Data Processing Agreement

Last updated: 16 April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between the customer (“Controller”) and Akaro AI, a sole proprietorship of Rohan Vij, registered under the Delhi Shops & Establishment Act, 1954 (Registration No. 2026019320), with its place of business at Flat No. 19, Jeevan Bima Apartment, East Arjun Nag, Delhi 110032, India (“Processor” or “Akaro”), and applies where Akaro processes Personal Data on behalf of the Controller in connection with the Services. In case of conflict, this DPA prevails over the Agreement for matters relating to the processing of Personal Data.

Capitalised terms not defined here have the meanings given in Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, or equivalent applicable data protection law, as context requires.

1. Roles and scope

  • Controller determines the purposes and means of the processing of Personal Data it submits to the Services.
  • Processor processes Personal Data only on documented instructions from the Controller, including as set out in the Agreement and this DPA.
  • This DPA applies to Personal Data contained in Customer Content and in configuration data provided by Controller’s users. It does not apply to Personal Data Akaro collects as an independent controller (e.g., billing information, website visitor data) — those are addressed in the Privacy Policy.

2. Subject matter and duration

Subject matter: processing of Personal Data necessary to provide the Services described in the Agreement, including hosting, indexing, retrieval, AI-assisted answer generation, and third-party connector imports.

Duration: for the term of the Agreement, plus any period afterwards during which Akaro retains Personal Data as permitted or required by law (e.g., residual data in encrypted backups until rotation).

Nature and purpose: storage, retrieval, generation, and transmission to authorised sub-processors to operate the Services.

Categories of data subjects: Controller’s personnel and other individuals whose Personal Data is included in Customer Content.

Categories of Personal Data: contact details (name, email, phone), authentication data, role and permissions, document content uploaded or connected, activity logs, and any other Personal Data the Controller chooses to include in Customer Content.

Special category data: the Services are not designed for the processing of special category data or data relating to criminal convictions. Controller should not upload such data unless it has a lawful basis and notifies Akaro in writing.

3. Processor obligations

Akaro shall:

  • Process Personal Data only on documented instructions from the Controller, including as set out in the Agreement and as documented in Controller’s configuration of the Services; notify Controller if Akaro believes an instruction infringes applicable law;
  • Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations;
  • Implement the technical and organisational measures described in Section 5 and the Security page;
  • Engage sub-processors only under Section 4;
  • Assist Controller, taking into account the nature of the processing and the information available, in responding to data-subject requests and in complying with Controller’s obligations under Articles 32–36 GDPR;
  • At the Controller’s choice, delete or return all Personal Data after the end of the provision of Services, subject to legal retention requirements and residual copies in encrypted backups that roll off in the ordinary course;
  • Make available to the Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits as described in Section 7.

4. Sub-processors

The Controller grants Akaro a general authorisation to engage sub-processors to provide the Services, subject to the terms of this Section. Akaro’s current sub-processors are listed at akaro.ai/legal/subprocessors, which also identifies the services they perform and their processing locations.

Before engaging a new sub-processor, Akaro will update the sub-processor list with at least 30 days’ prior notice. Controllers may subscribe to email notifications of sub-processor changes by emailing [email protected]. If Controller reasonably objects to the new sub-processor on data protection grounds, Controller may terminate the affected Services on written notice.

Akaro will impose on each sub-processor, by written contract, data protection obligations that are substantially the same as those under this DPA.

5. Security

Akaro implements and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Current measures include:

  • TLS 1.2+ for data in transit between clients, the platform, and sub-processor APIs;
  • Encryption at rest for the operational database (provided by MongoDB Atlas, AES-256);
  • Encryption of third-party connector tokens at application level using Fernet (AES-128-CBC with HMAC-SHA256);
  • Password hashing using bcrypt;
  • Short-lived JWT access tokens and optional two-factor authentication (TOTP);
  • Role-based access controls within the Services and principle-of-least-privilege access for Akaro personnel to production systems;
  • Logging of authentication events, privileged administrative actions, and application errors, retained for operational and security purposes;
  • Regular application of security updates to operating systems and dependencies; monitoring of vulnerabilities disclosed in components we depend on.

Additional measures are described in the Security page, which is incorporated into this DPA by reference and may be updated from time to time to reflect improvements.

6. International transfers

Where the processing of Personal Data involves a transfer out of the EEA, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of protection, the parties agree that Module Two (Controller-to-Processor) of the European Commission’s Standard Contractual Clauses (Decision 2021/914) is incorporated by reference and applies to such transfers, with Akaro as the “data importer” and Controller as the “data exporter.” For transfers from the United Kingdom, the UK International Data Transfer Addendum issued by the ICO is incorporated by reference. For transfers from Switzerland, the SCCs apply as amended by the Swiss Federal Data Protection and Information Commissioner’s guidance.

In the SCCs, the governing law is Ireland (Clause 17 option 1), the forum is Ireland (Clause 18(b)), and docking is permitted (Clause 7). The technical and organisational measures in the Security page satisfy Annex II; the sub-processor list in /legal/subprocessors satisfies Annex III.

7. Audits

Akaro will make available, on reasonable request to [email protected], information reasonably necessary to demonstrate compliance with this DPA, including responses to a customer security questionnaire. On reasonable prior written notice (and no more than once per 12-month period unless otherwise required by a supervisory authority), Controller may request an audit of Akaro’s data-protection practices, conducted during business hours, subject to appropriate confidentiality obligations, and at Controller’s reasonable expense. Where available, Akaro may satisfy audit obligations by providing third-party attestation reports.

8. Personal data breach

Akaro will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Personal Data, and in any case no later than 72 hours after such awareness. The notification will describe the nature of the breach, likely consequences, and measures taken or proposed. Akaro will cooperate reasonably with Controller’s breach-response obligations under applicable law.

9. Deletion and return

On termination of the Agreement, Akaro will, at Controller’s written election, delete or return Personal Data in its possession, except for copies retained to comply with applicable law and residual copies in encrypted backups that roll off in the ordinary course. Where in-product deletion is available, Controller may delete Personal Data directly; deletion of content in the product propagates to the associated vector embeddings used for search.

10. Liability and order of precedence

Each party’s liability under this DPA is subject to the exclusions and limitations of liability in the Agreement. Where this DPA conflicts with the Agreement, this DPA prevails solely with respect to the processing of Personal Data. Where this DPA conflicts with the SCCs, the SCCs prevail.

11. Signing

This DPA is automatically incorporated into the Agreement for every customer. No counter-signature is required for it to be effective. If your organisation requires a counter-signed version — for example, to reference specific SCC modules or to attach your Annex details — email [email protected] and we will return a signed copy, generally within 5 business days.

12. Contact

Data Protection Officer — Rohan Vij

Email: [email protected]

Postal: Flat No. 19, Jeevan Bima Apartment, East Arjun Nag, Delhi 110032, India