Data Processing Agreement (DPA)

Effective Date: 1 January 2025

This DPA forms part of the Terms of Service or other written agreement (the “Agreement”) between:

  • Customer (the “Controller” or “Business”), and
  • Rao Information Technology Pvt. Ltd., Rajkot, Gujarat, India (“Rao IT”, “Processor”, “Service Provider”).

This DPA governs Rao IT’s Processing of Personal Data on behalf of Customer in connection with SuperSee (the “Service”).


1. Definitions

Applicable Data Protection Laws include the Digital Personal Data Protection Act, 2023 (India) (“DPDP”), the EU/UK GDPR, and relevant U.S. state privacy laws.
Customer Data means any data submitted to or collected by the Service on behalf of Customer, including Personal Data.
Data Subject means an identified or identifiable natural person.
Personal Data means any information relating to a Data Subject and protected under Applicable Data Protection Laws.
Processing has the meaning given in Applicable Data Protection Laws.
Security Incident means a confirmed breach of Rao IT’s security leading to unauthorized access, loss, or disclosure of Personal Data.
Sub-processor means any processor engaged by Rao IT to process Personal Data on behalf of Customer.


2. Roles, Scope, and Precedence

  • Roles. Customer is the Controller, and Rao IT acts as the Processor/Service Provider. For Rao IT’s website analytics, billing, and support data, Rao IT acts as a Controller.
  • Scope. Rao IT processes Personal Data strictly on Customer’s instructions and as needed to provide the Service (see Annex A).
  • Precedence. If there is a conflict between this DPA and the Agreement, this DPA governs regarding Personal Data Processing.

3. Customer Instructions

Rao IT processes Personal Data only to:
(a) provide the Service;
(b) comply with documented Customer instructions; and
(c) comply with legal obligations.

Customer is responsible for ensuring that its data and its monitoring configurations comply with applicable law and that appropriate employee notices and consents are obtained.


4. Confidentiality

Rao IT ensures that all personnel handling Personal Data are under confidentiality obligations and receive appropriate security and privacy training.


5. Security Measures

Rao IT maintains technical and organizational measures to safeguard Personal Data (see Annex B). These include:

  • Transport Security: HTTPS (TLS 1.2+) with JWT bearer authentication.
  • Storage Security: AWS S3 encryption (SSE-S3/SSE-KMS) and IAM-restricted access.
  • Access Control: Role-based permissions and administrative audit logs.
  • Data Lifecycle: Automated 90-day retention and deletion policies.
  • Live Screencast: Encrypted WebRTC sessions (SRTP over DTLS/TLS) via Google STUN/TURN and Rao IT TURN.
  • Real-time Status: Secure Firebase integration using service-account credentials and access control rules.

6. Sub-processors

Rao IT engages Sub-processors to provide infrastructure and support. Current Sub-processors are listed in Annex C. Rao IT remains responsible for their performance and will notify Customer of any new or replacement Sub-processors.


7. Data Subject Rights and Assistance

Rao IT assists Customer in fulfilling requests for access, correction, deletion, or portability of Personal Data and supports compliance with DPIAs or regulatory consultations where applicable.


8. Security Incidents

Rao IT will notify Customer without undue delay of any Security Incident affecting Personal Data. Rao IT will investigate, mitigate, and provide relevant information for Customer to meet notification requirements.

India Note: CERT-In requires reporting of certain incidents within 6 hours, and the DPDP may require notice to the Data Protection Board. Rao IT will assist in good faith.


9. Deletion or Return of Data

Upon termination or Customer request, Rao IT will delete or return Personal Data within 30 days, except where retention is legally required. Monitoring Data is automatically deleted after 90 days.


10. Audit and Verification

Customer may audit Rao IT’s compliance once annually with 30 days’ notice. Rao IT may satisfy audit requirements via third-party reports or certifications. Audits must preserve confidentiality and not disrupt operations.


11. International Transfers

Personal Data may be processed in regions where Rao IT or its Sub-processors operate. Where required, appropriate transfer safeguards (e.g., SCCs, UK Addendum) apply per Annex D.

Under the DPDP, transfers from India are allowed unless the destination country is restricted. Rao IT and Customer will cooperate to meet future requirements.


12. Liability and Term

Each party’s liability under this DPA is limited as per the Agreement. This DPA remains in effect during the Agreement and while Rao IT processes Personal Data for Customer.


13. Governing Law and Venue

This DPA is governed by Indian law and subject to the exclusive jurisdiction of Rajkot, Gujarat, India, except where SCCs/UK Addendum require otherwise.


Annex A — Details of Processing

Purpose: Provide, operate, and secure the Service, including monitoring, real-time status, and analytics.
Nature: Collection, relay, storage, display, deletion, and ephemeral streaming.
Duration: Term of Agreement + 30-day deletion window.
Data Subjects: Customer employees, contractors, Admins.
Categories:

  • Admin contact (name, email, phone)
  • Employee contact (email/phone)
  • Monitoring Data (screenshots, timestamps, app usage, device metadata)
  • Real-time status (presence/last active via Firebase)
  • Screencast session metadata
  • Billing data (via Razorpay)
  • Anonymous telemetry (Aptabase)

Retention: 90-day default; shorter for transient data (Firebase presence); longer where legally required.


Annex B — Security Measures

  • HTTPS (TLS 1.2+) with JWT bearer auth
  • AWS S3 with SSE-S3/SSE-KMS encryption
  • IAM role-based access
  • Encrypted WebRTC screencast (SRTP/DTLS/TLS)
  • Firebase presence secured with rules and service credentials
  • Lifecycle deletion after 90 days
  • Logging, alerting, and regular vulnerability testing

Annex C — Authorized Sub-processors

  1. Amazon Web Services (AWS) – hosting/storage
  2. Google STUN/TURN – live screencast connectivity
  3. Rao IT TURN – backup screencast relay
  4. Firebase (Google Cloud) – real-time presence/status
  5. Aptabase – anonymous telemetry
  6. Gmail / n8n – communications and automations
  7. Razorpay – payment processing

Annex D — Cross-Border Transfer Mechanisms

Where required under EU/UK GDPR, the EU Standard Contractual Clauses (Controller→Processor, Module Two) and UK Addendum/IDTA are incorporated by reference.

Governing law for SCCs: Ireland (or another EU Member State).
Supervisory authority: Irish DPC (unless otherwise designated).


Contact: support@supersee.io
Postal: Rao Information Technology Pvt. Ltd., Rajkot, Gujarat, India.