Legal
Data Processing Addendum
Last updated: 1 July 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Controller” / “Data Fiduciary”) and Sammati (“Processor” / “Data Processor”) governing the processing of personal data in connection with the Sammati consent management platform.
1. Definitions
Terms used here have the meanings given in the Digital Personal Data Protection Act, 2023 (“DPDPA”). “Personal Data” means any data about an individual who is identifiable by or in relation to such data. “Processing” means any operation performed on Personal Data.
2. Subject matter and nature of processing
| Subject matter | Consent management, DSR processing, and ledger storage |
| Duration | For the term of the Service agreement plus statutory retention periods |
| Nature | Storage, retrieval, and cryptographic verification of consent records; DSR lifecycle management |
| Categories of data | Identity references (as submitted by the Data Fiduciary), consent decisions, timestamps |
| Data Principals | End users whose consent is recorded by the Data Fiduciary via the Sammati SDK or API |
3. Processor obligations
Sammati agrees to:
- Process Personal Data only on your documented instructions
- Ensure persons authorised to process Personal Data are bound by confidentiality
- Implement appropriate technical and organisational security measures, including an append-only, tamper-evident ledger enforced at the database level
- Assist you in fulfilling Data Principal rights (access, correction, erasure via crypto-shred, grievance)
- On termination, return or delete Personal Data within 30 days (your choice)
- Make available information necessary to demonstrate compliance with this DPA
4. Sub-processors
Sammati may engage sub-processors for infrastructure, email delivery, and analytics. A current sub-processor list is available on request. We will notify you at least 14 days before adding or replacing a sub-processor.
[Placeholder — attach current sub-processor list before signing.]
5. Security
Sammati maintains the following controls, among others:
- Encryption of data in transit (TLS 1.2+) and at rest
- Append-only consent ledger with Postgres-enforced triggers — no row can be deleted or modified after write
- Erasure via cryptographic key destruction (crypto-shred), not row deletion
- Access controls, audit logging, and regular security reviews
6. Personal data breach
Sammati will notify you without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach, including information about the nature of the breach, categories and approximate number of Data Principals affected, and likely consequences. We will cooperate with your breach notification obligations.
7. Contact
Sammati Data Protection Contact
Email: dpdpa.sammati@gmail.com
[Placeholder — update with officer name and postal address before publishing.]