Data Processing Addendum
This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the applicable order or Terms of Service ("Customer," "you") and Triophase Global Services Pvt. Ltd. ("OpsNGIN," "we," "us") governing your use of the OpsNGIN platform and related services (the "Services," and that agreement, the "Agreement").
This DPA applies where, and to the extent that, OpsNGIN processes Personal Data on your behalf in providing the Services. It is incorporated into the Agreement. In case of conflict on the subject of data protection, this DPA prevails over the rest of the Agreement.
1. Definitions
Terms such as "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Law.
- Applicable Data Protection Law means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation (2016/679) ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), and the data protection framework(s) of the United Arab Emirates.
- Customer Data has the meaning given in the OpsNGIN Privacy Policy and includes any Personal Data contained within it.
- Sub-processor means any third party engaged by OpsNGIN to Process Customer Data.
- Standard Contractual Clauses ("SCCs") means the clauses approved by the European Commission for the transfer of Personal Data to third countries, and/or the UK International Data Transfer Addendum, as applicable.
2. Roles of the parties
2.1 As between the parties, you are the Controller (or a Processor acting on behalf of your own customers) of Customer Data, and OpsNGIN is the Processor (or Sub-processor).
2.2 You are responsible for the lawfulness of the Customer Data you provide and the instructions you give, including ensuring you have the necessary rights, authority, and lawful basis to provide Customer Data to OpsNGIN and to authorize the access and Processing performed by the Services. This reflects, and is in addition to, your authorization obligations under the Agreement.
2.3 OpsNGIN will Process Personal Data only as a Processor acting on your documented instructions, as set out in this DPA, the Agreement, and your configuration and use of the Services.
3. Scope and instructions
3.1 OpsNGIN Processes Personal Data only: (a) to provide, secure, and maintain the Services in accordance with the Agreement; (b) as further documented in your use and configuration of the Services (including the autonomy tier and actions you authorize); (c) as set out in Annex I; and (d) as otherwise instructed by you in writing, where consistent with the Services.
3.2 OpsNGIN will inform you if, in its opinion, an instruction infringes Applicable Data Protection Law, unless legally prohibited from doing so.
3.3 OpsNGIN will not Process Customer Data for its own purposes, will not sell it, and will not use it to train, fine-tune, improve, or evaluate any AI model that is shared across customers or made available to third parties.
4. Confidentiality
OpsNGIN ensures that personnel authorized to Process Customer Data are bound by appropriate confidentiality obligations and access Customer Data only as described in the Privacy Policy (support, security/operational investigation, legal compliance, or with your authorization), on a least-privilege, need-to-know basis.
5. Security
5.1 OpsNGIN implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II.
5.2 These measures include encryption of Customer Data at rest and in transit, brokered just-in-time privileged access with time-limited credentials, access logging and audit, and logical segregation of customer operational context.
6. Sub-processing
6.1 You grant OpsNGIN general authorization to engage Sub-processors to Process Customer Data, subject to this Section.
6.2 OpsNGIN maintains a current list of Sub-processors at https://opsngin.ai/legal/sub-processor and imposes on each Sub-processor data-protection obligations no less protective than those in this DPA.
6.3 OpsNGIN will give you notice of the addition or replacement of a Sub-processor (via the Sub-processor page and/or the notification mechanism you have subscribed to) before that Sub-processor begins Processing Customer Data. You may object on reasonable data-protection grounds within [10/15] days; the parties will work in good faith to resolve the objection, and if it cannot be resolved you may terminate the affected Services as your sole remedy.
6.4 OpsNGIN remains liable to you for the acts and omissions of its Sub-processors to the same extent OpsNGIN would be liable if performing the services directly, subject to the limitations of liability in the Agreement.
7. Assistance to the Customer
Taking into account the nature of the Processing, OpsNGIN will provide reasonable assistance to help you: (a) respond to Data Subject requests (access, correction, deletion, portability, objection, restriction) — see Section 8; (b) ensure security of Processing, notify Personal Data Breaches, and conduct data protection impact assessments and prior consultations; and (c) respond to inquiries or investigations from a supervisory authority concerning Processing carried out on your behalf.
8. Data Subject rights
8.1 The Services provide functionality (including audit logs, export, and deletion controls) that lets you respond to Data Subject requests directly.
8.2 If OpsNGIN receives a request from a Data Subject relating to Customer Data, it will, unless legally required to respond, redirect the Data Subject to you and promptly inform you, and will not otherwise respond except on your instructions.
9. Personal Data Breach notification
OpsNGIN will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to it to help you meet your own breach-notification obligations. Notification will be made to your account owner's contact.
10. Deletion and return of Customer Data
10.1 On termination or expiry of the Services, or on your request, OpsNGIN will delete or return Customer Data as you elect, except to the extent retention is required by law.
10.2 In line with the Privacy Policy, deleted Customer Data is removed from active systems within 30 days and from backups within 90 days, unless retention is legally required or necessary to resolve a dispute. After these periods, data is deleted or irreversibly anonymized.
11. Audits
11.1 OpsNGIN will make available information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications or third-party assessment reports once available.
11.2 Where required by Applicable Data Protection Law and not satisfied by the information above, OpsNGIN will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, frequency limits, and scheduling so as not to disrupt the Services or compromise the security of other customers.
12. International transfers
12.1 OpsNGIN operates from India and the UAE, and may Process Customer Data in other countries via its infrastructure and Sub-processors (see Annex III / the Sub-processor page).
12.2 Where a transfer of Personal Data is subject to the GDPR or UK GDPR and is made to a country without an adequacy decision, the SCCs (and UK Addendum where applicable) are incorporated into this DPA by reference and apply to that transfer, with the parties' details and elections as set out in Annex I.
12.3 For transfers subject to the DPDP Act, the UAE framework, or other Applicable Data Protection Law, the parties will implement the transfer mechanism and safeguards that law requires.
13. Term and liability
13.1 This DPA takes effect on the Effective date and continues for as long as OpsNGIN Processes Customer Data under the Agreement.
13.2 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
Annex I — Details of Processing
- Subject matter: provision of the OpsNGIN autonomous AI infrastructure operations Services.
- Duration: the term of the Agreement, plus the retention periods in Section 10.
- Nature and purpose: connecting to and operating on Customer-authorized infrastructure; planning, executing, and verifying infrastructure operations; storing operational context; providing audit, support, billing, and security functions.
- Types of Personal Data: account and contact data (names, work emails, roles); authentication identifiers; any Personal Data incidentally present in logs, telemetry, command output, configurations, or file contents within the Customer's environment.
- Categories of Data Subjects: Customer's authorized users and administrators; any individuals whose Personal Data is present within the Customer's infrastructure data.
- Frequency of transfer: continuous, for the duration of the Services.
- Controller / data exporter: the Customer. Processor / data importer: OpsNGIN.
Annex II — Technical and organizational measures
- Encryption of Customer Data at rest (e.g. AES-256) and in transit (TLS/HTTPS).
- Brokered, just-in-time privileged access with time-limited credentials that expire automatically; least-privilege and need-to-know enforcement.
- Logging and audit of privileged sessions and executed actions, available to the Customer.
- Logical segregation of customer operational context per account.
- Restricted human access to Customer Data, limited to support, security/operational investigation, legal compliance, or explicit Customer authorization.
- Incident response process and breach notification.
- Administrative, technical, and organizational safeguards appropriate to the sensitivity of the data, with additional formal certifications and independent assessments to be pursued as the platform matures.
Annex III — Approved Sub-processors
As listed at https://opsngin.ai/legal/sub-processor, as updated from time to time in accordance with Section 6.