Sammati

Legal

Data Processing Addendum

Last updated: 1 July 2026

DRAFT — for review. This is a starting template. Finalise with your legal counsel before executing. Sammati supports your DPDPA obligations; it does not guarantee compliance.

This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Controller” / “Data Fiduciary”) and Sammati (“Processor” / “Data Processor”) governing the processing of personal data in connection with the Sammati consent management platform.

1. Definitions

Terms used here have the meanings given in the Digital Personal Data Protection Act, 2023 (“DPDPA”). “Personal Data” means any data about an individual who is identifiable by or in relation to such data. “Processing” means any operation performed on Personal Data.

2. Subject matter and nature of processing

Subject matterConsent management, DSR processing, and ledger storage
DurationFor the term of the Service agreement plus statutory retention periods
NatureStorage, retrieval, and cryptographic verification of consent records; DSR lifecycle management
Categories of dataIdentity references (as submitted by the Data Fiduciary), consent decisions, timestamps
Data PrincipalsEnd users whose consent is recorded by the Data Fiduciary via the Sammati SDK or API

3. Processor obligations

Sammati agrees to:

  • Process Personal Data only on your documented instructions
  • Ensure persons authorised to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organisational security measures, including an append-only, tamper-evident ledger enforced at the database level
  • Assist you in fulfilling Data Principal rights (access, correction, erasure via crypto-shred, grievance)
  • On termination, return or delete Personal Data within 30 days (your choice)
  • Make available information necessary to demonstrate compliance with this DPA

4. Sub-processors

Sammati may engage sub-processors for infrastructure, email delivery, and analytics. A current sub-processor list is available on request. We will notify you at least 14 days before adding or replacing a sub-processor.

[Placeholder — attach current sub-processor list before signing.]

5. Security

Sammati maintains the following controls, among others:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Append-only consent ledger with Postgres-enforced triggers — no row can be deleted or modified after write
  • Erasure via cryptographic key destruction (crypto-shred), not row deletion
  • Access controls, audit logging, and regular security reviews

6. Personal data breach

Sammati will notify you without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach, including information about the nature of the breach, categories and approximate number of Data Principals affected, and likely consequences. We will cooperate with your breach notification obligations.

7. Contact

Sammati Data Protection Contact

Email: dpdpa.sammati@gmail.com

[Placeholder — update with officer name and postal address before publishing.]