Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kashi Technologies Private Limited ("Kashi", "Processor") and the customer identified in the relevant Order Form or sign-up record (the "Customer", "Controller"). It governs how Kashi processes Personal Data on the Customer's behalf when providing the Services.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR, the UK GDPR, or the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), as applicable.
- Applicable Data Protection Law: the GDPR, UK GDPR, DPDP Act, and any other data-protection law applicable to a party's processing under this DPA.
- Personal Data: Customer Data (as defined in the Terms) that constitutes personal data under Applicable Data Protection Law.
- Subprocessor: any third party engaged by Kashi to process Personal Data.
2. Scope & roles
For Customer Personal Data, the Customer is the Controller (Data Fiduciary under the DPDP Act) and Kashi is the Processor (Data Processor). Kashi will process Personal Data only on documented instructions from the Customer — the Terms of Service and this DPA constitute those instructions.
3. Subject matter, nature, purposes
See Annex A for the categories of data subjects, types of Personal Data, processing operations, and duration.
4. Instructions & compliance
- Kashi will inform the Customer if an instruction infringes Applicable Data Protection Law.
- The Customer warrants that it has all necessary consents and legal bases to provide Personal Data to Kashi.
5. Confidentiality
Kashi will ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
6. Security measures
Kashi will implement and maintain the technical and organisational measures described in section 8 of the Privacy Policy, including TLS in transit, column-level encryption at rest, IAM least-privilege, 2FA availability, audit logging, and automated security scans. We may update these measures provided they do not materially decrease the security of Personal Data.
7. Subprocessors
The Customer authorises Kashi to engage the subprocessors listed in Annex B. Kashi will:
- Impose contractual obligations on each subprocessor that are no less protective than this DPA;
- Remain liable for the acts and omissions of subprocessors as if they were its own;
- Notify the Customer at least 30 days before adding or replacing a subprocessor. The Customer may object on reasonable grounds; if Kashi cannot accommodate the objection, the Customer may terminate the affected portion of the Services.
8. Data-subject rights
Kashi will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to data-subject requests. Where Kashi receives such a request directly, it will promptly forward it to the Customer.
9. Personal-data breaches
Kashi will notify the Customer without undue delay — and in any event within 72 hours — of becoming aware of a Personal Data breach affecting the Customer's data. The notice will include the nature, scope, likely consequences, and the measures taken or proposed to address it.
10. International transfers
Kashi processes most Personal Data in India (AWS ap-south-1, Mumbai region). Some subprocessors operate outside India — see Annex B. For each cross-border transfer the Customer authorises Kashi to rely on:
- The European Commission's Standard Contractual Clauses (Module 2 / Module 3 as applicable) plus, where required, the UK International Data Transfer Addendum;
- For transfers from India, the mechanisms permitted under the DPDP Act and any restrictions published by the Central Government.
11. Audits
Kashi will make available all information reasonably necessary to demonstrate compliance with this DPA. The Customer may, on reasonable prior written notice (at least 30 days, except in emergencies) and during business hours, conduct an audit of Kashi's processing activities relevant to this DPA, no more than once per year unless required by a supervisory authority. The Customer will bear its own audit costs and comply with Kashi's reasonable security and confidentiality requirements.
12. Term, deletion & return
This DPA runs for the duration of the Services. On termination Kashi will, at the Customer's choice, return or delete all Personal Data within the retention windows set out in the Privacy Policy, save for copies that we are legally required to keep.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
14. Governing law
This DPA is governed by the same law as the Terms of Service. To the extent the GDPR applies, the parties agree that the courts of Vadodara, Gujarat, India have exclusive jurisdiction subject to mandatory law of the data exporter's location.
Annex A — Processing details
- Subject matter: Provision of the Cloudbrief and Paperbrief Services to the Customer.
- Duration: Term of the Services subscription plus the retention periods in the Privacy Policy.
- Nature & purpose: Hosting Customer Data; running AI-assisted analyses and chat over that data; sending operational and report emails; processing payments via subprocessors.
- Categories of data subjects: Customer's authorised users (employees, contractors, invited collaborators).
- Types of Personal Data: Name (where supplied), email address, IP address, authentication metadata; any Personal Data embedded in documents the Customer uploads to Paperbrief or in AWS data the Customer authorises Cloudbrief to read.
- Special categories: None intentionally processed. The Customer must not upload special-category data without first agreeing additional safeguards with Kashi in writing.
Annex B — Subprocessors
The current subprocessor list mirrors the Privacy Policy subprocessor table. A change-notification list is available — email legal@kashilabs.ai to subscribe.
Execution
To execute this DPA as a counterparty, email legal@kashilabs.ai with your company's legal name, registered address, and signatory. We will counter-sign and return.