Data Processing Addendum

Last Updated: March 03, 2026

ENCATCH DATA PROCESSING ADDENDUM (DPA)

Effective Date: [●]

This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Encatch Terms of Service (or other Enterprise Agreement / Order Form) (the “Agreement”) between Phyder Mobile Solutions Pvt. Ltd., a company incorporated in India with its registered office at 412/413, 4th Floor, Palmspring (Above Croma), Link Road, Malad West, Mumbai City, Mumbai, Maharashtra, India, 400064, operating the business and brand name “Encatch” (“Encatch”, “we”, “us” or “our”), and the Customer (as defined in the Agreement). This DPA should be read together with the Agreement and Encatch’s Privacy Policy (as updated from time to time); however, in the event of any conflict, this DPA controls only with respect to Processor-side Processing of Personal Data covered by this DPA.

PURPOSE AND SCOPE

  • Purpose. This DPA sets out the parties’ respective obligations with respect to the Processing of Personal Data by Encatch on behalf of Customer in connection with Customer’s use of the Service, to the extent Encatch acts as a Processor (including a “data processor” under the DPDP Act) and Customer acts as a Controller (including a “data fiduciary” under the DPDP Act).
  • Applicability. This DPA applies only to Processor-side Processing of Personal Data, namely:
      • Customer End-User Feedback Data and related Customer End User Identifiers (each as defined in the Terms of Service), to the extent such data constitutes Personal Data; and
      • any other Customer Data only to the extent (and only for so long as) Encatch Processes such Customer Data as a Processor on Customer’s documented instructions under the Agreement.
  • For clarity, Encatch may process certain data as an independent Controller (for example, account, billing, payment administration, support, sales/marketing, and Website-related data), as described in the Privacy Policy; such Controller-side processing is not governed by this DPA; and this DPA does not apply to Usage Data or other aggregated/de-identified data to the extent it does not constitute Personal Data.
  • Term. This DPA remains in effect for the duration of Encatch’s Processing of Personal Data on behalf of Customer under the Agreement, and will terminate upon completion of such Processing, subject to Clause 13 and any provisions that are expressly stated to survive.

INCORPORATION; ORDER OF PRECEDENCE

  • Incorporation. This DPA is incorporated by reference into, and forms part of, the Agreement and should be read together with Encatch’s Privacy Policy. Capitalized terms not defined in this DPA have the meanings given in the Agreement and/or the Privacy Policy, as applicable.
  • Precedence. If there is any conflict between this DPA and the Agreement or the Privacy Policy, this DPA will control only with respect to Processor-side Processing of Personal Data to which this DPA applies. For clarity, the Agreement and the Privacy Policy continue to govern (among other things) Encatch’s Controller-side Processing. If Customer has entered into an Enterprise Agreement / Order Form with Encatch that includes data processing terms that expressly override this DPA, those expressly overriding terms will control to the extent of the conflict.
  • No Expansion of Scope. This DPA does not require either party to Process Personal Data in a manner that is inconsistent with Applicable Data Protection Law. This DPA does not expand Encatch’s obligations beyond the scope of: (a) the Service; (b) Customer’s documented instructions; and (c) Applicable Data Protection Law.

DEFINED TERMS; INTERPRETATION

  • Defined Terms.
      • Capitalized terms used but not defined in this DPA have the meanings given in the Agreement and/or Encatch’s Privacy Policy, as applicable. Without limiting the foregoing, the terms “Customer Data,” “Customer End-User Feedback Data,” “Customer End User Identifier,” “Service,” and related product/technical terms have the meanings given in the Agreement.
      • “Personal Data Breach” means any Security Incident (as defined in the Agreement) to the extent it results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed under this DPA.
  • GDPR and DPDP Bridge. For purposes of this DPA, and solely to align terminology across Applicable Data Protection Law:
      • “Controller” includes “data fiduciary” under the DPDP Act;
      • “Processor” includes “data processor” under the DPDP Act; and
      • “Data Subject” includes “Data Principal” under the DPDP Act.
  • Scope-Limited Use of Privacy Policy Definitions. Where the Privacy Policy defines “Personal Data,” “Processing,” “Controller,” “Processor,” or “Applicable Law” (or similar terms), those definitions apply for purposes of this DPA to the extent relevant to Processor-side Processing covered by this DPA.
  • Interpretation. In this DPA, unless the context otherwise requires:
      • references to “include” or “including” mean “include without limitation” / “including without limitation”;
      • references to “Applicable Data Protection Law” mean the laws and binding regulatory requirements applicable to the Processing of Personal Data under this DPA (including, where applicable, the GDPR and the DPDP Act); and
      • headings are for convenience only and do not affect interpretation.

PROCESSING DETAILS (SUBJECT MATTER, DURATION, DATA SUBJECTS AND CATEGORIES)

