APPHOX Technologies

Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement (MSA) between Customer (Controller under GDPR / Data Fiduciary under DPDP) and APPHOX Technologies (Processor under GDPR / Data Processor under DPDP), and governs the processing of Personal Data under EU GDPR and India's Digital Personal Data Protection Act (DPDP 2023).

Updated 2025 • GDPR (EU) + DPDP (India) aligned.

1. Definitions

Terms such as "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" follow GDPR Article 4. Under India DPDP, the terms "Data Fiduciary" and "Data Principal" apply, with equivalent meaning.

2. Roles of Parties

Customer acts as the Controller (GDPR) / Data Fiduciary (DPDP). APPHOX acts as the Processor (GDPR) / Data Processor (DPDP).

3. Processing on Documented Instructions

APPHOX processes Personal Data strictly on documented instructions from Customer, including configuration, integration, storage, support, analytics, and operational needs.

4. Confidentiality & Staff Controls

Only authorized APPHOX personnel, bound by confidentiality agreements, may access Customer Personal Data, strictly on a need-to-know basis.

5. Sub-Processors

APPHOX may engage vetted cloud infrastructure partners and approved sub-processors. Customer will be notified of additions, and may object on reasonable grounds.

6. Security Measures & Technical Safeguards

APPHOX follows industry-leading safeguards described in the Security Whitepaper.

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • SIEM + 24×7 security monitoring
  • Role-based access control
  • Frequent vulnerability and penetration testing

7. Data Subject / Data Principal Rights

APPHOX assists Customer in fulfilling requests related to:

  • Access, correction and deletion requests
  • Consent withdrawal (DPDP Section 6)
  • Right to Data Portability (GDPR Article 20)
  • Objection and restriction (Articles 18 & 21)

8. Data Retention & Return

Upon contract termination, APPHOX will delete or return Customer Data within 30–90 days unless legally required otherwise.

9. International Data Transfers

Data may be processed in India, the EU, the UK, the Middle East, or other approved regions. For EU clients, transfers follow GDPR Chapter V using SCCs or equivalent safeguards.

10. Breach Notification

If APPHOX becomes aware of a Personal Data Breach, it will notify Customer without undue delay, including preliminary assessment, impact, and remediation steps.

11. Contact

Data protection queries:
dpo@apphoxtech.com