Data Processing Agreement (DPA)

Effective Date: 01/05/2025
Last Updated: 25/10/2025

This Data Processing Agreement ("DPA") forms part of the Service Subscription Agreement between the Customer ("Controller / Data Fiduciary") and Nynedge Software Pvt. Ltd. ("Processor / Data Processor"), governing the processing of personal data within the Nynedge HR & Geofence App.

1. Definitions

Under DPDP Act (India):

• Data Fiduciary: Entity determining purpose of processing (Customer)
• Data Principal: Individuals whose data is processed
• Data Processor: Processes data on fiduciary’s behalf (Company)

Under GDPR:

• Controller: Determines purpose of processing (Customer)
• Processor: Processes data for controller (Company)
• Personal Data: Any identifiable information

2. Subject Matter of Processing

The Processor provides HRMS and geofencing services involving:

• Attendance & location check-in/check-out
• Employee records & documentation
• Leave & shift management
• Timesheets and payroll

3. Duration of Processing

Processing continues during the subscription period and until data is returned or deleted after termination.

4. Categories of Data Subjects

• Employees
• Contractors
• Interns

5. Types of Personal Data Processed

5.1 Personal Identifiers

• Name, Employee ID, Contact info
• Photo (optional)
• HR demographic details

5.2 Employment & HR Data

• Attendance, leave & shift records
• Payroll/timesheet data
• Uploaded documents

5.3 Location Data

• GPS coordinates during attendance
• Geofence entry/exit logs

5.4 Technical Data

• IP address, device info, logs

6. Roles of the Parties

6.1 Customer as Controller/Fiduciary

• Defines purposes of data collection
• Manages access and retention

6.2 Nynedge as Processor

• Processes data only as instructed
• Does not sell or misuse personal data

7. Lawful Basis of Processing

The Customer ensures lawful basis (Consent, Contract, Legitimate Use). The Processor follows documented Customer instructions only.

8. Processor Obligations

• Implement industry-standard security measures
• Maintain confidentiality
• Assist in compliance activities
• Notify Customer of breaches within 72 hours

9. Security Measures

• Encryption (HTTPS/SSL)
• Secure cloud hosting
• RBAC & access logging
• Firewalls & monitoring
• Regular backups

10. Sub-processors

Includes cloud hosting, SMS/email providers, analytics etc. All sub-processors follow strict data protection agreements.

11. International Transfers

Data may be stored/processed outside the Customer’s region with adequate safeguards (DPDP compliance, GDPR SCCs).

12. Assistance to Customer

• DPIA support
• Audit assistance
• Data subject request handling

13. Data Breach Notification

The Processor will notify the Customer within 72 hours of a confirmed breach with full details and mitigation steps.

14. Data Retention & Deletion

Upon termination, Customer may export data. All data is deleted within 30–90 days as per retention policy.

15. Customer Responsibilities

• Ensure lawful data collection
• Provide employee notices/consent
• Maintain data accuracy

16. Liability

Processor liability is limited to subscription fees of last 3 months. Processor is not liable for misuse by Customer staff.

17. Governing Law

Governed by DPDP Act, GDPR (if applicable), and laws of selected jurisdiction (e.g., Bengaluru/Pune courts).

18. Contact Details

Nynedge Software Pvt. Ltd.
📧 support@nynedge.com
🌐 www.nynedge.com