This Data Processing Agreement ("DPA") supplements the Terms of Service between Cabbge ("Processor") and the customer identified in the active subscription ("Controller" or "you"). It governs the processing of personal data that Controller submits to the Cabbge Service.
By subscribing to Cabbge, Controller accepts this DPA. Enterprise customers requiring a signed counterpart with negotiated terms may request one from legal@cabbge.com.
1. Definitions
Terms in initial capitals have the meanings set out in India's Digital Personal Data Protection Act 2023 ("DPDP Act") or, where relevant, equivalent concepts under GDPR. "Personal Data", "Processing", "Data Fiduciary", and "Data Processor" have the meanings given in the DPDP Act.
2. Subject Matter, Nature, and Purpose
Subject matter: Cabbge processes personal data on Controller's behalf solely to provide the Service as described in the Terms.
Nature of processing: storage, retrieval, analysis, use for machine-learning inference, transmission to sub-processors, and production of derivative outputs (scan results, audits, generated content).
Purpose: to deliver the features of the Service — AI visibility analysis, mention tracking, off-domain coverage checks, content generation, and related services.
Duration: for the period of the subscription, plus a 30-day post-termination export window, plus any legally mandated retention.
3. Types of Personal Data and Data Subjects
Categories of data subjects include:
- Controller's own employees and contractors who use the Service (e.g. name, work email, role).
- Individuals referenced incidentally in Controller-provided content (e.g. a brand voice document that mentions a spokesperson).
Types of personal data processed:
- Contact identifiers (name, work email, phone).
- Employment information (company, job title).
- Account and session data.
- Any personal data Controller voluntarily uploads inside project descriptions, brand context, or generated content.
Cabbge does not process sensitive personal data in the ordinary course. Controller must not upload special-category data (health, biometric, payment-card, government ID, etc.) unless a separate, signed, written agreement specifies terms.
4. Obligations of Cabbge (Processor)
Cabbge undertakes to:
- Process personal data only on documented instructions from Controller, including those set out in the Terms and this DPA.
- Ensure persons authorised to process personal data have committed to confidentiality.
- Implement appropriate technical and organisational security measures as set out in Section 8.
- Respect the sub-processor conditions set out in Section 5.
- Assist Controller in responding to data-subject rights requests under the DPDP Act.
- Assist Controller with data-protection impact assessments and consultations with regulators, where applicable.
- Delete or return personal data at Controller's choice at the end of provision of services, subject to legal retention requirements.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
5. Sub-Processors
Controller grants general written authorisation for Cabbge to engage the sub-processors listed in the Privacy Policy. Cabbge will:
- Impose data-protection obligations on each sub-processor that are at least as protective as those in this DPA.
- Remain responsible for a sub-processor's performance.
- Give at least 30 days' notice before adding or replacing a sub-processor.
If Controller reasonably objects to a new sub-processor within 30 days, Cabbge will either address the concern or allow Controller to terminate the affected portion of the subscription without penalty.
6. Cross-Border Transfers
Some sub-processors operate outside India. Transfers rely on the provider's published transfer safeguards (e.g. Standard Contractual Clauses) and on Cabbge's commercial contracts with those providers. Controller authorises these transfers for the purpose of operating the Service.
7. Data-Subject Rights
If Cabbge receives a rights request (access, correction, erasure, nomination) directly from a data subject whose personal data we process on Controller's behalf, we will forward it to Controller without undue delay and assist Controller in responding. Cabbge does not respond to such requests directly without Controller's instruction, except where required by law.
8. Security Measures
Cabbge implements, at a minimum, the following technical and organisational measures:
- Transport security: TLS 1.2+ for all API and browser traffic.
- At-rest encryption: AES-256 by default through our database and object-storage sub-processors.
- Access control: role-based access for team members; production data accessible only to personnel with a documented need; all access logged.
- Row-level security: customer data is logically isolated per owner; queries enforce tenant boundaries.
- Secrets management: API keys and credentials stored only in hosted environment-variable stores; never committed to source control.
- Change management: code changes reviewed before merge; deploys logged via Vercel.
- Dependency hygiene: third-party libraries reviewed against published vulnerability feeds.
- Incident response: breach notification workflow capable of meeting DPDP Act timelines.
- Backups: managed by our database sub-processor; restorable on request.
9. Personal-Data Breach
Cabbge will notify Controller of a personal-data breach affecting Controller's personal data without undue delay, and within 72 hours of confirmation wherever practicable. Notification will include, to the extent known: the nature of the breach; the categories and approximate number of records affected; the likely consequences; and the measures taken or proposed in response.
10. Audit Rights
On written request with reasonable notice, and no more than once per calendar year (except where required by a regulator or following a breach), Controller may audit Cabbge's compliance with this DPA. Cabbge will respond to audit questionnaires, make available relevant policies, and provide commercially reasonable evidence of its security controls.
On-site audits are at Controller's expense, require 30 days' advance notice, must avoid disruption to Cabbge's other customers, and must respect the confidentiality of third-party information.
11. Deletion and Return
On termination of the subscription, Cabbge will make Customer Data available for export for 30 days. After that period, Cabbge will delete Customer Data from active systems within a further 30 days. Residual copies in backups are retained per sub-processor backup cycles (typically 30-90 days) and are then rotated out.
Aggregated, anonymised data that cannot identify a data subject or Controller may be retained indefinitely for service improvement.
12. Liability
Liability under this DPA is capped and allocated as set out in the Terms of Service. Controller remains responsible for the lawfulness of the personal data it provides and for obtaining any required consents from data subjects.
13. Conflict
In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data.
14. Governing Law
This DPA is governed by the laws of India and subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka.
15. Requesting a Signed Counterpart
Enterprise customers may request a physically or electronically signed counterpart of this DPA, including any necessary custom provisions, by emailing legal@cabbge.com. We aim to return executed DPAs within five business days.