Data Processing Addendum
Effective Date: 12-03-2025
Last Updated: 28-07-2025
1. Introduction and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Work Invigilator ("Processor," "Company," "we") and the subscribing organization ("Controller," "Client," "you") for the provision of employee monitoring services ("Services").
This DPA applies to the Processing of Personal Data within the scope of:
- The EU General Data Protection Regulation 2016/679 ("GDPR")
- The Digital Personal Data Protection Act, 2023 ("DPDP Act") (India)
- UK GDPR and Data Protection Act 2018 (UK)
- Applicable state privacy laws (CCPA, CPRA, CDPA, etc.)
This DPA prevails over any conflicting provisions in the Terms of Service regarding data processing.
2. Definitions
Terms used in this DPA have the meanings defined below or in the applicable Data Protection Laws:
- "Controller" means Client, who determines the purposes and means of Processing Personal Data.
- "Data Protection Laws" means GDPR, DPDP Act, and all applicable data protection, privacy, and security laws.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (monitored employees).
- "Personal Data" means any information relating to an identified or identifiable Data Subject collected through the Services, including screenshots, audio presence data, productivity metrics, and metadata.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, use, disclosure, deletion, or destruction.
- "Processor" means Company, who Processes Personal Data on behalf of Controller.
- "Sub-processor" means any third party engaged by Company to Process Personal Data.
- "Standard Contractual Clauses" (SCCs) means the European Commission's approved contractual clauses for international data transfers.
3. Roles and Responsibilities
3.1 Controller Responsibilities
Controller shall:
- Determine the purposes and means of Processing Personal Data through the Services
- Ensure lawful basis for Processing under applicable Data Protection Laws (consent, legitimate interest, or contractual necessity)
- Provide clear notice to Data Subjects about monitoring activities
- Obtain all necessary consents from Data Subjects where legally required
- Ensure Processing instructions comply with Data Protection Laws
- Conduct Data Protection Impact Assessments (DPIAs) where required
- Respond to Data Subject rights requests (with Processor's assistance)
- Maintain records of Processing activities as required by law
3.2 Processor Responsibilities
Processor shall:
- Process Personal Data only on documented instructions from Controller (including transfers outside the EEA/India)
- Ensure personnel authorized to Process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Engage Sub-processors only with Controller's authorization
- Assist Controller in responding to Data Subject rights requests
- Assist Controller with DPIAs and consultations with supervisory authorities
- Delete or return Personal Data upon termination (at Controller's choice)
- Make available all information necessary to demonstrate compliance
Processor shall immediately inform Controller if instructions violate Data Protection Laws.
4. Details of Processing (Annex 1)
4.1 Subject Matter and Duration
Subject Matter: Provision of employee monitoring services through microphone presence detection, screenshot capture, and AI productivity scoring.
Duration: For the term of the subscription agreement, plus data retention periods specified in the Terms of Service.
4.2 Nature and Purpose of Processing
Nature: Automated collection, storage, analysis, and reporting of employee activity data during work hours.
Purpose: Workforce productivity verification, performance management, time tracking, and compliance auditing for Controller's legitimate business interests.
4.3 Types of Personal Data
Personal Data categories processed include:
- Identity Data: Employee name, ID, email address, department, role
- Technical Data: Device identifiers, IP addresses, operating system, browser type
- Activity Data: Screenshots with timestamps, application usage, URL visits
- Audio Data: Microphone presence indicators, voice activity detection metadata
- Performance Data: AI-generated productivity scores, focus time, idle time
- Location Data: IP-based approximate location, timezone
- Special Categories: Audio streams may incidentally capture health information or other sensitive data.
