Parties & purpose
This DPA is entered into between Autonowmy Technology Pvt Ltd, a private limited company registered in India with its office at Noida, Uttar Pradesh ("Processor"), and the Customer identified in the Order Form or signed MSA ("Controller"). It governs Autonowmy's processing of Personal Data on the Controller's behalf in connection with the Platform.
This DPA reflects the parties' agreement with regard to the processing of Personal Data under the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, India's Digital Personal Data Protection Act 2023 ("DPDP"), and other applicable data protection laws.
Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person that Autonowmy processes on behalf of the Customer through the Platform.
- "Processing" — any operation performed on Personal Data, automated or not.
- "Data Subject" — the individual to whom Personal Data relates.
- "Sub-processor" — a third party engaged by Autonowmy to process Personal Data on behalf of the Customer.
- "Personal Data Breach" — a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
- "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses approved by the European Commission Implementing Decision 2021/914.
Capitalized terms not defined here have the meaning given in the MSA, Terms, or applicable data protection law.
Scope & instructions
Autonowmy processes Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do so by law. If law requires Autonowmy to process Personal Data otherwise, Autonowmy will inform the Customer first unless the law prohibits doing so.
The Customer's documented instructions are set out in this DPA, the MSA, the Order Form, the Platform's configuration (including connector permissions, retention policies, and the autonomy dial), and any further reasonable written instructions consistent with the foregoing.
The Customer is responsible for ensuring it has a lawful basis for the Personal Data routed through the Platform and for obtaining required consents from Data Subjects.
Confidentiality
Autonowmy ensures that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation. Access to Personal Data is restricted to the minimum number of personnel required to deliver the Platform.
Security measures
Autonowmy implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Pseudonymization where feasible without impairing the Platform's purpose
- Tenant-level isolation; per-tenant encryption keys for customers on Single-Tenant deployments
- Role-based access control, least-privilege, just-in-time elevation, MFA for all production access
- Comprehensive audit logging — every reasoning step, tool call, and approval is logged and replayable
- Vulnerability management, secure development lifecycle, third-party penetration testing annually
- Backup and disaster recovery with documented RPO/RTO
- Personnel security screening and annual security training
Detailed measures are described in Annex B and the Security & Trust page.
Sub-processors
The Customer grants Autonowmy a general authorization to engage Sub-processors to process Personal Data, subject to the conditions below and the current list at /subprocessors (Annex C).
- Autonowmy informs the Customer of any intended additions or replacements of Sub-processors at least 30 days in advance via email and the published sub-processor list
- The Customer may object to a new Sub-processor in writing on reasonable data-protection grounds within 14 days of notice. The parties will work in good faith to resolve the objection; if unresolved, the Customer may terminate the affected service portion
- Autonowmy imposes on each Sub-processor data protection obligations no less protective than those in this DPA, by written contract
- Autonowmy remains fully liable to the Customer for the performance of its Sub-processors
Data-subject rights
Taking into account the nature of the processing, Autonowmy assists the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests for the exercise of Data Subject rights (access, rectification, erasure, restriction, portability, objection).
If Autonowmy receives a request directly from a Data Subject relating to Customer Personal Data, Autonowmy will promptly forward it to the Customer and not respond to the request itself, except to acknowledge receipt and direct the Data Subject to the Customer.
Personal-data breach
Autonowmy notifies the Customer without undue delay — and in any case within 72 hours — after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification includes:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected
- Likely consequences
- Measures taken or proposed to address and mitigate
- The contact point for further information (our Security & Compliance lead via allison@autonowmy.com)
Autonowmy reasonably cooperates with the Customer in any required notifications to supervisory authorities and Data Subjects.
Audit & inspection
Autonowmy makes available to the Customer all information necessary to demonstrate compliance with this DPA, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
To minimize disruption:
- Audits occur not more than once per twelve-month period, except following a material Personal Data Breach
- The Customer gives at least 30 days' written notice and signs a customary NDA
- The Customer covers reasonable costs of audits requested beyond standard reports
- The Customer may satisfy its audit right through review of Autonowmy's SOC 2 Type II report, ISO 27001 certification (when issued), and penetration test summaries — provided under NDA
International transfers
To the extent processing of Personal Data subject to GDPR or UK GDPR involves a transfer to a country outside the EEA or UK that does not benefit from an adequacy decision, the parties incorporate the Standard Contractual Clauses (Module 2 — Controller-to-Processor) by reference, and where the UK GDPR applies, the UK International Data Transfer Addendum (IDTA).