  • Subject Matter. The subject matter of Processing under this DPA is Encatch’s provision of the Service to Customer under the Agreement, to the extent Encatch Processes Personal Data as a Processor on Customer’s documented instructions (as described in Clause 5).
  • Duration. The duration of Processor-side Processing under this DPA is the period described in Clause 1.3, together with any post-termination retention/export periods expressly permitted under the Agreement, the Privacy Policy, and this DPA (including any Retention/Deletion clause), and subject to Applicable Data Protection Law and legal hold.
  • Nature and Purpose of Processing. The nature and purpose of Processing under this DPA are as described in Clause 1.1 and Clause 1.2, and as further implemented through Customer’s configuration and documented instructions under the Agreement and consistent with the Agreement and Privacy Policy, in each case to the extent applicable to Processor-side Processing.
  • Categories of Data Subjects. Personal Data processed under this DPA may relate to:
      • Customer End Users; and
      • Customer’s Authorized Users and other individuals whose Personal Data is included in Customer Data submitted to the Service, in each case, to the extent such data constitutes Personal Data and is Processed by Encatch as a Processor under this DPA.
  • Categories of Personal Data. The categories of Personal Data processed under this DPA may include, to the extent configured and provided by Customer:
      • Customer End-User Feedback Data (including survey responses, ratings, selections, free-text inputs, bug reports, and similar submissions);
      • Customer End User Identifiers (for example, user IDs, email addresses, phone numbers, or hashed identifiers) and related workspace/project identifiers;
      • metadata associated with submissions and events (for example, timestamps and device/app/session context to the extent enabled by Customer); and
      • attachments or files submitted through feedback flows, only if enabled by Customer.
  • Special Categories / Sensitive Data. Customer will not (and will not permit Customer End Users or Authorized Users to) submit, upload, transmit, or otherwise make available through the Service any Sensitive Data. Encatch does not monitor, screen, or filter Customer Data processed on Customer instruction to detect or prevent submission of Sensitive Data. Customer is responsible for configuring its feedback flows, forms, fields/prompts, and SDK/API implementations (and for providing required notices and obtaining required consents/authorizations) to minimize and avoid the collection of Sensitive Data through the Service. If Customer anticipates that Sensitive Data may be processed through the Service (whether intentionally or inadvertently), Customer must promptly notify Encatch, and any such Processing (if any) will be subject to Applicable Data Protection Law and any additional written agreement between the parties.

ROLES AND DOCUMENTED INSTRUCTIONS

  • Roles of the Parties. For purposes of Processor-side Processing under this DPA:
      • Customer acts as a Controller (including a “Data Fiduciary” under the DPDP Act) with respect to Personal Data; and
      • Encatch acts as a Processor (including a “Data Processor” under the DPDP Act) with respect to such Personal Data. Nothing in this DPA modifies the parties’ respective roles where Encatch Processes data as an independent Controller, as described in the Privacy Policy.
  • Documented Instructions. Encatch will Process Personal Data only on Customer’s documented instructions, which consist of:
      • the Agreement;
      • this DPA;
      • Customer’s configuration and use of the Service (including settings, integrations, workflows, identifiers, and AI feature usage); and
      • any additional written instructions provided by Customer and agreed by Encatch, to the extent consistent with the Agreement and Applicable Data Protection Law. Encatch will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Law.
  • Compliance with Law. Notwithstanding the foregoing, Encatch may Process Personal Data to the extent required by Applicable Data Protection Law to which Encatch is subject. In such case, Encatch will (unless legally prohibited) inform Customer of that legal requirement before Processing.
  • Customer Responsibility for Instructions. Customer is solely responsible for:
      • determining the lawfulness, scope, and appropriateness of its instructions;
      • ensuring that it has provided all required notices and obtained all required consents or other lawful bases under Applicable Data Protection Law; and
      • ensuring that its configuration and use of the Service (including the submission of identifiers, integrations, attachments, and any use of AI Features) complies with Applicable Data Protection Law.

CUSTOMER OBLIGATIONS

  • Compliance as Controller / Data Fiduciary. Customer is responsible for complying with Applicable Data Protection Law in its capacity as Controller (including as a Data Fiduciary under the DPDP Act) with respect to Personal Data Processed under this DPA, including by:
      • establishing and maintaining a valid lawful basis (and, where required, providing notices and obtaining consents/authorizations) for the collection, use, and disclosure of such Personal Data to Encatch for Processing under the Agreement and this DPA;
      • providing all required disclosures to, and enabling the exercise of rights by, the relevant Data Subjects / Data Principals (including Customer End Users), and maintaining appropriate records and policies as required by Applicable Data Protection Law; and
      • responding to Data Subject / Data Principal requests, complaints, or inquiries in the first instance (with Encatch assistance only as set out in this DPA).
  • Configuration, Data Minimization, and Content Controls. Customer is solely responsible for its configuration and use of the Service, including the design and operation of its feedback flows, forms, fields/prompts, SDK/API implementations, integrations, workflows, identifiers, and any attachment/file enablement. Customer will:
      • limit the Personal Data submitted to the Service to what is necessary for Customer’s intended purposes (data minimization); and
      • ensure that any identifiers, tags, custom fields, prompts, and integrations used by Customer do not cause Customer End Users or Authorized Users to submit Sensitive Data or other prohibited content through the Service, except as expressly permitted under the Agreement and this DPA (and only where Customer has satisfied all requirements under Applicable Data Protection Law).
  • Sensitive Data. Customer will comply with the Sensitive Data restrictions set out in Clause 4.6 (Special Categories / Sensitive Data).
  • Accuracy; Authority for Disclosures. Customer is responsible for the accuracy, quality, and legality of Personal Data and other Customer Data submitted to the Service and for ensuring that it has the necessary rights, permissions, and authority to disclose such data to Encatch for Processing under the Agreement and this DPA (including where Customer imports data via integrations or SDK/API implementations).
  • Customer Security Responsibilities. Customer will implement and maintain appropriate technical and organizational measures on its side to protect Personal Data, including:
      • maintaining appropriate access controls and credential hygiene for Customer accounts and Authorized Users;
      • limiting access to the Service to Authorized Users with a need-to-know; and
      • taking reasonable steps to secure end-user collection points, devices, and environments that interact with the Service (including SDK/API implementations and any integrated systems), and promptly notifying Encatch of any unauthorized access to Customer’s credentials or workspace that may impact Personal Data processed under this DPA.

