Data Processing Addendum
The contractual terms that apply when VentureSpin Private Limited processes Personal Data on behalf of the Customer through the OneFinOps platform.
Last updated:
This Data Processing Addendum (the “DPA”) supplements and forms part of the Terms of Service (the “Terms”) entered into between VentureSpin Private Limited (CIN: U62099TS2025PTC205120; registered office at B-209, 2nd Floor, The Platina, Kondapur Road, Gachibowli, Hyderabad, Telangana, India - 500032), referred to as “VentureSpin”, and the Customer.
The DPA applies to the extent that VentureSpin processes Personal Data on behalf of the Customer in connection with the OneFinOps platform (the “Service”). It is designed to comply with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), the Information Technology Act, 2000 and applicable supplementary regulations, and to assist Customers that are also subject to the EU General Data Protection Regulation (the “GDPR”) or analogous laws.
1. Definitions
Capitalised terms used in this DPA but not defined here have the meanings given in the Terms. The following additional definitions apply:
- “Applicable Data Protection Law” means the DPDP Act and any other privacy or data-protection law that applies to the processing of Personal Data under the Terms, including, where applicable, the GDPR.
- “Customer Personal Data” means Personal Data contained in Customer Data that VentureSpin processes on behalf of the Customer.
- “Data Fiduciary” has the meaning given in the DPDP Act and corresponds to “Controller” under the GDPR.
- “Data Principal” has the meaning given in the DPDP Act and corresponds to “Data Subject” under the GDPR.
- “Data Processor” has the meaning given in the DPDP Act and corresponds to “Processor” under the GDPR.
- “Data Protection Board” means the Data Protection Board of India established under the DPDP Act, or any successor authority.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data processed by VentureSpin or a Sub-processor.
- “Standard Contractual Clauses” or “SCCs” means, where the GDPR applies, the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries under the GDPR (currently those adopted by Commission Implementing Decision (EU) 2021/914), as in force from time to time.
2. Roles and instructions
Under this DPA, the Customer is the Data Fiduciary in respect of Customer Personal Data, and VentureSpin is the Data Processor. VentureSpin will process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, except where required by Applicable Data Protection Law (in which case VentureSpin will inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest).
The Customer’s instructions are: (a) the Terms (including this DPA), (b) any Order Form, (c) the Customer’s documented use of the Service through configuration choices, support tickets and authorised written communications, and (d) any other instructions agreed by the parties in writing.
VentureSpin will notify the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, but is not obliged to verify the lawfulness of every instruction.
3. Subject matter, duration and scope
- Subject matter: VentureSpin’s processing of Customer Personal Data as a Data Processor in connection with the provision of the Service.
- Duration: For the term of the Terms and any retention period required to comply with Applicable Data Protection Law.
- Nature and purpose: Hosting, storing, transmitting, transforming, reconciling, generating reports and filings, providing support, securing and otherwise operating the Service for the Customer.
- Categories of Data Principals: The Customer’s employees, contractors, vendors, customers, directors, shareholders, board members, auditors and other natural persons whose Personal Data the Customer or its Users submit to or generate through the Service.
- Categories of Customer Personal Data: Identification data (name, employee ID, PAN, Aadhaar reference, GSTIN), contact data (email, phone, address), financial data (bank account, salary, expense), employment data (designation, location, joining date), tax data (TDS, GST, ITC entries), and any other categories the Customer submits to the Service.
A non-exhaustive description of processing activities is set out in Annex A to this DPA.
4. Sub-processors
The Customer authorises VentureSpin to engage Sub-processors to provide parts of the Service, subject to this section. A current list of Sub-processors is maintained on the Sub-processors page and is also available on request from privacy@onefinops.com. The list at the date of this DPA is set out in Annex B.
VentureSpin will:
- Carry out documented security and privacy due diligence on every Sub-processor before engagement.
- Impose on each Sub-processor written contractual obligations no less protective than those in this DPA, including obligations of confidentiality, security and breach notification.
- Remain responsible for the acts and omissions of each Sub-processor as if they were VentureSpin’s own.
- Provide the Customer with at least 30 days’ prior written notice (which may be by email to the account owner or via the Service) of any new Sub-processor or change to an existing Sub-processor before that Sub-processor begins processing Customer Personal Data, unless the Sub-processor is engaged on an emergency basis to address a security or operational risk.
The Customer may object on reasonable data-protection grounds to a new or changed Sub-processor by writing to privacy@onefinops.com within 30 days of the notice. The parties will work in good faith to resolve the objection. If an acceptable resolution cannot be reached, the Customer’s sole remedy is to terminate the affected portion of the Service for cause and receive a pro-rata refund of prepaid Fees for the unused portion of the Subscription Term.
5. Confidentiality
VentureSpin will ensure that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and that access is limited to those personnel who reasonably need access to perform the Service.
6. Security measures
VentureSpin will implement and maintain administrative, technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. The measures include, at a minimum, those described in the Security Policy and summarised in Annex C to this DPA.
VentureSpin will assess and refresh its security measures periodically, and will not materially decrease the level of protection during the Subscription Term.
7. Assistance with Data Principal rights
Taking into account the nature of the processing, VentureSpin will assist the Customer by appropriate technical and organisational measures, insofar as possible, in the fulfilment of the Customer’s obligations to respond to Data Principal requests under Applicable Data Protection Law (including rights of access, correction, erasure, withdrawal of consent and grievance redressal under the DPDP Act, and the equivalent rights under the GDPR).
