This Data Processing Agreement ("DPA") forms part of the agreement
between Safety Desk, operator of the Vigilo platform ("Processor"),
and the organisation that has subscribed to Vigilo ("Controller").
This DPA applies wherever the Processor processes personal data on behalf of the Controller
in connection with the provision of the Vigilo service.
In the event of any conflict between this DPA and the
Terms of Service, this DPA shall prevail with
respect to the processing of personal data.
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Vigilo platform.
- "Processing" — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Data Subject" — the individual to whom Personal Data relates (e.g. employees, contractors, workers of the Controller's organisation).
- "Sub-processor" — any third party engaged by the Processor to process Personal Data.
- "Applicable Law" — the Information Technology Act, 2000 and the IT (SPDI) Rules, 2011 of India, and any other applicable data protection law.
2. Roles of the Parties
The Controller determines the purposes and means of processing Personal Data through the
Vigilo platform. The Processor processes Personal Data solely on the documented instructions
of the Controller and for no other purpose.
3. Subject Matter and Duration
The Processor shall process Personal Data for the duration of the Controller's active
subscription to Vigilo, and for 30 days thereafter pending deletion as described in
Clause 10. The subject matter of processing is described in Schedule 1.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside India, unless required by applicable law.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality.
- Implement the technical and organisational security measures described in Schedule 2 and in the Data Security Policy.
- Not engage a Sub-processor without prior written authorisation of the Controller, except as listed in Schedule 1. The Processor shall impose equivalent data protection obligations on any Sub-processor.
- Assist the Controller in responding to Data Subject requests to the extent possible given the nature of the processing.
- Assist the Controller in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations.
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Controller Obligations
The Controller warrants that:
- It has the legal basis to collect and transfer the Personal Data to the Processor for processing under this DPA.
- It has provided all required notices to Data Subjects and obtained all necessary consents where applicable.
- The instructions it gives to the Processor comply with all Applicable Laws.
- It will promptly inform the Processor of any changes in applicable law that may affect the Processor's obligations.
6. Sub-processors
The Controller grants general written authorisation to the Processor to engage the
Sub-processors listed in Schedule 1. The Processor shall notify the
Controller of any intended changes to Sub-processors by updating Schedule 1 and
providing at least 30 days' notice, giving the Controller the opportunity
to object.
7. Security
The Processor shall implement and maintain appropriate technical and organisational
measures to protect Personal Data against accidental or unlawful destruction, loss,
alteration, unauthorised disclosure, or access. The current measures are described
in the Data Security Policy and summarised
in Schedule 2.
8. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event
within 72 hours, after becoming aware of a Personal Data Breach
affecting the Controller's data. The notification shall include, to the extent known:
- The nature of the breach and categories of Personal Data affected
- The approximate number of Data Subjects and records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
A full written incident report shall be provided within 14 days
of the initial notification.
9. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the
Controller by appropriate technical and organisational measures to fulfil its obligations
to respond to Data Subject requests (access, correction, deletion, restriction, portability).
Managers may export, correct, or delete Data Subject records directly from within the
Vigilo platform at any time.
10. Retention & Deletion
Following termination or expiry of the subscription, the Processor shall retain
the Controller's Personal Data for 30 days to allow recovery,
after which all Personal Data shall be permanently deleted from all systems and
backups on a rolling basis. The Processor shall provide written confirmation of
deletion upon request.
11. Audit Rights
The Processor shall make available all information reasonably necessary to demonstrate
compliance with this DPA. The Controller may exercise audit rights by submitting
written questions to the Processor's security contact. The Processor shall respond
within 14 business days.
12. Limitation of Liability
Each party's liability under this DPA shall be subject to the limitations set out in
the Terms of Service.
13. Governing Law
This DPA is governed by the laws of India. Any dispute shall be subject to the
exclusive jurisdiction of the courts of Chennai, Tamil Nadu.
Schedule 1 — Description of Processing
Nature and purpose: The Processor provides a cloud-based workplace safety management platform. Personal Data is processed to deliver the features of the platform to the Controller and its authorised users.
Categories of Personal Data:
- Names, email addresses, job designations, and employee IDs
- Authentication credentials (hashed passwords and PINs)
- Safety observations, incident reports, HIRA assessments, and corrective action records
- Training records, assessment scores, and skill certifications
- Performance appraisal records
- Uploaded photos and documents (evidence, attachments)
- IP addresses and session data (for security and diagnostics)
Categories of Data Subjects: Employees, contractors, and workers of the Controller's organisation.
Authorised Sub-processors:
- Amazon Web Services — hosting, database, file storage — ap-south-1 (Mumbai, India)
- Brevo (Sendinblue) — transactional email delivery — European Union
- Razorpay — payment processing — India
Schedule 2 — Technical & Organisational Security Measures
- Encryption in transit: TLS 1.2+ via AWS CloudFront
- Encryption at rest: AES-256 for database (AWS RDS) and file storage (AWS S3)
- Access control: Role-based permissions; organisation-level data isolation
- Authentication: PBKDF2-SHA256 hashed passwords; PIN credentials hashed with PBKDF2
- Application security: CSRF protection, XSS prevention, SQL injection prevention via ORM, X-Frame-Options header
- Secrets management: All credentials stored as environment variables, not in source code
- Backups: Automated daily database backups, 30-day retention, point-in-time recovery
- Availability: 99.9% monthly uptime target on AWS managed infrastructure
- Incident response: 72-hour breach notification; 14-day incident report
- Private repository: Application source code maintained in a private version-controlled repository
Full details are available in the
Data Security Policy.
Need a signed copy of this DPA?
Send us an email and we will provide a countersigned PDF copy within 2 business days.
Request Signed DPA