Data Processing Agreement

enabling authorised Users to access and use the Platform and its features;

facilitating BOM creation, cost analysis, and supplier management workflows;

sending transactional and operational emails and notifications to Users and contacts;

providing customer support and responding to queries raised by Users;

generating usage analytics to improve product quality, stability, and performance;

maintaining security, preventing fraud, and ensuring the integrity and availability of the Services.

Emithran shall not process Personal Data for its own purposes, including for purposes of training machine-learning models, constructing benchmarks, or for any marketing or commercial purpose, unless Personal Data has been fully anonymised and aggregated such that individual data subjects cannot be identified.

Any processing of Personal Data beyond the scope of the Controller’s instructions shall require prior written agreement between the parties in the form of an amendment to this DPA or a separate processing agreement.

are subject to binding confidentiality obligations (whether contractual or arising by operation of law) that are at least as protective as those in this DPA;

access Personal Data only to the extent strictly necessary for the performance of their duties in connection with the Services;

have received appropriate training in data protection obligations relevant to their role and the Personal Data they handle;

are made aware of this DPA and the Controller’s instructions to the extent relevant to their duties.

the pseudonymisation and encryption of Personal Data at rest and in transit;

the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

a description of the nature of the Security Incident, including the categories and approximate number of data subjects and Personal Data records concerned;

the name and contact details of Emithran’s data protection point of contact from whom further information can be obtained;

a description of the likely consequences of the Security Incident;

a description of the measures taken or proposed to be taken by Emithran to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

Notice of changes. Emithran shall provide the Controller with at least 10 calendar days’ prior written notice of any intended addition or replacement of a Sub-processor by updating Schedule C and notifying the Controller by email to the address registered on the Controller’s account.

Objection rights. The Controller may object to the addition or replacement of a Sub-processor on reasonable data protection grounds by notifying Emithran in writing within the notice period. Where the Controller objects, the parties shall discuss the objection in good faith. If Emithran proceeds with the change and the Controller maintains a reasonable objection, the Controller may terminate the Agreement in respect of those Services that cannot be provided without the relevant Sub-processor, subject to any notice obligations in the Agreement.

Sub-processor obligations. Where Emithran engages a Sub-processor, it shall impose on that Sub-processor data protection obligations equivalent to those imposed on Emithran under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures such that the processing will meet applicable Data Protection Law requirements.

Liability. Emithran shall remain fully liable to the Controller for the performance of the Sub-processor’s data protection obligations to the extent that Emithran is responsible under this DPA.

the right of access to Personal Data (including provision of copies);

the right to rectification of inaccurate or incomplete Personal Data;

the right to erasure (“right to be forgotten”);

the right to restriction of processing;

the right to data portability in a structured, commonly used, and machine-readable format;

the right to object to processing;

rights related to automated individual decision-making, including profiling.

where the transfer is to a country in respect of which an adequacy decision has been adopted by the European Commission or the competent UK authority under applicable Data Protection Law;

where the transfer is subject to appropriate safeguards in the form of Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated herein by reference as Annex to this DPA, with Emithran as the data importer and the Controller as the data exporter, or such other SCCs as may be applicable;

where the transfer is subject to binding corporate rules, approved codes of conduct, or approved certification mechanisms recognised under applicable Data Protection Law;

where the transfer is otherwise permitted under applicable Data Protection Law.

providing information about the processing operations conducted by Emithran in connection with the Services, including the technical and organisational security measures described in Schedule B;

where requested in writing, reviewing and providing comments on draft DPIA documentation prepared by the Controller relating to the Services.

Lawful basis. The Controller has and will maintain throughout the Subscription Term a valid lawful basis under applicable Data Protection Law for all processing of Personal Data that it instructs Emithran to carry out on its behalf, including any necessary consents, legitimate interests assessments, or contractual necessity grounds.

Notices and transparency. The Controller has provided, and will continue to provide, all necessary privacy notices and transparency information to Data Subjects whose Personal Data is processed through the Services, in accordance with applicable Data Protection Law, including information about Emithran as a Processor.

Accuracy. The Controller shall take reasonable steps to ensure that Personal Data submitted to the Services is accurate, up to date, and adequate for the purposes for which it is processed. The Controller shall promptly notify Emithran of any inaccuracies of which it becomes aware.

Data minimisation. The Controller shall not submit Personal Data to the Services beyond what is reasonably necessary for the purposes of using the Services, and shall not upload categories of Personal Data that are not described in Schedule A without first agreeing an amendment to this DPA with Emithran.

Compliance with Data Protection Law. The Controller shall comply with all applicable Data Protection Law in connection with its use of the Services and its instructions to Emithran as Processor, including its obligations as a Controller with respect to Data Subject rights, security, and breach notification.

