Back to divontrix.com
Legal · DPA

Data Processing Addendum

Effective 3 July 2026·Divontrix Technologies (OPC) Private Limited

01Purpose and scope

This Data Processing Addendum (“DPA”) sets out the terms under which Divontrix Technologies (OPC) Private Limited (“Divontrix”, “Processor”) processes personal data on behalf of a customer (“Customer”, “Controller”) that has executed a Master Services Agreement, End-User License Agreement, or other commercial agreement (collectively, the “Agreement”) with Divontrix for the licensing, deployment, configuration, or support of DivontrixDB.

This DPA reflects the parties’ agreement with respect to the processing of personal data under the Digital Personal Data Protection Act, 2023 (India), the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the UK General Data Protection Regulation, and any other applicable data-protection law (collectively, “Data Protection Law”). In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data.

On-premise architecture note

DivontrixDB is a binary-only, on-premise database. In a standard deployment, all Customer personal data is processed exclusively on infrastructure under the Customer’s control — never on Divontrix infrastructure. DivontrixDB transmits nothing back to Divontrix: no telemetry, no license check-ins, no crash reports, no usage data. This DPA therefore governs the limited processing that Divontrix performs as part of engagement delivery (defined in Section 02), not the operation of DivontrixDB itself.

02Roles and scope of processing

With respect to personal data processed as part of engagement delivery, the parties’ roles are:

  • Customer is the Controller (or Processor, where Customer is itself processing on behalf of a third party). Customer determines the purposes and means of processing.
  • Divontrix is the Processor. Divontrix processes personal data only on Customer’s documented instructions, as set out in the Agreement and this DPA.

The scope of processing by Divontrix under an engagement is limited to:

  • Configuration files generated for the Customer’s deployment, which may reference the Customer’s environment (hostnames, network topology, regulatory regime) but do not contain personal data from the Customer’s production database.
  • Engagement correspondence (email, calls, meetings) that may include personal data of Customer personnel — names, roles, contact details — disclosed by Customer during configuration, training, or support.
  • Stress-test evidence generated on the Customer’s premise during the 24–48 hour production-readiness validation. This evidence is generated on Customer infrastructure, transferred to Divontrix for review, and deleted after the engagement closes or upon Customer request, whichever is earlier.
  • Audit and compliance evidence (control mappings, architecture diagrams) prepared for the Customer. These are delivered to the Customer and retained by Divontrix only for the duration of the engagement plus 24 months for defensibility.

Divontrix does not process Customer’s production database contents — the actual records, queries, or audit logs produced by DivontrixDB in operation. Those remain exclusively on the Customer’s premise, under the Customer’s exclusive control.

03Customer instructions

Divontrix processes personal data only on the Customer’s documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by applicable Indian law. Where Divontrix is required to process personal data in a manner that deviates from the Customer’s instructions due to a legal obligation, Divontrix will inform the Customer in advance of the processing, unless the law prohibits informing the Customer on grounds of important public interest.

The Customer warrants that its instructions comply with Data Protection Law and that it has provided all necessary notices and obtained all necessary consents from data subjects required for Divontrix to process personal data on the Customer’s behalf.

04Sub-processors

Divontrix engages sub-processors only for the limited engagement-delivery processing described in Section 02. As of the effective date of this DPA, the only sub-processor engaged is:

Sub-processor inventory
Email delivery · Hostinger SMTP

Used for engagement correspondence (email) between Divontrix and Customer personnel. See Hostinger’s Privacy Portal.

Divontrix remains fully responsible for the performance of each sub-processor and ensures that each sub-processor is bound by written terms offering at least the same level of protection as this DPA.

Divontrix will give Customer at least 30 days’ notice of any intended addition or replacement of a sub-processor. Customer may object to a new sub-processor on reasonable data-protection grounds by notifying Divontrix in writing within 30 days of the notice. In such a case, the parties will work together in good faith to identify an alternative. If no alternative can be found and the objection is reasonable, Customer may terminate the affected portion of the engagement with a pro-rata refund of fees paid for the unfulfilled portion.

05Security measures

Divontrix implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including as required under Article 32 GDPR and Section 8 of the Indian Digital Personal Data Protection Act, 2023. These measures include:

Technical measures
  • Strict Content-Security-Policy, HSTS preload, X-Frame-Options DENY, Permissions-Policy lockdown, and Referrer-Policy strict-origin-when-cross-origin on all Divontrix-operated web infrastructure.
  • CSRF protection on every state-changing API route via Origin header validation.
  • Per-IP rate-limiting on public form routes (3/hour for waitlist, 5/hour for contact).
  • PGP-encrypted channel (RSA 4096) for vulnerability reports and sensitive correspondence. Public key published at /.well-known/pgp-key.asc with fingerprint 33F3 F3DB 33C3 F8E1 29F7 A285 4D9B 2771 42BE C696.
  • Signed binary build pipeline — every DivontrixDB binary delivered to a Customer is traceable to a specific signed build from a controlled pipeline.
  • Hash-chained, signed audit log architecture in DivontrixDB itself — though this protects Customer data on Customer infrastructure, not Divontrix infrastructure.
Organizational measures
  • Single-founder-led engineering organization with documented operational continuity plan covering build reproduction, signing key succession, and emergency maintenance.
  • No third-party contractors, no offshore development, no external repository access — all engineering is performed by Divontrix personnel under Divontrix control.
  • All engagement correspondence retained only for the duration specified in Section 06 and accessible only to the founder and named engineering personnel.
  • Documented onboarding for any future engineering personnel, including confidentiality obligations and access controls.
  • Annual review of this DPA and the security posture with each major release.