ENCATCH OBLIGATIONS AS PROCESSOR

  • Processing on Instructions. Encatch will Process Personal Data only in accordance with Customer’s documented instructions as set out in Clause 5.2, unless Processing is required by Applicable Data Protection Law as set out in Clause 5.3.
  • Confidentiality of Personnel. Encatch will ensure that its personnel and any persons authorized to Process Personal Data on its behalf (including contractors) are subject to appropriate confidentiality obligations (contractual or statutory) and access controls, and are permitted to Process Personal Data only to the extent necessary to provide the Service and perform Encatch’s obligations under the Agreement and this DPA.
  • Appropriate Technical and Organisational Measures. Encatch will implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further set out in the Security Measures clause (and any related Annex) of this DPA.
  • Assistance With Data Subject / Data Principal Rights. Taking into account the nature of the Processing and the information available to Encatch, Encatch will provide reasonable assistance to Customer to enable Customer to respond to Data Subject / Data Principal requests in relation to Personal Data Processed under this DPA, to the extent required by Applicable Data Protection Law and subject to: (a) verification of the request; (b) Customer providing sufficient information to locate the relevant data; (c) security and confidentiality requirements; and (d) reasonable limitations and/or costs and fees for excessive or disproportionate requests (including by scope or frequency).
  • Assistance With Compliance. To the extent required by Applicable Data Protection Law and reasonably feasible, Encatch will provide reasonable assistance to Customer with Customer’s compliance obligations relating to: (a) security of Processing; (b) notification of Personal Data Breaches; and (c) data protection impact/risk assessments and prior consultations with a supervisory authority, in each case solely to the extent the underlying Processing is Processor-side Processing under this DPA.
  • Inability to Comply. If Encatch becomes aware that it cannot comply with Customer’s documented instructions or its obligations under this DPA due to Applicable Data Protection Law, legal requirements, or technical limitations of the Service, Encatch will promptly inform Customer and, where applicable, work with Customer in good faith to identify a compliant alternative within the Service (without committing to any feature, routing, or provider alternatives unless expressly agreed in writing).
  • No Modification of Controller-Side Processing. Nothing in this Clause 7 modifies Encatch’s Controller-side Processing described in the Privacy Policy, which remains governed by the Agreement and the Privacy Policy (and not by this DPA).

SECURITY MEASURES (TECHNICAL AND ORGANISATIONAL MEASURES)

  • Security Measures. Encatch will implement and maintain appropriate technical and organisational measures designed to protect Personal Data Processed under this DPA against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access (the “Security Measures”), taking into account: (a) the nature, scope, context, and purposes of Processing; (b) the risks to Data Subjects / Data Principals; and (c) the state of the art, implementation costs, and the nature of the Service.
  • Minimum Controls. Without limiting Clause 8.1, Encatch’s Security Measures include controls reasonably designed to address, as applicable:
      • access controls and authentication (including role-based access and least-privilege principles for personnel access);
      • logical separation and environment controls appropriate to the Service architecture;
      • encryption and/or other protections for data in transit and at rest, as appropriate to the risk and the Service;
      • logging and monitoring to support security, auditing, troubleshooting, and incident response;
      • vulnerability management and patching practices consistent with reasonable industry standards;
      • backup and recovery practices to support availability and resilience, consistent with the Agreement, Privacy Policy, and this DPA;
      • secure development and change management practices appropriate to the Service; and
      • personnel security (including confidentiality obligations and security awareness measures appropriate to roles).
  • Security Annex. Additional details of the Security Measures may be described in Annex 2 (Security Measures) to this DPA and/or in security documentation made available by Encatch from time to time. Annex 2 and such documentation are incorporated into this DPA to the extent they describe Encatch’s Security Measures for Processor-side Processing under this DPA.
  • Updates and Improvement. Encatch may update or modify the Security Measures from time to time, provided that such updates do not materially reduce the overall level of protection for Personal Data Processed under this DPA, taking into account the nature of the Service and the risks presented by the Processing.
  • Customer Responsibilities; Shared Security. Customer acknowledges that security is a shared responsibility. Customer remains responsible for implementing and maintaining appropriate technical and organisational measures on its side (including as described in Clause 6.5), and for securing its environments, devices, SDK/API implementations, integrations, and Authorized User access credentials. Encatch is not responsible for security incidents caused by Customer’s acts or omissions, Customer’s configuration choices, or Customer-controlled systems, except to the extent caused by Encatch’s failure to implement or maintain the Security Measures required under this DPA.
  • No Guarantee. Customer acknowledges that no security measures are perfect or impenetrable. Encatch does not guarantee that unauthorized access, loss, or alteration will never occur, but Encatch will maintain the Security Measures in accordance with this Clause 8 and will respond to Security Incidents in accordance with the Security Incident / Breach Notification clause of this DPA.

SECURITY INCIDENT / PERSONAL DATA BREACH NOTIFICATION

  • Notification of Confirmed Security Incident. Encatch will notify Customer without undue delay, and where feasible within seventy-two (72) hours after confirmation of a Security Incident (as defined in the Agreement) to the extent it constitutes a Personal Data Breach (as defined in Clause 3.1(b)).
  • Content in Notice. Encatch’s notice will include, to the extent known and reasonably available at the time (and may be provided in phases as information becomes available):
      • the nature of the Personal Data Breach (including, where feasible, the categories and approximate number of Data Subjects / Data Principals concerned and the categories and approximate number of Personal Data records concerned);
      • the likely consequences of the Personal Data Breach; and
      • the measures taken or proposed to be taken by Encatch to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects.
  • Investigation and Mitigation. Encatch will take reasonable steps to investigate, contain, remediate, and mitigate the effects of the Personal Data Breach and to restore the security of the affected systems, consistent with the nature of the Service and the risks presented.
  • Customer Notifications and Regulatory Reporting. Customer is responsible for determining whether, and to what extent, any notification to Data Subjects / Data Principals, regulators, or other third parties is required under Applicable Data Protection Law, and for making any such notifications. Encatch will provide reasonable cooperation to Customer in connection with such notifications to the extent the Personal Data Breach relates to Processor-side Processing under this DPA.
  • Legal Restrictions. Encatch’s notification obligations under this Clause 9 will not apply (or may be delayed) to the extent Encatch is legally prohibited from providing notice (including where a law enforcement request requires delay). In such case, Encatch will provide notice as soon as it is legally permitted to do so.
  • No Admission. Encatch’s notification of a Security Incident / Personal Data Breach under this Clause 9 will not be construed as an acknowledgment of fault or liability by Encatch.

