Data Processing Agreement

This Data Processing Agreement (“Agreement”) is incorporated into and forms part of the Terms andConditions (“Terms”) available at www.arya.ai (“Website”) for the Arya.ai Platform. By accepting the Terms,whether by clicking “I accept” or similar button or by accessing or using the Arya.ai Platform, Customer explicitlyagrees to be bound by this Agreement. This Agreement is deemed to be an integral part of the Terms enteredinto between Lithasa Technologies Private Limited, a company incorporated under the laws of India, itsaffiliates, assigns, subsidiaries (“Company” or “Arya”) and the Customer. This Agreement shall be interpretedin accordance with the laws of India and shall comply with both Indian data protection laws and the dataprotection requirements of the Customer's jurisdiction where applicable.Under this Agreement, Company primarily acts as a Data Processor processing Personal Data on behalf ofthe Customer (who acts as the Data Controller) in connection with the Customer’s use of the Arya.ai Platform.Company may also act as an independent Controller for certain processing activities related to platformadministration and improvement.

DEFINITIONS

For the purposes of this Agreement, the terms: “Controller”, “Data Subject”, “Joint-Controller(s)”, “PersonalData”, “Personal Data Breach”, “Processing”, “Processor”, “Special Categories of Personal Data”, and“Sub-Processor” shall have the meanings given to them in the Digital Personal Data Protection Act, 2023.Where Customer is subject to other privacy laws such as GDPR or UK GDPR, these terms shall be interpretedto include their corresponding definitions under such laws to ensure compliance with all applicablerequirements. The following additional terms shall have the meanings:

Customer means the entity or person that has agreed to the Terms to use the Arya.ai Platform.
Company means Lithasa Technologies Private Limited, having its registered office at 3rd Floor, Prudential IT Park, Hiranandani Gardens, Powai, Mumbai 400076, India with CIN No. U72300MH2013PTC362043
Applicable Privacy Laws all applicable data protection and privacy legislation in force from time to time including:
  1. Indian laws such as the Digital Personal Data Protection Act, 2023 read with rules and regulations framed thereunder;
  2. where applicable to Customer's jurisdiction, laws such as GDPR, UK GDPR, or other regional privacy regulations;
  3. all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data; and
  4. the guidance and codes of practice issued by relevant regulatory authorities in applicable jurisdictions;
Protected Data means the Personal Data as explicitly set forth in Part A of this Agreement, which is uploaded to, generated within, or accessed through the Arya.ai Platform, including but not limited to user data, artificial intelligence models, training data, and any other personal data processed as part of the AI and PaaS services, including any data transferred through third-party integrations by or on behalf of the Customer and processed by the Company in its capacity as Processor on behalf of the Customer (acting as Controller) in connection with the Customer's use of the Arya.ai Platform.

1. SCOPE OF THIS AGREEMENT

For the purposes of this Agreement and the Terms, the parties acknowledge and agree that:

(a) This Agreement applies to all Personal Data processed by the Company through the Arya.aiPlatform on behalf of the Customer, including data accessed through the Website, artificialintelligence services, PaaS solutions, and third-party integrations, which shall be processed incompliance with the Applicable Privacy Laws.

(b) Independent Controllers. This Agreement does not apply to the parties’ respective obligationsas independent Controllers of Personal Data. Company and the Customer operate as separateControllers in respect to the Personal Data either party may independently process in connectionwith the performance of obligations under the Terms or otherwise. Accordingly:

  1. the Company shall be deemed a separate Controller for any Personal Data (i) it collects toprovide the services to its clients and customers; and (ii) it collects in the course of providingthe Arya.ai Platform for platform administration and improvement.
  2. Customer shall be deemed a separate Controller for Personal Data related to its employeesand customers.
  3. The parties hereby undertake to respect applicable laws which apply to them as separateControllers and to be liable separately for their own controllership obligations andresponsibilities when acting as separate Controllers.

2. ROLES OF THE PARTIES

The parties agree that this Agreement shall only apply to processing activities whereby:

(a) The Protected Data is exchanged between the Company and the Customer, as part of and in thecourse of performance of their respective obligations under the Terms.

(b) The Company acts as a Data Processor for Customer data processed through the Arya.aiPlatform, and as an independent Controller only for specific platform administration andimprovement activities as detailed in Section 13 of this Agreement.

Nothing in this Agreement relieves either party of any of their respective responsibilities or liabilitiesunder the Applicable Privacy Laws.