4.4 Categories of Data Subjects
- Controller's employees
- Contractors and temporary workers
- Remote and hybrid workers subject to monitoring
4.5 Processing Operations
- Collection via browser extension and desktop software
- Storage in encrypted cloud databases
- Analysis through AI/ML algorithms
- Visualization in admin dashboards
- Export to CSV/JSON formats
- Deletion after retention periods
5. Controller Instructions
5.1 Authorized Instructions
Processor shall Process Personal Data only based on Controller's documented instructions, which include:
- Use of the Services in accordance with Terms of Service and Documentation
- Configuration settings selected by Controller in the admin dashboard
- Data export, deletion, or retention requests submitted through proper channels
5.2 Instruction Limitations
If Processor believes an instruction violates Data Protection Laws, Processor shall:
- Immediately inform Controller of the concern
- Suspend execution of the instruction until Controller confirms or modifies it
- Not be liable for violations resulting from Controller's confirmed instructions
5.3 Legal Obligations
If Processor is required by law to Process Personal Data beyond Controller's instructions, Processor shall:
- Inform Controller before Processing (unless legally prohibited)
- Document the legal requirement
- Limit Processing to what is strictly necessary
6. Security Measures
6.1 Technical and Organizational Measures
Processor implements appropriate security measures to protect Personal Data:
Technical Measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with multi-factor authentication
- Automated security monitoring and intrusion detection
- Regular vulnerability assessments and penetration testing
- Secure software development lifecycle practices
- Audit logging of all admin actions
- Network segmentation and firewall protection
Organizational Measures:
- Documented information security policies and procedures
- Employee background checks and confidentiality agreements
- Regular security awareness training
- Incident response and business continuity plans
- Vendor security assessments for Sub-processors
- Annual third-party security audits
6.2 Security Standards
Processor maintains security controls consistent with industry best practices, including:
- OWASP Top 10 mitigation for web applications
- Secure software development lifecycle and code review
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
6.3 Security Updates
Processor shall review and update security measures regularly to account for technological developments and emerging threats.
7. Sub-processors
7.1 Authorization to Use Sub-processors
Controller hereby provides general authorization for Processor to engage Sub-processors to fulfill Processor's obligations under this DPA.
7.2 Current Sub-processors
Processor currently engages the following Sub-processors:
| Sub-processor | Service | Location | Purpose |
|---|---|---|---|
| Cloudflare, Inc. | Web hosting and CDN | USA/Global | Platform hosting and content delivery |
| Amazon Web Services (AWS) | Cloud infrastructure | USA/EU/India regions | Data storage and computing |
| Stripe, Inc. | Payment processing | USA | Billing and subscription management |
| Razorpay | Payment processing | India | India-based payment processing |
| [Email Provider] | Transactional email | [Location] | Service notifications |
7.3 Sub-processor Changes
Processor shall notify Controller of any intended changes (addition or replacement of Sub-processors) at least 30 days in advance via email to the Controller's registered account.
Controller may object to new Sub-processors within 14 days of notification. If Controller objects on reasonable data protection grounds, parties shall work in good faith to resolve concerns. If no resolution is reached, Controller may terminate the affected Services and receive a pro-rata refund.
7.4 Sub-processor Obligations
Processor shall:
- Impose the same data protection obligations on Sub-processors as in this DPA
- Execute written agreements with Sub-processors containing Article 28(3) GDPR requirements
- Remain fully liable to Controller for Sub-processor performance
- Conduct due diligence on Sub-processor security and compliance capabilities
8. Data Subject Rights
8.1 Data Subject Requests
Processor shall, to the extent legally permitted and technically feasible, assist Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws:
- Right of Access: Provide copies of Personal Data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Delete Personal Data ("right to be forgotten")
- Right to Restriction: Limit Processing in certain circumstances
- Right to Data Portability: Provide data in machine-readable format
- Right to Object: Object to Processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent where applicable
- Right to Complain: Lodge complaints with supervisory authorities
8.2 Request Process
When Processor receives a Data Subject request:
- Processor shall not respond directly without Controller's prior written authorization
- Processor shall promptly forward the request to Controller (within 2 business days)
- Processor shall provide reasonable assistance (e.g., data exports, deletion tools) at no additional charge for standard requests
- Complex or excessive requests may incur reasonable fees based on Processor's actual costs
8.3 Assistance Tools
Processor provides Controller with self-service tools in the admin dashboard to:
- Search and export employee monitoring data
- Delete specific data records or entire employee profiles
- Generate data portability reports
- View data retention and deletion schedules
9. Data Breach Notification
9.1 Notification Obligation
Processor shall notify Controller without undue delay and in any event within 24 hours after becoming aware of a Personal Data breach affecting Controller's data.
