Data Processing Agreement (DPA)

Effective Date: February 10, 2026

Last Updated: February 10, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between the Customer ("Data Fiduciary" / "Controller") and EtheraEdge ("Data Processor" / "Processor") for the processing of personal data through the EtheraGuru platform.

This DPA applies to all personal data of students, parents, guardians, and other individuals ("Data Principals" / "Data Subjects") that the Customer uploads, stores, or processes through EtheraGuru.

1. Definitions

"DPDPA" means the Digital Personal Data Protection Act, 2023 (India).
"UK GDPR" means the UK General Data Protection Regulation.
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA, or personal data as defined under UK GDPR, as applicable.
"Processing" means any operation performed on Personal Data, including collection, storage, use, sharing, modification, deletion, or destruction.
"Data Breach" means any unauthorised or accidental access, disclosure, alteration, loss, or destruction of Personal Data.
"Sub-Processor" means a third-party service provider engaged by EtheraEdge to process Personal Data on behalf of the Customer.

2. Roles and Responsibilities

The Customer (tutoring business) is the Data Fiduciary / Controller for all student, parent, and guardian data uploaded to EtheraGuru. The Customer determines the purposes and means of processing this data.
EtheraEdge is the Data Processor and processes Personal Data solely on the Customer's behalf and in accordance with the Customer's documented instructions as set out in this DPA and the Terms.
For the Customer's own account, billing, and contact information, EtheraEdge acts as a Data Fiduciary / Controller, as described in the Privacy Policy.

3. Customer Obligations

The Customer agrees to:

Ensure that all Personal Data uploaded to EtheraGuru has been collected lawfully and with appropriate consent, including verifiable parental or guardian consent for data of individuals below 18 years of age, as required under the DPDPA (Section 9) and other applicable laws.
Provide clear and accurate privacy notices to Data Principals (students, parents, guardians) informing them of the processing carried out through EtheraGuru.
Respond to requests from Data Principals to exercise their rights (access, correction, erasure, etc.) in a timely manner.
Notify EtheraEdge promptly of any changes to processing instructions or any Data Principal requests that require EtheraEdge's assistance.
Not upload any special category / sensitive personal data (e.g., biometric data, health records, caste, religious beliefs) to EtheraGuru unless explicitly agreed in writing.

4. Processor Obligations

EtheraEdge agrees to:

Process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law (in which case, EtheraEdge will inform the Customer before processing, unless prohibited by law).
Ensure that all personnel authorised to process Personal Data are bound by obligations of confidentiality.
Implement appropriate technical and organisational security measures to protect Personal Data, as described in Section 7.
Not engage any Sub-Processor without the Customer's prior general or specific authorisation, as described in Section 6.
Assist the Customer in fulfilling its obligations to respond to Data Principal / Data Subject rights requests, to the extent technically feasible.
Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations, to the extent applicable.
At the Customer's choice, delete or return all Personal Data upon termination of the Services, except where retention is required by applicable law. Data will be deleted within 30 days of account termination unless a data export is requested.
Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits and inspections, subject to reasonable advance notice and confidentiality obligations.

5. Children's Data

Given that EtheraGuru is used by tutoring businesses that serve students who may be below 18 years of age:

EtheraEdge will process children's data strictly in accordance with the Customer's instructions and solely for the purpose of providing the Services.
EtheraEdge will not engage in tracking, behavioural monitoring, profiling, or targeted advertising directed at children.
EtheraEdge will not process children's data in any manner likely to cause detrimental effect to the well-being of a child, in compliance with the DPDPA.
The Customer is solely responsible for obtaining verifiable parental or guardian consent before uploading children's data to EtheraGuru.

6. Sub-Processors

Authorised Sub-Processors

The Customer provides general authorisation for EtheraEdge to engage the following Sub-Processors:

Sub-Processor	Purpose	Data Processed	Location
WorkOS	Authentication and identity management	Account credentials, organisation info	USA
Cashfree Payments	Payment processing (PCI-DSS compliant)	Payment details, invoice data	India
PostHog	Product analytics, error tracking (customer-facing dashboard only; not used for student/parent data analytics)	Usage data, interaction data, error logs	EU/USA
Meta (WhatsApp Business API)	WhatsApp notification delivery	Phone numbers, message content	USA/India
Azure Communication Services	WhatsApp notification delivery (alternate provider)	Phone numbers, message content	Global
Cloud hosting provider	Data storage and compute infrastructure	All platform data	As disclosed

Changes to Sub-Processors

EtheraEdge will inform Customers of any intended changes to Sub-Processors (additions or replacements) by updating this page and notifying Customers via email at least 15 days before the change takes effect.
If the Customer has a reasonable objection to a new Sub-Processor, the Customer may notify EtheraEdge in writing within 15 days of the notice. Both parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Customer may terminate the affected Services.

