cybersecurity, contractual, or other applicable laws.
17. Changes to this DPA
Ojoo may modify, update, amend, revise, or replace this Data Processing Agreement ("DPA") from time to time to reflect changes in applicable laws, regulatory requirements, industry standards, technology, security practices, business operations, Subprocessors, Services, or other operational requirements.
Any modifications to this DPA shall become effective in accordance with the terms of the Agreement or as otherwise communicated by Ojoo.
17.1 Updates to Legal and Regulatory Requirements
Ojoo may update this DPA where reasonably necessary to comply with:
- Changes in applicable privacy or data protection laws.
- Regulatory guidance or governmental requirements.
- Court decisions or legal interpretations.
- Industry standards and best practices.
- Information security requirements.
17.2 Operational and Service Changes
Ojoo may update this DPA to reflect changes to the Services, infrastructure, Subprocessors, security measures, processing activities, support models, operational practices, or other business requirements.
17.3 Notification of Changes
Where reasonably practicable, Ojoo may provide notice of material changes to this DPA through one or more of the following methods:
- Email notifications.
- Customer account notifications.
- Service announcements.
- Website publication.
- Updates within the Services.
17.4 Customer Review
The Customer is responsible for periodically reviewing the most recent version of this DPA and ensuring continued compliance with applicable requirements relating to its use of the Services.
17.5 Objections to Changes
If the Customer reasonably believes that a material modification to this DPA adversely affects its legal rights or compliance obligations, the Customer may notify Ojoo in writing within a reasonable period after receiving notice of such change.
The parties shall work together in good faith to discuss reasonable solutions. If no mutually acceptable resolution can be reached, either party may exercise any applicable rights available under the Agreement, including termination rights where permitted.
17.6 Continued Use of the Services
To the extent permitted by applicable law, the Customer's continued use of the Services after the effective date of a revised DPA constitutes acceptance of the updated DPA.
17.7 No Retroactive Effect
Unless required by applicable law, modifications to this DPA shall apply prospectively from their effective date and shall not retroactively alter rights or obligations that arose prior to such effective date.
18. Governing Law
This Data Processing Agreement ("DPA") shall be governed by and construed in accordance with the laws governing the Agreement, without regard to any conflict of law principles that would require the application of the laws of another jurisdiction.
Where the Agreement specifies a governing law and jurisdiction, such governing law and jurisdiction shall apply to this DPA unless otherwise required by applicable law.
18.1 Applicable Law
Unless otherwise agreed in writing between the parties, this DPA shall be governed by the laws of India.
18.2 Jurisdiction
Subject to any dispute resolution procedures contained in the Agreement, the parties agree that the courts located in Bengaluru, Karnataka, India shall have exclusive jurisdiction to hear and resolve any dispute, claim, controversy, proceeding, or legal action arising out of or relating to this DPA.
18.3 Compliance with Local Laws
Nothing in this DPA shall relieve either party of its obligation to comply with applicable privacy, data protection, cybersecurity, consumer protection, employment, or other laws that may apply to its processing activities.
18.4 Mandatory Legal Rights
Where applicable law grants mandatory rights, protections, remedies, or obligations that cannot legally be waived or modified by contract, such rights and obligations shall prevail to the extent required by law.
18.5 International Customers
Customers located outside India acknowledge that the Services may be provided, operated, supported, monitored, and maintained from India and other jurisdictions where Ojoo or its authorized Subprocessors conduct business operations.
Nothing in this section shall prevent either party from seeking injunctive relief, equitable remedies, or other urgent legal remedies from a court of competent jurisdiction where necessary to protect confidential information, intellectual property rights, security interests, or other legal rights.
19. Contact Information
If the Customer has any questions, concerns, requests, notices, or communications relating to this Data Processing Agreement ("DPA"), privacy matters, data protection practices, security matters, or the processing of Personal Data, the Customer may contact Ojoo using the contact information provided below.
Ojoo shall use commercially reasonable efforts to respond to inquiries within a reasonable timeframe, subject to verification requirements, legal obligations, security considerations, and operational constraints.
