yoxa.ai

Data Processing Agreement & Data Security Policy

Effective Date: May 1, 2026

1. Subject Matter, Term, and Deployment Scope

1.1. Subject Matter: This Data Processing Agreement ("DPA") supplements the Master Services Agreement ("Main Contract") concluded between YOXA Technologies Private Limited ("Data Processor") and the Enterprise Customer ("Data Fiduciary") regarding the provision of the YOXA multi-agent orchestration platform.

1.2. Term: The term of this DPA aligns with the term of the Main Contract.

1.3. Deployment-Specific Processing Scope (Crucial): The extent of data processing depends strictly on the Customer's chosen deployment model. YOXA Cloud means YOXA acts as a Data Processor for the data inputted into the multi-agent swarms (e.g., PDFs, prompts, API keys). YOXA Local means that for self-hosted deployments within the Customer's Virtual Private Cloud (VPC), YOXA has zero access to workflow data. In this model, YOXA is not a Data Processor for operational data, and acts only as a Processor for pseudonymized billing/telemetry data (e.g., agent counts).

2. Specification of the Scope of Processing

2.1. Nature and Purpose of Processing: The Data Fiduciary's data shall be processed by YOXA solely for the purpose of executing automated multi-agent workflows as configured by the Customer in the Application.

2.2. The "Absolute Wall" on AI Training: YOXA explicitly warrants that no data processed under this DPA (including uploaded files, user names, agent interactions, or generated outputs) shall ever be used to train, fine-tune, or improve YOXA’s foundational AI models or any third-party models.

2.3. Type of Data and Data Principals: The specific categories of personal data and Data Principals (end-users) are detailed in Annex 1.

3. Technical and Organizational Measures (TOMs)

3.1. YOXA shall establish and maintain reasonable security practices and procedures pursuant to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the DPDP Act, 2023.

3.2. The technical and organizational measures implemented by YOXA are documented in Annex 2. The Data Fiduciary agrees these measures provide an appropriate level of security for B2B orchestration.

3.3. YOXA reserves the right to modify these measures to reflect technological advancements, provided the overall level of security is never degraded.

4. Rights of Data Principals (Correction, Erasure)

4.1. As a Data Processor, YOXA may not independently rectify, erase, or restrict the processing of data. YOXA acts exclusively on the documented instructions of the Data Fiduciary.

4.2. If a Data Principal (e.g., an employee or client of the Customer) contacts YOXA directly to assert their rights under the DPDP Act, YOXA will promptly forward the request to the Data Fiduciary.

5. Quality Assurance and Processor Obligations

5.1. Confidentiality of Personnel: YOXA ensures that all employees authorized to process the Data Fiduciary's data have committed themselves to strict confidentiality and have undergone data security training.

5.2. Regulatory Cooperation: YOXA and the Data Fiduciary shall cooperate with the Data Protection Board of India or other competent regulatory authorities upon request.

5.3. Breach Notification: In the event of a personal data breach or cyber security incident, YOXA shall notify the Data Fiduciary without undue delay (and in compliance with CERT-In reporting timelines) to enable the Data Fiduciary to fulfill its legal reporting obligations.

5.4. DPIA Support: YOXA will assist the Data Fiduciary in conducting Data Protection Impact Assessments (DPIA) where required by law, reasonably charging for exceptional administrative efforts.

6. Sub-Processors

6.1. The Data Fiduciary generally authorizes YOXA to engage the Sub-Processors listed in Annex 3 for cloud hosting and third-party LLM API routing.

6.2. YOXA shall notify the Data Fiduciary in writing of any intended changes concerning the addition or replacement of Sub-Processors. The Data Fiduciary has fourteen (14) days to object.

6.3. If the Data Fiduciary objects on reasonable data protection grounds, and the parties cannot find a resolution, YOXA may terminate the Main Contract extraordinarily.

6.4. YOXA ensures all Sub-Processors are bound by written agreements that impose the same rigorous data protection obligations as this DPA.

7. Control and Audit Rights

7.1. YOXA Cloud Audits: The Data Fiduciary has the right to verify YOXA's compliance with this DPA once per calendar year. YOXA fulfills this obligation primarily by providing current, independent attestations or SOC2 Type II audit reports.

7.2. YOXA Local Audits: Because YOXA cannot access Local deployments, YOXA retains the right to audit the Data Fiduciary’s systems (with 10 days' notice) strictly to ensure compliance with agent licensing limits and to prevent unauthorized reverse engineering of the orchestration engine.

8. Erasure and Return of Data

8.1. Upon termination of the Main Contract, YOXA shall, at the choice of the Data Fiduciary, return or securely delete all personal data processed on behalf of the Data Fiduciary, unless Indian law requires longer retention.

8.2. A certificate of secure data destruction will be provided upon request.

9. Liability

9.1. Liability between the Parties in relation to this DPA shall be governed exclusively by the Limitation of Liability clauses established in the YOXA Master Services Agreement.

9.2. The Data Fiduciary is solely liable for the legal justification of uploading any personal data into the YOXA platform and configuring autonomous agents to process it.

10. Final Provisions

10.1. In the event of contradictions between this DPA and the Main Contract regarding data protection, the provisions of this DPA shall prevail.

10.2. This DPA is governed by the laws of India. Exclusive jurisdiction for any disputes shall lie with the courts of Pune, Maharashtra, India.

Annex 1: Categories of Data and Data Principals

a) Categories of Data Principals: Employees, contractors, and authorized users of the Data Fiduciary. Clients, customers, or business partners of the Data Fiduciary whose data is included in uploaded files.

b) Categories of Personal/Corporate Data: Account Data includes names, corporate email addresses, and IP addresses. Orchestration Data includes text prompts, multi-agent logic chains, uploaded documents (e.g., PDFs, CSVs), and third-party API keys provided by the Data Fiduciary.

Appendix 2: Technical and Organizational Measures (TOMs)

1. Access Control to Systems: Multi-factor authentication (MFA) required for all YOXA engineering staff. Zero-trust architecture with role-based access control (RBAC). Logging of all administrative system accesses.

2. Data Encryption (Integrity and Transfer Control): At Rest, all Customer Data in YOXA Cloud is encrypted using AES-256 standard. In Transit, all external and internal data transmissions are encrypted using TLS 1.2 or higher.

3. Separation Control: Logical tenant isolation ensures Customer A's data cannot be accessed by Customer B's agents or workflows. Strict separation of development, staging, and production environments.

4. Availability and Resilience: Automated daily database backups stored in geographically redundant locations. Containerized orchestration engine allowing for rapid spin-up and disaster recovery. Rate-limiting and automated "Circuit Breakers" prevent Runaway Agent Events from crashing platform infrastructure.

5. Processing Control: Strict adherence to the "Absolute Wall" policy: API endpoints and vector databases are hard-coded to bypass training pipelines for any base AI models.

Annex 3: Authorized Sub-Processors

The Data Fiduciary agrees to the commissioning of the following Sub-Processors, provided a compliant contractual agreement is in place.

Amazon Web Services (AWS) India: Cloud Infrastructure & Hosting (Mumbai Region) - Purpose: Primary secure hosting for YOXA Cloud.

Microsoft Azure (India Region): Azure OpenAI Service - Purpose: Secure, enterprise-fenced routing for LLM processing (Data is explicitly opted out of model training).

Stripe India: Payment Gateway - Purpose: Secure processing of B2B subscription payments.
