Data Processing Agreement

GDPR Article 28, India DPDP, International Transfers

Version: 1.0 | Effective Date: 17-06-2026 | Last Updated: 17-06-2026

1. Background and Incorporation

This DPA forms part of the agreement between HEFGRO ("HEFGRO", the "Processor") and the customer identified in the relevant account or order form (the "Customer", the "Controller") for the provision of the HEFGRO Smart Business Suite and related services (the "Services"). It applies whenever HEFGRO processes Customer Personal Data (defined below) on the Customer's behalf. If there is a conflict between this DPA and the Terms and Conditions, this DPA prevails for data protection matters.

2. Definitions

3. Roles and Scope of Processing

The Customer is the controller / data fiduciary of Customer Personal Data; HEFGRO is the processor / data processor. The Customer is responsible for the lawfulness of Customer Personal Data and its processing instructions, including obtaining all required notices and consents from its own data subjects. HEFGRO's processing of personal data for its own purposes (e.g., Customer account administration, billing, security, platform analytics) is governed by the HEFGRO Privacy Policy, for which HEFGRO is the controller.

3.1 Processing Details (Annex 1 Summary)

Item: Description
Subject matter: Provision of the Smart Business Suite (inventory, production, accounting) and support
Duration: The term of the Customer's subscription plus the deletion period in Section 10
Nature and purpose: Hosting, storage, computation, display, backup, support and related processing necessary to deliver the Services
Categories of data subjects: Customer's employees and authorised users; Customer's customers, vendors and business contacts
Categories of personal data: Names, business contact details, roles, transaction and invoice data, payment references, and other data the Customer chooses to upload
Special categories: Not intended; the Customer must not upload special/sensitive category data unless separately agreed in writing

4. Processor Obligations

HEFGRO shall: (a) process Customer Personal Data only on the Customer's documented instructions (including the Terms, this DPA and configuration of the Services), unless required otherwise by law, in which case HEFGRO will inform the Customer unless legally prohibited; (b) immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws; (c) ensure persons authorised to process Customer Personal Data are bound by confidentiality; (d) implement the technical and organisational measures described in Section 7; (e) assist the Customer, taking into account the nature of processing, in responding to data subject / data principal rights requests and in meeting its obligations regarding security, breach notification, impact assessments and consultations; (f) make available information reasonably necessary to demonstrate compliance and allow audits per Section 9; and (g) not "sell" or "share" Customer Personal Data as those terms are defined under US state privacy laws, nor retain, use or disclose it outside the direct business relationship, acting as a "service provider"/"processor" under those laws.

5. Customer Obligations

The Customer shall: (a) have a lawful basis and provide all required notices for the Customer Personal Data it processes through the Services; (b) configure and use the Services in a manner consistent with Data Protection Laws (including access controls and user management); (c) not upload data categories prohibited by the Terms; and (d) respond to data subjects who contact HEFGRO in error, after HEFGRO redirects them to the Customer.

6. Sub-processors

The Customer grants general authorisation for HEFGRO to engage Sub-processors (e.g., cloud infrastructure, backup, support tooling) listed at [URL of sub-processor list] (Annex 2). HEFGRO will: impose data protection obligations on Sub-processors no less protective than this DPA; remain liable for their performance; and give the Customer at least [30] days' prior notice of new Sub-processors, during which the Customer may object on reasonable data protection grounds. If the objection cannot be resolved, the Customer may terminate the affected Services and receive a pro-rata refund of prepaid fees.

7. Security Measures

HEFGRO implements appropriate technical and organisational measures aligned with Article 32 GDPR, Section 8 of the DPDP Act and Rule 6 of the DPDP Rules 2025, including: encryption in transit (TLS) and at rest for sensitive data; logical tenant separation; role-based access control and MFA for administrative access; vulnerability management and secure development practices; logging and monitoring with retention of at least one year where required by Indian law; backup and disaster recovery; personnel security and training; and vendor security assessments. A current security overview is available on request.

8. Personal Data Breach

HEFGRO will notify the Customer without undue delay, and in any event within [48] hours, after becoming aware of a personal data breach affecting Customer Personal Data, providing information reasonably available about the nature, categories and approximate volumes affected, likely consequences, and measures taken or proposed. HEFGRO will cooperate with the Customer's own notification obligations (e.g., 72-hour notifications under GDPR Article 33 and the DPDP Rules 2025). HEFGRO's notification is not an admission of fault.

9. Audits

On reasonable prior written notice (not more than once per 12 months unless required by a regulator or following a breach), HEFGRO will make available the information necessary to demonstrate compliance with this DPA, including responses to security questionnaires, summaries of third-party audit reports and certifications. Where these are insufficient, the Customer may conduct (directly or through an independent auditor bound by confidentiality) an audit of relevant controls during business hours, without disrupting operations, at the Customer's cost.

10. Return and Deletion

Upon termination or expiry of the Services, the Customer may export Customer Content in a standard format within [30] days. Thereafter, HEFGRO will delete Customer Personal Data from active systems within [60] days and from backups in the ordinary backup rotation cycle, except where retention is required by applicable law (in which case the data remains protected under this DPA and is isolated from further processing).

11. International Transfers

HEFGRO processes data primarily in [India / specify hosting regions]. Where the Services involve a transfer of Customer Personal Data restricted by Data Protection Laws: (a) for EEA/UK/Swiss data, the EU Standard Contractual Clauses (2021) Module 2 (controller-to-processor) and Module 3 (processor-to-processor), and the UK Addendum/IDTA, are incorporated by reference with HEFGRO as data importer, supplemented by transfer impact assessments; (b) for Indian data, transfers comply with the DPDP Act and any restricted-country or localisation notifications; (c) for Chinese, GCC and other restricted-origin data, the corresponding lawful transfer mechanism is applied as described in the Privacy Policy. The processing details in Section 3.1 serve as the corresponding annexes to the SCCs.

12. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms and Conditions, except to the extent Data Protection Laws prohibit such limitation (including each party's liability to data subjects under mandatory law). This DPA replaces any previously agreed data processing terms for the Services.

13. Governing Law

This DPA is governed by the law governing the Terms and Conditions, except where Data Protection Laws of another jurisdiction mandatorily apply to specific processing (including the SCCs, which are governed as stated within them).

14. Contact

Data protection queries and breach notifications: hello@hefgro.com