9.2 Breach Notification Content
Notification shall include (to the extent known):
- Description of the nature of the breach (categories and approximate number of Data Subjects and records affected)
- Name and contact details of Processor's data protection officer or contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- Timeline of events and discovery
9.3 Investigation and Remediation
Processor shall:
- Investigate the breach promptly and thoroughly
- Take reasonable measures to remediate the breach and prevent recurrence
- Preserve forensic evidence in accordance with applicable laws
- Cooperate with Controller's investigation and regulatory notifications
- Provide ongoing updates as new information becomes available
9.4 Controller Responsibilities
Controller is responsible for:
- Determining whether to notify supervisory authorities (required within 72 hours under GDPR)
- Notifying affected Data Subjects where required by law
- Coordinating with regulatory authorities regarding the breach
Processor shall provide reasonable assistance with these obligations at no additional charge.
10. Data Transfers
10.1 Transfer Locations
Processor may Process and store Personal Data in the following locations:
- India: Primary data center for India-based customers
- United States: Cloud infrastructure (AWS, Cloudflare)
- European Union: Cloud infrastructure (AWS EU regions)
10.2 Transfers from EU/EEA
For transfers of Personal Data originating in the EU/EEA to countries not recognized as having adequate data protection:
Standard Contractual Clauses Apply: Processor and Controller hereby agree to be bound by the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) adopted by the European Commission on June 4, 2021, which are incorporated into this DPA by reference.
SCC Annexes:
- Annex I: Details of Processing are as specified in Section 4 above
- Annex II: Technical and Organizational Measures are as specified in Section 6 above
- Annex III: Sub-processor list as specified in Section 7 above
10.3 Transfers from India (DPDP Act)
For transfers from India under the DPDP Act:
- Processor shall only transfer Personal Data to countries not blacklisted by the Indian Central Government
- Processor shall implement appropriate safeguards equivalent to those under Indian law
- Controller consents to transfers necessary for Service delivery as described in this DPA
10.4 Supplementary Measures
Beyond SCCs, Processor implements additional safeguards for international transfers:
- End-to-end encryption for data in transit and at rest
- Data minimization and pseudonymization where feasible
- Strict access controls limiting access to authorized personnel only
- Regular security audits and compliance assessments
- Transparency reports regarding government data requests (published annually)
10.5 Government Access Requests
If Processor receives a legally binding request from government authorities to disclose Personal Data:
- Processor shall attempt to redirect the request to Controller
- Processor shall promptly notify Controller unless legally prohibited
- Processor shall challenge requests that appear unlawful or overbroad
- Processor shall limit disclosure to the minimum necessary to comply
11. Data Retention and Deletion
11.1 Retention Periods
Processor retains Personal Data as specified in the Terms of Service:
- Screenshots: 90 days (default)
- Audio presence logs: 90 days (default)
- Productivity scores: 12 months (default)
- Account/billing data: 7 years (legal requirement)
Controller may configure shorter retention periods through the admin dashboard (subject to minimum technical requirements).
11.2 Deletion Upon Termination
Upon termination or expiration of the subscription:
Controller's Choice:
- Return: Processor shall provide Controller with a complete export of Personal Data in CSV/JSON format within 30 days
- Deletion: Processor shall securely delete all Personal Data within 30 days (except as legally required to retain)
Secure Deletion: Processor uses industry-standard secure deletion methods ensuring data cannot be recovered.
Backup Deletion: Personal Data in backups shall be deleted or rendered inaccessible within 90 days of termination.
11.3 Legal Holds
If Processor is required to retain Personal Data due to legal obligations or pending litigation:
- Processor shall notify Controller of the retention requirement
- Personal Data shall be isolated and restricted from Processing except as legally required
- Personal Data shall be deleted promptly once the legal obligation expires
12. Audit Rights
12.1 Information and Audit
Processor shall make available to Controller all information necessary to demonstrate compliance with obligations under this DPA and Data Protection Laws.
