Last Updated: January 15, 2025
Effective Date: January 15, 2025
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Actuals ("Processor," "we," "our," or "us") and you ("Controller," "Customer," or "you") regarding the processing of personal data in connection with our AI-powered analytics services.
For the purposes of this DPA:
"Controller" means the entity that determines the purposes and means of processing personal data
"Processor" means the entity that processes personal data on behalf of the Controller
"Personal Data" has the meaning given in applicable Data Protection Laws
"Data Subject" means an identified or identifiable natural person
"Data Protection Laws" means GDPR, CCPA, and other applicable privacy regulations
"Processing" has the meaning given in applicable Data Protection Laws
"Sub-processor" means any third party engaged by Actuals to process personal data
This DPA applies to all personal data processed by Actuals on behalf of the Customer in connection with our Services, including but not limited to:
Employee data uploaded for HR analytics
Customer data processed for business intelligence
Financial data containing personal identifiers
Any other personal data within business datasets
The Customer acts as the Data Controller and is responsible for:
Determining the purposes and means of processing personal data
Ensuring lawful basis for processing under applicable Data Protection Laws
Obtaining necessary consents from data subjects
Providing appropriate privacy notices to data subjects
Responding to data subject requests and complaints
Conducting Data Protection Impact Assessments (DPIAs) where required
Ensuring data accuracy and minimization
Actuals acts as the Data Processor and will:
Process personal data only on documented instructions from the Customer
Ensure confidentiality of personal data
Implement appropriate technical and organizational measures
Assist with data subject requests and regulatory compliance
Notify the Customer of any data breaches without undue delay
Delete or return personal data upon termination of services
Maintain records of processing activities
Actuals will process personal data only on the basis of documented instructions from the Customer, including:
Initial instructions set out in the Terms and Conditions
Additional instructions provided through the platform interface
Written instructions provided via email or support channels
Configuration settings within the analytics platform
Actuals will not:
Process personal data for purposes other than those instructed
Sell, rent, or otherwise commercialize personal data
Use personal data for marketing purposes without consent
Combine personal data with other datasets without authorization
Transfer personal data to unauthorized third parties
Actuals implements the following security measures:
Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
Access Controls: Role-based access control with multi-factor authentication
Network Security: Firewalls, intrusion detection, and network segmentation
Monitoring: 24/7 security monitoring and incident response
Backup and Recovery: Regular backups with tested recovery procedures
Vulnerability Management: Regular security assessments and penetration testing
Staff Training: Regular privacy and security training for all employees
Background Checks: Screening of personnel with access to personal data
Confidentiality: Contractual confidentiality obligations for all staff
Data Minimization: Processing only necessary personal data
Retention Policies: Automated deletion based on retention schedules
The Customer provides general authorization for Actuals to engage sub-processors, subject to the conditions set out in this DPA. Current sub-processors include:
Amazon Web Services (AWS): Cloud hosting and infrastructure
Google Cloud Platform: AI/ML services and analytics
Microsoft Azure: Additional cloud services
Stripe: Payment processing services
All sub-processors must:
Provide sufficient guarantees of data protection compliance
Enter into written agreements with equivalent data protection obligations
Implement appropriate technical and organizational measures
Allow for audits and inspections
Actuals will notify the Customer of any intended changes to sub-processors at least 30 days in advance. The Customer may object to such changes within 14 days of notification.
For transfers of personal data outside the EEA, Actuals ensures appropriate safeguards through:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission
Binding Corporate Rules where applicable
Certification schemes and codes of conduct
Actuals conducts Transfer Impact Assessments (TIAs) for all international transfers to ensure adequate protection of personal data in the destination country.
Actuals will assist the Customer in responding to data subject requests, including:
Access requests: Providing copies of personal data
Rectification requests: Correcting inaccurate personal data
Erasure requests: Deleting personal data where required
Portability requests: Providing data in a structured format
Restriction requests: Limiting processing of personal data
Objection requests: Stopping processing based on legitimate interests
Actuals will respond to Customer requests for assistance within 10 business days and provide all necessary information to enable the Customer to respond to data subjects within the required timeframes.
In the event of a personal data breach, Actuals will:
Notify the Customer without undue delay and within 24 hours of becoming aware
Provide all available information about the breach
Assist with regulatory notifications where required
Implement immediate containment and remediation measures
Provide regular updates on the investigation and remediation
Breach notifications will include:
Description of the nature of the breach
Categories and approximate number of data subjects affected
Categories and approximate number of personal data records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
The Customer has the right to conduct audits and inspections of Actuals' data processing activities, subject to:
Reasonable advance notice (at least 30 days)
Execution of appropriate confidentiality agreements
Limitation to normal business hours
Reimbursement of reasonable costs incurred by Actuals
Instead of on-site audits, Actuals may provide:
Third-party security certifications (SOC 2, ISO 27001)
Penetration testing reports
Security questionnaires and assessments
Compliance documentation and policies
Actuals will retain personal data only for the duration necessary to provide the Services and as instructed by the Customer, unless longer retention is required by law.
Upon termination of the Services or upon Customer request, Actuals will:
Delete all personal data within 30 days
Provide certification of deletion upon request
Ensure deletion from all systems and backups
Require the same deletion from all sub-processors
Each party will be liable for damages caused by its own breach of this DPA. Actuals' liability is limited to damages directly caused by its failure to comply with this DPA.
Each party will be responsible for regulatory fines imposed due to its own non-compliance with Data Protection Laws.
This DPA will remain in effect for the duration of the Terms and Conditions and will automatically terminate upon termination of the Services. Provisions relating to data deletion, confidentiality, and liability will survive termination.
This DPA may only be amended in writing and signed by both parties. Actuals may update this DPA to reflect changes in Data Protection Laws, provided that such updates do not materially reduce the level of protection.
This DPA is governed by the laws of India. For EU customers, this DPA is also governed by the GDPR and the laws of the Customer's jurisdiction where more protective.
Data Protection Officer
Name: Saurabh Srivastava
Email: privacy@actuals.co.in
Phone: +91 8073 879 031
Address: L 148, 5TH MAIN, HSR LAYOUT, 6TH SECTOR, BANGALORE SOUTH HSR LAYOUT, BANGALORE-560102, India