OJOO SOFTWARE SERVICES PRIVATE LIMITED
Website: https://ojoo.app
General Support: support@ojoo.org
Privacy and Data Protection: support@ojoo.org
Legal and Compliance: support@ojoo.org
Registered Office Address: FRF1, Mithra Enclave, Doddakallasandra, Bengaluru, Karnataka – 560062, India
Business Hours: Monday – Friday, 9:00 AM – 6:00 PM IST
19.1 Notices
Unless otherwise specified in the Agreement, notices relating to this DPA may be provided through email, customer account notifications, support tickets, written correspondence, or other communication methods reasonably designated by either party.
19.2 Privacy and Security Requests
Requests relating to privacy, Personal Data, data protection, security incidents, Data Subject rights, compliance matters, or other processing activities may be submitted using the contact information provided above.
19.3 Verification Requirements
Ojoo may require reasonable verification of identity, authority, authorization, or account ownership before responding to requests, disclosing information, or taking actions relating to Personal Data, Customer Data, or security-related matters.
This Data Processing Agreement forms part of the Agreement between the Customer and Ojoo and applies to the processing of Personal Data in connection with the Services. This DPA shall remain effective for so long as Ojoo processes Personal Data on behalf of the Customer, subject to the terms set forth herein.
Appendix A – Description of Processing Activities
This Appendix A forms part of the Data Processing Agreement ("DPA") and describes the nature, scope, purpose, and categories of Personal Data processed by Ojoo on behalf of the Customer in connection with the Services.
A.1 Subject Matter of Processing
Ojoo processes Personal Data as necessary to provide, operate, maintain, secure, support, improve, and deliver the Services, including ERP solutions, CRM applications, HRMS platforms, document management systems, workflow automation solutions, low-code and no-code platforms, APIs, integrations, artificial intelligence features, analytics services, and related business applications.
A.2 Nature of Processing
Processing activities may include:
- Collection and receipt of Personal Data.
- Storage and hosting of Customer Data.
- Organization and management of records.
- Retrieval of and access to information.
- Transmission and sharing of data as directed by the Customer.
- Workflow automation and business process execution.
- Application processing and data management.
- Reporting, analytics, and dashboard generation.
- Artificial intelligence and automation processing.
- Technical support and troubleshooting.
- Backup, recovery, and disaster recovery activities.
- Monitoring, logging, auditing, and security management.
- Deletion, destruction, anonymization, or archival of data.
A.3 Purpose of Processing
Personal Data is processed solely for the purpose of:
- Providing the Services to the Customer.
- Executing Customer-configured workflows and automations.
- Managing business operations and processes.
- Supporting integrations and APIs.
- Maintaining platform functionality and security.
- Providing customer support and technical assistance.
- Maintaining business continuity and disaster recovery capabilities.
- Complying with legal, regulatory, and contractual obligations.
A.4 Categories of Data Subjects
Depending on the Customer's use of the Services, Personal Data may relate to the following categories of Data Subjects:
- Employees and workforce personnel.
- Customers and clients.
- Prospective customers and leads.
- Applicants and job candidates.
- Contractors and consultants.
- Vendors and suppliers.
- Business partners.
- Authorized users of the Services.
- Website visitors.
- Any other individuals whose Personal Data is submitted by the Customer.
A.5 Categories of Personal Data
Depending on the Customer's use of the Services, Personal Data may include:
- Name and identification information.
- Email addresses and contact details.
- Employment and organizational information.
- User account and authentication information.
- Customer and client information.
- Vendor and supplier information.
- Communication records and correspondence.
- Documents, files, attachments, and images.
- Transaction and business records.
- Workflow, application, and operational data.
- System usage, audit logs, and activity records.
- Location, device, browser, and technical information.
- Any other Personal Data submitted by the Customer.
A.6 Special Categories of Personal Data
Ojoo does not intentionally require or request the processing of special categories of Personal Data unless such processing is explicitly enabled, configured, or authorized by the Customer.