SUBPROCESSORS

  • General Authorisation. Customer provides Encatch with a general authorisation to engage Subprocessors to Process Personal Data on Customer’s behalf for the purpose of providing, securing, supporting, and operating the Service, subject to the terms of this DPA.
  • Subprocessor List (Annex 3). The Subprocessors authorised under this DPA as of the Effective Date are listed in Annex 3 (Subprocessors). Customer acknowledges and agrees that Encatch may update Annex 3 from time to time and will provide notice where required under Clause 10.4 and/or Applicable Data Protection Law. Encatch will make the then-current Annex 3 available to Customer on request (and/or via a DPA portal or within the Service, where Encatch maintains such a list).
  • Subprocessor Obligations. Where Encatch engages a Subprocessor to Process Personal Data under this DPA, Encatch will: (a) enter into a written agreement with such Subprocessor that imposes data protection obligations that are no less protective than those set out in this DPA (to the extent applicable to the Subprocessor’s Processing); and (b) remain responsible for the performance of the Subprocessor’s obligations to the extent required under Applicable Data Protection Law.
  • Customer Objection; Resolution; Integral Subprocessors.
      • Where Applicable Data Protection Law provides Customer a right to object to a new Subprocessor, Customer may submit a written objection on reasonable grounds relating to data protection (an “Objection”) within the objection period specified in Encatch’s notice (or, if no period is specified, within a reasonable period after such notice).
      • If Customer raises an Objection, the parties will discuss in good faith a commercially reasonable resolution. Without limiting the foregoing, Encatch may, at its option: (i) take reasonable steps to address Customer’s Objection (including by providing additional information about the Subprocessor and the safeguards in place); or (ii) where reasonably feasible within the Service, refrain from using the relevant Subprocessor for Customer’s Personal Data.
      • Integral Subprocessors. If Customer objects to a Subprocessor that is integral to a specific feature or functionality of the Service (including an AI model provider used to provide an AI Feature), and Encatch cannot reasonably accommodate the Objection within the Service without materially impairing such feature or functionality, Encatch may, at its option: (i) disable or terminate the affected feature, functionality, plan component, Order Form, or impacted portion of the Service for Customer; and only if neither of the foregoing is reasonably feasible, (ii) terminate the Agreement in accordance with its termination provisions.

INTERNATIONAL TRANSFERS

  • Transfers Generally. Customer acknowledges that, depending on the configuration and use of the Service, Personal Data Processed under this DPA may be transferred to, accessed from, or otherwise Processed in jurisdictions other than the jurisdiction where Customer or the relevant Data Subjects / Data Principals are located, including due to: (a) hosting or infrastructure locations; (b) support and maintenance access; and/or (c) Subprocessors engaged under Clause 10.
  • Standard Contractual Clauses; UK Addendum (Deemed Incorporated).
      • EEA Transfers. To the extent Encatch Processes Personal Data subject to the GDPR and such Processing involves a transfer of that Personal Data to a country that is not subject to an adequacy decision under applicable law, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (the “EU SCCs”) are incorporated by reference into this DPA and are deemed entered into by the Parties, and will apply automatically to the relevant transfer(s), as follows: (i) where Customer is a Controller and Encatch is a Processor, Module Two (Controller to Processor) applies; and (ii) where Customer is a Processor and Encatch is a Processor, Module Three (Processor to Processor) applies, in each case as further completed in Annex 4.
      • UK Transfers. To the extent Encatch Processes Personal Data subject to UK GDPR and such Processing involves a restricted transfer, the UK Addendum to the EU SCCs (the “UK Addendum”) is incorporated by reference into this DPA and is deemed entered into by the Parties, and will apply automatically to the relevant transfer(s), as further completed in Annex 4.
      • Order of Precedence. If there is any conflict or inconsistency between the EU SCCs / UK Addendum and this DPA, the EU SCCs / UK Addendum (as applicable) will prevail solely to the extent of that conflict for the relevant transfer(s). Otherwise, this DPA remains in full force and effect.
      • Operationalization. The Parties agree that the information required to complete the Annexes to the EU SCCs / UK Addendum is set out in Annex 4 to this DPA, and that Customer’s acceptance of this DPA (including by clickwrap or electronic acceptance) constitutes Customer’s execution of the EU SCCs and/or UK Addendum (as applicable) to the extent they apply.
  • Other international transfers (including DPDP Act). Where Encatch Processes Personal Data subject to Applicable Data Protection Laws other than GDPR/UK GDPR (including the Digital Personal Data Protection Act, 2023 (India), where applicable) and such Processing involves cross-border transfers, the Parties will comply with any applicable cross-border transfer requirements under such laws, including implementing any lawful transfer mechanism or safeguards required under those laws, to the extent applicable.
  • Deemed / Documented Instructions for Feature-Driven Transfers (Including AI). Customer’s configuration and use of the Service (including use of any AI Features) constitutes Customer’s documented instruction for Encatch and its Subprocessors to Process and, where applicable, transfer AI Inputs and other Customer Data submitted for such features in the jurisdictions where the relevant Subprocessors operate, subject to any transfer safeguards required by Applicable Data Protection Law.
  • Customer Responsibilities. Customer is responsible for assessing and ensuring that its own instructions, configuration, and use of the Service (including enabling integrations, selecting data fields/prompts, submitting identifiers, and using AI Features) comply with Applicable Data Protection Law, including any restrictions or conditions relating to cross-border transfers that apply to Customer as Controller / Data Fiduciary.

