Data Processing Agreement (DPA)

Zenkins Technologies Pvt. Ltd.
Last Updated: June 10, 2026
Effective Date: June 10, 2026


This Data Processing Agreement (“DPA” or “Agreement”) forms part of the contractual relationship between Zenkins Technologies Pvt. Ltd. (“Zenkins,” “Data Processor,” “we,” “us”) and the client or business entity (“Client,” “Data Controller,” “you”) engaging Zenkins for IT services, software development, managed services, or any other service offering.

This DPA governs how Zenkins processes personal data on behalf of the Client in connection with the services provided under the applicable Master Service Agreement, Statement of Work, or other service contract (“Principal Agreement”).

In the event of any conflict between this DPA and the Principal Agreement, this DPA shall take precedence with respect to data protection matters.


1. Definitions

For the purposes of this Agreement, the following terms shall have the meanings given below:

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to name, email address, phone number, location data, financial information, IP address, or any other identifier.

“Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, transmission, erasure, or destruction.

“Data Controller” means the Client who determines the purposes and means of Processing Personal Data.

“Data Processor” means Zenkins Technologies, which Processes Personal Data on behalf of and under the instructions of the Data Controller.

“Sub-processor” means any third party engaged by Zenkins to Process Personal Data in connection with the services.

“Data Subject” means the individual to whom the Personal Data relates.

“Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Applicable Data Protection Law” means the Information Technology Act, 2000 (India); the Digital Personal Data Protection Act, 2023 (DPDPA, India); the General Data Protection Regulation (GDPR, EU/UK) where applicable; and any other applicable national or regional data protection legislation.


2. Scope & Purpose

2.1 This DPA applies to all Personal Data Processed by Zenkins on behalf of the Client in the course of delivering the agreed services.

2.2 The nature, purpose, duration, types of Personal Data, and categories of Data Subjects involved in each engagement are detailed in Schedule A (Description of Processing Activities) appended to this Agreement or as defined in the applicable Statement of Work.

2.3 Zenkins shall only Process Personal Data for the specific purposes described in Schedule A or as otherwise documented in written instructions from the Client.


3. Obligations of Zenkins (Data Processor)

Zenkins shall:

3.1 Process only on instructions. Process Personal Data solely on the documented instructions of the Client, unless required to do so by applicable law. In such cases, Zenkins will inform the Client of the legal requirement prior to processing, unless prohibited by law.

3.2 Confidentiality. Ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and are aware of their data protection responsibilities.

3.3 Security. Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration, as further described in Schedule B (Security Measures).

3.4 Sub-processors. Not engage any Sub-processor without the prior written consent of the Client (general or specific). Zenkins shall impose equivalent data protection obligations on any approved Sub-processor. A current list of Sub-processors is maintained and made available upon request.

3.5 Data Subject rights. Assist the Client in responding to Data Subject requests to exercise their rights (access, rectification, erasure, portability, objection, restriction) under Applicable Data Protection Law, taking into account the nature of the Processing.

3.6 Compliance assistance. Assist the Client in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments (DPIAs), and prior consultation with supervisory authorities, where applicable.

3.7 Deletion or return. Upon termination or expiry of the Principal Agreement, at the Client’s choice, delete or return all Personal Data and delete existing copies, unless applicable law requires retention.

3.8 Audit rights. Make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits or inspections conducted by the Client or their authorized representative, with reasonable prior written notice.


4. Obligations of the Client (Data Controller)

The Client shall:

4.1 Ensure it has a lawful basis for Processing Personal Data and for instructing Zenkins to Process that data on its behalf.

4.2 Provide clear, documented, and lawful instructions to Zenkins regarding the Processing of Personal Data.

4.3 Ensure that Data Subjects have been appropriately informed about the Processing, including any transfers to Zenkins as a Data Processor.

4.4 Notify Zenkins promptly of any changes in applicable law, regulatory requirements, or Data Subject rights that may affect Zenkins’ Processing activities.

4.5 Be responsible for the accuracy, quality, and legality of the Personal Data provided to Zenkins.


5. International Data Transfers

5.1 Zenkins is headquartered in Ahmedabad, Gujarat, India. Personal Data may be Processed within India and, in certain cases, by Sub-processors located in other countries.

5.2 Where Personal Data is transferred outside the country of origin, Zenkins shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law — including, where required, Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms.

5.3 Clients from the European Union, United Kingdom, or other jurisdictions with specific cross-border transfer rules should contact Zenkins to establish appropriate transfer safeguards before commencing the engagement.