12.2 Audit Procedures
Controller or its authorized auditor may conduct audits (including inspections) of Processor's Processing activities, subject to:
- Notice: Controller shall provide at least 30 days' advance notice.
- Frequency: Audits may be conducted once per calendar year, unless:
  - A Personal Data breach has occurred affecting Controller's data
  - A regulatory authority requires an audit
  - Significant changes have been made to Processor's systems or Sub-processors
- Scope: Audits shall be limited to Processor's compliance with obligations under this DPA and applicable Data Protection Laws.
- Confidentiality: Auditor shall execute Processor's standard confidentiality agreement before accessing Processor facilities or systems.
- Timing: Audits shall be conducted during regular business hours and shall not unreasonably interfere with Processor's operations.
12.3 Alternative Compliance Evidence
In lieu of on-site audits, Processor may provide:
- Third-party security audit reports (when available)
- Completed security questionnaires
- Documented security policies and procedures
- Previous audit findings and remediation evidence
Controller shall accept such alternative evidence if it reasonably demonstrates compliance.
12.4 Audit Costs
Controller bears all costs associated with audits, except:
- Processor-caused data breaches: Processor bears audit costs
- Regulatory-required audits: Costs shared equally
13. Liability and Indemnification
13.1 Allocation of Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, except:
- Liability that cannot be limited under applicable Data Protection Laws
- Violations of Data Protection Laws resulting from willful misconduct or gross negligence
- Data breaches caused by failure to implement required security measures
13.2 Chain of Liability
Under GDPR Article 82, both Controller and Processor may be held liable for damages caused by Processing:
- Each party is liable only for the portion of damage for which it is responsible
- If one party pays full damages to Data Subjects, it may seek contribution from the other party for their respective share
13.3 Regulatory Fines
If either party incurs fines or penalties from supervisory authorities due to the other party's violation of Data Protection Laws:
- The violating party shall indemnify the non-violating party for such fines
- This indemnification is subject to the procedures in Section 14 of the Terms of Service
13.4 Sub-processor Liability
Processor remains fully liable to Controller for Sub-processor performance. Controller may not pursue Sub-processors directly.
14. Data Protection Impact Assessment (DPIA)
Upon Controller's written request, Processor shall provide reasonable assistance to Controller in conducting DPIAs required under Article 35 GDPR or equivalent provisions:
- Technical documentation about Processing activities
- Security measures and data flow diagrams
- Sub-processor information and safeguards
- Risk assessment and mitigation measures
Processor Cooperation: Assistance is provided at no additional charge for the initial DPIA. Extensive or recurring assistance may incur reasonable fees.
15. Prior Consultation
If Controller's DPIA indicates high-risk Processing requiring prior consultation with supervisory authorities under Article 36 GDPR, Processor shall provide reasonable assistance:
- Supplementary information requested by authorities
- Evidence of security measures and safeguards
- Cooperation with authority inquiries
16. International Organization Exemptions
If Controller is subject to the GDPR as applied to EU institutions under Regulation (EU) 2018/1725, specific provisions may vary. Controller shall notify Processor in writing of such status.
17. Conflicting Provisions
In the event of conflict between this DPA and the Terms of Service regarding Processing of Personal Data, this DPA shall prevail.
18. Amendments
This DPA may only be amended by written agreement signed by both parties, except:
- Updates to Sub-processor list (subject to notification requirements in Section 7.3)
- Updates to Standard Contractual Clauses mandated by European Commission
- Updates required by changes in Data Protection Laws
19. Termination and Survival
This DPA shall commence on the Effective Date and continue for the duration of the Terms of Service.
Survival: Sections 6 (Security), 9 (Data Breach), 11 (Data Deletion), 13 (Liability), and 15 (Prior Consultation) shall survive termination to the extent necessary to fulfill their purpose.
20. Governing Law and Jurisdiction
This DPA shall be governed by the same law and jurisdiction as specified in the Terms of Service, except where Data Protection Laws require otherwise.
For disputes specifically related to Standard Contractual Clauses, the jurisdiction provisions in the SCCs shall apply.