AI PROCESSING (PROCESSOR-SIDE)

  • Scope. To the extent Encatch Processes Personal Data as a Processor through or in connection with AI Features (as defined in the Agreement) and AI Inputs (as defined in Encatch’s Privacy Policy), such Processing is subject to this Clause 12 and the other terms of this DPA.
  • No Training by Encatch. Encatch will not use Personal Data Processed under this DPA (including AI Inputs to the extent they constitute Personal Data) to train, fine-tune, or improve Encatch’s models, except where Customer has expressly agreed in writing.
  • Third-Party AI Providers. Where Encatch uses Subprocessors (including AI model providers) to provide AI Features, Encatch will (a) contractually restrict such Subprocessors to Processing Personal Data only as necessary to provide the AI Features and related support, and (b) where available, use provider settings and/or contractual terms intended to restrict the Subprocessor’s use of Customer Data for model training or improvement.
  • Customer Control Posture. Customer controls what Customer Data (if any) is submitted, routed, or otherwise made available for AI-assisted Processing within the Service through Customer’s configuration and use of the Service (including workflows, integrations, prompts/fields, identifiers, attachment settings, and user permissions). Customer is responsible for ensuring that its configuration and use of AI Features complies with Applicable Data Protection Law, including providing required notices and obtaining required consents/authorizations.
  • Outputs and Responsibility. Customer acknowledges that AI Features may generate outputs based on AI Inputs and other data made available through Customer’s configuration and use of the Service. Customer remains responsible for reviewing outputs for accuracy, appropriateness, and compliance with Applicable Data Protection Law and Customer’s obligations to Data Subjects / Data Principals.

RETENTION, DELETION, AND RETURN

  • Termination; Deletion Requests. Upon termination or expiry of the Agreement, and subject to Customer’s documented instructions, Encatch will (within a reasonable period) delete or return Customer Data containing Personal Data Processed under this DPA, except to the extent Encatch is permitted or required to retain such data under the Agreement, the Privacy Policy, this DPA, Applicable Data Protection Law, or legal hold.
  • Post-Termination Retention (Customer Data). During the term of the Agreement, retention of Customer Data containing Personal Data within the Service follows Customer’s documented instructions and configuration choices, including any Plan-based retention settings permitted under the Agreement. Following termination or expiration of the Agreement, Encatch may retain Customer Data for up to sixty (60) days (or such other period expressly permitted under the Agreement and/or Privacy Policy) to allow Customer to export or retrieve Customer Data, after which Encatch will delete or de-identify Customer Data from active systems in accordance with its standard deletion practices, subject to Clause 13.3 (Backups) and Clause 13.5 (Legal Hold and Residual Retention). For clarity, this Clause 13 applies only to Customer Data to the extent it constitutes Personal Data and is Processed by Encatch as a Processor under this DPA.
  • Backups. Customer Data containing Personal Data Processed under this DPA that is deleted from active systems may remain in backups for up to forty-five (45) days, after which it will be deleted in accordance with Encatch’s backup deletion cycles, except to the extent required by Applicable Data Protection Law or legal hold.
  • Operational Logs (Including AI Invocation Logs). Customer acknowledges that Encatch may generate and retain operational logs for security, auditing, troubleshooting, fraud prevention, and service integrity. To the extent such logs contain Personal Data Processed under this DPA:
  • Encatch will generally discard such log data from active records within approximately one (1) month; and
  • such log data may remain in backups for up to ninety (90) days, in each case subject to Clause 13.5 and Applicable Data Protection Law.
  • Legal Hold and Residual Retention. Notwithstanding the foregoing, Encatch may retain Personal Data to the extent required by Applicable Data Protection Law or a valid legal process, or as necessary to establish, exercise, or defend legal claims, and will isolate and protect such retained data from further Processing except as required for the applicable legal purpose.
  • Deletion Method; Residual Copies. Deletion under this Clause 13 means rendering Personal Data irretrievable from active systems in accordance with Encatch’s standard deletion practices, and does not require deletion from backups until completion of the applicable backup purge cycle described above. Encatch is not required to delete residual copies of Personal Data from archives or disaster recovery systems earlier than those cycles, provided such data is not accessed or used except for restoration/testing, legal compliance, or security purposes.
  • Deletion of Sensitive Data. If Customer becomes aware that Sensitive Data has been submitted through the Service in breach of Clause 4.6, Customer will promptly notify Encatch. Encatch will use commercially reasonable efforts to assist Customer in deleting such Sensitive Data from active systems, subject to the technical limitations of the Service and backup deletion cycles, and subject to Applicable Data Protection Law and legal hold.
  • Certification (On Request). On Customer’s reasonable written request and only where required by the Applicable Data Protection Law, Encatch will provide a written confirmation that deletion and/or return under this Clause 13 has been completed in accordance with this DPA, subject to reasonable confidentiality and security restrictions.

AUDIT / COMPLIANCE DEMONSTRATION

  • Compliance Information. Upon Customer’s reasonable written request, Encatch will make available to Customer information reasonably necessary to demonstrate Encatch’s compliance with this DPA with respect to Processor-side Processing, which may include: (a) written responses to reasonable security and privacy questionnaires; (b) summaries of Encatch’s Security Measures and policies relevant to Processor-side Processing; and (c) where available, independent audit reports, attestations, or certifications (if any), in each case subject to confidentiality restrictions and appropriate redactions.
  • Audit Rights; Conditions. To the extent required by Applicable Data Protection Law, Customer (or an independent third-party auditor appointed by Customer) may conduct an audit of Encatch’s Processor-side Processing under this DPA, subject to all of the following conditions:
  • Scope. The audit must be limited to Processor-side Processing of Personal Data under this DPA and must not unreasonably interfere with Encatch’s business or compromise the security of other customers’ data or Encatch systems.
  • Notice and Timing. Customer must provide at least thirty (30) days’ prior written notice (unless a shorter period is required by Applicable Data Protection Law or a competent supervisory authority), and audits will be conducted during normal business hours.
  • Frequency. No more than one (1) audit in any twelve (12) month period, unless (i) required by Applicable Data Protection Law; or (ii) a confirmed Personal Data Breach has occurred and the audit is limited to matters reasonably related to that breach.
  • Auditor Requirements. Any third-party auditor must be independent, bound by confidentiality obligations no less protective than those in the Agreement/DPA, and must not be a competitor of Encatch.
  • Confidentiality and Security. Audit activities and results are Confidential Information. Encatch may require reasonable security controls for the audit, including access limitations, identity verification, and restrictions on copying, scanning, or recording.
  • Costs. Customer will bear its own audit costs and will reimburse Encatch for reasonable time and expenses incurred in supporting the audit (including for personnel time), except to the extent Applicable Data Protection Law requires otherwise.
  • Alternative to On-Site Audits. Before conducting any on-site audit, Customer will first use the mechanisms in Clause 14.1 (documentation, security summaries, written responses, and available third-party reports). Where those mechanisms reasonably demonstrate compliance, Customer will not require an on-site audit.
  • Supervisory Authority Requests. Nothing in this Clause 14 limits Encatch’s ability to cooperate with a competent supervisory authority or regulator. Where Encatch is legally permitted, Encatch will notify Customer of any supervisory authority audit or request relating specifically to Customer’s Processor-side Processing under this DPA.

