Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Infomaze Sphere LLP ("Infomaze," "Processor") and the Customer subscribing to the hrPLANR platform ("Customer," "Data Fiduciary"). It applies whenever Infomaze processes personal data on behalf of Customer in connection with the Service.
This DPA reflects the requirements of the Digital Personal Data Protection Act, 2023 ("DPDP Act") and articulates the parties' respective roles, the scope of processing, and Infomaze's obligations as a Data Processor.
Definitions
Terms used but not defined here have the meanings given in the Terms of Service or the DPDP Act 2023.
| Term | Definition |
|---|---|
| Customer Personal Data | Personal data of Customer's employees, contractors, candidates, and other data principals that Infomaze processes on behalf of Customer in connection with the Service. |
| Data Fiduciary | The entity that determines the purpose and means of processing personal data, as defined in the DPDP Act. For Customer Personal Data, the Data Fiduciary is the Customer. |
| Data Processor | Infomaze, when processing Customer Personal Data on behalf of and per the instructions of Customer. |
| Data Principal | The natural person whose personal data is being processed (e.g., Customer's employee). |
| Sub-Processor | A third-party service provider Infomaze engages to process Customer Personal Data. |
| Personal Data Breach | A breach of security leading to unauthorised access, disclosure, loss, alteration, or destruction of Customer Personal Data. |
Scope and purpose of processing
2.1 Subject matter
Processing of Customer Personal Data to provide the Service (the modules subscribed to by Customer, including but not limited to AI-Driven HR, Payroll, Compliance, Recruitment, Onboarding, Offboarding, Attendance, Leave, ESS, and AI capabilities).
2.2 Duration
For the duration of Customer's subscription, plus the post-termination data retention period described in Section 9.
2.3 Nature of processing
Storage, hosting, retrieval, structuring, analysis (including AI inference where Customer has enabled AI features), reporting, transmission to authorised users, generation of statutory filings, and other operations necessary to provide the Service.
2.4 Purpose
Solely to provide the Service to Customer per the Agreement. Infomaze does not use Customer Personal Data for its own purposes, including not using it to train AI models.
2.5 Categories of Data Principals
- Customer's employees (current, former, prospective)
- Customer's contractors, interns, vendors (as configured)
- Job candidates applying to Customer
- Family members of employees (as relevant for HR records — e.g., dependents for insurance)
2.6 Categories of Personal Data
- Identification: name, employee ID, PAN, Aadhaar number (last-4 stored in UI), date of birth, photo
- Contact: address, phone, email (work and personal), emergency contacts
- Employment: job title, department, reporting manager, joining date, exit date, compensation, performance ratings
- Financial: bank account, UAN, PF number, ESI number, salary components, tax declarations
- Identity documents: PAN card, Aadhaar (as configured), education certificates, prior employer documents
- Operational: attendance, leave records, regularization requests, expense claims
- Communications: chat messages with AI HR Assistant (where enabled), support tickets
Infomaze's obligations as Data Processor
Infomaze will:
- Process only per Customer's instructions — Customer's instructions are documented in the Agreement, the Service's configuration, and any additional written instructions. If Infomaze believes an instruction violates law, it will inform Customer before proceeding.
- Limit access to authorised personnel — only Infomaze personnel with a need to know access Customer Personal Data, under a confidentiality obligation.
- Implement security measures — the technical and organisational measures described in Section 6 and on the Security page.
- Assist with Data Principal requests — provide reasonable assistance to enable Customer to respond to Data Principal rights requests within DPDP Act timelines.
- Notify Personal Data Breaches — as described in Section 7.
- Assist with regulatory cooperation — provide information reasonably required for Customer's regulatory or audit obligations.
- Not transfer data outside India — except as permitted by the sub-processor schedule and in compliance with the DPDP Act's cross-border rules (where applicable).
- Delete or return data on termination — as described in Section 9.
