Data Processing Addendum
The DPA you can sign without sending a single email.
This Data Processing Addendum ("DPA") supplements the Terms of Service between you (the Controller / Data Fiduciary) and Deburise Solutions d/b/a Debutap (the Processor / Data Processor). It applies whenever we process personal data on your behalf in connection with the Service. By accepting our Terms of Service while subject to a law that requires such an addendum (GDPR, UK GDPR, DPDP, LGPD, etc.), you accept this DPA. If you require a signed counter-party copy, email [email protected] with subject "DPA signature request".
1. Scope and role
When you (the Customer) use Debutap, you act as a Controller (or Data Fiduciary) for the personal data of your end-users — visitors, customers, contacts, and team members — that flow through the Service. We process that personal data on your behalf as your Processor (or Data Processor).
For the personal data we collect about you (account-level data, billing data, support data), we act as an independent Controller / Data Fiduciary. That processing is governed by our Privacy Policy, not this DPA.
2. Definitions
Capitalised terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the DPDP Act 2023, as applicable. Where the same concept exists under multiple laws, our use is intended to satisfy all of them.
3. Processing instructions
We process personal data only on documented instructions from the Customer. The following documents constitute the Customer's documented instructions:
- This DPA.
- The Terms of Service.
- The Privacy Policy.
- The Service's configuration as set by the Customer in the dashboard.
- Reasonable, documented written instructions provided by the Customer from time to time.
We will inform the Customer if, in our opinion, an instruction infringes applicable data protection law. We are not obliged to take legal advice on the Customer's instructions.
4. Subject-matter, nature, purpose and duration
- Subject-matter: the personal data processed in connection with the Customer's use of the Service.
- Nature: hosting, storing, transmitting, displaying, indexing, backing up, securing, debugging, analysing in aggregate, and otherwise processing personal data to deliver the Service.
- Purpose: providing the Service as described in the Terms.
- Duration: the term of the Terms, plus any retention period set out in our Privacy Policy and the Customer's deletion instructions on termination.
- Categories of data subjects: the Customer's visitors, customers, contacts, employees, suppliers and any other individuals whose data the Customer chooses to process through the Service.
- Categories of personal data: identifiers (name, email, phone), contact details, content of inquiries / orders, photos and other media if uploaded by the data subject, IP address, device data, geolocation derived from IP, transaction history.
- Special categories: the Service is not designed to process special-category data; the Customer agrees not to upload such data unless it is necessary and the Customer has a valid lawful basis under Article 9 GDPR or its local equivalent.
5. Confidentiality of personnel
We ensure that personnel authorised to process personal data are bound by written confidentiality obligations, are trained on data-protection requirements, and access personal data only as needed to perform their duties.
6. Technical and organisational security measures
We implement and maintain the technical and organisational measures listed in Annex II below. These satisfy Article 32 GDPR and equivalent provisions under the UK GDPR, DPDP, LGPD and other laws. See also our Security Policy.
7. Sub-processors
- The Customer authorises us to engage the sub-processors listed at /legal/sub-processors.
- We notify the Customer at least 30 days before adding or replacing a sub-processor that processes the Customer's personal data, and the Customer can object on reasonable data-protection grounds. If the objection cannot be resolved, the Customer may terminate the affected Service for a prorated refund.
- We remain responsible for the acts and omissions of our sub-processors as if they were our own.
- Every sub-processor is bound by a written contract that imposes data-protection terms substantially equivalent to those in this DPA.
8. Assistance with data-subject requests
We assist the Customer, taking into account the nature of the processing, in fulfilling its obligation to respond to data-subject access, rectification, erasure, restriction, portability, and objection requests. The dashboard exposes self-serve tools for most of these. For requests we receive directly from data subjects, we will forward them to the Customer without responding ourselves (other than acknowledging receipt and informing the data subject that we're a processor).
9. Personal data breaches
On becoming aware of a Personal Data Breach affecting Customer Personal Data, we will:
- Notify the Customer without undue delay and in any event within 72 hours.
- Provide reasonable information to allow the Customer to comply with its notification obligations to supervisory authorities and data subjects.
- Take reasonable steps to mitigate and, if possible, remediate the breach.
- Maintain a record of all breaches.
10. DPIAs and prior consultation
We will provide reasonable cooperation and information to enable the Customer to carry out data-protection impact assessments (DPIAs) and any prior consultation with supervisory authorities required by applicable law (Articles 35 and 36 GDPR).