LIABILITY; RELATIONSHIP TO AGREEMENT

  • Relationship to Agreement; No Expansion. This DPA is subject to the Agreement. Nothing in this DPA: (a) expands Encatch’s obligations beyond the scope of the Service, Customer’s documented instructions, and Applicable Data Protection Law; or (b) creates any obligation for Encatch to provide features, configurations, routing, or alternative providers beyond what is provided under the Service and the Agreement, unless expressly agreed in writing.
  • Liability Limits Apply. To the maximum extent permitted by Applicable Data Protection Law, all claims, damages, liabilities, costs, and expenses arising out of or relating to this DPA (including any Personal Data Breach or other claim relating to Processor-side Processing under this DPA) are subject to the exclusions, limitations of liability, and caps set out in the Agreement, unless an Enterprise Agreement / Order Form expressly overrides those limitations for the Customer.
  • No DPA “Backdoor”. Customer agrees that this DPA does not create any separate or additional right to recover damages, compensation, or other remedies beyond those available under the Agreement. For clarity, Customer may not avoid or circumvent the liability limitations in the Agreement by bringing a claim under this DPA.
  • Allocation of Responsibility. Customer remains responsible for: (a) the lawfulness of its instructions and configuration; (b) providing required notices and obtaining required consents/authorizations; and (c) Customer-controlled systems, integrations, SDK/API implementations, and end-user collection points. Encatch is responsible for implementing and maintaining the Security Measures and meeting its Processor obligations under this DPA to the extent applicable to Processor-side Processing.
  • No Limitation Where Prohibited. Nothing in this DPA limits liability to the extent such limitation is prohibited by Applicable Data Protection Law.

GENERAL

  • Governing Law; Venue. This DPA is governed by, and will be interpreted in accordance with, the governing law and dispute resolution provisions set out in the Agreement.
  • Notices. Notices under this DPA will be given in accordance with the notices provisions in the Agreement.
  • Assignment. This DPA may not be assigned except as permitted under the Agreement. Any permitted assignment of the Agreement will include assignment of this DPA.
  • Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect, and the parties will substitute a valid and enforceable provision that most closely reflects the original intent.
  • Survival. Clauses that by their nature should survive termination or expiry of the Agreement (including Clauses 10–16 and any provisions relating to confidentiality, security, retention/deletion, audit, liability, and interpretation) will survive.
  • Acceptance; Electronic Assent. This DPA is incorporated into the Agreement and becomes binding on Customer when: (a) Customer (or an Authorized User acting on Customer’s behalf) clicks to accept the Agreement (or an Order Form / Enterprise Agreement that incorporates this DPA); (b) Customer accesses or uses the Service in a manner that indicates acceptance of the Agreement; or (c) the parties otherwise agree in writing that this DPA applies. Where this DPA applies, Customer’s continued access to or use of the Service after any update to this DPA constitutes acceptance of the updated DPA as of its effective date, subject to the Agreement’s modification and notice terms.
  • Entire Agreement (Processor-Side). This DPA, together with the Agreement and the Privacy Policy (as applicable), constitutes the entire agreement between the parties with respect to Processor-side Processing of Personal Data covered by this DPA, and supersedes any prior or contemporaneous understandings on that subject matter.

ANNEX 1 DETAILS OF PROCESSING

This Annex 1 forms part of the Encatch Data Processing Addendum (DPA) and describes the Processing of Personal Data by Encatch as a Processor on behalf of Customer in connection with the Service.

  • Subject Matter of Processing. Encatch’s provision of the Service to Customer under the Agreement, only to the extent Encatch Processes Personal Data as a Processor on Customer’s documented instructions (as described in Clause 5) and such Processing constitutes Processor-side Processing covered by the DPA.
  • Duration of Processing. Processing will continue for the term of the Agreement and, where applicable, for any post-termination retention, deletion, backup, or export periods permitted under the Agreement, the DPA (including the Retention/Deletion clause), and the Privacy Policy, subject to Applicable Data Protection Law and legal hold requirements.
  • Nature and Purpose of Processing
  • The nature and purpose of Processing is to host, store, transmit, organize, analyze, route, tag, troubleshoot, and otherwise Process Personal Data as necessary to provide, maintain, secure, and support the Service in accordance with Customer’s configuration and documented instructions.
  • This may include the generation of analytics, dashboards, automations, and (where invoked through Customer’s configuration and use of the Service) AI-assisted outputs, in each case as described in the Agreement and Privacy Policy and limited to Processor-side Processing under the DPA.
  • Categories of Data Subjects. Personal Data Processed under the DPA may relate to:
  • Customer End Users;
  • Customer’s Authorized Users (as defined in the Agreement); and
  • other individuals whose Personal Data is included in Customer Data submitted to the Service, in each case to the extent such data constitutes Personal Data and is Processed by Encatch as a Processor.
  • Categories of Personal Data. Depending on Customer’s configuration and the Customer Data submitted to the Service, Personal Data Processed may include:
  • Customer End-User Feedback Data (including survey responses, ratings, selections, free-text inputs, bug reports, and similar submissions);
  • Customer End User Identifiers (such as user IDs, email addresses, phone numbers, or hashed identifiers) and related workspace/project identifiers;
  • metadata associated with submissions and events (including timestamps, device/app/session context, and similar properties to the extent enabled by Customer); and
  • attachments or files submitted through feedback flows, if enabled by Customer, in each case, to the extent such data constitutes Personal Data and is Processed by Encatch as a Processor under the DPA.
  • Sensitive Data. Customer will not submit (and will not permit Customer End Users or Authorized Users to submit) Sensitive Data through the Service. Encatch does not monitor or filter Customer Data for Sensitive Data. If Customer anticipates that Sensitive Data may be Processed, Customer must notify Encatch and any such Processing (if any) will be subject to Applicable Data Protection Law and any additional written agreement between the parties, in each case only to the extent such Processing constitutes Processor-side Processing covered by the DPA.
  • Processing Locations and Transfers. Processing may be carried out by Encatch and its authorized Subprocessors in jurisdictions in which they operate, in each case in accordance with Clause 11 (International Transfers), the safeguards described in the DPA, and Applicable Data Protection Law.

