This Data Processing Addendum (“Addendum”) between MASIN PROJECTS PRIVATE LIMITED (“MASIN AI” or the “Company”) and the Customer (as defined in the Agreement) forms part of the MASIN AI Terms and Conditions, Privacy Policy and Cookie Policy set forth at https://masin.ai/terms-and-conditions/, https://masin.ai/privacy-policy/, https://masin.ai/cookie-policy/, or such other written or electronic agreement incorporating this Addendum, in each case governing Customer’s access to and use of the Services (the “Agreement”).
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with MASIN AI. For the purposes of this Addendum only, and except where otherwise indicated, references to “Customer” shall include Customer and such Affiliates.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. MASIN AI may update or amend this Addendum from time to time to reflect changes in applicable law or in MASIN AI’s Services or internal practices.
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or MASIN AI, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.2 “Customer Personal Data” means any Personal Data provided by or made available by Customer to MASIN AI, or collected by MASIN AI on behalf of Customer, which is Processed by MASIN AI to perform the Services. Customer Personal Data does not include system-generated technical or usage data (such as device identifiers, IP addresses, event logs, cookies, or telemetry) unless such data forms part of the content uploaded or submitted by Customer;
1.3 “Controller to Processor SCCs” means the standard contractual clauses for cross-border transfers published by the European Commission on 4 June 2021 governing the transfer of Personal Data to Third Countries, including any successor clauses thereto;
1.4 “Data Protection Law” means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (“GDPR”);
1.5 “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by MASIN AI;
1.6 “Services” means the services to be supplied by MASIN AI to Customer or Customer’s Affiliates pursuant to the Agreement; and
1.7 “Third Country” means countries that have not received an adequacy decision from the European Commission relating to cross-border transfers of Personal Data;
1.8 “Personal Data” means any information that identifies or can be used to identify a living individual, whether directly (such as a name) or indirectly (such as an identification number, location data, or online identifier). This includes system-generated technical or usage data where such data can be linked to an identifiable individual.
1.9 “Agreement” means the MASIN AI Terms and Conditions set forth at https://masin.ai/terms-and-conditions/, as amended from time to time.
Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
This Addendum applies to MASIN AI’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
3.1 The Parties acknowledge and agree that, with regard to the Processing of Customer Personal Data: (a) Customer acts as Controller; (b) MASIN AI acts as Processor; and (c) MASIN AI Processes Customer Personal Data solely on behalf of, and under the documented instructions of, Customer.
3.2 Nothing in this Addendum or the Agreement shall be construed to create a joint controllership arrangement between the Parties within the meaning of Article 26 of the GDPR.
3.3 MASIN AI shall not Process Customer Personal Data for any purpose other than as set out in this Addendum and the Agreement. MASIN AI shall have no rights to use Customer Personal Data for its own purposes.
3.4 Customer Responsibilities. Customer acknowledges and agrees that:
(a) Customer is solely responsible for ensuring the lawfulness of the Processing of Customer Personal Data, including establishing a valid legal basis under Articles 6 and (where applicable) 9 of the GDPR;
(b) Customer shall provide all required notices to, and obtain all required consents or authorisations from, Data Subjects in accordance with applicable Data Protection Laws;
(c) Customer shall ensure that its instructions to MASIN AI are lawful and do not cause MASIN AI to violate applicable Data Protection Laws;
(d) Customer shall comply with its obligations in respect of Personal Data Breach notifications to Supervisory Authorities and Data Subjects;
(e) MASIN AI shall have no liability arising from Customer’s failure to comply with its obligations under this Section 3.4; and
(f) Customer shall indemnify and hold harmless MASIN AI against any claims, damages, losses, or expenses arising from Customer’s breach of its obligations under this Section 3.4.
In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the subject matter and details of the Processing of Customer Personal Data to be Processed by MASIN AI pursuant to this Addendum. The Parties may make reasonable amendments to Annex 1 on mutual written agreement. Annex 1 does not create any obligation or rights for any Party. The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement.