Where the Customer chooses to process sensitive, confidential, regulated, or special category data through the Services, the Customer remains solely responsible for ensuring compliance with applicable laws, obtaining required consents, and implementing appropriate legal and organizational safeguards.
A.7 Processing Duration
Personal Data shall be processed for the duration of the Agreement and for any additional period necessary to:
- Provide the Services.
- Comply with Customer instructions.
- Maintain backups and disaster recovery systems.
- Comply with legal and regulatory obligations.
- Resolve disputes and enforce contractual rights.
- Support legitimate business and operational requirements.
A.8 Frequency of Processing
Processing activities may occur continuously, periodically, automatically, manually, or on demand depending on Customer usage, system configurations, workflows, integrations, and operational requirements.
A.9 Geographic Scope
Personal Data may be processed, stored, accessed, transmitted, backed up, or otherwise handled in jurisdictions where Ojoo or its approved Subprocessors operate infrastructure, personnel, systems, or services, subject to the provisions of the DPA and applicable laws.
A.10 Deployment Models
Ojoo may provide Services through either customer-managed infrastructure (on-premise deployments) or Ojoo-managed hosting environments, depending on the service offering selected by the Customer.
For on-premise deployments, Customer Data is generally stored, processed, managed, and controlled within infrastructure owned, managed, or designated by the Customer. In such cases, the Customer retains primary responsibility for infrastructure management, security controls, backups, disaster recovery, access management, network security, and compliance obligations relating to the hosting environment.
For cloud-hosted or Ojoo-managed deployments, Customer Data may be processed using infrastructure, hosting providers, and authorized Subprocessors engaged by Ojoo in accordance with this DPA.
The applicable processing activities, hosting arrangements, infrastructure providers, and Subprocessors may vary depending on the deployment model selected by the Customer.
Appendix B – Technical and Organizational Security Measures
This Appendix B forms part of the Data Processing Agreement ("DPA") and describes the technical, organizational, administrative, and operational measures implemented by Ojoo to protect Personal Data processed on behalf of the Customer.
The security measures described herein are designed to support the confidentiality, integrity, availability, resilience, and security of Personal Data processed through the Services. Security measures may be updated, enhanced, modified, or replaced from time to time based on business, operational, technical, legal, and security requirements.
B.1 Information Security Governance
Ojoo maintains policies, procedures, operational practices, and security controls intended to support the secure operation of the Services and the protection of Personal Data.
- Information security management practices.
- Operational security procedures.
- Risk management activities.
- Security awareness initiatives.
- Incident response processes.
- Business continuity planning.
B.2 Access Control Measures
Ojoo implements reasonable access control measures intended to limit access to Personal Data to authorized individuals who require such access for legitimate business, operational, support, security, legal, or compliance purposes.
- Role-based access controls where applicable.
- User authentication mechanisms.
- Password and credential management controls.
- Administrative access restrictions.
- User account provisioning and deprovisioning processes.
- Periodic review of access privileges where appropriate.
B.3 Authentication and Identity Management
Ojoo may implement authentication and identity management controls designed to verify authorized access to the Services.
- User authentication procedures.
- Password protection mechanisms.
- Session management controls.
- Account recovery processes.
- Identity verification procedures where applicable.
B.4 Data Protection Measures
Ojoo implements reasonable safeguards designed to protect Personal Data during storage, access, transmission, processing, backup, and deletion activities.
- Secure communication methods.
- Access restrictions to Personal Data.
- Data segregation mechanisms where appropriate.
- Secure storage and processing practices.
- Controlled deletion and disposal procedures.
B.5 Network and Infrastructure Security
Ojoo utilizes infrastructure and network security measures intended to protect systems, applications, and hosted environments from unauthorized access, malicious activity, service disruptions, and other security threats.
- Network access controls.
- Firewall protections where applicable.
- Infrastructure monitoring.
- Security event monitoring.
- Threat detection and prevention mechanisms.
- Endpoint protection measures where appropriate.