06Retention and deletion

Divontrix retains personal data processed as part of engagement delivery only for as long as necessary to fulfill the purposes described in Section 02:

  • Engagement correspondence (email, meeting notes): retained for the duration of the engagement plus 24 months for defensibility, then deleted.
  • Configuration files referencing Customer environment: retained for the duration of the engagement plus 12 months, then deleted. The Customer retains its own copy at all times.
  • Stress-test evidence: deleted after the engagement closes, or upon Customer request, whichever is earlier. The Customer receives the evidence as part of the production-readiness review.
  • Audit and compliance evidence prepared for the Customer: delivered to the Customer; retained by Divontrix only for the engagement duration plus 24 months for defensibility, then deleted.

Upon termination of the Agreement, Divontrix will, at the Customer’s choice, delete or return all personal data processed as part of the engagement, and delete existing copies, within 90 days of termination — unless applicable law requires longer retention.

07Personal data breach notification

Divontrix will notify the Customer without undue delay, and in any case within 48 hours, of becoming aware of a personal data breach affecting personal data processed as part of engagement delivery. The notification will:

  • Describe the nature of the breach, the categories and approximate number of data subjects and records concerned, and the likely consequences.
  • Describe the measures taken or proposed by Divontrix to address the breach and mitigate its possible adverse effects.
  • Identify a Divontrix contact point (privacy@divontrix.com) from whom the Customer can obtain further information.

Divontrix will cooperate with the Customer in handling the breach, including assisting the Customer in notifying the relevant supervisory authority and affected data subjects where required under Articles 33 and 34 GDPR.

08Data subject rights

Divontrix will assist the Customer in fulfilling its obligations to respond to data-subject rights requests under Data Protection Law — including access, rectification, erasure, restriction, portability, and objection. Where Divontrix receives a data-subject request directly, it will forward the request to the Customer without responding to the data subject itself, unless required by law.

09Data protection impact assessments

Divontrix will provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to Divontrix.

10International transfers

Divontrix is incorporated in Telangana, India. Where personal data processed as part of engagement delivery is transferred outside India, or where Customer is located outside India and Divontrix processes personal data on Customer’s behalf, the transfer will be subject to appropriate safeguards, including:

  • The EU Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision 2021/914), where the Customer is located in the EEA.
  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses, where the Customer is located in the United Kingdom.
  • Such other transfer mechanism as may be approved under applicable Data Protection Law.

Because DivontrixDB itself transmits nothing back to Divontrix, this Section applies only to engagement correspondence (email) and to the limited engagement-delivery processing described in Section 02 — not to Customer production database contents.

11Audit rights

The Customer may audit Divontrix’s compliance with this DPA, subject to:

  • Providing at least 30 days’ written notice.
  • Conducting the audit during Divontrix’s normal business hours and in a manner that does not interfere with Divontrix’s operations.
  • Limiting the audit scope to information and systems relevant to the processing of Customer personal data under this DPA.
  • Maintaining the confidentiality of any Divontrix confidential information disclosed during the audit.

In lieu of an on-site audit, Divontrix may, at its option, provide the Customer with a third-party audit report or certification (such as SOC 2 Type II or ISO/IEC 27001) once such certifications are obtained. Divontrix currently holds no formal certifications; SOC 2 Type II and ISO/IEC 27001 are in planning.

12Termination

This DPA terminates automatically when the Agreement terminates, or when Divontrix ceases to process personal data on behalf of the Customer, whichever is earlier. Sections 06 (Retention and deletion), 07 (Breach notification — survival of obligations for breaches occurring before termination), 10 (International transfers), and 11 (Audit rights — for audits of pre-termination processing) survive termination.

13Governing law

This DPA is governed by the laws of the Republic of India, without regard to conflict-of-laws principles. The courts of Telangana, India shall have exclusive jurisdiction over any dispute arising out of or related to this DPA.

For Customers located in the EEA, UK, or Switzerland, where mandatory consumer-protection or data-protection law of your country of residence confers rights that cannot be excluded by contract, those rights are preserved.

14Contact

For any matter arising under this DPA, including data-subject requests forwarded by the Customer, sub-processor objections, or audit requests, contact:

Divontrix Technologies — DPA contact
Divontrix Technologies (OPC) Private Limited
CIN: U62011TS2025OPC205089
D.NO.2-3-353, Market Road, M V Complex,
Metpalli, Karim Nagar district,
Telangana, India — 505325
Privacy / DPA inquiries: privacy@divontrix.com
Security inquiries: security@divontrix.com

Questions about this document?

Contact privacy@divontrix.com for privacy and data-protection inquiries, contact@divontrix.com for everything else.

© 2026 Divontrix Technologies. All rights reserved.