1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between Exicube App Solutions (OPC) Private Limited ("Processor", "Exicube", "we") and the subscribing client ("Controller", "Client", "you") for the Exicube managed platform services.
This DPA applies where Exicube processes personal data on behalf of the Client in the course of providing the Exicube platform. This DPA is designed to comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Indian Digital Personal Data Protection Act 2023, and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Exicube on behalf of the Client through the Exicube platform.
- "Controller" means the Client, who determines the purposes and means of the processing of Personal Data through the Exicube platform.
- "Processor" means Exicube, who processes Personal Data on behalf of the Controller.
- "Sub-Processor" means any third party engaged by Exicube to process Personal Data on behalf of the Controller.
- "Data Subjects" means the individuals whose Personal Data is processed (e.g., end-users: riders, drivers, customers).
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
3. Scope and Purpose of Processing
3.1 Categories of Data Subjects
- End-user customers (riders, shoppers, grocery customers)
- Drivers and delivery personnel
- Vendor/merchant operators
- Fleet administrators
- Corporate account users
- CRM agents and support staff
3.2 Types of Personal Data
- Contact information (name, email, phone number, addresses)
- Location data (GPS coordinates, addresses, routes)
- Transaction data (orders, payments, earnings)
- Communication data (chat messages, support tickets, call metadata)
- Device and usage data (IP addresses, device identifiers, app usage)
- Driver documents (licence, ID — for verification purposes)
- Voice transcripts (from AI-assisted support interactions)
3.3 Purpose of Processing
Personal Data is processed solely for the purpose of operating the Exicube platform on behalf of the Client, including: ride/order dispatch, delivery tracking, payment processing, customer support, driver management, analytics, and AI-powered service optimisation.
4. Obligations of the Processor
- Lawful Processing: Exicube shall process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Confidentiality: All persons authorised to process Personal Data shall be bound by obligations of confidentiality.
- Security: Exicube shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS) and at rest (AES-256 via infrastructure-level volume/database encryption provided by our cloud hosting provider)
- Database-level tenant isolation using Row Level Security (RLS) policies, with
tenant_idscoping enforced by the database engine on all queries - Role-based access controls (RBAC) for admin, fleet admin, operation manager, vendor, and driver roles
- Targeted API rate limiting on security-sensitive endpoints (authentication, payment operations) with input validation across all API routes
- Regular security updates and patch management for all managed infrastructure
- AI Processing Safeguards: When AI features are enabled, Exicube shall automatically strip PII (names, phone numbers, email addresses, IP addresses) before sending data to third-party AI inference providers. For Exicube's own CRM outreach activities, business contact names and company names may be included in AI prompts where essential for personalisation; this is conducted under legitimate interest (GDPR Article 6(1)(f)) and all AI providers are contractually prohibited from using input data for model training.
- Data Minimisation: Exicube shall process only the Personal Data necessary for the purposes outlined in this DPA.
- DPIA Assistance: Exicube shall assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where required under GDPR Article 35, taking into account the nature of processing and the information available to Exicube.
5. Sub-Processors
- The Controller authorises Exicube to engage the sub-processors listed on our Sub-Processor List.
- Exicube shall notify the Controller via email at least 30 days before engaging any new sub-processor.
- The Controller may object to a new sub-processor within 14 days of notification. If a reasonable objection cannot be resolved, the Controller may terminate the Agreement.
- Exicube shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
6. Data Subject Rights
Exicube shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by:
- Providing tools within the admin panel for managing end-user data.
- Responding to Controller requests for data export within 10 business days.
- Executing data deletion requests (cascade delete) within 30 days of a verified request.
- Supporting the Controller in responding to supervisory authority inquiries.
7. Data Breach Notification
- Exicube shall notify the Controller within 48 hours of becoming aware of a Personal Data breach affecting the Controller's data.
- The notification shall include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
- Exicube shall cooperate with the Controller in investigating and remediating the breach.
- Exicube shall assist the Controller in meeting its breach notification obligations to supervisory authorities (within 72 hours per GDPR Article 33) and to affected Data Subjects.
8. Audit Rights
- The Controller may request an audit of Exicube's data processing practices to verify compliance with this DPA.
- Audit requests must be submitted in writing with at least 30 days' notice.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Exicube's operations.
- Exicube may provide security documentation, completed security questionnaires, or independent audit reports as an alternative to on-site audits where available.
- The Controller shall bear its own costs for conducting audits, unless the audit reveals material non-compliance by Exicube.
9. International Data Transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions that restrict cross-border transfers:
- Exicube shall ensure appropriate transfer mechanisms are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
- Exicube shall conduct transfer impact assessments where required.
- The Controller acknowledges that certain sub-processors (listed on the Sub-Processor List) are located in countries outside the EEA.
10. Data Return and Deletion
- Upon termination of the Agreement, Exicube shall provide the Controller with a 30-day data export window to retrieve business data in CSV and/or JSON format at no additional charge.
- After the export window, Exicube shall delete or anonymise all Personal Data processed on behalf of the Controller, except where retention is required by applicable law.
- Exicube shall confirm deletion in writing upon request.
- Backup copies shall be deleted within 90 days of the termination date through normal backup rotation.
11. Liability
Liability under this DPA is subject to the limitations set forth in the Terms and Conditions. Each party is liable for damage caused by processing that infringes applicable data protection laws, subject to the liability caps in the Agreement.
12. Term and Termination
This DPA shall remain in effect for the duration of the Agreement and for as long as Exicube processes Personal Data on behalf of the Controller. The obligations in sections 4 (Security), 7 (Breach Notification), and 10 (Data Deletion) survive termination.
13. Governing Law
This DPA is governed by the same governing law as the Terms and Conditions. For EEA/UK Controllers, the applicable provisions of the GDPR/UK GDPR shall take precedence in case of conflict.
14. Contact
For questions about this DPA or to exercise data protection rights, contact our Data Protection team at: [email protected]
Exicube App Solutions (OPC) Private Limited
3, Sreenagar, Madhyamgram
Kolkata, West Bengal – 700129
India
Version History
| Date | Changes |
|---|---|
| 25 March 2026 | Initial version. GDPR/UK GDPR/DPDP Act compliance, AI processing safeguards with PII stripping, sub-processor governance, breach notification (48hr), audit rights, international data transfer mechanisms (SCCs), data return/deletion procedures (30-day export window). |