3. CUSTOMER’S COMPLIANCE WITH APPLICABLE PRIVACY LAWS

When acting as Controller, Customer shall at all times comply with all Applicable Privacy Laws.Customer shall ensure that all instructions given by it to the Company in respect of Protected Data(including the terms of this Agreement) shall at all times be in accordance with Applicable Privacy Laws.Customer shall be solely responsible for ensuring that it has obtained all applicable consents and hasprovided all advance notice and information of the processing contemplated hereunder to any DataSubjects, as required of it under Applicable Privacy Laws.

4 COMPANY’S COMPLIANCE WITH APPLICABLE PRIVACY LAWS

Company shall process Protected Data in compliance with the obligations placed on it under ApplicablePrivacy Laws and the terms of this Agreement.

5. INSTRUCTIONS

Company shall only process (and shall ensure that its personnel and Sub-Processors only process) theProtected Data in accordance with the Customer’s documented instructions set out at Part A of thisAgreement and the terms of this Agreement, except to the extent: (a) that alternative processinginstructions are agreed between the parties in writing; or (b) otherwise required by Applicable PrivacyLaws (in which case, the Company shall inform Customer of that legal requirement before processing,3unless applicable law prevents it doing so on important grounds of public interest). If the Companybelieves that any instruction received by it from the Customer is likely to infringe the Applicable PrivacyLaws of either India or Customer's jurisdiction, the parties shall discuss and agree on appropriateamended instructions which are not infringing.

6. SECURITY

To protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration,disclosure or access, the Company shall implement and maintain appropriate technical andorganisational measures in accordance with Applicable Privacy Laws, including but not limited to: (a)hosting data on secure cloud servers with individual customer databases and encryption at rest and intransit; (b) maintaining comprehensive audit trails of all data access and modifications; (c) implementingrole-based access controls with multi-factor authentication; (d) providing secure access through thedesktop application and web portal with session timeout controls; (e) ensuring secure integration withthird-party services; and (f) implementing specific security controls for data processing, all as furtherdetailed in Part B of this Agreement.

7. SUB-PROCESSING

The Company’s current list of Sub-Processors is set forth in Part C, which includes AI and PaaS serviceintegration partners and other sub-processors. The Company shall maintain an up-to-date list of SubProcessors and shall notify Customers of any intended changes concerning the addition or replacementof Sub-Processors by email at least thirty (30) days in advance. Customer may object to such changeswithin fourteen (14) days of receiving notice. If Customer objects to a new Sub-Processor and Companycannot reasonably accommodate Customer's objection, either party may terminate the affected servicesupon written notice.

8. DATA SUBJECTS RIGHTS

(a) The Company shall assist the Customer in ensuring compliance with Customer’s obligationsunder Applicable Privacy Laws taking into account the nature of the processing and theinformation available to the Customer. Taking into account the nature of the processing, theCustomer shall assist the Company by implementing appropriate technical and organisationalmeasures, insofar as this is possible, for the fulfilment of the Company’s obligations to respondto requests for exercising the Data Subjects’ rights under Applicable Privacy Laws in respect ofany Protected Data.

(b) Customer shall promptly notify the Company if it receives a request from a Data Subject underany Applicable Privacy Laws in respect of Personal Data processed through the Arya.ai Platform.The Customer shall coordinate with the Company on responding to such requests, consideringboth the Customer's obligations under their local privacy laws and the Company's obligationsunder Indian law. Where the Customer is required by applicable laws to respond directly, theCustomer shall, to the extent permitted by applicable laws, inform the Company of that legalrequirement before responding to the request.

9. INTERNATIONAL TRANSFERS

Company shall not transfer Protected Data to countries outside India except where appropriatesafeguards are in place in accordance with both Indian data protection laws and the data protection lawsof the Customer's jurisdiction. Any international transfers shall only occur after: (1) implementation ofappropriate data transfer agreements; (2) completion of transfer impact assessments; and (3)implementation of additional technical and organisational measures as required by applicable Indianlaws and regulations. Company shall maintain a register of all international transfers and conduct regularrisk assessments. If transfer is required by law, Company will inform the Customer of the legalrequirement before such transfer, unless prohibited by law.

