DPA

Our standing Data Processing Addendum.

This is Paiteq's standing DPA, the terms that govern how we process personal data on your behalf when you engage us. In most engagements you are the controller and Paiteq is the processor. Request a signed copy via info@paiteq.com.

Last updated 30 May 2026
Roles Controller / Processor
Entity Paiteq Private Limited
Execute via info@paiteq.com

Last updated: · Paiteq Private Limited (founded 2017) · HQ Bengaluru, Karnataka 560077, India · US mailing 539 W. Commerce St #1814, Dallas, TX 75208

001 / TERMS

The addendum, clause by clause.

This page mirrors the standing DPA we counter-sign for clients. It is a plain-language summary of the operative terms; the executed contract version controls. We can send a signed and countersigned copy on request.

  1. 001

    Roles & scope

    For the purposes of applicable data-protection law, the client is the data controller and Paiteq Private Limited is the data processor. Paiteq processes personal data only on the documented instructions of the controller.

    The nature and purpose of the processing is the delivery of the AI engineering services engaged, scoping, building, evaluating, deploying, and operating the systems described in the applicable statement of work (SOW). The duration of processing matches the engagement term.

  2. 002

    Categories of data & data subjects

    The categories of personal data and categories of data subjects depend on the engagement and are defined per SOW, for example end-user records, support transcripts, or documents within scope of the workload.

    No special-category data (health, biometric, financial, or other sensitive data under GDPR Art. 9) is processed without explicit written agreement defining the additional safeguards.

  3. 003

    Sub-processors

    Paiteq engages sub-processors to deliver the services, including Sanity (CMS), cloud hosting / CDN providers, email and CRM tooling, and model / LLM providers (Anthropic, OpenAI, and others). We maintain a current list of sub-processors and notify the controller of additions or changes with reasonable notice so objections can be raised.

    Flow-down obligations apply: each sub-processor is bound by data-protection terms no less protective than those in this addendum, and Paiteq remains responsible for their performance.

  4. 004

    International transfers

    Processing may take place in India, the United States, and the EU. Where personal data subject to EU or UK GDPR is transferred outside the EEA / UK, the transfer is governed by the appropriate safeguards, the Standard Contractual Clauses (SCCs) and, where required, the UK International Data Transfer Addendum, together with any supplementary measures the transfer assessment requires.

  5. 005

    Security measures

    Paiteq applies the security posture described on the security page: SOC-2-ready practices, audit logs, least-privilege IAM, key rotation, and encryption in transit and at rest, alongside HIPAA-ready and GDPR-ready engagement patterns.

    To be explicit: these are practices, not certifications. Paiteq is not itself SOC 2 Type II or ISO 27001 certified as a vendor. If your procurement requires a vendor SOC 2 report, flag it early and we'll route accordingly.

  6. 006

    Personal-data breach

    On becoming aware of a personal-data breach affecting controller data, Paiteq notifies the controller without undue delay and provides the information the controller reasonably needs to meet its own notification obligations to authorities and data subjects. We assist the controller in investigating, mitigating, and remediating the breach.

  7. 007

    Data-subject requests

    Taking the nature of the processing into account, Paiteq assists the controller by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects to exercise their rights, access, rectification, erasure, portability, restriction, and objection. Requests received directly by Paiteq are routed to the controller rather than actioned independently.

  8. 008

    Return & deletion

    On termination or expiry of the engagement, Paiteq, at the controller's choice, deletes or returns the personal data it processes on the controller's behalf and deletes existing copies, subject to any legal-retention obligation that requires storage for a defined period. Backup copies are purged on their normal rotation cycle.

  9. 009

    Audit rights

    Paiteq makes available to the controller the information reasonably necessary to demonstrate compliance with this addendum, and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates, on reasonable prior notice and during business hours, subject to confidentiality and not unreasonably disrupting operations.

002 / HOW TO EXECUTE

Get a signed, countersigned copy.

If your procurement needs a DPA on file before data touches our infrastructure, request one and we'll send a signed copy to countersign, or counter-sign yours. We typically sign the DPA alongside the NDA before discovery on regulated engagements.

REQUEST VIA info@paiteq.com
  • Email info@paiteq.com or use the contact form with your entity details and the engagement in scope.
  • We send our standard DPA to countersign, or counter-sign your paper if you have a preferred template.
  • Sub-processor list and security posture (see the security page) are provided as exhibits.
003 / Need it on file before discovery?

Request a signed DPA.

We counter-sign the DPA alongside the NDA before any regulated data touches our infrastructure. An engineer handles the paperwork in parallel with scoping.