- Make available information demonstrating compliance — including audit reports, certifications, and (under NDA) penetration test summaries.
Customer's obligations as Data Fiduciary
Customer represents and warrants that it will:
- Have a lawful basis for the processing of Customer Personal Data that Customer instructs Infomaze to perform.
- Obtain necessary consents from Data Principals where consent is the basis of processing (including for AI features that process Data Principal data).
- Provide DPDP Act notices to Data Principals as required, including informing employees that hrPLANR is the platform on which their data is processed.
- Configure the Service appropriately — including data retention policies, access controls, and AI feature toggles.
- Respond to Data Principal requests in the first instance; Infomaze will assist with technical execution.
- Not provide Infomaze with personal data outside the scope of the agreed categories without prior agreement.
- Comply with all applicable laws in its use of the Service.
Sub-processors
Customer authorises Infomaze to engage sub-processors as listed in Schedule A below. Infomaze:
- Maintains a current list of sub-processors at hrplanr.com/legal/sub-processors
- Imposes data protection obligations on each sub-processor at least as protective as those in this DPA
- Remains responsible for sub-processor performance
- Provides 30 days' notice before adding or replacing a sub-processor (via email and the sub-processor page)
- Allows Customer to object to a new sub-processor on reasonable data protection grounds; if the objection cannot be resolved, Customer may terminate the Service for the affected modules without penalty
Schedule A — Current sub-processors
| Sub-processor | Service | Location | Data category |
|---|---|---|---|
| Amazon Web Services (AWS) India | Cloud infrastructure | Mumbai (ap-south-1), Hyderabad (ap-south-2) | All Customer Data |
| Resend [CONFIRM] | Transactional email | US/EU (no Personal Data of Indian employees transmitted in body) | Email metadata for transactional notifications |
| Plausible Analytics | Website analytics (no PII) | EU | Anonymised website usage data only |
| Stripe / Razorpay [CONFIRM payment gateway] | Payment processing | India | Billing contact details only; card details processed by gateway directly |
| AWS Bedrock [CONFIRM AI provider] | AI inference (Enterprise) | Mumbai (ap-south-1) | Data submitted to AI features, with zero-retention contract |
| Standard regional LLM endpoint [CONFIRM provider] | AI inference (non-Enterprise plans) | [CONFIRM region] | Data submitted to AI features, with zero-retention contract |
| AuthBridge [Coming Q3 2026] | Background verification | India | BGV-relevant data for candidates where Customer has enabled BGV |
Security measures
Infomaze implements and maintains the following technical and organisational measures:
6.1 Access control
- MFA on all administrative access
- Role-based access control with audit logging on all admin actions
- SSO (SAML 2.0, OIDC) available on Enterprise plan
- Sessions time out after inactivity; force logout on suspicious activity
6.2 Encryption
- At rest: AES-256-GCM via AWS KMS, per-tenant keys, annual rotation
- In transit: TLS 1.3, HSTS enforced, TLS 1.0/1.1 rejected
- Aadhaar handling: only last-4 displayed in UI; full number encrypted column-level
6.3 Network and infrastructure
- Hosted on AWS Mumbai with DR in AWS Hyderabad
- VPC isolation, security groups, WAF
- Annual penetration testing by CERT-In empanelled firm
6.4 Backups and recovery
- Daily automated backups, 35-day point-in-time recovery
- Cross-region replication to Hyderabad
- Backup encryption with separate KMS key
- Recovery Time Objective: 4 hours; Recovery Point Objective: 1 hour
- Quarterly DR drills, documented runbooks
6.5 Personnel security
- Background checks on personnel with access to Customer Personal Data
- Confidentiality agreements signed by all personnel
- Mandatory annual security and privacy training
6.6 Certifications
- ISO 27001:2022 — in progress, target Q4 2026
- SOC 2 Type II — planning for 2027
- DPDP Act 2023 — compliant
Current status and updates: hrplanr.com/security.
