
Data Processing Agreement

Template · Last updated: 6 June 2026 · India (DPDP Act 2023) + EU/UK (Art. 28 GDPR)

This Data Processing Agreement ("DPA") supplements the Terms of Service between Project MARINA Private Limited ("Processor") and the Customer ("Controller" / "Data Fiduciary"). By executing the order form or beginning paid use of the Service, the parties agree to this DPA. Print-ready PDF: /dpa/marina-dpa.pdf.

1. Subject matter and duration

Processor processes Personal Data on Controller's behalf to provide the workforce intelligence Service. Duration: the term of the underlying agreement plus any wind-down period.

2. Nature and purpose of processing

Collection, storage, transmission, and analysis of employee activity telemetry, AI summary generation and verification, dashboarding for managers, audit logging, and notification.

3. Categories of Data Principals

Controller's employees, contractors, and the Controller's own administrators.

4. Types of Personal Data

Identity (name, email, GitHub login, avatar); workstation telemetry (active app names, idle time, optional window titles); GitHub events; punch-in/out shifts with summaries; break reasons; leave dates and reasons; AI-derived labels.

5. Processor obligations

  1. Process Personal Data only on Controller's documented instructions.
  2. Ensure persons authorised to process are under confidentiality obligations.
  3. Implement the security measures set out in Annex II (Sub-processor list and Technical & Organisational Measures), available at /security.
  4. Engage Sub-processors only with Controller's prior general authorisation. The current list is at /sub-processors. Material additions are notified 30 days in advance.
  5. Assist Controller with Data Principal rights requests under DPDP Act §§ 11–15 and GDPR Arts. 12–22.
  6. Assist Controller with the security obligations under DPDP Act § 8 and GDPR Arts. 32–36.
  7. Notify Controller of a Personal Data Breach without undue delay and in any event within 24 hours.
  8. At end of services, at Controller's choice, delete or return all Personal Data within 30 days.
  9. Make available all information needed to demonstrate compliance, and allow audits (max once per year, on 30 days' notice).

6. Sub-processors (Annex II)

  • Neon (US, EU) — Postgres database hosting.
  • Vercel (Global edge) — application hosting.
  • Groq, Inc. (US) — AI inference (Llama 3.3) for narrative + verification.
  • OpenAI, LLC (US) — AI inference (gpt-4o-mini) for narrative + verification.
  • Resend (US, EU) — transactional email.
  • Slack (US) — only if Controller configures a Slack webhook.
  • Cloudflare R2 or Vercel Blob — screenshot blob storage (48h retention).

7. Cross-border transfers

Some Sub-processors host data outside India. Transfers are made under DPDP Act § 16 and, where applicable, the EU Standard Contractual Clauses (Commission Decision 2021/914). On request, MARINA will execute the UK International Data Transfer Addendum.

8. Liability and indemnity

The liability provisions of the main agreement apply to this DPA. Nothing here limits any party's liability under applicable law for fines imposed by a regulator on the party that caused the breach.

9. Governing law

India, courts of Bengaluru.

Annex I · Technical and organisational measures

See /security. Summary: TLS 1.3 everywhere, sha256-hashed tokens at rest, Keychain-backed local token storage, sandboxed Electron preload, rate limiting on agent endpoints, audit log of every privileged action, 48-hour screenshot purge, owner-only org settings, automatic database backups with point-in-time recovery.

To execute this DPA, email thetanishgarg@gmail.com with your company details. A countersigned PDF will be returned within 2 business days.