Data Processing Agreement
How we handle your customers' data — transparently and responsibly.
Effective date:
- Compliant with India's Digital Personal Data Protection Act, 2023.
- Primary data storage in India (AWS Mumbai, ap-south-1).
- We notify you of any data breach within 72 hours.
- Your customers' data is never sold or used for third-party marketing.
- All data deleted or returned within 90 days of account termination.
- Sub-processors are listed below — you're always informed of changes.
1. Introduction & Applicability
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service between Narriva (“Processor”, “we”, “us”) and the customer (“Controller”, “you”). It governs how Narriva processes personal data on your behalf when delivering the social media management services described in the Terms of Service.
This DPA is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and any applicable subordinate regulations. Where you operate a business subject to additional international obligations (such as GDPR), the more protective standard shall apply.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person — including customer names, phone numbers, email addresses, social media profile data, and message content processed through Narriva.
- Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- Data Principal: The individual whose personal data is being processed (e.g., your customers, leads, and social media followers).
- Sub-processor: Any third party engaged by Narriva to process personal data on your behalf.
- Personal Data Breach: Any unauthorized or accidental access, disclosure, alteration, loss, or destruction of personal data.
3. Scope & Nature of Processing
3.1 Purpose of Processing
Narriva processes personal data solely to deliver the Service as described in the Terms of Service. Specific processing activities include:
- Managing and publishing content to your connected social media accounts
- Reading, routing, and generating AI-drafted replies to DMs and comments
- Capturing, tagging, and organizing lead information from social interactions
- Analyzing engagement metrics and content performance
- Generating AI-powered content recommendations using your business context
3.2 Categories of Personal Data Processed
- Contact information: names, phone numbers, email addresses
- Social media profile data: usernames, profile photos, public bios
- Message and comment content from your social media inbox
- Engagement data: likes, shares, comments, and story interactions
- Location data at city or region level (for content personalization)
3.3 Data Subjects
The individuals whose personal data may be processed include:
- Your existing customers and potential leads who contact you on social media
- Followers, commenters, and viewers who interact with your content
- Individuals who send direct messages or inquiries through your accounts
4. Narriva's Obligations as Processor
4.1 Lawful Processing
Narriva agrees to:
- Process personal data only on your documented instructions — which are established by your use of specific Narriva features. Any instructions that Narriva believes may violate applicable law will be flagged to you promptly.
- Ensure that all Narriva personnel with access to personal data are bound by legally enforceable confidentiality obligations.
- Not engage in any secondary use of personal data, including selling, renting, or sharing it for third-party marketing purposes.
- Assist you in responding to Data Principal requests and regulatory inquiries within the statutory timeframes.
4.2 Technical & Organisational Security Measures
We implement a layered security framework to protect all personal data:
- Encryption in transit: TLS 1.3 for all data transmitted between systems.
- Encryption at rest: AES-256 for all stored data on AWS infrastructure.
- Access controls: Role-based access with the principle of least privilege. All access is logged and subject to regular audit.
- Authentication: Multi-factor authentication required for all internal systems with access to user data.
- Vulnerability management: Regular security assessments and penetration testing by independent parties.
- Incident response: A documented incident response plan with defined escalation paths and communication protocols.
5. Your Obligations as Controller
As the data controller, you agree to:
- Ensure you have a lawful basis (under the DPDP Act or applicable law) for processing personal data through Narriva.
- Provide appropriate privacy notices to your customers disclosing that their data may be processed through third-party service providers, including Narriva.
- Respond to Data Principal rights requests within statutory timeframes (30 days under the DPDP Act).
- Notify Narriva promptly if you become aware that any of your instructions may violate applicable data protection laws.
- Not use Narriva to process special categories of sensitive personal data (health, biometric, financial credentials) unless explicitly agreed to in writing.
6. Sub-processors
6.1 General Authorization
You provide general authorization for Narriva to engage the sub-processors listed below. We will notify you at least 14 days before adding or replacing a sub-processor, giving you the opportunity to object. If you object and we cannot reasonably accommodate your concern, you may terminate your subscription with a full pro-rata refund.