Personal Data Breach notification
7.1 Notification timeline
If Infomaze becomes aware of a Personal Data Breach affecting Customer Personal Data, Infomaze will notify Customer without undue delay, and in any event within 72 hours of becoming aware, in line with DPDP Act requirements.
7.2 Notification contents
The notification will include, to the extent then known:
- Description of the nature of the breach (categories and approximate numbers of Data Principals and records affected)
- Likely consequences
- Measures taken or proposed to address the breach and mitigate adverse effects
- Contact point for further information
7.3 Cooperation
Infomaze will cooperate with Customer in responding to the breach — including providing information needed for Customer to notify the Data Protection Board of India and affected Data Principals as required.
7.4 Status page
Material service incidents are also posted to status.hrplanr.com.
Audit rights
8.1 Audit reports
Infomaze makes available to Customer information demonstrating compliance with this DPA, including:
- Annual penetration test summary (under NDA)
- ISO 27001 certification, when issued
- SOC 2 Type II report, when issued
- Sub-processor list and changes
8.2 On-site audits
For Enterprise customers, on reasonable advance written notice (at least 30 days), and not more than once per year (except in case of a regulatory request or following a Personal Data Breach), Customer or its independent auditor may conduct an on-site audit of Infomaze's compliance with this DPA, subject to:
- Reasonable confidentiality obligations
- Limited scope agreed in advance
- Reasonable hours and minimal disruption to operations
- Customer bearing its own costs and Infomaze's reasonable costs for facilitating the audit
Data deletion and return
9.1 During subscription
Customer may export Customer Personal Data at any time through the Service's export features (JSON, CSV, PDF as available per module).
9.2 On termination
On termination of the subscription:
- 30-day grace period for Customer to export Customer Personal Data via the Service
- After the grace period, Customer Personal Data is deleted from active systems within 90 days
- Backup copies are deleted as per the backup retention schedule (within 35 days of the production deletion)
- Statutory retention: Customer Personal Data may be retained longer where required by Indian law (e.g., Income Tax records). Such retention is in a restricted-access archive and is not used for any other purpose.
9.3 Confirmation of deletion
On Customer's request, Infomaze provides a written confirmation of deletion.
Liability and indemnification
The limitation of liability and indemnification provisions in the Terms of Service apply to this DPA. Each party indemnifies the other for breaches of its respective obligations under this DPA, subject to those limits.
Nothing in this DPA limits either party's statutory liability under the DPDP Act for its respective acts and omissions.
Term and changes
11.1 Duration
This DPA is effective from the date Customer accepts the Terms of Service and continues until all Customer Personal Data has been deleted in accordance with Section 9.
11.2 Updates
Infomaze may update this DPA to reflect changes in law (including DPDP Rules issued under the DPDP Act), the Service, or sub-processor list. Material changes will be communicated at least 30 days in advance. Continued use after the effective date constitutes acceptance.
11.3 Conflict
If there is a conflict between this DPA and the Terms of Service, this DPA prevails on data processing matters.
Governing law
This DPA is governed by the laws of India. Disputes are resolved as described in the Terms of Service — arbitration in Bengaluru, exclusive jurisdiction of Bengaluru courts for related court proceedings.
Contact and signatures
Infomaze contact
| Contact | Details |
|---|---|
| Email (DPA matters) | dpa@hrplanr.com |
| Email (privacy queries) | privacy@hrplanr.com |
| Email (security) | security@hrplanr.com |
| Grievance Officer | grievance@hrplanr.com |
| Postal address | [REGISTERED ADDRESS], Bengaluru, Karnataka, India |
How to execute this DPA
For most customers, accepting the Terms of Service constitutes acceptance of this DPA. For Enterprise customers requiring a signed DPA, please email dpa@hrplanr.com with your details and we will execute via DocuSign or Aadhaar e-sign within 5 business days.