Data Processing Agreement

1. Parties and Scope

This DPA is entered into between:

• Data Controller ("Controller" or "Client"): The entity identified in the applicable Statement of Work or Master Service Agreement with Grow With Gradient.
• Data Processor ("Processor"): THEPROJECTSEO DIGITAL (OPC) PRIVATE LIMITED, CIN U73100JH2025OPC026020, GSTIN 20AAMCT3829K1Z5, registered at 808 Mahabir Tower, JD High Street, Hindpiri, Ranchi, Jharkhand 834001, India, trading as Grow With Gradient.

This DPA forms part of, and is incorporated by reference into, the Master Service Agreement or Statement of Work between the parties (the "Principal Agreement"). In the event of any conflict, this DPA prevails to the extent it relates to personal data processing.

Where neither party is established in the European Union or EEA and the processing does not target EU data subjects, GDPR obligations apply only to the extent explicitly agreed in Schedule A. India's Digital Personal Data Protection Act 2023 ("DPDPA") applies to all processing of digital personal data of individuals located in India.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person ("data principal" under DPDPA; "data subject" under GDPR) that is shared by the Controller with the Processor in connection with the services.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, analysis, and deletion.
• "Sub-processor" means a third-party service provider engaged by the Processor to assist with processing activities described in this DPA.
• "Security Incident" means any confirmed or reasonably suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

3. Nature, Purpose, and Duration of Processing

What We Process

In the course of delivering SEO and analytics services, the Processor may handle Personal Data that includes:

• Google Search Console and Google Analytics data (aggregated search queries, page performance metrics, user session data) exported from the Controller's property
• Contact details of the Controller's team members provided for project communication and access management (name, work email, role)
• CRM export data (company names, contact names, deal stages) provided for SEO attribution analysis, if applicable under the SOW
• Any other Personal Data the Controller shares in briefing materials, asset uploads, or platform integrations

Purpose

The Processor processes Personal Data solely to provide the services agreed in the Principal Agreement. No Personal Data is used for the Processor's own marketing, profiling, or benchmarking purposes without explicit written consent from the Controller.

Duration

The Processor processes Personal Data for the duration of the Principal Agreement and retains it for a maximum of 12 months after termination, unless a shorter retention period is required by law or agreed in writing. On expiry of the retention period, Personal Data is securely deleted or anonymised.

4. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including the instructions set out in the Principal Agreement, unless required by applicable law to process otherwise
• Ensure that personnel authorised to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organisational measures to protect Personal Data, as described in Section 6 (Security Measures)
• Assist the Controller in responding to requests from data principals or data subjects exercising their rights under applicable law, including rights of access, correction, and erasure
• Notify the Controller without undue delay upon becoming aware of a Security Incident affecting the Controller's Personal Data (and in any event within 72 hours where GDPR applies)
• Not transfer Personal Data to a third country or territory without appropriate safeguards, unless required by applicable law
• On termination of the Principal Agreement, at the Controller's election, return or delete all Personal Data processed under this DPA

5. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors, subject to the following conditions:

• The Processor must impose data protection obligations on each sub-processor equivalent to those in this DPA
• The Processor remains fully liable to the Controller for any failure by a sub-processor to fulfil its data protection obligations
• The Processor shall maintain an up-to-date list of sub-processors and make it available to the Controller on request
• The Processor shall notify the Controller of any intended changes to sub-processors at least 14 days before the change takes effect, giving the Controller an opportunity to object

Current categories of sub-processors include: cloud hosting providers, analytics platforms, project management tools, and AI model providers used to assist in content and data analysis. A full list is available on written request.

6. Security Measures

The Processor maintains the following technical and organisational security measures:

• Encryption of Personal Data in transit (TLS 1.2 or higher)
• Encryption of Personal Data at rest where stored in Processor-controlled systems
• Access controls limiting Personal Data access to authorised personnel on a need-to-know basis
• Regular review of access rights and offboarding procedures
• Security awareness practices for team members handling Personal Data
• Use of cloud infrastructure with SOC 2 or ISO 27001 certification for primary data storage

7. Controller Obligations

The Controller warrants that:

• It has a lawful basis for sharing Personal Data with the Processor and for the processing activities described in this DPA
• It has provided appropriate privacy notices to data principals or data subjects whose data it shares with the Processor
• It will not instruct the Processor to process Personal Data in a manner that would violate applicable law

8. Governing Law and Jurisdiction

This DPA is governed by the laws of India, including the Digital Personal Data Protection Act 2023 and rules made thereunder. Any disputes shall be subject to the jurisdiction of the courts at Ranchi, Jharkhand, India.

Where the Principal Agreement is subject to the laws of another jurisdiction (for example, where the Controller is an EU-established entity and the parties have agreed to GDPR standard contractual clauses), those jurisdiction-specific addenda take precedence for EU-related processing.

9. Amendments

This DPA may be amended by mutual written agreement of the parties. Grow With Gradient may update this published version to reflect changes in law or sub-processor arrangements; material changes will be notified to active clients at least 30 days in advance.

10. Contact and Execution

To execute a signed DPA for your specific engagement, or to request the current sub-processor list, contact:

• Brand: Grow With Gradient
• Legal entity: THEPROJECTSEO DIGITAL (OPC) PRIVATE LIMITED
• CIN: U73100JH2025OPC026020
• GSTIN: 20AAMCT3829K1Z5
• Registered office: 808 Mahabir Tower, JD High Street, Hindpiri, Ranchi, Jharkhand 834001, India
• Data contact email: hello@growwithgradient.com