6.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting, database, and file storage | India (ap-south-1, Mumbai) |
| OpenAI | AI content generation (business context only — no customer PII) | USA (Standard Contractual Clauses in place) |
| Meta Platforms | Instagram, Facebook & WhatsApp Business API | USA / EU (SCCs in place) |
| Razorpay | Payment processing and subscription management | India (RBI-regulated) |
6.3 Sub-processor Accountability
Narriva enters into written agreements with all sub-processors imposing data protection obligations equivalent to or stricter than those in this DPA. Narriva remains fully liable to you for any failure by a sub-processor to fulfil its data protection obligations.
7. International Data Transfers
Our primary data storage is within India (AWS Mumbai) to minimize international transfers. Where personal data must be transferred to sub-processors located outside India (specifically OpenAI and Meta), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with the relevant sub-processor
- Limiting the personal data transferred to the minimum necessary
- Explicitly excluding personal customer data from AI content generation calls
8. Data Principal Rights & Requests
We will assist you in fulfilling your obligations to respond to Data Principal (your customers') rights requests, including:
- Access to their personal data stored through Narriva
- Correction of inaccurate or incomplete data
- Erasure of personal data (“right to be forgotten”)
- Data portability in a machine-readable format
- Withdrawal of consent for specific processing activities
- Grievance redressal through Narriva's support channel
Narriva will promptly forward any Data Principal rights request received directly by us to you, without responding independently — unless legally required to do so.
9. Personal Data Breach Notification
In the event of a confirmed or suspected personal data breach, Narriva will:
- Notify you within 72 hours of becoming aware of the breach, via the email address on your account.
- Provide a written incident report detailing: the nature of the breach, categories and approximate volume of data affected, likely consequences, and measures taken or proposed to contain and remediate the breach.
- Cooperate fully with you and any competent authority (including the Data Protection Board of India) in any investigation or regulatory notification.
- Take all reasonable steps to contain, investigate, and prevent recurrence of the breach.
10. Data Retention & Deletion
Narriva retains personal data only for as long as necessary to deliver the Service. Upon account termination or your written request:
- You may request a complete export of your data within 30 days of termination.
- All personal data will be permanently and securely deleted from active systems within 90 days of termination, unless legal retention obligations require otherwise.
- Payment records are retained for 7 years as required by Indian tax law and are not subject to early deletion.
- Upon request, Narriva will provide a written certification of deletion.
11. Audit Rights
You have the right to verify Narriva's compliance with this DPA. We will:
- Make available all documentation and information necessary to demonstrate compliance, upon reasonable written request.
- Provide applicable third-party security certifications and audit reports (e.g., SOC 2 reports of our infrastructure providers) where available.
- Permit audits or inspections with reasonable prior notice (minimum 10 business days) and at mutually agreed times, conducted in a manner that does not disrupt normal operations.
12. Liability
Each party's liability under this DPA is subject to the limitations and caps set forth in the Terms of Service. Both parties agree to cooperate in good faith to promptly resolve any data protection issues. Narriva's total liability under this DPA shall not exceed the greater of (a) the amount paid by you in the 12 months preceding the claim or (b) ₹10,000.
13. Term & Termination
This DPA is effective from the date you accept the Terms of Service and remains in effect for the duration of your use of Narriva. The data handling obligations under Sections 9 and 10, and the confidentiality obligations, continue to apply after termination until all personal data has been deleted, returned, or is no longer held by Narriva.
14. Contact & Data Protection Officer
For questions about this DPA, data protection compliance, or to submit a formal grievance:
- Email: [email protected]
- Phone: +91 8569958265 (Mon–Sat, 10 AM–6 PM IST)
- Address: Narriva Technologies, NE-15, New Palam Vihar Extension, Sec-110, Gurugram 122017, Haryana, India
Narriva — We process your customers' data with the same care we would want applied to our own.