Our standing Data Processing Addendum.
This is Paiteq's standing DPA, the terms that govern how we process personal data on your behalf when you engage us. In most engagements you are the controller and Paiteq is the processor. Request a signed copy via info@paiteq.com.
Last updated: · Paiteq Private Limited (founded 2017) · HQ Bengaluru, Karnataka 560077, India · US mailing 539 W. Commerce St #1814, Dallas, TX 75208
The addendum, clause by clause.
This page mirrors the standing DPA we countersign for clients. It is a plain-language summary of the operative terms; the executed contract version controls. We can send a signed and countersigned copy on request.
- 001
Roles & scope
For the purposes of applicable data-protection law, the client is the data controller and Paiteq Private Limited is the data processor. Paiteq processes personal data only on the documented instructions of the controller.
The nature and purpose of the processing is the delivery of the AI engineering services engaged: scoping, building, evaluating, deploying, and operating the systems described in the applicable statement of work (SOW). The duration of processing matches the engagement term.
- 002
Categories of data & data subjects
The categories of personal data and categories of data subjects depend on the engagement and are defined per SOW (for example, end-user records, support transcripts, or documents within scope of the workload).
No special-category data (health, biometric, financial, or other sensitive data under GDPR Art. 9) is processed without explicit written agreement defining the additional safeguards.
- 003
Sub-processors
Paiteq engages sub-processors to deliver the services, including Sanity (CMS), cloud hosting / CDN providers, email and CRM tooling, and model / LLM providers (Anthropic, OpenAI, and others). We maintain a current list of sub-processors and notify the controller of additions or changes with reasonable notice so objections can be raised.
Flow-down obligations apply: each sub-processor is bound by data-protection terms no less protective than those in this addendum, and Paiteq remains responsible for their performance.
- 004
International transfers
Processing may take place in India, the United States, and the EU. Where personal data subject to EU or UK GDPR is transferred outside the EEA / UK, the transfer is governed by the appropriate safeguards: the Standard Contractual Clauses (SCCs) and, where required, the UK International Data Transfer Addendum, together with any supplementary measures the transfer assessment requires.
- 005
Security measures
Paiteq applies the security posture described on the security page: SOC-2-ready practices, audit logs, least-privilege IAM, key rotation, and encryption in transit and at rest, alongside HIPAA-ready and GDPR-ready engagement patterns.
To be explicit: these are practices, not certifications. Paiteq is not itself SOC 2 Type II or ISO 27001 certified as a vendor. If your procurement requires a vendor SOC 2 report, flag it early and we'll route accordingly.
- 006
Personal-data breach
On becoming aware of a personal-data breach affecting controller data, Paiteq notifies the controller without undue delay and provides the information the controller reasonably needs to meet its own notification obligations to authorities and data subjects. We assist the controller in investigating, mitigating, and remediating the breach.
- 007
Data-subject requests
Taking the nature of the processing into account, Paiteq assists the controller by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects to exercise their rights: access, rectification, erasure, portability, restriction, and objection. Requests received directly by Paiteq are routed to the controller rather than actioned independently.
- 008
Return & deletion
On termination or expiry of the engagement, Paiteq, at the controller's choice, deletes or returns the personal data it processes on the controller's behalf and deletes existing copies, subject to any legal-retention obligation that requires storage for a defined period. Backup copies are purged on their normal rotation cycle.
- 009
Audit rights
Paiteq makes available to the controller the information reasonably necessary to demonstrate compliance with this addendum, and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates, on reasonable prior notice and during business hours, subject to confidentiality and not unreasonably disrupting operations.
Get a signed, countersigned copy.
If your procurement needs a DPA on file before data touches our infrastructure, request one and we'll send a signed copy to countersign, or countersign yours. We typically sign the DPA alongside the NDA before discovery on regulated engagements.
- Email info@paiteq.com or use the contact form with your entity details and the engagement in scope.
- We send our standard DPA to countersign, or countersign your paper if you have a preferred template.
- Sub-processor list and security posture (see the security page) are provided as exhibits.
Request a signed DPA.
We countersign the DPA alongside the NDA before any regulated data touches our infrastructure. An engineer handles the paperwork in parallel with scoping.