Sovaryn

Legal

Data Processing Agreement

Last updated: May 17, 2026

Enterprise customers: This DPA is incorporated into your Master Service Agreement with Sovaryn. For a countersigned copy, email legal@sovaryn.in.

1. Definitions

"Controller" means the customer entity that determines the purposes and means of processing personal data. "Processor" means Sovaryn, acting on the Controller's instructions. "Personal Data" has the meaning given in applicable data protection law.

2. Scope and Role

This DPA applies where Sovaryn processes Personal Data on behalf of the customer in the course of providing the Service. Sovaryn acts as a Processor; the customer acts as a Controller.

3. Processing Instructions

Sovaryn shall process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA) unless required to do so by applicable law.

4. Sub-processors

Sovaryn uses the following sub-processors: (a) Resend Inc. — transactional email delivery; (b) Stripe Inc. — payment processing; (c) Vercel Inc. — infrastructure hosting. The current list of sub-processors is available at sovaryn.in/sub-processors. We will notify customers 30 days before adding new sub-processors.

5. Security Measures

Sovaryn implements appropriate technical and organisational measures including: TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access controls, regular security assessments, and incident response procedures.

6. Data Subject Rights

Sovaryn shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability) within 5 business days of receiving such requests.

7. Data Breach Notification

In the event of a Personal Data breach, Sovaryn shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

8. Data Transfers

Sovaryn transfers data between India and the EU under applicable Standard Contractual Clauses (SCCs) as approved by the European Commission.

9. Audit Rights

The Controller may, on reasonable notice (30 days minimum), request information necessary to demonstrate compliance with this DPA. Sovaryn may provide a third-party audit report in lieu of direct access.

10. Deletion

Upon termination of the Service, Sovaryn shall delete or return all Personal Data within 90 days, at the Controller's election, and provide written confirmation of deletion.

11. Governing Law

This DPA is governed by the same law as the Master Service Agreement. For EU customers, GDPR requirements take precedence.

12. Contact

Data protection queries: privacy@sovaryn.in