Sub-Processor Obligations

EtheraEdge will:

Impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA.
Remain liable to the Customer for the acts and omissions of its Sub-Processors.

7. Security Measures

EtheraEdge implements the following technical and organisational measures to protect Personal Data:

Technical Measures:

Encryption of data in transit (HTTPS/TLS) and at rest.
Secure authentication via trusted identity provider (WorkOS) with encrypted session cookies.
Role-based access controls limiting data access to authorised personnel.
Regular automated backups with secure storage.
Continuous system monitoring, logging, and alerting.
PCI-DSS compliant payment processing via Cashfree.

Organisational Measures:

Confidentiality obligations for all personnel with access to Personal Data.
Access limited to personnel who require it for service delivery.
Incident response procedures for timely detection and resolution of security events.
Periodic review and update of security measures.

8. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA:

EtheraEdge will notify the Customer without unreasonable delay and in any event within 72 hours of becoming aware of the breach.
The notification will include (to the extent known):
- A description of the nature of the breach, including the categories and approximate number of Data Principals affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- Contact details of the person responsible for managing the breach response.
EtheraEdge will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
For Indian customers, EtheraEdge will assist the Customer in fulfilling its notification obligations to the Data Protection Board of India under the DPDPA.
For UK/international customers, EtheraEdge will assist the Customer in fulfilling its notification obligations under UK GDPR (72-hour notification to supervisory authority).

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Customer's jurisdiction as part of EtheraEdge's cloud infrastructure and through Sub-Processors.

For Indian customers: Cross-border transfers will comply with the DPDPA and any restrictions notified by the Central Government. EtheraEdge will not transfer Personal Data to any jurisdiction that has been specifically restricted by the Central Government.
For UK/international customers: EtheraEdge will ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) or other mechanisms approved under UK GDPR.

10. Data Subject / Data Principal Rights

EtheraEdge will assist the Customer in fulfilling its obligations to respond to requests from Data Principals exercising their rights under applicable law, including:

Access – Providing a summary of Personal Data processed.
Correction – Correcting inaccurate or incomplete Personal Data.
Erasure – Deleting Personal Data where required (subject to legal retention obligations).
Portability – Providing data in a machine-readable format (where applicable under UK GDPR).

The Customer will direct Data Principal requests to EtheraEdge where assistance is needed. EtheraEdge will respond to such requests within a reasonable timeframe, not exceeding 30 days.

11. Data Retention and Deletion

EtheraEdge will retain Personal Data processed under this DPA only for as long as necessary to provide the Services, or as instructed by the Customer.
Upon termination of the Services or upon the Customer's written request:
- EtheraEdge will provide the Customer with a data export in a machine-readable format within a reasonable timeframe.
- After the export (or after 30 days if no export is requested), EtheraEdge will securely delete all Personal Data, except where retention is required by applicable law.
Financial and tax records may be retained as required under the Income Tax Act, 1961 and the Companies Act, 2013.

12. Audits

The Customer may request information about EtheraEdge's data processing practices and security measures to verify compliance with this DPA.
EtheraEdge will make available relevant documentation, certifications, or audit reports upon reasonable request.
On-site audits may be conducted with at least 30 days advance written notice, during normal business hours, and subject to confidentiality obligations. Costs of on-site audits are borne by the Customer.
EtheraEdge may satisfy audit requests by providing third-party audit reports or certifications (e.g., SOC 2, ISO 27001) where available.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
EtheraEdge shall not be liable for any breach of this DPA caused by the Customer's failure to comply with its obligations (e.g., failure to obtain required consents, uploading data in violation of applicable law).

14. Term and Termination

This DPA is effective for the duration of the Customer's use of EtheraGuru under the Terms.
This DPA will automatically terminate upon termination of the Terms.
Sections 8 (Data Breach Notification), 11 (Data Retention and Deletion), and 13 (Liability) shall survive termination.

15. Governing Law

For Indian customers: This DPA is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000.
For UK/international customers: This DPA is governed by the laws of England and Wales.

16. Contact

For questions about this DPA:

India:

grievance@etheraedge.in

EtheraEdge Solutions Private Limited, Kanjirakkattu House, Kalampoor, Enanalloor P.O, Muvattupuzha, Kerala, India – 686673

Global/UK:

contact@etheraedge.com

EtheraEdge Limited, 128 City Road, London, EC1V 2NX, United Kingdom