This Addendum governs the processing of personal data we handle on your behalf when you use Whatrite. It supplements our Terms and Privacy Policy.
This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer”) and Whatrite, operated by Techvanch Innovations (“Whatrite”, “we”, “us”) for use of the Whatrite platform (the “Service”).
By accepting our Terms, you also accept this DPA. Customers who require a counter-signed copy can request one — see Section 14.
For Customer Data, Customer is the Data Fiduciary (and the controller for the purposes of GDPR-style frameworks where applicable) and Whatrite is the Data Processor. Whatrite processes Customer Data only on Customer's documented instructions and as needed to deliver the Service.
The categories below describe Personal Data processed in normal use of the Service. Customer controls what is sent to the Service.
Whatrite will process Customer Data only (i) to provide the Service in line with the agreement, (ii) on Customer's documented instructions given through normal use of the product or in writing, and (iii) as required by applicable law. Whatrite will inform Customer if, in its reasonable opinion, an instruction violates the DPDP Act or other applicable law, unless prohibited from doing so.
Whatrite ensures that personnel authorised to process Customer Data are bound by confidentiality obligations and trained on their data-handling responsibilities.
Whatrite implements appropriate technical and organisational measures to protect Customer Data, including encryption in transit (TLS 1.2+), AES-256-GCM encryption at rest for sensitive fields, Argon2id password hashing, signed webhooks, least-privilege access, rate limiting and continuous error monitoring. A current description of our security practices is published at whatrite.dev/security.
Customer authorises Whatrite to engage Sub-processors to process Customer Data. The current list of Sub-processors — including each Sub-processor's name, purpose, location, and link to its DPA — is published at whatrite.dev/sub-processors.
Whatrite imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA. Whatrite remains liable to Customer for the performance of its Sub-processors. We will update the Sub-processors page when we add or remove a Sub-processor; Customer can subscribe to notifications of such changes by writing to hello@whatrite.dev.
Some Sub-processors may process Customer Data outside India. Whatrite relies on transfer mechanisms permitted under the DPDP Act and on contractual safeguards (including the Sub-processors' published data-processing addenda and standard contractual clauses where applicable) to ensure an adequate level of protection. The geographic region of each Sub-processor is disclosed on the Sub-processors page.
Whatrite provides functionality within the Service that enables Customer to access, export, correct and delete Customer Data, so that Customer can respond to requests from its Data Principals. If Whatrite receives a request directly from a Data Principal that relates to Customer Data, we will redirect the request to Customer rather than respond to it ourselves, and assist Customer to the extent reasonably required.
Whatrite maintains procedures to detect and respond to incidents affecting Customer Data. We will notify Customer without undue delay, and in any event within 72 hours of confirming a Personal Data breach affecting Customer Data, using the email on file for the Customer account. The notification will describe, to the extent known, the nature of the breach, the likely consequences, the measures taken or proposed, and a contact point for further information.
On Customer's reasonable written request and no more than once per calendar year, Whatrite will make available information necessary to demonstrate compliance with this DPA — typically through written responses to a security questionnaire, the publicly available certifications and DPAs of our Sub-processors, and our published security documentation. On-site audits, if required by law, will be conducted at Customer's expense, on reasonable advance notice, under an NDA, during business hours, and in a way that does not disrupt the Service.
On termination or expiry of the agreement, Whatrite will, at Customer's option and within 30 days, either (i) return Customer Data through standard export tooling provided by the Service or (ii) delete it from production systems. Backups will be overwritten in the ordinary backup-rotation cycle. Whatrite may retain Customer Data as required by applicable law.
Each party's liability under this DPA is subject to the limitation of liability set out in the underlying agreement. In case of conflict, this DPA prevails over the underlying agreement to the extent of the conflict, and only with respect to the processing of Personal Data.
Customers who require a counter-signed PDF of this DPA — for example, for procurement files — should email hello@whatrite.dev with the subject line “DPA execution request” and include:
We will return a counter-signed copy within five business days, with no materially different terms unless agreed in writing.