11. Audit rights
- On reasonable written request and no more than once per year, we will make available the information necessary to demonstrate compliance with this DPA — including current security reports, the sub-processor list, and a summary of our most recent penetration test.
- If that documentation is insufficient, the Customer may conduct an audit on 30 days' written notice, during business hours, at the Customer's cost, conducted by the Customer or a mutually agreed independent auditor bound to confidentiality, and without disrupting our operations or the privacy of other customers.
- For multi-tenant systems, on-site audits are not generally feasible; we offer a written Q&A and evidence package instead.
12. International data transfers
Our primary data location is India. When we transfer Customer Personal Data from the EEA, UK, Switzerland or another jurisdiction with cross-border restrictions into India or to a sub-processor located elsewhere, we rely on the following transfer mechanisms:
- EEA transfers: the European Commission's Standard Contractual Clauses (SCCs, 2021/914), Module Two (controller to processor) or Module Three (processor to processor), executed as part of this DPA.
- UK transfers: the SCCs as supplemented by the UK International Data Transfer Addendum.
- Swiss transfers: the SCCs as supplemented by the FDPIC's guidance.
- Where adequacy decisions exist (e.g. for transfers from the UK to certain "adequate" countries), we rely on the decision.
The SCCs are deemed incorporated by reference and the choices, options and docking clauses in Annex III apply.
13. Return and deletion
On termination of the Terms, the Customer can export its content from the dashboard for 30 days. After that period, we delete the content from active systems within 30 days and from backups within a further 30 days (so up to 90 days total). Personal data we are required by law to retain (e.g. tax invoices) is kept for the legally required period and only used for that purpose.
14. Liability and order of precedence
Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms. If there is a conflict between this DPA and the Terms, this DPA prevails for matters within its scope. If there is a conflict between the SCCs and any other part of this DPA, the SCCs prevail.
15. Annexes I, II and III
Annex I — Details of processing
List of parties. Data exporter: the Customer (named in the account record). Data importer: Deburise Solutions, Bengaluru, Karnataka, India, contact [email protected].
Description of transfer. Categories of data subjects, categories of personal data, frequency, nature, purpose, duration and recipients: as described in Sections 4 and 7 of this DPA.
Competent supervisory authority. For EEA transfers under SCCs Module Two/Three, the competent authority is the lead supervisory authority of the data exporter; absent that, the Irish Data Protection Commission acts as the supervisory authority where the data exporter is established outside the EEA.
Annex II — Technical and organisational measures
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Strict access controls — MFA-enforced for engineers; role-based authorisation; just-in-time elevation for privileged actions.
- Network security — VPC isolation, firewalled databases, secure SSH bastion, regular patching.
- Logging and monitoring — auth, API and admin actions logged for 12 months; security alerts on anomalies.
- Backups — daily encrypted backups, 30-day rolling retention, restore tested quarterly.
- Personnel — confidentiality contracts, role-appropriate training, background checks for sensitive roles.
- Vendor management — every sub-processor is contractually bound to equivalent measures.
- Incident response — documented playbook, 72-hour notification commitment, post-mortem within 14 days.
- Resilience — N+1 redundancy for hot components; disaster-recovery plan with RTO of 4 hours and RPO of 24 hours for the platform; tested annually.
- Secure software development lifecycle — code review, dependency scanning, secrets scanning, annual penetration test.
- Vulnerability disclosure — public process at /legal/security.
Annex III — Sub-processors
The Customer authorises engagement of the sub-processors listed at /legal/sub-processors, on the terms described in Section 7.
SCCs — Module-specific clauses
- Clause 7 (Docking clause): applies.
- Clause 9 (Use of sub-processors): Option 2 (general written authorisation) with a 30-day prior notice period.
- Clause 11(a) (Redress): the optional clause is included; data subjects may lodge a complaint with an independent dispute-resolution body.
- Clause 17 (Governing law): the law of Ireland (or, if Ireland is unavailable, the law of another EU Member State that allows third-party-beneficiary rights).
- Clause 18 (Forum and jurisdiction): the courts of Ireland (or, if unavailable, the chosen EU Member State).
16. Acceptance
This DPA is deemed executed and binding when the Customer accepts the Terms of Service. No signature is required for it to be effective. If your organisation requires a signed copy for procurement purposes, email [email protected] with the subject "DPA signature request" and we will counter-sign within 5 business days.
Questions about this document? Get in touch at [email protected].