If VentureSpin receives a request from a Data Principal directed at Customer Personal Data, VentureSpin will, unless prohibited by law, promptly forward the request to the Customer and will not respond to the Data Principal except on the Customer’s documented instructions.
VentureSpin may charge a reasonable fee for assistance that exceeds standard support and is not required by Applicable Data Protection Law.
8. Personal Data Breach notification
VentureSpin will notify the Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay, and in any case within 72 hours of becoming aware of it. The notification will, to the extent reasonably possible, describe the following, and may be supplemented in phases as further information becomes available:
- The nature of the breach, including the categories and approximate number of Data Principals and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
- A point of contact for further information.
VentureSpin will provide the Customer with reasonable assistance in any notification the Customer is required to make to the Data Protection Board, supervisory authorities or affected Data Principals. The notification of a Personal Data Breach by VentureSpin is not, by itself, an admission of fault or liability.
9. Cross-border transfers
VentureSpin processes Customer Personal Data primarily in Indian regions of leading cloud providers (currently the AWS Asia Pacific (Mumbai) region, ap-south-1). Some operational data (telemetry, error logs, support tickets, billing metadata) may be processed by Sub-processors outside India. Where transfers occur, VentureSpin will rely on transfer mechanisms valid under Applicable Data Protection Law, including, where required:
- Compliance with the cross-border transfer requirements of the DPDP Act, including any orders or notifications issued by the Government of India.
- Where the GDPR applies, the SCCs (controller-to-processor or processor-to-processor as applicable), supplemented by additional measures where necessary.
- A transfer impact assessment, available on request from privacy@onefinops.com.
10. Audits and information rights
VentureSpin will make available to the Customer information necessary to demonstrate compliance with this DPA, including:
- The most recent SOC 2 Type II report (under NDA, where available).
- Penetration-test executive summaries and remediation evidence (under NDA).
- Sub-processor lists, security-questionnaire responses, data-flow diagrams and other evidence reasonably required for the Customer’s audits.
For Customers on Enterprise plans, the Customer (or an independent auditor mandated by the Customer at the Customer’s cost) may conduct an audit of VentureSpin’s compliance with this DPA, no more than once per twelve-month period (except where required by a regulator), on at least 30 days’ written notice, during business hours, with reasonable scope and duration, subject to confidentiality, security and operational protections.
11. Return and deletion
On termination or expiry of the Terms, VentureSpin will, at the Customer’s choice, return or delete Customer Personal Data within 30 days, except to the extent retention is required by Applicable Data Protection Law (including the Income-tax Act, 1961, the Companies Act, 2013, and GST law, which require retention of certain records for up to 8 years). Backup copies of Customer Personal Data expire on a rolling 90-day cycle, so data deleted from production systems may persist in encrypted backups for up to 90 days after deletion. VentureSpin will certify the deletion in writing on request.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions in the Terms. For the avoidance of doubt, each Customer’s claims under this DPA are aggregated with the Customer’s claims under the Terms for the purposes of any cap on liability.
13. Order of precedence
In the event of a conflict between this DPA and the Terms, this DPA prevails with respect to the processing of Customer Personal Data. In the event of a conflict between this DPA and the SCCs (where applicable), the SCCs prevail.
14. Changes
VentureSpin may update this DPA from time to time. Material changes will be communicated by email to the account owner at least 30 days before they take effect, unless the change is required by law or by a regulator’s order. Continued use of the Service after the effective date of an update constitutes acceptance.
15. Contact
For DPA-related questions, exercise of audit rights, requests for the Sub-processor list or assistance with Data Principal requests, contact our Data Protection Officer at privacy@onefinops.com or by post at the registered office address above.
Annex A - Description of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the OneFinOps financial operations platform |
| Duration | Subscription Term plus retention required by law |
| Purpose | Operating the Service for the Customer’s financial-operations and statutory-compliance workflows |
| Nature | Hosting, storing, transmitting, processing, reconciling, transforming, reporting, filing, securing |
| Categories of Data Principals | Customer’s employees, contractors, vendors, customers, directors, shareholders, auditors |
| Categories of Customer Personal Data | Identification, contact, financial, employment, tax, banking and any data submitted by the Customer |
| Sensitive Personal Data (where submitted by Customer) | PAN, Aadhaar references, bank account details, salary information |
| Frequency | Continuous during the Subscription Term |
Annex B - Sub-processors
The current list of Sub-processors, their location and the function performed, is published on the Sub-processors page and updated on the schedule set out in section 4. The list at the date of this DPA covers categories including: cloud infrastructure, email delivery, transactional notifications, error monitoring, product analytics, customer-support tooling, billing and invoicing, document storage, and identity and authentication.
Annex C - Summary of security measures
A high-level summary follows; the full description is in the Security Policy.
- Encryption of Customer Personal Data at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access control with least-privilege defaults; multi-factor authentication required for all employee access to production.
- Audit logging of privileged actions, retained for at least 12 months.
- Network segmentation, managed WAF, rate limiting and abuse detection.
- Vulnerability management with documented remediation SLAs by severity.
- Documented incident-response programme with 24x7 on-call rotation.
- Encrypted backups with point-in-time recovery and at least quarterly restore drills.
- Documented sub-processor due diligence and ongoing monitoring.
- Background-screened personnel, mandatory security training and confidentiality agreements.
- Independent assurance and testing (SOC 2 Type II audit in progress; ISO/IEC 27001 certification in progress; annual penetration tests).
Questions?
Email legal@onefinops.com for legal queries, or privacy@onefinops.com for privacy and data-protection requests.