Customer shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data. As between the Parties, Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to MASIN AI of Customer Personal Data.
5.1 Processing Instructions. MASIN AI shall Process Customer Personal Data for the purposes of the Agreement and for the specific purposes set out in Annex 1, and otherwise solely on the documented instructions of Customer. The Agreement, this Addendum, and Customer’s use of the Services are Customer’s written instructions to MASIN AI in relation to Processing Customer Personal Data.
5.2 Confidentiality. MASIN AI shall implement and maintain measures designed to ensure that MASIN AI personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures. MASIN AI shall implement and maintain reasonable technical and organisational measures designed to ensure a level of security appropriate to the risk of the Processing of Customer Personal Data, including pseudonymisation and encryption where appropriate.
5.4 Sub-processors.
5.4.1 Customer hereby authorises MASIN AI to engage and appoint sub-processors, including those listed in Annex 2. MASIN AI shall use reasonable efforts to notify Customer of any material changes or additions to sub-processors.
5.4.2 MASIN AI shall include data protection obligations in its contracts with sub-processors that are consistent with the requirements of Data Protection Laws.
5.4.3 Customer acknowledges and agrees that any failure by a sub-processor to fulfil its obligations in relation to the Processing of Customer Personal Data shall not give rise to any direct liability on the part of MASIN AI towards Customer. Customer’s sole remedy in respect of any sub-processor failure shall be to exercise its rights under Section 5.5 below.
5.5 Sub-processor Objections. Where MASIN AI notifies Customer of a proposed new sub-processor, Customer may raise any reasonable objection on data protection grounds within thirty (30) days. MASIN AI shall consider Customer’s objection in good faith. If MASIN AI determines, in its reasonable discretion, that it requires the proposed sub-processor to provide the Services, and the Parties cannot agree on an alternative arrangement, MASIN AI may proceed with engagement of the sub-processor. Customer’s continued use of the Services following such engagement shall constitute acceptance of the sub-processor.
5.6 Government Access. MASIN AI shall not disclose Customer Personal Data to any governmental authority unless legally compelled by valid legal process, and then only to the minimum extent required. Upon receipt of any governmental request for Customer Personal Data, MASIN AI shall (to the extent legally permitted): (i) promptly notify Customer; (ii) limit any compelled disclosure to the greatest extent possible. MASIN AI shall not make voluntary disclosures and shall maintain records of all governmental access requests received.
5.7 Data Subject Requests.
(a) MASIN AI shall notify Customer if it receives any request from a Data Subject to exercise rights under Chapter III of the EU GDPR in respect of Customer Personal Data (a “Data Subject Request”).
(b) MASIN AI shall not respond to any Data Subject Request directly unless Customer provides prior written authorisation, or unless MASIN AI is required by applicable Data Protection Laws to respond, in which case MASIN AI shall, to the extent legally permitted, inform Customer of that legal requirement before responding.
(c) MASIN AI shall not charge Customer for reasonable assistance with Data Subject Requests. For Data Subject Requests that are manifestly unfounded or excessive (including by reason of their repetitive character), MASIN AI may charge a reasonable fee based on administrative costs, provided that MASIN AI notifies Customer in advance and provides justification for any such charges.
5.8 Security Incident Notification. MASIN AI shall notify Customer without undue delay and in any event no later than seventy-two (72) hours after becoming aware of a Security Incident, in accordance with Article 10.10 of the Terms and Conditions. Such notice shall include, to the extent reasonably available: (i) a description of the nature of the Security Incident; (ii) the categories and approximate number of Data Subjects affected; (iii) the likely consequences of the Security Incident; and (iv) measures taken or proposed to address the Security Incident. Customer acknowledges that MASIN AI’s notification of a Security Incident is not an acknowledgement by MASIN AI of fault or liability.
5.9 Assistance. To the extent required by Data Protection Laws, MASIN AI shall provide reasonable assistance to Customer with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and information available to MASIN AI. Customer agrees to pay MASIN AI for time and out-of-pocket expenses incurred in connection with any such assistance.
