01The parties and their roles
This DPA is between Techvoria CrmSoft Solutions Private Limited ("Techvoria", "Processor") and the Customer ("Controller", "Data Fiduciary").
The Customer is the Data Fiduciary for personal data of End-Investors, employees, contractors, leads, prospects, and any other natural persons whose data is input into MFDStack by the Customer or its Authorised Users ("Personal Data").
Techvoria is the Data Processor and processes such Personal Data only on the Customer's documented instructions, except as otherwise required by Indian law applicable to Techvoria.
Techvoria's role as a Data Fiduciary for data it collects directly (for example, contact details supplied by the Customer's representatives during account setup, or website-visitor data) is addressed in our Privacy Policy and is not within the scope of this DPA.
02Scope, subject matter, and duration
| Subject matter | Provision of MFDStack to the Customer, including hosting, processing, and transmission of Personal Data on the Customer's instructions. |
| Duration | For the duration of the Subscription Term, plus any post-termination data retention period set out in the Terms of Service. |
| Nature and purpose | Hosting, storage, transmission, indexing, retrieval, parsing of registrar reports, drafting and summarisation through AI features, and other operations necessary to deliver MFDStack. |
| Categories of data principals | End-Investors of the Customer (clients, prospects, leads), the Customer's employees and contractors, and other natural persons referenced in Customer Data. |
| Types of Personal Data | Identification data (name, contact details), KYC and identification data (where input by Customer), folio and transaction data, financial planning information, risk profile information, employment data (for HRMS features), call and meeting records, communications (emails, notes), and audit logs. |
03Processor obligations
Techvoria shall:
- Process on instruction. Process Personal Data only on the Customer's documented instructions, including with regard to transfers, unless required by Indian law applicable to Techvoria. Where so required, Techvoria shall, to the extent permitted by law, inform the Customer of that legal requirement before processing.
- Confidentiality. Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Security. Implement appropriate technical and organisational measures as described in Schedule A.
- Assist with rights requests. Provide reasonable assistance, taking into account the nature of processing and information available to Techvoria, to the Customer in fulfilling the Customer's obligation to respond to requests from data principals exercising their rights under applicable law.
- Assist with compliance. Provide reasonable assistance to the Customer with respect to security, breach notification, data protection impact assessments, and prior consultations with regulators, taking into account the nature of processing and information available.
- Return or delete. At the end of the provision of services, delete or return Personal Data as set out in Section 9.
- Demonstrate compliance. Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, subject to Section 8.
04Sub-processors
4.1 General authorisation
The Customer authorises Techvoria to engage the sub-processors listed in Schedule B for the processing activities described in this DPA. The Customer further provides general authorisation to Techvoria to add or replace sub-processors, subject to Section 4.2.
4.2 Notice of changes
Techvoria will provide the Customer at least 30 days' prior notice of any addition or replacement of sub-processors, by email and / or by updating Schedule B on this page. The Customer may object on reasonable data protection grounds within 30 days. If the parties cannot resolve the objection in good faith, the Customer's sole remedy is to terminate the affected portion of the Service in accordance with the Terms.
4.3 Responsibility for sub-processors
Techvoria remains responsible for the performance of each sub-processor's obligations under this DPA and shall impose on each sub-processor data protection obligations equivalent to those in this DPA.
05Cross-border transfers
Production Personal Data is stored within India on AWS infrastructure in the Mumbai region. Limited operational transmissions to international sub-processors (listed in Schedule B) may occur to deliver specific features — in particular, transactional email delivery, AI processing, and messaging services. Techvoria will ensure such transmissions comply with applicable Indian law and that appropriate safeguards are in place.
06Data principal rights
Where a data principal contacts Techvoria with a request to exercise rights in relation to Personal Data processed by Techvoria on the Customer's behalf, Techvoria will promptly notify and forward the request to the Customer. The Customer is responsible for responding. Techvoria will provide reasonable assistance to the Customer in responding, taking into account the nature of the processing.
