Data Intellect

Data Processing Addendum

Last updated: 2026-05-12

[INPUT NEEDED — legal review pending.] This is a draft DPA structure. Final language must be reviewed by counsel and tailored to specific engagement contracts before signing with any client.

1. Purpose

This DPA supplements the Master Services Agreement (MSA) between Data Intellect (Processor) and the Client (Controller). It governs how Data Intellect processes personal data provided by the Client during an engagement.

2. Scope of processing

  • Categories of data subjects: as specified in the relevant SOW (e.g. Client's end users, employees, customers).
  • Categories of personal data: as specified in the SOW.
  • Processing purposes: only as instructed by Client, limited to the deliverables in the SOW.
  • Processing duration: the term of the engagement plus any retention period explicitly authorised by Client.

3. Sub-processors

Data Intellect may engage sub-processors (cloud providers, LLM API vendors, etc.) as needed for the engagement. The current list will be disclosed in the engagement's technical scoping document. Client will be notified of material additions or removals.

4. Security measures

  • Encryption at rest and in transit for client data we hold.
  • Access controls limiting personal-data access to engagement personnel.
  • Audit logging on access to client data.
  • For sensitive workloads, deployment of open-weight models inside Client infrastructure so data does not leave Client's perimeter.

5. International transfers

Engineering operations are based in India; sales operations are based in UAE. International transfers, where required, are governed by appropriate transfer mechanisms (Standard Contractual Clauses for EU/EEA data, adequacy frameworks where applicable).

6. Data-subject rights

Data Intellect will provide reasonable cooperation to Client in responding to data-subject rights requests (access, rectification, erasure) under GDPR / DPDP Act 2023 / UAE PDPL.

7. Breach notification

Data Intellect will notify Client without undue delay (and in no event later than 72 hours) of any confirmed personal-data breach affecting Client data.

8. Audit rights

Client may audit Data Intellect's compliance with this DPA upon reasonable notice, no more than once per year unless triggered by a security incident.

9. Return or deletion

On termination of the engagement, Data Intellect will return all Client personal data or destroy it, at Client's option, except where retention is required by law.

10. Contact

DPA inquiries: connect@dataintellect.in