5.10 Data Retention and Deletion. Upon termination or expiry of the Agreement, MASIN AI shall, at Customer’s choice, delete or return all Customer Personal Data within thirty (30) days of termination. Personal Data may remain in encrypted backup systems for a maximum period of one hundred and eighty (180) days, during which time such data shall not be restored or accessed except as required by law. MASIN AI shall provide written certification of data deletion within thirty (30) days of completing the deletion process, which shall occur no later than one hundred and eighty (180) days after termination, in accordance with Article 10.8 of the Terms and Conditions.
5.11 Records of Processing. MASIN AI shall maintain records in support of demonstrating compliance with its obligations for the processing of Customer Personal Data on behalf of Customer.
5.12 Audits. Upon Customer’s written request no more than once in any twelve (12) month period, MASIN AI will make available summaries of third-party audit reports and certifications that MASIN AI generally makes available to its customers, in accordance with Article 10.12 of the Terms and Conditions.
5.13 Prohibition on Use for AI Training. MASIN AI shall not use Customer Personal Data to train, develop, or improve any artificial intelligence models or machine learning algorithms without Customer’s prior explicit written consent.
5.14 Cookies and Technical Data. MASIN AI’s use of cookies and similar technologies is governed by the Cookie Policy and Terms and Conditions. Any Personal Data collected through such technologies is processed by MASIN AI as an independent controller, unless it forms part of Customer Personal Data.
The Parties agree that when the transfer of Customer Personal Data from Customer and/or any of its Affiliates to MASIN AI is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs, which shall be deemed incorporated into and form part of this Addendum as follows:
6.1 When personal data is transferred from the European Union to a country outside the EU that has not been officially recognised as having adequate data protection laws, European law requires that special legal safeguards be put in place. The European Commission has created a set of pre-approved contract terms called “Standard Contractual Clauses” (SCCs) that provide these safeguards. By agreeing to these clauses, both Parties commit to protecting the transferred data to the same standard as required under EU law, even though the data will be processed in a country with different data protection rules.
For transfers of Customer Personal Data protected by the EU GDPR from Customer (located in the EU/EEA) to MASIN AI (located in India), the Parties agree to be bound by the European Commission’s Standard Contractual Clauses adopted on 4 June 2021 (Commission Implementing Decision (EU) 2021/914). The specific terms and selections made under the SCCs are as follows:
6.1.1 Type of Transfer: Controller to Processor (Module Two). The SCCs offer different “modules” depending on the relationship between the Parties. The Parties have selected Module Two, which applies when the data exporter (Customer) is a “controller” (meaning Customer decides why and how personal data is processed) and the data importer (MASIN AI) is a “processor” (meaning MASIN AI only processes personal data on Customer’s behalf and according to Customer’s instructions). Customer remains in control of the personal data and decides what happens to it. MASIN AI may only process the data as instructed by Customer and for the purposes set out in this Addendum. MASIN AI cannot use the data for its own purposes. Customer remains responsible for ensuring there is a lawful basis for processing the data.
6.1.2 Ability for Other Parties to Join Later (Docking Clause). The SCCs include an optional provision allowing additional Parties to join the agreement at a later date without needing to sign a completely new contract. The Customer has agreed to apply the docking clause. If Customer has affiliated companies (for example, subsidiaries or parent companies) that also need to transfer personal data to MASIN AI, those affiliates can join this Addendum later. New affiliates can become bound by these SCCs by completing and signing an accession document. This provides flexibility for corporate groups without requiring renegotiation of the entire agreement each time a new entity needs to transfer data.
The SCCs require the Parties to decide how MASIN AI may engage other companies (called “subprocessors”) to help process Customer’s data. The SCCs offer two options: (1) requiring Customer’s specific prior approval for each new subprocessor, or (2) allowing MASIN AI to engage subprocessors generally, provided Customer is given advance notice and an opportunity to object. The Parties have selected Option 2 (General Authorisation). This means: Customer gives MASIN AI general permission to use subprocessors to help deliver the Services; MASIN AI must give Customer at least 30 days’ written notice before engaging any new subprocessor or replacing an existing one; during that 30-day period, Customer may object to the proposed subprocessor if Customer has reasonable data protection concerns; if Customer objects and the Parties cannot find an alternative solution, either party may terminate the affected Services; MASIN AI remains fully responsible to Customer for any subprocessor’s failure to meet data protection obligations.
