Data Processing Agreement
Processor obligations when Zantras processes personal data on behalf of a Customer — security measures, breach notification, sub-processor governance, audit rights, and data localisation. Required by Section 8(8) of the DPDPA 2023.
1.Parties & Incorporation#
This Data Processing Agreement ("DPA") is between SIMAYU SOLUTIONS PRIVATE LIMITED ("Zantras", "Processor") and the entity that has accepted the Terms of Service ("Customer", "Fiduciary"). This DPA is incorporated by reference into, and forms part of, the Terms of Service. In the event of conflict between this DPA and the Terms, this DPA prevails on data-protection matters.
2.Roles & Scope#
With respect to personal data of the Customer's end-customers processed through the Platform, the Customer is the Data Fiduciary and Zantras is the Data Processor under Sections 2(i) and 2(k) of the DPDPA 2023. Zantras processes personal data only on the documented instructions of the Customer, the documented instructions being the technical specifications of the API calls made by the Customer.
3.Details of processing#
| Item | Description |
|---|---|
| Subject matter | Identity verification, liveness detection, and document OCR services |
| Duration | Term of the Terms of Service, plus the retention periods in the Privacy Policy |
| Nature & purpose | To deliver the Platform features the Customer integrates with |
| Categories of data | Facial images, identity-document images, extracted KYC fields, session metadata |
| Data Principals | The Customer's end-customers who submit identity data through the Customer's onboarding flow |
4.Processor obligations#
- Process personal data only on Customer's documented instructions and for the purposes described in Section 3.
- Ensure that persons authorised to process the data are bound by confidentiality obligations.
- Implement the technical and organisational security measures in Section 6.
- Assist the Customer in responding to Data Principal requests under Sections 11–14 of the DPDPA.
- Notify Customer of any binding legal request from a government authority that seeks disclosure of Customer data, unless legally prohibited.
- Delete or return all personal data on termination, subject to Section 11.
5.Data localisation#
6.Security measures#
Zantras maintains the following safeguards, consistent with SPDI Rule 8 and ISO/IEC 27001 control objectives:
- Encryption. TLS 1.2 or higher in transit; AES-256 at rest (S3 SSE-KMS).
- Access control. AWS IAM least-privilege; MFA on administrative access; quarterly access review; credential rotation every 90 days.
- Network. Private VPC, security groups restricted, no public S3 ACLs.
- Logging & monitoring. CloudWatch + CloudTrail; alerting on anomalous patterns; 180-day retention.
- Vulnerability management. Continuous SAST/DAST/SCA scanning; annual third-party VAPT.
- Backup & recovery. Daily backups; RTO 4 hours, RPO 1 hour.
- Personnel. Background checks; annual security training; documented onboarding/offboarding.
7.Personal data breach notification#
On becoming aware of a personal data breach affecting Customer data, Zantras will notify the Customer without undue delay and in any event within 24 hours. The initial notice will contain the information then known; a complete report will follow within 72 hours.
Zantras will independently notify CERT-In within the 6-hour window required by the CERT-In Directions of 28 April 2022, where the incident falls within scope.
8.Sub-processors#
The Customer authorises Zantras to engage the sub-processors listed at zantras.com/legal/sub-processors on the date the Customer accepts the Terms. Zantras will give the Customer 30 days' prior notice of any addition or replacement. The Customer may object on reasonable data-protection grounds; if Zantras cannot accommodate the objection, the Customer may terminate the affected service.
Each sub-processor is bound by a written contract that imposes data-protection obligations no less protective than this DPA.
9.Audit rights#
Zantras will, on request, provide the Customer with sufficient information to demonstrate compliance with this DPA, including the most recent SOC 2 / VAPT executive summary. The Customer may conduct an audit (on its own behalf or through a mutually-agreed third-party auditor) once per twelve-month period, on at least 30 days' written notice, during business hours, without disrupting Zantras's operations or other customers, at the Customer's expense. Where Zantras provides a SOC 2 Type II report (or equivalent), it satisfies the Customer's audit right for that period.
10.Assistance with Data Principal rights, DPIAs, and regulator queries#
Zantras will provide reasonable assistance to the Customer in: (a) responding to Data Principal requests; (b) conducting Data Protection Impact Assessments; (c) consultations with the Data Protection Board of India or other competent authorities; and (d) complying with security and breach-notification obligations.
11.Return or deletion on termination#
Within 30 days of termination of the Terms of Service the Customer may export its data through the Platform. Following that 30-day window, Zantras will delete all Customer personal data within 60 days, except where retention is required by law (in which case the data will be protected under this DPA until lawful deletion is possible).
12.Liability#
The aggregate liability limits set out in the Terms of Service apply to claims under this DPA, except that liability arising from a data breach attributable to Zantras is subject to the separate cap set out in the Terms.
13.Order of precedence#
In the event of conflict between this DPA, the Terms of Service, the Acceptable Use Policy, and the Privacy Policy in respect of data-protection matters, the order of precedence is: (i) this DPA; (ii) the Terms of Service; (iii) the Privacy Policy; (iv) the Acceptable Use Policy.
14.Changelog#
- v1.0 — 5 June 2026. Initial publication.