Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between TinTorch and a customer (the “Customer”) for the use of the Services. It applies where TinTorch processes personal data on the Customer’s behalf and is intended to reflect the parties’ obligations under applicable data protection laws, including the GDPR and India’s DPDP Act. This is a brief summary template and should be completed with legal counsel.

For personal data processed on the Customer’s behalf (for example, data about an organization’s members), the Customer acts as the controller and TinTorch acts as the processor. TinTorch acts as an independent controller for data it determines the purposes of, such as account security and billing.

• Subject matter: provision of identity, single sign-on and related account services.
• Duration: for the term of the agreement and as required by law thereafter.
• Nature and purpose: authentication, account management, security and billing.
• Categories of data: identifiers, contact details, authentication and security data, and billing metadata.
• Data subjects: the Customer's users, administrators and organization members.

• Process personal data only on documented instructions from the Customer, except where required by law.
• Ensure persons authorized to process the data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (see our Security page).
• Assist the Customer with data subject requests and with security, breach notification and impact assessments.
• Delete or return personal data at the end of the engagement, subject to legal retention requirements.

The Customer authorizes TinTorch to engage the sub-processors listed on our Sub-processors page. TinTorch imposes data protection obligations on each sub-processor and remains responsible for their performance. We will provide a mechanism to notify the Customer of new sub-processors.

Where personal data is transferred across borders, the parties will rely on a lawful transfer mechanism, such as standard contractual clauses or an equivalent safeguard recognized under applicable law.

TinTorch will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data and will provide reasonable information to assist the Customer in meeting its notification obligations.

To execute a DPA or raise questions, contact privacy@tintorch.com.