6.4 Prior to any Restricted Transfer, MASIN AI shall: (a) conduct and document an assessment of the laws and practices of the destination country that may affect compliance with the Standard Contractual Clauses, including any access by public authorities to transferred Personal Data; (b) where the assessment identifies material risks to Data Subject rights, implement supplementary measures as necessary to ensure an essentially equivalent level of protection; (c) suspend or cease the transfer where supplementary measures cannot adequately address the identified risks; and (d) make such assessments available to the Customer upon request. MASIN AI shall repeat such assessments periodically or when there is a material change in the legal framework of the destination country.
6.4A For transfers to India, this assessment shall specifically consider the Information Technology Act 2000 (including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011), the Digital Personal Data Protection Act 2023, and any regulations or orders issued thereunder that may permit government or law enforcement access to Customer Personal Data;
6.5 Supplementary Measures. Where required to ensure compliance with applicable Data Protection Laws in respect of international transfers, MASIN AI may implement supplementary technical, contractual, or organisational measures as agreed between Parties.
6.6 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.
Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed): challenge the request and promptly notify the data exporter about it, and only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.
Customer acknowledges that certain sub-processors listed in Annex 2 are located in the United States. MASIN AI confirms that:
(a) Each US-based sub-processor has entered into appropriate Standard Contractual Clauses or other valid transfer mechanisms with MASIN AI in compliance with EU Area Law;
(b) MASIN AI has conducted due diligence on each US-based sub-processor’s data protection practices and has documented the same in its Transfer Impact Assessment, including assessment of US surveillance laws (including FISA Section 702 and Executive Order 12333) and the EU-US Data Privacy Framework where applicable; and
(c) Each US-based sub-processor implements technical and organisational security measures that meet the requirements of Article 32 of the EU GDPR.
6.8 AWS India Hosting. Customer acknowledges that MASIN AI hosts Customer Personal Data using Amazon Web Services (AWS) data centers located in India. MASIN AI confirms that:
(a) AWS has entered into appropriate Standard Contractual Clauses or other valid transfer mechanisms with MASIN AI in compliance with EU Area Law;
(b) MASIN AI has conducted due diligence on AWS’s data protection practices and has documented the same in its Transfer Impact Assessment; and
(c) AWS implements technical and organisational security measures that meet the requirements of Article 32 of the EU GDPR, including encryption at rest and in transit, access controls, and incident response capabilities.
7.1 The Customer shall defend, indemnify, and hold harmless MASIN AI and its affiliates from any and all claims, damages, losses, liabilities, penalties, fines, costs, and expenses (including attorneys’ fees) arising out of or relating to: (i) the Customer’s Personal Data; (ii) any use of the Software in violation of this Addendum, law, or third-party rights; or (iii) any cyber-attack, security breach, malicious code, or unauthorized access to the Services or MASIN AI’s systems caused or facilitated by the Customer, its personnel, contractors, or systems.
7.2 These obligations apply regardless of any contributory negligence of MASIN AI and shall survive termination of this Addendum.
7.3 Limited Liability. MASIN AI’s total liability under this Addendum is limited to £1000. MASIN AI will not be liable for any indirect or consequential losses. However, there shall be no limitation on the Customer’s liability arising out of any breach under this Addendum by the Customer.
The Parties agree that, if any clause or sub-clause of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other clause of this Addendum.
10.1 This Addendum is governed by the laws of India or UAE as determined by the principal place of business of the MASIN AI entity with which Customer has entered into the agreement, without regard to conflict of law principles. Subject to the arbitration clause below, the courts at Delhi, India or Dubai, UAE shall have exclusive jurisdiction.
