EmployeeSight


Data Processing Addendum.

Last reviewed · 15 May 2026

Working draft · counsel review pending

This Data Processing Addendum is a working draft prepared from public Indian statutes (the Digital Personal Data Protection Act, 2023; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”); and the Indian Contract Act, 1872) and standard SaaS contractual practice. It is pending review by Indian SaaS legal counsel. For any current contractual relationship, the executed Master Agreement and DPA signed between the parties govern. Questions: email sales@employeesight.com with subject “Legal — Data Processing Addendum”.

1. Definitions & roles

This Data Processing Addendum (“DPA”) forms part of the Master Agreement / Order Form between EmployeeSight and the Customer. Capitalised terms not defined here have the meanings given in the Terms of Service.

Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”):

  • The Customer is the Data Fiduciary in respect of personal data of its employees, contractors, and other Data Principals whose data it processes through the Service.
  • EmployeeSight is the Data Processor (as defined in DPDP s.2(k) and engaged by the Data Fiduciary under a valid contract per DPDP s.8(2)), processing such personal data strictly on the Customer’s documented instructions and for the purposes set out in the Master Agreement.

2. Scope of processing

EmployeeSight processes Customer-controlled personal data consisting of: employee identifiers, payroll-related data (salary structures, statutory deductions, bank details), attendance and time-tracking records, productivity telemetry (where the workforce product is enabled), document attachments, and biometric attendance signals (where biometric integration is enabled). Processing duration matches the term of the Master Agreement.

3. Processor obligations

EmployeeSight will:

  • Process Customer personal data only on the Customer’s documented instructions, except where required by applicable Indian law (in which case we will inform the Customer before processing, unless prohibited from doing so by law).
  • Ensure personnel authorised to process Customer personal data are bound by appropriate confidentiality obligations.
  • Implement the technical and organisational measures set out in §5.
  • Engage sub-processors only on the terms set out in §4.
  • Assist the Customer with Data Principal rights requests per §7.
  • Notify the Customer of personal data breaches per §6.
  • Return or delete Customer personal data on termination per §10.
  • Make available the information reasonably necessary to demonstrate compliance with this DPA, and submit to audits per §8.

4. Sub-processors

EmployeeSight engages the following sub-processors as of the last-reviewed date. We notify the Customer in writing at least thirty (30) days before adding or replacing a sub-processor.

  • Amazon Web Services India Private Limited — cloud infrastructure, Mumbai region (ap-south-1).
  • Payment processor — specific vendor confirmed at GA. Used for subscription billing only; full card numbers are never stored by EmployeeSight.
  • Transactional email provider — specific vendor confirmed at GA. Used for system emails (account, billing, alerts).
  • Error tracking provider — specific vendor confirmed at GA. Used for application error and performance monitoring; we configure these tools to scrub personal data from error payloads.

EmployeeSight remains liable for each sub-processor’s acts and omissions under this DPA.

5. Technical & organisational measures

  • Encryption — AES-256 at rest, TLS 1.3 in transit.
  • Access controls — role-based, least-privilege, with SSO + MFA for EmployeeSight personnel with production access.
  • Audit logging — every administrative action on Customer data is logged immutably.
  • Data residency — AWS Mumbai (ap-south-1) by default.
  • Vulnerability management — continuous dependency scanning + quarterly third-party penetration testing.
  • Backups — encrypted, India-region, with periodic restore testing.

Further detail is published on our security page.

6. Breach notification

EmployeeSight will:

  • Notify CERT-In within six (6) hours of becoming aware of a reportable cyber incident, per the CERT-In Directions 2022.
  • Support the Customer’s notification of the Data Protection Board of India and affected Data Principals under DPDP s.8(6). That notification is the Data Fiduciary’s (the Customer’s) obligation; EmployeeSight will supply the breach details needed to make it, in the form and within the timeline the Customer requests.
  • Notify the Customer without undue delay (and in any case within seventy-two (72) hours of confirmation) of any personal data breach affecting Customer personal data, including the nature of the breach, the categories and approximate volume of data affected, the likely consequences, and the steps EmployeeSight is taking.
  • Cooperate with the Customer’s own notification obligations to its Data Principals and regulators.

7. Data Principal rights assistance

EmployeeSight provides reasonable assistance to the Customer to enable the Customer to respond to Data Principal requests under DPDP ss.11–14 (access, correction, completion, updation, erasure, nomination, grievance). Most requests are self-serve for the Customer via in-product tooling; for any request that isn’t self-serve, EmployeeSight responds within thirty (30) days of a verifiable written request from the Customer.

8. Audit rights

On reasonable advance notice (and not more than once per twelve (12) months unless required by a regulator), the Customer may audit EmployeeSight’s compliance with this DPA, with scope limited to processing of the Customer’s personal data. A written audit summary or current third-party certification (SOC 2 Type II / ISO 27001) is acceptable in lieu of an on-site audit unless the Customer can demonstrate a specific concern that requires direct verification.

9. Cross-border transfer

EmployeeSight does not transfer Customer personal data outside India unless the Customer explicitly enables a cross-border feature and the destination jurisdiction has not been restricted by the Central Government under DPDP s.16. Cross-region exports remain subject to DPDP Act 2023 obligations and are logged in the Customer’s audit trail.

10. Return & deletion on termination

On termination of the Master Agreement, EmployeeSight makes Customer personal data available for export by the Customer for ninety (90) days. After ninety (90) days, EmployeeSight deletes Customer personal data from primary systems and purges it from backups within an additional thirty-five (35) days. Statutory retention (e.g., payroll records under the Income Tax Act, 1961) is preserved as required by applicable law.

11. Liability & indemnity

Each party’s liability arising out of or related to this DPA is governed by the limitation of liability and indemnification clauses of the Terms of Service.

12. Term & survival

This DPA is coterminous with the Master Agreement. Obligations that by their nature should survive termination — including §6 (Breach notification cooperation for events occurring during the term), §8 (Audit rights for the period the data was processed), §10 (Return & deletion), and §11 (Liability) — survive termination.

13. Governing law & jurisdiction

This DPA is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts at Noida, Uttar Pradesh, consistent with the Terms of Service §16.

14. Contact

Data protection enquiries: sales@employeesight.com with subject “DPDP / DPA”. One inbox routes everything for now — we’ll provision a dedicated data-protection inbox when the team scales.