Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the agreement between Navdhya Ritual Services ("Navdhya," "we," "us," or "our") and our customers or partners ("Customer," "you," or "your") regarding the processing of personal data in connection with our services.

Last Updated: November 1, 2025

Definitions

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal Data

Any information relating to an identified or identifiable natural person ("data subject").

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

Roles and Responsibilities

Navdhya as Processor

When Navdhya processes personal data on behalf of a customer:

  • Navdhya acts as a data processor
  • The customer acts as the data controller
  • Navdhya processes data only as instructed by the controller
  • Navdhya maintains records of processing activities

Navdhya as Controller

When Navdhya determines the purposes and means of processing:

  • Navdhya acts as the data controller
  • Customers whose data we process are data subjects
  • We are responsible for compliance with data protection laws
  • We implement appropriate technical and organizational measures

Details of Processing

Subject Matter

The subject matter of processing includes:

  • Provision of ritual and spiritual services
  • Customer account management and support
  • Booking and scheduling services
  • Communication and marketing activities
  • Analytics and business intelligence

Duration

The duration of processing is:

  • For the term of the customer relationship
  • Plus retention period as required by law
  • Subject to earlier termination upon request
  • Archival for legal and compliance purposes

Nature and Purpose

The nature and purpose of processing include:

  • Performance of contractual obligations
  • Compliance with legal requirements
  • Provision of requested services
  • Customer communication and support
  • Business improvement and analytics

Types of Personal Data

Categories of personal data processed:

  • Contact information (name, email, phone, address)
  • Identity verification data (ID documents, photos)
  • Service usage and interaction data
  • Payment and financial information
  • Preferences and communication history

Categories of Data Subjects

Individuals whose data is processed:

  • Customers and service users
  • Prospective customers and leads
  • Employees and contractors
  • Family members and household contacts
  • Website visitors and app users

Processor Obligations

Processing Instructions

Navdhya will process personal data only:

  • In accordance with documented instructions
  • As required by applicable law
  • With prior written consent for new processing
  • Subject to this Addendum and privacy policy

Confidentiality

Navdhya ensures confidentiality by:

  • Requiring confidentiality agreements from personnel
  • Implementing access controls and authentication
  • Restricting data access to authorized individuals
  • Providing training on data protection obligations

Security Measures

Technical and organizational measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Incident response and breach notification procedures
  • Access logging and monitoring systems
  • Physical security for data storage facilities

Sub-processing

Use of third-party subprocessors requires:

  • Prior written consent from the controller
  • Written contracts with equivalent obligations
  • Regular monitoring of subprocessor compliance
  • Immediate notification of subprocessor changes

Controller Rights and Obligations

Data Subject Rights

The controller may exercise rights including:

  • Access to personal data being processed
  • Rectification of inaccurate personal data
  • Erasure of personal data when appropriate
  • Restriction of processing in certain cases
  • Data portability in structured formats

Controller Obligations

The controller must:

  • Provide accurate and lawful personal data
  • Ensure appropriate legal basis for processing
  • Inform data subjects of processing activities
  • Respond to data subject requests appropriately
  • Comply with data protection laws and regulations

Third-Party Subprocessors

Navdhya uses the following categories of subprocessors:

  • Cloud infrastructure providers (AWS, Google Cloud)
  • Payment processing services (Razorpay, Stripe)
  • Email and communication platforms (SendGrid, Twilio)
  • Analytics and marketing tools (Google Analytics, Meta Pixel)
  • Customer support and CRM systems (Zendesk, Salesforce)
  • Security and monitoring services (DataDog, Sentry)

Current list of subprocessors is available upon request. We will notify controllers of any changes to subprocessors.

International Data Transfers

Transfer Mechanisms

For international data transfers, we implement:

  • Standard contractual clauses for EU transfers
  • Binding corporate rules for internal transfers
  • Adequacy decisions for approved countries
  • Appropriate safeguards for high-risk transfers

Data Localization

Our data storage and processing locations:

  • Primary data centers in India
  • Backup and disaster recovery in Singapore
  • CDN and edge locations globally
  • Processing in accordance with local laws

Assistance and Cooperation

Navdhya will assist the controller with:

  • Fulfillment of data subject requests
  • Data protection impact assessments
  • Prior consultation with supervisory authorities
  • Security breach notification and response
  • Compliance with data protection obligations

Data Breach Notification

Notification Requirements

Upon becoming aware of a personal data breach:

  • Notify the controller without undue delay
  • Provide detailed information about the breach
  • Include likely consequences and mitigation measures
  • Document the breach and response actions

Response Measures

Our breach response procedures include:

  • Immediate containment and investigation
  • Assessment of risks to data subjects
  • Notification to affected individuals when required
  • Reporting to supervisory authorities as needed

Data Deletion and Return

Upon termination of services or at the controller's request:

  • Return or delete all personal data processed
  • Certify destruction of copies and backups
  • Retain data only as required by law
  • Provide written confirmation of deletion

Audits and Inspections

Audit Rights

The controller may:

  • Request information about processing activities
  • Conduct audits with reasonable notice
  • Engage third-party auditors at their expense
  • Review compliance documentation and records

Compliance Measures

Navdhya maintains:

  • Records of processing activities
  • Security and compliance documentation
  • Training records for personnel
  • Incident response and breach logs

Liability and Indemnification

Each party's liability is limited to:

  • The amount paid under the agreement in the preceding 12 months
  • Direct damages only, excluding indirect or consequential damages
  • Indemnification for breaches of data protection obligations
  • Compliance with statutory liability limitations

Governing Law and Jurisdiction

This Addendum is governed by:

  • The laws of India, without regard to conflict of law principles
  • GDPR for processing of EU personal data
  • Applicable data protection laws in other jurisdictions
  • International data transfer regulations

Contact Information

For questions about this Data Processing Addendum or to request information about our data processing practices, contact:

Navdhya Data Protection Officer
Email: dpo@navdhya.com
Phone: +91-7289000377
Postal Address: Navdhya Ritual Services, Pandav Nagar, Delhi 110092, India