6. Data Security

6.1 Zenkins implements technical and organizational security measures appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and role-based permissions
  • Regular security audits and vulnerability assessments
  • Employee training on data protection and information security
  • Incident response and breach management procedures
  • Secure disposal and deletion practices

6.2 Full details of security measures are set out in Schedule B.


7. Data Breach Notification

7.1 Zenkins shall notify the Client without undue delay — and in any event within 72 hours of becoming aware — of a confirmed or reasonably suspected Personal Data Breach affecting Client data.

7.2 The notification shall include, to the extent available:

  • A description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate volume of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

7.3 The Client is responsible for notifying relevant supervisory authorities and affected Data Subjects as required by Applicable Data Protection Law.


8. Sub-processors

8.1 The Client provides general written authorization for Zenkins to engage Sub-processors, subject to the conditions in this section.

8.2 Zenkins shall maintain an up-to-date list of approved Sub-processors and make it available to the Client upon request.

8.3 Zenkins shall notify the Client of any intended changes to its Sub-processor list (additions or replacements) with reasonable prior notice, giving the Client the opportunity to object to such changes.

8.4 Zenkins shall enter into written agreements with Sub-processors that impose equivalent data protection obligations as set out in this DPA.

8.5 Zenkins remains fully liable to the Client for the performance of Sub-processors’ data protection obligations under this DPA.


9. Data Retention & Deletion

9.1 Zenkins shall retain Personal Data only for as long as is necessary to fulfil the purposes described in Schedule A or as required by applicable law.

9.2 Upon termination of the Principal Agreement, or at the Client’s written request, Zenkins shall securely delete or return all Personal Data within 30 days, unless legal obligations require a longer retention period.

9.3 Zenkins shall provide the Client with written confirmation of deletion upon request.


10. Liability

10.1 Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Principal Agreement, to the extent permitted by Applicable Data Protection Law.

10.2 Where both parties are responsible for damage caused by Processing, each party shall be liable for the portion of damage attributable to their actions or omissions.


11. Term & Termination

11.1 This DPA shall remain in force for the duration of the Principal Agreement.

11.2 Termination of the Principal Agreement shall automatically terminate this DPA, subject to any survival provisions relating to data deletion, confidentiality, and audit rights.


12. Governing Law & Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Republic of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the competent courts in Ahmedabad, Gujarat, India.


13. Contact & Data Protection Enquiries

For any questions, requests, or concerns relating to data protection or this DPA, please contact:

Zenkins Technologies Pvt. Ltd.
B 612 The Gateway, Nikol, Ahmedabad, Gujarat 382350, India
📧 contact@zenkins.com
📞 +91 70690 18504
🌐 https://zenkins.com/contact


Schedule A — Description of Processing Activities

This schedule is to be completed and agreed upon for each client engagement. The following is a general template.

Field | Details
Subject matter of Processing | IT services, software development, managed IT, and related services as described in the Principal Agreement
Duration of Processing | Duration of the Principal Agreement
Nature of Processing | Collection, storage, use, transmission, and deletion of Personal Data as necessary to deliver contracted services
Purpose of Processing | Provision of services under the Principal Agreement
Types of Personal Data | May include: names, email addresses, phone numbers, IP addresses, system credentials, financial data, employee records (as applicable)
Categories of Data Subjects | Client’s employees, customers, end-users, or other individuals whose data is shared with Zenkins for service delivery
Transfers to third countries | To be specified per engagement — subject to appropriate safeguards

Schedule B — Technical & Organizational Security Measures

Zenkins Technologies implements the following security measures to protect Personal Data:

Access Control

  • Role-based access control (RBAC) for all systems handling Personal Data
  • Multi-factor authentication (MFA) for privileged accounts
  • Principle of least privilege enforced across teams
  • Regular access reviews and revocation upon role change or termination

Data Encryption

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest for sensitive data stores
  • Secure key management practices

Network & Infrastructure Security

  • Firewalls, intrusion detection, and network segmentation
  • Regular vulnerability scans and penetration testing
  • Patch management procedures for all systems

Incident Response

  • Documented incident response and breach notification procedures
  • Designated personnel responsible for managing security incidents
  • Post-incident reviews and corrective action processes

Personnel & Training

  • Background checks for personnel handling sensitive data (where permitted by law)
  • Mandatory data protection and security awareness training
  • Confidentiality agreements for all staff and contractors

Data Management

  • Secure deletion and disposal protocols
  • Backup and recovery procedures with regular testing
  • Data classification and handling guidelines
