Legal

Data Processing Addendum

Template · Last updated: 2026-05-21

Enterprise tier requires a counter-signed DPA. Email legal@reyatech.com to request a signed PDF executed by Reya Technologies LLP.

1. Parties & roles

This Data Processing Addendum (“DPA”) supplements the ProductionLens Terms of Service (the “Agreement”) between the customer organisation (the “Customer” — acting as Data Controller) and Reya Technologies LLP (“ProductionLens” — acting as Data Processor).

2. Subject matter & duration

ProductionLens processes Customer Personal Data solely for the purpose of providing the service described in the Agreement, for the duration of the Agreement and any post-termination wind-down period agreed in writing.

3. Customer instructions

ProductionLens will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers, unless required to do otherwise by law. The Agreement and ordinary use of the service constitute the Customer's standing instructions.

4. Sub-processors

The Customer authorises ProductionLens to engage the sub-processors listed at /sub-processors. ProductionLens will give at least 30 days' notice of any new sub-processor handling Customer Personal Data, and the Customer may object on reasonable grounds.

5. Security measures

ProductionLens will implement and maintain the technical and organisational security measures described at /security, including encryption at rest (AES-256), in transit (TLS 1.3), Row-Level Security, audit logging and India-based primary residency.

6. Data-subject requests

ProductionLens will, to the extent legally permitted, promptly notify the Customer of any request received from a data subject. Where the Customer cannot itself fulfil the request using in-product controls, ProductionLens will reasonably assist the Customer to respond.

7. Audit rights

Once per calendar year, and additionally upon a material security incident, the Customer (or an independent auditor it appoints, subject to confidentiality) may audit ProductionLens' compliance with this DPA. Audits will be scheduled with at least 30 days' notice, conducted during business hours, and will not unreasonably interfere with operations.

8. Personal-data breach notification

ProductionLens will notify the Customer within 72 hours after becoming aware of a personal-data breach affecting Customer Personal Data, with the information reasonably required for the Customer to meet its regulatory obligations under the DPDP Act 2023 (and, where applicable, the GDPR).

9. Return or deletion on termination

Within 90 days of termination of the Agreement, ProductionLens will, at the Customer's choice, return all Customer Personal Data in a machine-readable format or delete it permanently and certify the deletion in writing, except where retention is required by law.

10. International transfers

Primary Customer Personal Data is held in India. Where operational sub-processors process data outside India, ProductionLens relies on the sub-processor's published cross-border transfer safeguards (e.g. EU SCCs), incorporated by reference at /sub-processors.

11. Jurisdiction & precedence

This DPA is governed by the laws of India and is subject to the exclusive jurisdiction of the courts at Mumbai. In the event of a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict.

12. Contact

ProductionLens Data Protection contact: legal@reyatech.com.