Data Processing Agreement
Effective: May 23, 2026 · Last updated: June 22, 2026
This Data Processing Agreement supplements the Verdeshell CRM Terms of Service and governs the processing of personal data on behalf of Subscribers in accordance with applicable data protection law.
1. Parties & Roles
This Data Processing Agreement ("DPA") is entered into between Verdeshell Technologies ("Processor") and the Subscriber ("Controller"). The Controller determines the purposes and means of processing personal data entered into the Verdeshell CRM Service. The Processor processes that data only as instructed by the Controller in accordance with this DPA.
2. Scope of Processing
Subject matter: Operation of the Verdeshell CRM platform including Sales, Interior Design, Nutrition and Service modules. Duration: For the term of the Subscription Agreement plus 90 days after termination for data export. Nature: Collection, storage, retrieval, modification, deletion and transmission of personal data as directed by Users. Purpose: Providing the contracted CRM Service. Types of personal data: Names, email addresses, phone numbers, company details, financial data, health information (Nutrition module), project data, and any other data the Controller chooses to store in the Service. Categories of data subjects: The Controller's clients, contacts, patients and employees.
3. Controller Instructions
Verdeshell will process personal data only on documented instructions from the Controller (including through the Service interface). If Verdeshell believes an instruction infringes applicable data protection law, it will notify the Controller before processing.
4. Confidentiality of Processing
Verdeshell ensures that persons authorized to process personal data under this DPA are bound by appropriate confidentiality obligations and have received adequate data protection training.
5. Security Measures
Verdeshell implements and maintains the following technical and organizational measures: • Encryption of data in transit using TLS 1.2+ • Encryption of data at rest using AES-256 • Role-based access control and multi-tenant data isolation • Regular security assessments and penetration testing • Incident response procedures and breach notification within 72 hours • Logical access controls with audit logging
6. Sub-processors
Verdeshell uses the sub-processors listed in the table below. The Controller hereby grants general authorization for Verdeshell to engage sub-processors, subject to the conditions in this section. Verdeshell will notify the Controller of intended changes to sub-processors at least 30 days in advance. If the Controller objects to a new sub-processor on reasonable data protection grounds, Verdeshell will use reasonable efforts to offer an alternative. Verdeshell ensures sub-processors are bound by data protection obligations at least as protective as those in this DPA.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | Mumbai, India (ap-south-1) | Cloud hosting, file storage (S3), compute |
| Microsoft Graph API | Global (Microsoft 365) | Transactional email sent by Verdeshell |
| Razorpay | India | Subscription payment processing & billing |
| WhatsApp Business Solution Provider | India | WhatsApp message delivery (when WhatsApp messaging is enabled) |
7. Data Subject Rights
Verdeshell will assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction and objection) within the timescales required by applicable law. Where technically feasible, Verdeshell will provide self-service tools to help the Controller respond to such requests.
8. Data Protection Impact Assessments
Verdeshell will provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) where required by applicable law, taking into account the nature of processing and information available to Verdeshell.
9. International Transfers
Personal data is primarily stored and processed in AWS Mumbai (ap-south-1). Where data is transferred outside India or the EEA, Verdeshell relies on Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent transfer mechanisms to ensure an adequate level of protection.
10. Data Breach Notification
Verdeshell will notify the Controller without undue delay and within 72 hours of becoming aware of a personal data breach likely to result in a risk to the rights and freedoms of natural persons. The notification will include: (a) a description of the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed.
11. Deletion & Return of Data
Upon termination of the Subscription Agreement, Verdeshell will, at the Controller's choice: (a) return all personal data in a standard export format; or (b) securely delete all personal data, within 90 days of termination, except where retention is required by applicable law. Verdeshell will provide a written confirmation of deletion on request.
12. Audits & Inspections
Verdeshell will make available all information necessary to demonstrate compliance with this DPA and will contribute to and allow for audits by the Controller or an independent auditor appointed by the Controller, upon reasonable notice (at least 30 days) and at the Controller's expense, not more than once per year.
13. Controller Obligations & Warranties
The Controller warrants that: (a) it has provided all required notices and obtained all consents, and has a valid lawful basis, for the personal data it processes through the Service, including any special-category data (such as health data processed in the Nutrition module); (b) its instructions to Verdeshell comply with applicable law; and (c) it is responsible for the accuracy, quality and legality of the personal data it uploads. The Controller will indemnify and hold Verdeshell harmless against claims, fines, penalties and losses arising from the Controller's breach of these warranties or of applicable data protection law.
14. Liability
Each party's aggregate liability arising out of or in connection with this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in the Subscription Agreement and Terms of Service. Nothing in this DPA increases a party's liability beyond those limits, except to the extent applicable data protection law requires otherwise.
15. Governing Law
This DPA is governed by the laws of India and, where applicable, by the EU General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act 2023 (DPDP Act). Any disputes under this DPA shall be resolved under the same governing law and jurisdiction as the main Subscription Agreement.