10.2 If a dispute arises, Customer agrees to first notify MASIN AI at [email protected] and engage in good-faith discussions to resolve the dispute within thirty (30) working days of MASIN AI’s receipt of Customer’s notice.
10.3 Any dispute not resolved within that period shall be finally resolved by arbitration in accordance with the Arbitration and Conciliation Act, 1996. The tribunal shall consist of a sole arbitrator appointed in accordance with the Act. The seat and venue of arbitration shall be either Delhi, India or Dubai, United Arab Emirates, as determined by the principal place of business of the MASIN AI entity with which Customer has entered into the agreement. The language shall be English. Each party shall bear its own costs, and the arbitrator may allocate costs in the award. The arbitral award shall be final and binding.
Name: Himanshu Kashyap
Email: [email protected]
Annex 1 to Data Protection Addendum
Description of Processing Activities for Customer Personal Data
This Annex includes certain details of the Processing of Customer Personal Data by MASIN AI in connection with the Services.
List of Parties
Name: | Customer (as defined in the Agreement) |
Address: | As set forth in the relevant Order Form. |
Contact person’s name, position and contact details: | As set forth in the relevant Order Form. |
Activities relevant to the data transferred under these Clauses: | Recipient of the Services provided by MASIN AI in accordance with the Agreement. |
Signature and date: | Signature and date are set out in the Agreement. |
Role (controller/processor): | Controller |
Name: | MASIN PROJECTS PRIVATE LIMITED |
Address: | Plot 847, Phase V, |
Contact person’s name and contact details: | Aishwary Dwivedi |
Activities relevant to the data transferred under these Clauses: | Provision of the Services to the Customer in accordance with the Agreement. |
Signature and date: | Signature and date are set out in the Agreement. |
Role (controller/processor): | Processor |
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs) | As determined by application of Clause 13 of the EU SCCs. |
Categories of data subjects whose personal data is transferred | Customer’s authorized users of the Services |
Categories of personal data transferred | Processed automatically by the Services: names; email IDs. Processed where and to the extent provided by Customer or its authorized users in connection with audit services provided by MASIN AI: address; date of birth; past employment details. |
Sensitive personal data transferred | None |
Frequency of the transfer | Continuous |
Nature of the processing | Provision of Services to Customer, including querying, cleansing, standardising, and storing information. |
Purpose of the data transfer and further processing | To facilitate the performance of the Services as described in the Agreement |
Period for which the personal data will be retained or criteria used to determine that period | As described in the Agreement and this Addendum. |
Technical and Organisational Security Measures
MASIN AI implements the following technical and organisational security measures pursuant to Article 32 of the GDPR. These measures are consistent with the security measures described in Article 10.9 of the Agreement.
MASIN AI implements encryption technologies for data in transit (HTTPS/TLS) and at rest to ensure the security and confidentiality of Customer Personal Data.
(a) Access Controls: MASIN AI maintains access management processes to limit access to Customer Personal Data to properly authorised personnel on a need-to-know basis, following the principle of least privilege. Access is controlled using unique user IDs, strong passwords, and multi-factor authentication.
(b) Personnel Confidentiality: Personnel are required to execute confidentiality agreements.
(c) Network Security: MASIN AI uses AWS Security Groups (virtual firewalls) for its production environment.
MASIN AI replicates data over multiple systems (Multi Availability Zones on AWS) and maintains disaster recovery programmes to restore availability and access to Customer Personal Data in a timely manner following a physical or technical incident.
MASIN AI performs regular vulnerability scans on infrastructure components and maintains incident management policies and procedures, including security incident escalation procedures, in accordance with Article 10.10 of the Agreement.
Annex 2
MASIN AI’s Sub-processors
Name of Sub-processor | Description of Processing | Location of Sub-processor |
Amazon Web Services | Running the Production environment including the Application | India |
Microsoft Corporation (Microsoft 365) | Email services | India |
Microsoft Teams | Messaging | India |
Supabase | Database services | India |
Signoz | Monitoring and Error Alerting | India |