Authorised instructions. The Controller’s instructions to Emithran shall at all times comply with applicable Data Protection Law. The Controller shall be responsible for ensuring that any instruction it provides to Emithran is lawful and does not put Emithran in breach of applicable Data Protection Law.

Third-party data. Where the Controller uploads Personal Data of third parties (including supplier contacts) to the Services, the Controller warrants that it has the authority to do so and that the processing of such data by Emithran as Processor is lawful under applicable Data Protection Law.

Frequency. The Controller may exercise its audit rights under this Section 6 no more than once per calendar year, unless: (i) a Security Incident has occurred that is reasonably related to the scope of the audit; or (ii) a supervisory authority requires more frequent audits.

Notice. The Controller shall give Emithran at least 30 calendar days’ prior written notice of any intended audit or inspection, specifying the scope, duration, and start date. Emithran may request that the Controller use a mutually agreed qualified third-party auditor rather than the Controller’s own personnel, provided that Emithran acts reasonably in doing so.

Confidentiality. Any auditor mandated by the Controller shall be subject to binding confidentiality obligations acceptable to Emithran prior to commencing the audit. The audit shall be conducted in a manner that minimises disruption to Emithran’s business operations and shall not compromise the security, confidentiality, or integrity of other customers’ data.

Costs. All costs associated with an audit or inspection under this Section 6, including Emithran’s reasonable internal costs for facilitating the audit, shall be borne by the Controller. Emithran shall provide the Controller with a reasonable estimate of such costs prior to commencement.

Certifications. In lieu of, or in addition to, an on-site audit, the Controller may request that Emithran provide copies of relevant third-party security certifications, penetration test executive summaries, or audit reports (such as SOC 2 Type II reports), subject to applicable confidentiality restrictions. Emithran shall use commercially reasonable efforts to maintain ISO 27001 certification or an equivalent standard throughout the Subscription Term.

Return. Provide the Controller with a copy of all Personal Data processed on its behalf in a structured, commonly used, and machine-readable format (such as CSV or JSON export), within 30 calendar days of the request or termination date; or

Delete. Securely delete or destroy all Personal Data processed on behalf of the Controller, including all copies held on backup systems, within 30 calendar days of the request or termination date.

Uncapped liability for certain Security Incidents. Where a Security Incident arising directly from Emithran’s failure to comply with its security obligations under Section 4.3 and Schedule B results in a binding fine, penalty, or administrative sanction imposed by a supervisory authority on the Controller under applicable Data Protection Law, Emithran’s liability in respect of such fine, penalty, or sanction shall not be subject to the aggregate liability cap set out in the Agreement, but shall be limited to the portion of the supervisory authority’s determination attributable to Emithran’s breach. For the avoidance of doubt, this clause does not apply where the Security Incident was caused or contributed to by the Controller’s own failure to comply with its obligations under this DPA or applicable Data Protection Law.

Contribution. Where both parties are responsible for damage caused by processing in breach of applicable Data Protection Law, each party shall be liable for that part of the damage for which it is responsible. A party shall be exonerated from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Data Subject claims. Where a Data Subject pursues a claim against Emithran as Processor in respect of processing carried out on behalf of the Controller, Emithran shall promptly notify the Controller and, if Emithran is liable, the Controller shall indemnify and hold Emithran harmless from the proportion of such liability that is attributable to the Controller’s instructions or breach of this DPA.

Term and termination. This DPA shall enter into force on the effective date of the Agreement and shall remain in force for the duration of the Agreement. This DPA shall terminate automatically upon termination or expiry of the Agreement, subject to the survival of obligations set out in Section 9(d).

Conflicts. In the event of any conflict or inconsistency between this DPA and the Agreement in relation to the processing of Personal Data, the provisions of this DPA shall prevail. In all other respects, the Agreement shall govern.

Governing law. This DPA is governed by the same governing law as applies to the Agreement under the applicable Regional Terms (as defined in the Agreement). For Controllers in India, this DPA is governed by the laws of India; for Controllers in the EEA, by the laws of Ireland; for Controllers in the United Kingdom, by the laws of England and Wales.

Survival. Sections 7 (Return and Deletion), 8 (Liability), and 9 (General) shall survive termination or expiry of this DPA and the Agreement.

Amendments. This DPA may only be amended by a written instrument signed by authorised representatives of both parties. Emithran may update this DPA from time to time to reflect changes in applicable Data Protection Law by providing the Controller with at least 30 days’ prior written notice, provided that such updates do not materially reduce the Controller’s rights or increase its obligations without its consent.

Entire agreement. This DPA, together with its Schedules and the Agreement, constitutes the entire agreement between the parties with respect to the processing of Personal Data by Emithran on behalf of the Controller, and supersedes all prior agreements, representations, and understandings relating to that subject matter.

Contact. Questions or requests relating to this DPA should be directed to [email protected].