10. AUDITS AND PROCESSING

The Company shall, in accordance with Applicable Privacy Laws, make available to the Customer suchinformation as is necessary to demonstrate the Company's compliance with its obligations under thisAgreement, including access to the platform's built-in auditing tools that track data access andmodifications. The Company shall maintain comprehensive audit trails both within the Arya.ai Platformand in the backend systems to enable tracking of who accessed and modified data, when, and fromwhere. The Company shall allow for and contribute to audits, including inspections, by the Customer (oranother auditor mandated by the Customer) for this purpose (subject to a maximum of one audit requestin any 12-month period, and provided that such audit is conducted on reasonable notice, during normalbusiness hours in the Company's jurisdiction of operation, and results in minimal disruption toCompany’s business, except where the audit relates to or follows a Personal Data Breach).

11. PERSONAL DATA BREACH

Company shall notify the Customer without undue delay and in any event within 72 hours of becomingaware of any Personal Data Breach affecting the Protected Data, unless a shorter timeframe is requiredby applicable laws, and shall provide sufficient information to allow the Customer to meet its obligationsunder Applicable Privacy Laws to report the breach to relevant supervisory authorities. The notificationshall include: (a) a description of the nature of the breach; (b) the categories and approximate numberof Data Subjects affected; (c) likely consequences of the breach; and (d) measures taken or proposedto address the breach. Company shall cooperate with the Customer and take all reasonable steps toinvestigate, mitigate and remediate each such Personal Data Breach.

12. DELETION/RETURN

(a) Upon termination of the Terms, Company shall provide Customer with the ability to export theProtected Data through the platform's self-service export tools in a commonly used machinereadable format (such as CSV, XML, or JSON) for a period of thirty (30) days. After this period,Company shall securely delete all Protected Data from its systems, including any copies storedin backup systems, except where required by applicable law to retain such data. This deletionprocess shall include data stored in both production and backup environments, as well as anydata transferred to integrated third-party services. Company shall provide written confirmation ofdeletion upon Customer's request.

(b) Notwithstanding the foregoing, Company may retain anonymised and aggregated data derivedfrom Customer's use of the Arya.ai Platform, provided that such data cannot be used to identify,either directly or indirectly through combination with other data, any individual Data Subject,Customer, or Customer's clients, and such anonymisation is performed in accordance with therequirements of Applicable Privacy Laws. Such anonymised data may be used for platformimprovements, statistical analysis, and service optimisation. Company shall ensure compliancewith Applicable Privacy Laws in its processing of such anonymised data.

13. ADDITIONAL PROCESSING ACTIVITIES

(a) Company may process certain Personal Data as an independent Controller strictly limited to: (1)platform usage analytics (such as feature usage patterns and system performance metrics); (2)service improvement activities using anonymised data only; and (3) internal CRM activitiesrelating to Customer contact information and account management. Such processing will begoverned by Company's Privacy Policy and conducted in accordance with Applicable PrivacyLaws.

(b) Each party will provide a compliant data privacy notice to any end-users informing such end-userstheir respective identities, the purpose or purposes for which end-user Personal Data will beprocessed, and any other information that, having regard to the specific circumstances of thecollection and expected processing, is required to enable fair processing.

14. LIABILITY

Company shall be liable for any breach of Applicable Privacy Laws resulting from its processing activitiesas a data processor. Company shall indemnify Customer for any direct losses, fines, penalties, andregulatory sanctions incurred due to Company's breach of Applicable Privacy Laws or this Agreement,subject to the limitations set forth in the Terms. Customer shall be liable for ensuring the lawful basis forprocessing and compliance with Applicable Privacy Laws in its role as data controller, includingcompliance with any additional requirements specific to Customer's jurisdiction. Each party's liabilityshall be limited to direct damages and subject to the limitations set forth in the Terms. Neither party shallbe liable for any indirect, consequential, or punitive damages except where prohibited by applicable law.All liability shall be subject to the limitations set forth in the Terms.

15. GENERAL TERMS

(a) Confidentiality. The confidentiality provisions in the Terms shall apply to all information and dataprocessed under this Agreement. Company shall ensure that all personnel with access toProtected Data are bound by appropriate confidentiality obligations through written agreementsand have received adequate data protection training covering both Indian privacy laws andinternational data protection requirements. Such training shall be updated regularly to reflectchanges in applicable laws and best practices.

(b) Notices. All notices and communications given under this Agreement must be in writing and willbe delivered in accordance with the notice provisions set out in the Terms.

(c) Governing Law and Jurisdiction. This Agreement is governed by the laws of India. Any disputearising in connection with this Agreement, which the parties will not be able to resolve amicably,will be submitted to the exclusive jurisdiction of the courts in Mumbai, India, provided that thisdoes not affect (a) the jurisdiction of relevant supervisory authorities under Applicable PrivacyLaws in Customer's jurisdiction, or (b) Data Subject rights to lodge complaints with their localsupervisory authorities.