07Personal data breach
Techvoria shall notify the Customer without undue delay, and in any event within 72 hours after becoming aware, of any Personal Data breach affecting the Customer's Personal Data. The notification shall, to the extent feasible, describe:
- The nature of the breach, including the categories and approximate number of data principals and records affected;
- The likely consequences;
- The measures taken or proposed to address the breach and mitigate adverse effects;
- A point of contact at Techvoria for further information.
If full information is not available within 72 hours, Techvoria will provide what is available and supplement as further information becomes known. Notification of a breach is not by itself an admission of fault or liability by Techvoria.
08Audit
The Customer may, no more than once per twelve-month period and with at least 30 days' written notice, request information reasonably necessary to verify Techvoria's compliance with this DPA. Techvoria may satisfy audit requests through (a) responses to written questionnaires, (b) summary descriptions of its security and processing practices, or (c) third-party certifications or audit reports where available.
On-site audits will be conducted only after reasonable notice, during business hours, in a manner that does not unreasonably interfere with Techvoria's operations, and subject to confidentiality protections. The Customer shall bear its own costs of audit. Audits will not extend to the data, systems, or facilities of other Techvoria customers.
09Return or deletion of data
On termination of services, or on the Customer's earlier written request:
- Techvoria will, for up to 30 days after termination, provide the Customer the ability to export Customer Data in CSV format;
- Techvoria will permanently delete Personal Data from active production systems within 30 days of termination, except as required by law;
- Residual copies in routine backup media will age out in accordance with the backup retention cycle described in the Privacy Policy.
10Liability and term
This DPA forms part of the Terms of Service. Liability under this DPA is subject to the limitation of liability set out in the Terms. This DPA remains in effect for the duration of the Terms and survives termination to the extent necessary to give effect to its provisions.
Schedule A — Technical and organisational measures
Techvoria implements and maintains the following technical and organisational measures to protect Personal Data processed under this DPA:
Encryption and transport
- HTTPS / TLS for all data in transit between user agents and MFDStack;
- Encryption at rest for production databases;
- Encrypted backups.
Access control
- Per-firm tenant isolation;
- Role-based access control within MFDStack, configured by the Customer;
- Internal access to production data restricted to authorised technical personnel on a need-to-know basis;
- Authentication using strong passwords; multi-factor authentication available where supported.
Operations and resilience
- Daily, weekly, and monthly backup cycles;
- Logging and monitoring of administrative actions and significant security events;
- Regular software updates and patch management;
- Documented incident response procedures.
Governance
- Confidentiality obligations on personnel and contractors;
- Periodic review of security practices;
- Designated Grievance Officer (rohit@techvoriacrm.com).
Techvoria may update these measures from time to time. The overall level of protection shall not be materially reduced.
Schedule B — Approved sub-processors
As at the Last Updated date above, Techvoria engages the following sub-processors in connection with the provision of MFDStack:
| Sub-processor | Purpose / location |
|---|---|
| Amazon Web Services, Inc. | Cloud hosting and storage. Region: Mumbai (ap-south-1), India. |
| Mailgun Technologies, Inc. | Transactional email delivery. United States. |
| Google LLC (Gmail API) | Authorised user Gmail integration; OAuth tokens only. United States. |
| OpenAI, L.L.C. | AI features (MOM drafting, summarisation). Model training disabled on Techvoria's API account. United States. |
| WhatsApp / Meta Platforms, Inc. | Outbound messaging via WhatsApp Business platform, where enabled. United States. |
Updates to this Schedule will be published on this page and notified to the Customer in accordance with Section 4.2.
Registered office: Building B, Flat No. 901, ULV Co-op Housing Society Shivdarshan,
Parvati, Pune – 411009, Maharashtra, India
Office: 1224, Lane No 4, Shubhash Nagar, Shukrawar Peth, Pune – 411002, Maharashtra, India
CIN: U62013PN2025PTC249305
Email: contact@techvoriacrm.com · Privacy: rohit@techvoriacrm.com