Data Processing Addendum
Last updated: [DATE]
These are draft documents and should be reviewed by a licensed attorney before use. This DPA is intended for business customers (such as wellness coaches) who deploy Maria to their clients. Individual consumer users do not need to sign this document.
This Data Processing Addendum ("DPA") forms part of the agreement between Tinkr Labs Private Limited ("Tinkr Labs", "Processor") and the business customer ("Customer", "Controller") that uses Maria to process personal data relating to Customer's end users (for example, clients of a wellness coach). It applies in addition to our Terms of Service and Privacy Policy.
1. Definitions
- Controller: the Customer, which determines the purposes and means of processing personal data of its end users (for example, the wellness coach and their clients).
- Processor: Tinkr Labs, which processes personal data on behalf of the Controller.
- Sub-processor: a third party engaged by Tinkr Labs to process personal data as part of delivering Maria.
- Personal Data: any information relating to an identified or identifiable natural person processed through Maria on behalf of the Controller.
- Data Protection Laws: the GDPR, the India DPDP Act 2023, and any other applicable laws governing personal data.
2. Roles of the Parties
For personal data processed through Maria on behalf of the Customer, the Customer is the Controller (data fiduciary under DPDP) and Tinkr Labs is the Processor (data processor under DPDP). Each party will comply with its obligations under applicable Data Protection Laws.
The Customer is responsible for establishing a lawful basis for the processing (for example, obtaining consent from its end users), for providing required notices, and for ensuring its instructions to Tinkr Labs comply with law.
3. Subject-matter and scope
- Subject-matter: provision of Maria as an AI Executive Assistant service.
- Duration: for as long as the Customer's subscription remains active, plus the return/deletion period below.
- Nature and purpose: processing messages, calendar data, contacts, tasks, and reminders to respond to end-user requests, send proactive notifications, and operate the Service.
- Types of personal data: names, phone numbers, email addresses, calendar event content, message content (text, images, PDFs, voice if enabled), contacts, tasks, reminders, and inferred preferences.
- Categories of data subjects: the Customer's end users and individuals they interact with through Maria.
4. Processor obligations
Tinkr Labs will:
- Process personal data only on documented instructions from the Controller, including as necessary to provide Maria as described in our Terms, unless required to do otherwise by law.
- Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures to protect personal data (see Section 6).
- Only engage sub-processors in accordance with Section 5.
- Assist the Controller in responding to data-subject requests (access, correction, deletion, portability, objection) by providing reasonable tools or support.
- Assist the Controller with data protection impact assessments and consultations with supervisory authorities, where required.
- Notify the Controller without undue delay of any personal data breach affecting the Controller's data (see Section 7).
- Make available the information reasonably necessary to demonstrate compliance with this DPA, and permit audits as described in Section 8.
5. Sub-processors
The Customer authorizes Tinkr Labs to engage the sub-processors listed below to provide the Service. We impose data-protection obligations on each sub-processor that are substantially the same as those in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Twilio, Inc. | WhatsApp message delivery | United States |
| Meta Platforms / WhatsApp | Messaging surface | Global |
| Google LLC | Google Calendar (per user OAuth) | United States / Global |
| Anthropic PBC | Claude AI models (LLM inference) | United States |
| Stripe, Inc. | Subscription billing | United States |
| Railway Corp. | Application hosting, database | United States |
| Vercel Inc. | Website hosting | United States |
Tinkr Labs will inform the Customer of any intended changes to sub-processors at least 30 days in advance, giving the Customer the opportunity to object. If the Customer reasonably objects to a new sub-processor on data-protection grounds, Tinkr Labs may, at its option, suggest a workaround or allow the Customer to terminate the relevant portion of the Service.
6. Technical and organizational measures
Tinkr Labs maintains the following safeguards, reviewed periodically:
- Encryption in transit: TLS 1.2 or higher for all network traffic.
- Encryption at rest: database storage and Google OAuth tokens encrypted at rest.
- Access controls: role-based access, multi-factor authentication for administrative accounts, and the principle of least privilege.
- Secret management: credentials stored in a managed secret store, rotated periodically, and never checked into source control.
- Audit logging: administrative and production access is logged; logs are retained for 90 days.
- Isolation: per-user data isolation at the application layer; shared database with logical separation by user ID.
- Patch management: security updates applied promptly; automated dependency scanning.
- Backups: encrypted backups taken regularly and tested periodically; retention up to 30 days.
- Business continuity: infrastructure runs on providers with high-availability architectures (Railway, Vercel).
- Personnel: personnel with access to personal data are bound by confidentiality obligations and receive security training.
7. Breach notification
If Tinkr Labs becomes aware of a personal data breach affecting the Customer's data, we will notify the Customer without undue delay, and in any case within 72 hours of becoming aware. Our notification will include, to the extent known:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- Contact details for our response team.
Tinkr Labs will reasonably cooperate with the Customer's investigation and any regulator notifications required of the Customer.
8. Audit rights
Tinkr Labs will make available to the Customer, upon reasonable written request, the information necessary to demonstrate compliance with this DPA. The Customer may conduct an audit or inspection no more than once per 12-month period, at Customer's expense, on at least 30 days' prior written notice, during normal business hours, and subject to reasonable confidentiality obligations. An audit conducted by a mutually agreed independent third-party auditor under a confidentiality agreement is preferred.
If Tinkr Labs has a current third-party audit report (for example, a SOC 2 Type II report) that covers the requested scope, the Customer will accept that report in place of an on-site audit.
9. International transfers
Providing Maria involves transfers of personal data to the United States and other jurisdictions where our sub-processors operate. For GDPR-governed transfers, the parties agree to rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, which are incorporated by reference. For DPDP-governed transfers, the parties will comply with the applicable notified framework. The Customer authorizes these transfers as part of the Service.
10. Return and deletion of data on termination
On termination of the Customer's subscription:
- The Customer may request an export of the personal data processed through Maria in a structured, commonly used, machine-readable format within 30 days of termination.
- Unless legally required to retain it, Tinkr Labs will delete the personal data from its primary systems within 30 days of termination (or within 30 days of the Customer's export request, whichever is later).
- Encrypted backups containing the data will be overwritten on the normal rotation schedule, within a further 30 days.
- Tinkr Labs may retain minimum records required by law (for example, Indian tax and accounting records for up to 8 years). Those records will be protected by the same safeguards as active data.
11. Data-subject requests
If Tinkr Labs receives a request directly from an end user seeking to exercise data-protection rights in relation to data processed on the Customer's behalf, Tinkr Labs will forward that request to the Customer and will not respond on the Customer's behalf except where required by law. Tinkr Labs will provide reasonable assistance to help the Customer respond.
12. Liability and precedence
The liability provisions in the main Terms of Service apply to this DPA. In the event of a conflict between this DPA and the Terms, this DPA governs solely with respect to the subject matter of data processing.
13. How to sign this DPA
This DPA is effective upon the earlier of (a) the Customer entering into a paid subscription to Maria for business use, or (b) the Customer countersigning a copy and returning it to hello@tinkrlabs.ai. If you require a signed copy for your records, please contact us and we will provide one.
Last updated: [DATE]. These are draft documents and should be reviewed by a licensed attorney before use.