Part A - Processing Activities

Processing of the Protected Data by Company under this Agreement and the Terms shall be for the subjectmatter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjectsset out in this Part A, in accordance with Applicable Privacy Laws, including but not limited to Indian dataprotection laws and, where applicable, other jurisdictions' privacy laws based on Customer location. Suchprocessing shall adhere to the principles of data minimisation and purpose limitation, ensuring that only datanecessary for the specified purposes is processed.

Subject-matter of processing To enable Customer's use of the Arya.ai Platform for artificial intelligence, PaaS and software services, including AI model training, data processing, analytics, and all related processing necessary for these purposes.
Duration of the processing For the duration of the Terms, and for the retention period specified in the data deletion provisions. This includes processing of Protected Data in both live systems and backups, as well as any data processed through third-party integrations enabled by the Customer.
Nature and purpose of the processing To process Personal Data as necessary for:
  1. providing artificial intelligence and PaaS services through the Arya.ai Platform;
  2. facilitating third-party integrations and API connections;
  3. providing technical support and maintenance;
  4. generating audit trails of system access and modifications;
  5. creating backups and ensuring data security.
Type of Personal Data This includes personal information processed through the AI and PaaS services, including but not limited to: user account information, training data for AI models, analytics data, and any personal information processed through the platform's features and integrations. This may include names, contact details, user behavioural data, and other personal information necessary for providing the AI and PaaS services.
Categories of Data Subjects Users of the Arya.ai Platform, customer employees, end-users of customer applications, individuals whose data is used for AI model training, and any other individuals whose personal data is processed through the Arya.ai Platform in connection with the AI and PaaS services, regardless of their geographical location.

Part B - Minimum technical and organisational security measures

In accordance with Applicable Privacy Laws, taking into account the state of the art, the costs of implementationand the nature, scope, context and purposes of the processing of the Protected Data to be carried out underor in connection with the Terms, as well as the risks of varying likelihood and severity for the rights andfreedoms of natural persons and the risks that are presented by the processing, especially from accidental orunlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted,stored or otherwise processed, Company shall implement and maintain appropriate technical andorganisational security measures proportionate to the risk, which shall be reviewed and updated at leastannually, or more frequently if required by applicable laws or significant changes in risk assessment, or uponmaterial changes to the security infrastructure, documented, and made available to the Customer through theCompany's security portal or upon written request, including but not limited to: (a) the encryption andpseudonymisation of Protected Data; (b) secured cloud infrastructure with appropriate regional servers basedon Customer requirements; (c) individual database instances for each Customer with encryption at rest; (d)comprehensive audit logging of data access and modifications through both the Arya.ai Platform interface andbackend systems; (e) role-based access controls and multi-factor authentication mechanisms for Companysupport and development staff when accessing Customer data; (f) real-time monitoring and automated alerts3for any unusual access patterns; (g) secure access mechanisms for the Arya.ai Platform including multi-factorauthentication; (h) controls over backup creation and storage with encryption requirements; (i) regularpenetration testing and security assessments.

Part C - Company's Authorised Sub-Processors and International Data Transfer Information

Sub-Processor Processing Activity and Data Categories Location of Processing (inside or outside of the UK or EEA) Compliance URL International Transfer Safeguards
The company does not have any sub-processors at the moment

Join our newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By subscribing, you agree to our terms and privacy policy. 
Products
Apex - AI API PlatformNexus - API Gateway
AI APIs
Bank Statement AnalyserHealth Vitals Monitor APIDocument Fraud DetectionDeepfake Detection APINamed Entity Recognition APISignature Detection APILiveness Detection APIFace Verification API
Autonomous Finance
BankingInsuranceLendingAI Cashflow ForecastingIntelligent Document Processing AI Onboarding
Company
About Arya AIContact Us
Resources
BlogCase StudiesNewsletterTech Blog
Success Stories
TATA AIG Improves KYC ProcessRedmil Minimizes Identity FraudLeading Bank Processes 20 Cheques Every SecondICICI Lombard Automates OnboardingAxis Bank Redefines KYC Workflows
What's NewWhat is Automated Underwriting?CFO's PlaybookSynthetic Identity FraudFraud Risk Management Guide
Legal
Privacy PolicyPayments and Refunds PolicyTerms and ConditionsData Processing Agreement
© Copyright 2025, Lithasa Technologies Pvt. Ltd.
eclipse