For DPDP-governed data, transfers outside India are made only to jurisdictions notified by the Government of India or under contractual safeguards permitted by the Act.
Customer-selected deployment region (AP-South / EU-West / US-East) is the primary determinant of where Personal Data resides at rest.
Return & deletion of data
Upon termination or expiration of the Platform subscription, Autonowmy will, at the Customer's choice, return or delete all Personal Data within 30 days, including copies, unless retention is required by law. On request, Autonowmy provides written confirmation of deletion.
Backup copies are deleted in accordance with Autonowmy's documented backup-retention schedule (maximum 90 days from termination) and remain subject to the security obligations of this DPA until destroyed.
Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the MSA or Terms. Nothing in this DPA limits either party's liability where law prohibits such limitation (including liability to Data Subjects under GDPR Article 82).
General
This DPA supplements and forms part of the MSA or Terms between the parties. In case of conflict, the order of precedence is: this DPA > MSA > Order Form > Terms, but only in respect of the processing of Personal Data. All other matters are governed by the MSA or Terms.
This DPA is governed by the laws of India unless the MSA between the parties specifies otherwise.
Annex A — Processing details
- Subject matter: Provision of the Autonowmy AI Operations Platform under the MSA / Terms
- Duration: For the term of the Platform subscription plus the period required for return / deletion of data
- Nature & purpose: Hosting, processing, analyzing, and acting on operational data including Personal Data, to enable autonomous operations workflows configured by the Controller
- Types of Personal Data: Names and contact details of Customer's employees, contractors, end-customers; identifiers in tickets, emails, telemetry; whatever Personal Data the Controller routes via configured connectors
- Categories of Data Subjects: Controller's employees, contractors, end-customers, partners, suppliers, as relevant to the workflows the Controller automates
- Frequency: Continuous, for the duration of the Platform subscription
- Special categories: Not processed by default. If the Controller chooses to route Special Category data, additional safeguards must be agreed in writing
- Recipients: Authorized Controller users; Autonowmy personnel under confidentiality; Sub-processors per Annex C
Annex B — Technical & organizational measures
Autonowmy maintains the following measures, which may be updated to reflect industry best practice provided the level of protection is not diminished:
1. Encryption
- TLS 1.2+ for data in transit
- AES-256 for data at rest
- Per-tenant encryption keys for Single-Tenant deployments
2. Access control
- Role-based access (RBAC) — three-layer gate: authentication, module licence, permission
- Multi-factor authentication for all production access
- Just-in-time privilege elevation with audit trail
- Quarterly access reviews
3. Audit & observability
- Every agent reasoning step, tool call, and approval is logged and replayable
- Immutable audit log with cryptographic integrity
- 30+ days of operational logs retained; longer per contract
4. Operational security
- Documented incident response plan with 72-hour breach-notification commitment
- Annual third-party penetration test
- Vulnerability management with risk-scored SLAs
- Personnel security screening and annual security training
5. Resilience
- Multi-AZ deployment within each region
- Documented Recovery Point Objective (RPO) and Recovery Time Objective (RTO) per tier
- Tested disaster-recovery plan
6. Vendor management
- Sub-processor risk assessment before engagement
- Written terms imposing equivalent obligations
- Annual reassessment of critical sub-processors
Annex C — Sub-processors
The current sub-processor list is maintained at /subprocessors and incorporated into this DPA by reference. Material additions are notified at least 30 days in advance per Section 6.
Contact & countersignature
To request a countersigned copy of this DPA with your organization's details, or for any DPA-related question, write to:
- Data Protection & Privacy — allison@autonowmy.com
- Registered office — Autonowmy Technology Pvt Ltd, Noida, Uttar Pradesh, India
Allison routes the request to our Data Protection lead and returns a countersigned PDF within three business days.