ANNEX 2 SECURITY MEASURES (TECHNICAL AND ORGANISATIONAL MEASURES)

This Annex 2 forms part of the Encatch Data Processing Addendum (DPA) and describes Encatch’s technical and organisational measures (“Security Measures”) designed to protect Personal Data Processed under the DPA against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These Security Measures reflect Encatch’s current practices as of the Effective Date and may be updated from time to time in accordance with Clause 8.4 of the DPA, provided that updates do not materially reduce the overall level of protection for Personal Data Processed under the DPA.

  • Information Security Governance
  • Encatch maintains internal security policies and procedures designed to address confidentiality, integrity, and availability of systems and data.
  • Access to Personal Data is limited to personnel with a legitimate business need, subject to role-based access controls and least-privilege principles.
  • Encatch maintains an incident response process for detection, investigation, containment, remediation, and post-incident review of security incidents.
  • Access Controls and Authentication
  • Administrative access to systems that Process Personal Data is restricted to authorized personnel only.
  • Strong authentication controls are implemented for privileged access (for example, multi-factor authentication where supported).
  • Logical access is managed through role-based access control and access provisioning/deprovisioning processes.
  • Access rights are reviewed periodically and adjusted as needed based on role changes and operational needs.
  • Encryption and Key Management
  • Personal Data is protected in transit using industry-standard encryption protocols (for example, TLS).
  • Personal Data stored in production systems is protected using encryption at rest where appropriate to the risk and architecture.
  • Encryption keys are managed using reasonable security controls to limit access and reduce risk of unauthorized disclosure.
  • Network Security and Perimeter Controls
  • Encatch uses network security controls appropriate to the Service architecture (for example, firewalling, security groups, and segmentation where applicable).
  • Administrative interfaces and sensitive endpoints are restricted and protected against unauthorized access.
  • Remote administrative access (where used) is protected using secure methods and access restrictions.
  • Logging, Monitoring, and Detection
  • Encatch maintains logging for key security-relevant events to support troubleshooting, auditing, and incident response.
  • Monitoring controls are used to detect anomalous behavior and security events where reasonable for the Service.
  • Logs are protected from unauthorized access and modification and retained in accordance with the DPA’s Retention/Deletion provisions where applicable.
  • Vulnerability Management and Patching
  • Encatch maintains processes to identify and remediate security vulnerabilities in systems used to provide the Service.
  • Patches and updates are applied on a risk-based basis, taking into account severity and operational impact.
  • Encatch uses reasonable practices to reduce exposure to known vulnerabilities, consistent with industry norms for SaaS services.
  • Secure Development and Change Management
  • Encatch maintains development and change management practices intended to support secure software delivery (for example, peer review or approvals for material changes, environment separation where applicable).
  • Production deployments are controlled and restricted to authorized personnel.
  • Where appropriate, Encatch uses testing and validation practices to reduce the risk of introducing security regressions.
  • Data Segregation and Tenant Controls
  • Encatch maintains logical controls designed to prevent unauthorized access across customer workspaces/tenants.
  • Access to customer environments is restricted based on authorization and operational need.
  • Backup, Recovery, and Resilience
  • Encatch maintains backup and recovery practices intended to support availability and restore data after certain operational failures, consistent with the Service architecture.
  • Backup retention and purge cycles are handled in accordance with the DPA’s Retention/Deletion clause and operational constraints.
  • Physical and Environmental Security
  • Where Encatch uses third-party hosting or cloud infrastructure providers, physical and environmental security controls are provided by those providers within their managed facilities.
  • Encatch limits physical access to any Encatch-controlled work environments used to access production systems through reasonable controls.
  • Personnel Security and Confidentiality
  • Encatch ensures personnel with access to Personal Data are subject to confidentiality obligations (contractual or statutory).
  • Encatch uses reasonable onboarding and offboarding procedures to manage access to systems and data.
  • Security awareness practices are implemented in a manner appropriate to personnel roles and responsibilities.
  • Subprocessor Security Flow-Down. Where Encatch engages Subprocessors to Process Personal Data, Encatch requires Subprocessors to implement security measures that are no less protective than those set out in the DPA, to the extent applicable to their Processing.
  • Customer Responsibilities (Shared Security). Customer acknowledges that security is a shared responsibility. Customer is responsible for implementing and maintaining appropriate security measures on its side, including securing Authorized User credentials, endpoint devices, integrations, SDK/API implementations, and end-user collection points, and for configuring the Service to minimize risk (including avoiding collection of Sensitive Data).
  • Limitations. These Security Measures are designed to reduce risk, but no system can be guaranteed to be fully secure. Encatch does not warrant or guarantee that unauthorized access, loss, or alteration will never occur.

