Data Processing Agreement (DPA).
GDPR Article 28 compliant DPA for all paid engagements. Below is a summary of the controlled clauses. Request the full executable PDF for your records.
Roles of the parties.
For data processed under the engagement, you (Client) act as the Data Controller and Super Intellisense Technologies Pvt. Ltd. (Super In Tech) acts as the Data Processor. The DPA governs how Super In Tech processes Personal Data on behalf of the Client.
Categories of Personal Data processed.
- Contact identifiers (name, email, phone number, postal address)
- Account credentials (where required for system integration)
- Commercial transaction data (orders, invoices, payment metadata)
- Communication content (CRM notes, support tickets, call transcripts)
- Web behaviour data (analytics events, session metadata)
- Other categories specified in individual engagement statements of work
Categories of Data Subjects.
- Client's end customers and prospects
- Client's employees authorised to access systems
- Other Data Subjects as specified per engagement
Processing purposes.
- Designing, building, and operating CRM, marketing automation, and AI agent systems
- Providing ongoing operational support, monitoring, and iteration
- Generating analytical insights for the Client
- Any additional purposes documented in the engagement SOW
Subject rights.
Super In Tech will assist the Client in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within 30 days of request. Mechanism: direct request via privacy@superintech.com or via the Client.
Security measures.
- Encryption at rest using AES-256 on all storage
- Encryption in transit using TLS 1.3 on all endpoints
- Least-privilege role-based access control with mandatory two-factor authentication
- Audit logging with 12-month retention
- Quarterly security training for all staff
- Annual penetration testing on production systems
- Documented incident response: detection within 1 hour, containment within 4 hours, notification within 24 hours
- Daily encrypted backups with 30-day retention; quarterly restore testing
International transfers.
For transfers of Personal Data from the EEA, UK, or Switzerland to non-adequate jurisdictions (including India), Super In Tech relies on the European Commission's Standard Contractual Clauses (2021) as adopted into the DPA. Additional safeguards (encryption, anonymisation, access controls) are documented per engagement.
Sub-processors.
Super In Tech uses the sub-processors listed below. Client may object to a new sub-processor within 30 days of being notified.
Current sub-processor list.
Updated quarterly. Last reviewed 2026-05-14.
| Sub-processor | Purpose | Data category | Location |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure | Encrypted data at rest | Customer-selected region (US, EU, UK, CA, IN, APAC) |
| Cloudflare | CDN and DDoS protection | Request metadata (no payload inspection) | Global edge network |
| OpenAI | Language model API | Inference inputs (zero retention via Enterprise API) | United States |
| Anthropic | Language model API | Inference inputs (zero retention via Enterprise API) | United States |
| Google Cloud / Vertex AI | Language model API | Inference inputs (zero retention configurable) | Customer-selected region |
| GoHighLevel | CRM and marketing automation platform | Customer-specific CRM data | United States |
| Twilio | SMS and voice services | Phone numbers and message content | United States |
| Stripe | Payment processing | Payment metadata (no card data stored) | United States |
| Vercel | Web hosting (some client builds) | Web request logs | Customer-selected region |
| Sentry (self-hosted) | Error tracking | Anonymised error events | Super In Tech VPS |
Need the executable PDF?
Request the full DPA via email and we will send a signed PDF for your counsel to review and counter-sign. Standard turnaround is 1 business day.