This Data Processing Agreement ("DPA") supplements the RingSafe Trust Terms of Service and governs the processing of personal data by RingSafe Trust ("Processor") on behalf of you ("Controller") under the DPDP Act 2023, the GDPR, and applicable data protection law.
1. Roles
You are the Data Fiduciary / Controller of personal data you upload (vendor records, questionnaire responses, documents). RingSafe Trust is the Data Processor. We process your data only on your documented instructions, which include the Terms of Service and your use of the Service.
2. Subject matter, duration, nature, purpose
- Subject matter: personal data of your vendors, vendor contacts, and team members.
- Duration: for the term of your subscription, plus 30 days of read-access after cancellation, plus statutory retention (audit log: 12 months; billing: 7 years).
- Nature: storage, retrieval, transmission, transformation, and deletion of personal data via the Service's functions.
- Purpose: providing the vendor risk management Service per the Terms.
3. Categories of data subjects and personal data
- Data subjects: your vendors' employees (typically security/compliance contacts), your team members, your end-customers (if their data appears in vendor questionnaire responses).
- Categories of data: name, email, role, organization affiliation, free-form text in questionnaire responses, uploaded documents (typically SOC 2, ISO certificates, DPAs).
4. Processor obligations
RingSafe Trust will:
- Process personal data only on your documented instructions.
- Ensure personnel authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see /security).
- Engage sub-processors only with your authorisation (current sub-processors are listed at /security) and give 30 days' notice before adding new ones.
- Assist you in fulfilling data subject rights requests (access, correction, erasure, portability).
- Assist you in compliance with security obligations, breach notification, DPIA, and prior consultation duties.
- Notify you of personal data breaches without undue delay and within 72 hours of becoming aware.
- Delete or return personal data at the end of the relationship, at your choice.
- Make available all information necessary to demonstrate compliance, and allow audits (including on-site) on reasonable notice.
5. Security measures
RingSafe Trust implements:
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest (Supabase + S3-compatible storage)
- Multi-factor authentication on all administrative access
- Postgres Row Level Security enforcing tenant isolation at the database
- Audit logging for every meaningful action
- Annual third-party penetration testing
- Continuous CSPM monitoring on infrastructure
- Quarterly access reviews
6. International transfers
Personal data is stored in Singapore (AWS ap-southeast-1) by default. Pro plan customers may request India-region storage. Sub-processor transfers (e.g., transactional email via Resend in US/EU) are protected by Standard Contractual Clauses for any transfers from EU/UK; for transfers from India, supplementary measures (encryption, contractual safeguards) apply.
7. Sub-processors
Authorised sub-processors are listed at /security. By signing this DPA, you authorise the use of those sub-processors. We give 30 days' notice before adding new sub-processors and you may object during that period.
8. Liability
Liability under this DPA is governed by the limitation of liability clause in the Terms of Service.
9. Term and termination
This DPA is effective for the term of the Terms. On termination, RingSafe Trust will delete or return your personal data per your instruction within 30 days, except where retention is required by law.
10. Governing law
This DPA is governed by the same law as the Terms of Service.
If you require a counter-signed DPA on your letterhead, email trust@ringsafe.in with your details. The standard DPA is available on Starter and above; custom negotiation is included on the Pro plan.