ANNEX 3 SUBPROCESSORS

This Annex 3 forms part of the Encatch Data Processing Addendum (DPA) and identifies Subprocessors authorised to Process Personal Data on behalf of Customer under the DPA.

  • Subprocessor List Available on Request. Encatch maintains a list of its then-current Subprocessors authorised to Process Personal Data under the DPA (including, where applicable, categories of Subprocessors and the nature/purpose of their Processing). Encatch will make the then-current Subprocessor list available to Customer on request.
  • How to Request the List. Customer may request the then-current Subprocessor list by contacting: privacy@encatch.com
  • Updates. Encatch may update its Subprocessors from time to time in accordance with the DPA (including Clause 10). Where required under the DPA and/or Applicable Data Protection Law, Encatch will provide notice of material Subprocessor changes and permit objections in accordance with Clause 10.4 of the DPA.

ANNEX 4 INTERNATIONAL TRANSFERS (EU SCCs & UK ADDENDUM)

This Annex 4 forms part of the Encatch Data Processing Addendum (“DPA”). It describes the transfer safeguards that apply where required for Restricted Transfers under Applicable Data Protection Laws.

  • Incorporation and deemed execution
  • Incorporation by reference. Where required for a Restricted Transfer, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (“EU SCCs”) and, where applicable, the UK Addendum to the EU SCCs (“UK Addendum”) are incorporated into this DPA by reference and are deemed entered into by the Parties solely for the relevant Restricted Transfer(s).
  • Deemed signature / clickwrap. Customer’s acceptance of the DPA (including by clickwrap or electronic acceptance) is deemed to constitute Customer’s execution of the EU SCCs and/or the UK Addendum (as applicable), without requiring any separate signature.
  • Exporter identity. For purposes of the EU SCCs/UK Addendum, the data exporter is Customer as identified in the Customer account, Order Form, or other ordering record associated with Customer’s use of the Service.
  • Importer identity. The data importer is: Phyder Mobile Solutions Pvt. Ltd. (Encatch).
  • Precedence (transfer-only). If there is a conflict between the EU SCCs/UK Addendum and this DPA, the EU SCCs/UK Addendum will prevail solely to the extent required for the relevant transfer(s). Otherwise, this DPA remains in effect.
  • EU SCCs (2021/914) — Completion Information
  • Module selection.
  • Default: Module Two (Controller → Processor) applies where Customer is a Controller and Encatch is a Processor.
  • Alternative: Module Three (Processor → Processor) applies where Customer is a Processor and Encatch is a Processor.
  • Rule: Module Two applies unless Customer is acting as a Processor for another Controller in respect of the Personal Data being transferred, in which case Module Three applies.
  • Parties (Appendix I.A).
  • Data Exporter: Customer (as identified under Section 1.3). Contact details: Customer’s primary account administrator email as on file (or as otherwise provided in the Order Form/account).
  • Data Importer: Phyder Mobile Solutions Pvt. Ltd. (Encatch). Address: 412/413, 4th Floor, Palmspring (Above Croma), Link Road, Malad West, Mumbai City, Mumbai, Maharashtra, India, 400064. Contact: privacy@encatch.com
  • Description of transfer (Appendix I.B).
  • Categories of data subjects: Customer End Users; Customer account administrators and authorized users (as applicable).
  • Categories of Personal Data: Customer End User Identifiers (as provided/configured by Customer); feedback/survey responses and related content (to the extent it contains Personal Data); device/browser metadata, IP address (where applicable), timestamps, and usage/activity signals required to operate the Service/SDK; workspace/project identifiers and configuration metadata (where applicable).
  • Special categories of data: Not intended as a standard feature; if processed, only to the extent submitted by Customer and as permitted by Applicable Law.
  • Frequency of transfer: Continuous or intermittent, depending on Customer implementation and use of the Service/SDK.
  • Nature of processing: Collection, transmission, hosting, storage, retrieval, use, disclosure to Subprocessors, and deletion, as necessary to provide the Service.
  • Purpose(s): Provide and operate the Service and SDK functionality; security, fraud/abuse prevention, reliability, diagnostics, and performance monitoring; Customer support/troubleshooting (as applicable); analytics/diagnostics where enabled and permitted by Applicable Law.
  • Retention: As described in the DPA/Terms of Service and Customer’s documented instructions (Processor-side), subject to applicable legal requirements.
  • Supervisory authority (Appendix I.C). The competent supervisory authority is determined under GDPR rules based on Customer’s establishment and the circumstances of the Processing.
  • Technical and organisational measures (Appendix II). Appendix II is satisfied by Annex 2 (Security Measures) to this DPA, incorporated by reference.
  • Subprocessors (Appendix III). Appendix III is satisfied by Annex 3 (Subprocessors) to this DPA, incorporated by reference.
  • UK Addendum — Completion Information (UK GDPR)
  • Parties. Same exporter/importer as Section 2.2.
  • Which agreement the Addendum is appended to. The EU SCCs (2021/914), as incorporated by reference under this Annex 4.
  • Effective date. The effective date is the date Customer accepts the DPA (including via clickwrap), unless otherwise stated in an Order Form.
  • Appendices. The UK Addendum tables/appendices are completed by reference to: (i) Appendix I.B in Section 2.3 above; (ii) Annex 2 (Security Measures); and (iii) Annex 3 (Subprocessors).
  • Governing law and jurisdiction (for the Addendum). As required under the UK Addendum framework for UK restricted transfers; otherwise, the governing law and dispute provisions of the Terms of Service continue to apply to the remainder of the relationship.
  • Availability of SCC text (self-serve links). The full text of (i) the EU SCCs (2021/914) and (ii) the UK Addendum is available at the following links and is incorporated by reference into this DPA as described above:
  • EU SCCs (2021/914): [insert direct PDF link hosted by Encatch]
  • UK Addendum: [insert direct PDF link hosted by Encatch]