This Data Processing Addendum (“DPA”) sets out the terms under which Divontrix Technologies (OPC) Private Limited (“Divontrix”, “Processor”) processes personal data on behalf of a customer (“Customer”, “Controller”) that has executed a Master Services Agreement, End-User License Agreement, or other commercial agreement (collectively, the “Agreement”) with Divontrix for the licensing, deployment, configuration, or support of DivontrixDB.
This DPA reflects the parties’ agreement with respect to the processing of personal data under the Digital Personal Data Protection Act, 2023 (India), the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the UK General Data Protection Regulation, and any other applicable data-protection law (collectively, “Data Protection Law”). In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data.
DivontrixDB is a binary-only, on-premise database. In a standard deployment, all Customer personal data is processed exclusively on infrastructure under the Customer’s control — never on Divontrix infrastructure. DivontrixDB transmits nothing back to Divontrix: no telemetry, no license check-ins, no crash reports, no usage data. This DPA therefore governs the limited processing that Divontrix performs as part of engagement delivery (defined in Section 02), not the operation of DivontrixDB itself.
With respect to personal data processed as part of engagement delivery, the parties’ roles are:
The scope of processing by Divontrix under an engagement is limited to:
Divontrix does not process Customer’s production database contents — the actual records, queries, or audit logs produced by DivontrixDB in operation. Those remain exclusively on the Customer’s premise, under the Customer’s exclusive control.
Divontrix processes personal data only on the Customer’s documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by applicable Indian law. Where Divontrix is required to process personal data in a manner that deviates from the Customer’s instructions due to a legal obligation, Divontrix will inform the Customer in advance of the processing, unless the law prohibits informing the Customer on grounds of important public interest.
The Customer warrants that its instructions comply with Data Protection Law and that it has provided all necessary notices and obtained all necessary consents from data subjects required for Divontrix to process personal data on the Customer’s behalf.
Divontrix engages sub-processors only for the limited engagement-delivery processing described in Section 02. As of the effective date of this DPA, the only sub-processor engaged is:
Used for engagement correspondence (email) between Divontrix and Customer personnel. See Hostinger’s Privacy Portal.
Divontrix remains fully responsible for the performance of each sub-processor and ensures that each sub-processor is bound by written terms offering at least the same level of protection as this DPA.
Divontrix will give Customer at least 30 days’ notice of any intended addition or replacement of a sub-processor. Customer may object to a new sub-processor on reasonable data-protection grounds by notifying Divontrix in writing within 30 days of the notice. In such a case, the parties will work together in good faith to identify an alternative. If no alternative can be found and the objection is reasonable, Customer may terminate the affected portion of the engagement with a pro-rata refund of fees paid for the unfulfilled portion.
Divontrix implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including as required under Article 32 GDPR and Section 8 of the Indian Digital Personal Data Protection Act, 2023. These measures include:
Divontrix retains personal data processed as part of engagement delivery only for as long as necessary to fulfill the purposes described in Section 02:
Upon termination of the Agreement, Divontrix will, at the Customer’s choice, delete or return all personal data processed as part of the engagement, and delete existing copies, within 90 days of termination — unless applicable law requires longer retention.
Divontrix will notify the Customer without undue delay, and in any case within 48 hours, of becoming aware of a personal data breach affecting personal data processed as part of engagement delivery. The notification will:
Divontrix will cooperate with the Customer in handling the breach, including assisting the Customer in notifying the relevant supervisory authority and affected data subjects where required under Articles 33 and 34 GDPR.
Divontrix will assist the Customer in fulfilling its obligations to respond to data-subject rights requests under Data Protection Law — including access, rectification, erasure, restriction, portability, and objection. Where Divontrix receives a data-subject request directly, it will forward the request to the Customer without responding to the data subject itself, unless required by law.
Divontrix will provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to Divontrix.
Divontrix is incorporated in Telangana, India. Where personal data processed as part of engagement delivery is transferred outside India, or where Customer is located outside India and Divontrix processes personal data on Customer’s behalf, the transfer will be subject to appropriate safeguards, including:
Because DivontrixDB itself transmits nothing back to Divontrix, this Section applies only to engagement correspondence (email) and to the limited engagement-delivery processing described in Section 02 — not to Customer production database contents.
The Customer may audit Divontrix’s compliance with this DPA, subject to:
In lieu of an on-site audit, Divontrix may, at its option, provide the Customer with a third-party audit report or certification (such as SOC 2 Type II or ISO/IEC 27001) once such certifications are obtained. Divontrix currently holds no formal certifications; SOC 2 Type II and ISO/IEC 27001 are in planning.
This DPA terminates automatically when the Agreement terminates, or when Divontrix ceases to process personal data on behalf of the Customer, whichever is earlier. Sections 06 (Retention and deletion), 07 (Breach notification — survival of obligations for breaches occurring before termination), 10 (International transfers), and 11 (Audit rights — for audits of pre-termination processing) survive termination.
This DPA is governed by the laws of the Republic of India, without regard to conflict-of-laws principles. The courts of Telangana, India shall have exclusive jurisdiction over any dispute arising out of or related to this DPA.
For Customers located in the EEA, UK, or Switzerland, where mandatory consumer-protection or data-protection law of your country of residence confers rights that cannot be excluded by contract, those rights are preserved.
For any matter arising under this DPA, including data-subject requests forwarded by the Customer, sub-processor objections, or audit requests, contact:
Questions about this document?
Contact privacy@divontrix.com for privacy and data-protection inquiries, contact@divontrix.com for everything else.
© 2026 Divontrix Technologies. All rights reserved.