B.6 Application Security
Ojoo applies reasonable security practices during the development, deployment, maintenance, and operation of the Services.
- Secure development practices.
- Application configuration management.
- Software update and patch management processes.
- Security reviews where appropriate.
- Vulnerability remediation activities.
B.7 Monitoring and Logging
Ojoo may maintain monitoring systems, audit logs, operational records, security logs, authentication logs, and activity records for security, compliance, troubleshooting, operational, and business continuity purposes.
- System activity monitoring.
- User access logging.
- Security event logging.
- Error and diagnostic logging.
- Audit trail capabilities where applicable.
B.8 Backup and Disaster Recovery
Ojoo may maintain backup, redundancy, disaster recovery, and business continuity measures designed to support service availability, resilience, recovery, and restoration following service interruptions, system failures, or Security Incidents.
- Data backup procedures.
- Recovery processes.
- Disaster recovery planning.
- Business continuity measures.
- Infrastructure resilience practices.
B.9 Personnel Security
Ojoo takes reasonable measures to ensure that personnel with access to Personal Data understand their responsibilities relating to privacy, security, confidentiality, and acceptable use requirements.
- Confidentiality obligations.
- Role-based access authorization.
- Security awareness initiatives.
- Operational and security guidance.
- Access revocation procedures upon role changes or termination.
B.10 Vendor and Subprocessor Management
Ojoo takes reasonable steps to evaluate and manage Subprocessors and service providers that may process Personal Data on behalf of the Customer.
- Contractual confidentiality obligations.
- Privacy and security requirements.
- Vendor risk assessment activities where appropriate.
- Subprocessor oversight procedures.
B.11 Security Incident Management
Ojoo maintains procedures intended to identify, investigate, document, manage, contain, mitigate, and respond to suspected or confirmed Security Incidents affecting Personal Data.
- Incident detection and reporting procedures.
- Incident investigation processes.
- Containment and remediation activities.
- Incident documentation and tracking.
- Customer notification procedures where applicable.
B.12 Security Reviews and Improvements
Ojoo may periodically review, assess, update, improve, and enhance its security measures to address evolving threats, operational requirements, technological developments, legal requirements, and business needs.
B.13 Customer Responsibilities
The Customer remains responsible for implementing appropriate security controls within its own environment, including user access management, endpoint protection, network security, password management, privacy compliance, workflow configurations, integration security, and secure use of the Services.
B.14 No Absolute Security Guarantee
The Customer acknowledges that no security program, technology environment, cloud platform, software application, network, or method of electronic transmission can be guaranteed to be completely secure. While Ojoo implements reasonable safeguards designed to protect Personal Data, Ojoo does not guarantee absolute security.
Appendix C – Authorized Subprocessors
This Appendix C forms part of the Data Processing Agreement ("DPA") and identifies Subprocessors that may be engaged by Ojoo to process Personal Data on behalf of Customers in connection with the Services.
As of the Last Updated date of this DPA, Ojoo does not engage any third-party Subprocessors to process Customer Personal Data on behalf of Customers as part of the Services.
C.1 Current Authorized Subprocessors
As of the Last Updated date of this DPA, Ojoo does not currently engage any third-party Subprocessors to process Customer Personal Data for on-premise deployments where the Services are hosted within the Customer's own infrastructure and environment.
C.2 Future Subprocessors
Ojoo may engage third-party service providers, vendors, cloud providers, communication providers, payment processors, artificial intelligence providers, infrastructure providers, analytics providers, security providers, or other Subprocessors in the future to support the provision of the Services.
Where applicable, Ojoo shall take reasonable steps to ensure that such Subprocessors are subject to appropriate contractual, confidentiality, privacy, and security obligations consistent with the requirements of the DPA.
C.3 Updates
Ojoo reserves the right to add, replace, remove, or modify Subprocessors from time to time based on business, operational, technical, security, legal, or service delivery requirements.
An updated list of authorized Subprocessors may be made available through Ojoo's website, customer portal, service documentation, or upon reasonable request.