Data Processing Addendum

Last updated: 14 June 2026

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service, Master Services Agreement, Subscription Agreement, Order Form, or other written agreement ("Agreement") between Cafiyn ("Processor", "Service Provider", "we", "our", or "us") and the Customer ("Controller", "Business", "Customer", "you", or "your").

This DPA governs the processing of Personal Data by Cafiyn on behalf of Customer .

Purpose

The purpose of this DPA is to establish obligations regarding the processing, protection, confidentiality, and security of Personal Data processed by Cafiyn in connection with the Services.

Definitions

For purposes of this DPA:

  • Applicable Data Protection Laws
  • Means all applicable privacy and data protection laws, including where applicable:
  • Digital Personal Data Protection Act, 2023 (India)
  • GDPR
  • UK GDPR
  • CCPA/CPRA
  • Other applicable privacy regulations
  • Personal Data
  • Any information relating to an identified or identifiable individual.
  • Processing
  • Any operation performed on Personal Data including:
  • Collection
  • Recording
  • Organization
  • Storage
  • Use
  • Disclosure
  • Transfer
  • Deletion
  • Data Subject
  • The individual to whom Personal Data relates.
  • Security Incident

Any confirmed unauthorized access, disclosure, destruction, alteration, or loss of Personal Data.

Subprocessor

A third party engaged by Cafiyn to process Personal Data on behalf of Customer .

Scope of processing

Customer appoints Cafiyn as a processor of Personal Data solely for purposes of providing the Services.

Cafiyn shall process Personal Data only:

  • As necessary to provide Services
  • According to Customer instructions
  • As required by applicable law

Customer responsibilities

Customer represents and warrants that:

  • It has lawful authority to collect Personal Data.
  • Appropriate notices have been provided to Data Subjects.
  • Required consents have been obtained.
  • Processing instructions comply with applicable laws.
  • Personal Data submitted is relevant and necessary for intended purposes.
  • Customer remains responsible for determining the legal basis for processing.

Categories of personal data

Depending on Customer use of Services, Personal Data may include:

  • Identification Data
  • First name
  • Last name
  • Full name
  • Contact Information
  • Email address
  • Telephone number
  • Professional Information
  • Job title
  • Employer
  • Department
  • Demographic Information
  • Country
  • Region
  • Industry classification
  • Technical Information
  • IP address
  • Browser information
  • Device information
  • Usage information

Customer shall not submit sensitive personal data unless expressly authorized by written agreement.

Purposes of processing

Personal Data may be processed for:

  • Service delivery
  • Customer support
  • Account administration
  • Security monitoring
  • Service improvement
  • Analytics
  • Compliance obligations
  • Incident response

Processing shall be limited to purposes reasonably necessary to provide the Services.

Confidentiality

Cafiyn shall ensure that personnel with access to Personal Data:

  • Are subject to confidentiality obligations
  • Receive appropriate security awareness training
  • Access Personal Data only where necessary
  • Confidentiality obligations survive termination of employment or engagement.

Security measures

Cafiyn shall maintain reasonable administrative, technical, and organizational safeguards designed to protect Personal Data.

Security measures may include:

  • Access Controls
  • Role-based access
  • Authentication controls
  • Account management procedures
  • Encryption
  • Encryption in transit using TLS
  • Encryption at rest where applicable
  • Monitoring
  • Security logging
  • Audit trails
  • Alerting mechanisms
  • Operational Controls
  • Change management
  • Backup procedures
  • Incident response procedures
  • Cafiyn reserves the right to improve or modify security measures provided overall security is not
  • materially reduced.

Subprocessors

Customer authorizes Cafiyn to engage subprocessors as necessary to provide Services.

Potential subprocessors may include providers of:

  • Cloud hosting
  • Analytics
  • Customer support
  • Monitoring
  • Infrastructure services
  • Cafiyn shall:
  • Maintain appropriate agreements with subprocessors
  • Require confidentiality obligations
  • Require reasonable security measures

Cafiyn remains responsible for subprocessors to the extent required by applicable law.

International data transfers

Personal Data may be processed in countries outside the country of origin.

Where required by applicable law, Cafiyn shall implement reasonable safeguards for such transfers.

Customer acknowledges and authorizes such transfers where necessary to provide Services.

Data subject rights

To the extent legally required, Cafiyn shall provide reasonable assistance to Customer in responding to

requests relating to:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Objection
  • Portability
  • Withdrawal of consent
  • Customer remains responsible for responding to Data Subject requests.

Security incidents

Cafiyn shall maintain procedures designed to identify and manage Security Incidents.

Upon becoming aware of a confirmed Security Incident involving Customer Personal Data, Cafiyn shall:

  • Investigate the incident
  • Take reasonable containment measures
  • Notify Customer without undue delay
  • Provide available information reasonably necessary for Customer response
  • Notification does not constitute admission of fault or liability.

Audits and information requests

Upon reasonable written request, and subject to confidentiality obligations, Cafiyn may provide information regarding its security practices sufficient to demonstrate compliance with this DPA.

Any audit rights shall:

  • Be reasonable in scope
  • Avoid disruption of operations
  • Protect confidential information
  • Be subject to mutually agreed procedures
  • Cafiyn may satisfy audit requests through:
  • Security documentation
  • Questionnaires
  • Certifications
  • Independent assessments

Data retention

Personal Data shall be retained only for:

  • Duration of Services
  • Legitimate business purposes
  • Compliance obligations
  • Security requirements
  • Retention periods may vary depending upon legal and operational requirements.

Return or deletion of data

Upon termination of Services and written request from Customer , Cafiyn shall:

  • Return Customer Personal Data where feasible; or
  • Delete Customer Personal Data
  • except where retention is required:
  • By law
  • For security purposes
  • For legitimate business records
  • For dispute resolution
  • Residual copies contained in backups may be retained until overwritten through normal retention
  • cycles.

Compliance with law

Each party shall comply with applicable privacy and data protection laws relevant to its role and responsibilities.

Nothing in this DPA shall require either party to violate applicable law.

Liability

Liability arising under this DPA shall be subject to the limitations and exclusions contained in the governing Agreement unless prohibited by applicable law.

Term and termination

This DPA becomes effective upon processing of Personal Data by Cafiyn and remains effective for the duration of such processing.

Termination of the Agreement automatically terminates this DPA except for obligations that survive by their nature.

Changes to this dpa

Cafiyn may update this DPA from time to time to:

  • Reflect legal developments
  • Improve security practices
  • Address operational requirements
  • Material changes shall be communicated through appropriate channels.

Contact information

Privacy, Security and Data Protection Requests

Email: infosec@cafiyn.com

Requests relating to Personal Data, privacy rights, security incidents, or data protection matters should be directed to the above address.

Questions about this policy? Email infosec@cafiyn.com.

← Back to Privacy