Data Processing Addendum

1. About this DPA

1.1 When this DPA applies

This DPA applies when a business Customer (a brokerage firm, real-estate developer, builder, law firm, financial institution, or other organisation — the “Customer”) uses TAG Vault to collect, route, sign, store, or verify documents containing personal data of the Customer’s own clients, employees, signers, or witnesses. In that arrangement:

• The Customer is the Data Fiduciary for the personal data processed through TAG Vault under §2(i) of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), because the Customer determines the purpose and means of processing.
• TAG Vault is the Data Processor under §2(k) DPDP Act, processing that personal data only on the Customer’s documented instructions.

1.2 When this DPA does NOT apply

This DPA does NOT apply to consumer (B2C) users who sign up directly on TAG Vault to sign or receive documents in their personal capacity. In that relationship, TAG Vault is itself the Data Fiduciary under §2(i) DPDP Act, because TAG Vault determines purpose and means of processing for account creation, signing-ceremony attribution, audit logging, and sealed-document retention. That processing is governed by our Privacy Policy and Terms of Service, not by this DPA.

If a single individual is both a consumer user of TAG Vault and a signer on a Customer’s envelope, the controller/processor split applies envelope-by-envelope: the Customer’s envelope is processed under this DPA; the consumer’s own account profile and direct activity is processed under the Privacy Policy.

1.3 Effective date and version

This DPA is effective from 2026-04-25 and is version 1.0. We will publish material updates with at least thirty (30) days’ notice to the Customer’s designated contact under the Master Services Agreement (the “MSA”).

1.4 Relation to the MSA / Terms of Service

This DPA is incorporated into the MSA (or, where no separate MSA is signed, into the Terms of Service accepted by the Customer at sign-up). On data-protection matters, this DPA prevails over the MSA / Terms; on all other matters, the MSA / Terms prevail. Together, the MSA, this DPA, and our Privacy Policy form the entire agreement on data processing between the parties.

1.5 Single-tenant note (MVP)

At the launch (Phase 2a) stage, TAG Vault is single-tenant. This DPA is published in advance to support pre-sales conversations with B2B prospects (“do you have a DPA?”) and to govern the multi-tenant Phase 3 wave.

2. Definitions

Capitalised terms used in this DPA have the meanings given below. DPDP Act statutory definitions prevail where they exist; the operational definitions below supplement them for clarity.

3. Subject-matter and duration of processing

TAG Vault processes Customer Data solely to provide the Service to the Customer under the MSA — that is, to enable the Customer to upload documents, route them to signers, capture electronic signatures under §3A of the Information Technology Act, 2000 (“IT Act”), seal the resulting PDF with an ECDSA P-256 cryptographic seal, store the sealed PDF for 10 years on Amazon Web Services S3 with Object Lock COMPLIANCE retention, and maintain an audit trail.

Processing continues for the term of the MSA, plus the retention periods set out in §14 of this DPA.

4. Nature and purpose of processing

The nature of processing comprises:

• Collection — receiving uploaded document files, signer contact details, ceremony attributes (IP address, user-agent, device fingerprint, timestamp), and signature-image data;
• Storage — persisting the foregoing in our databases (PostgreSQL on AWS) and object storage (AWS S3) hosted in India (Mumbai region ap-south-1, with disaster-recovery replica in Hyderabad region ap-south-2);
• Transmission — sending notification emails (via AWS Simple Email Service) and WhatsApp messages (via Meta WhatsApp Business Cloud API) to Customer Data Principals to invite them to sign or notify them of envelope status;
• Sealing — generating a cryptographic seal over the sealed PDF using ECDSA P-256 over SHA-256, embedding a §65B Indian Evidence Act, 1872 / §63 Bharatiya Sakshya Adhiniyam, 2023 certificate as the final page;
• Audit-trail recording — writing append-only entries to the database via a PostgreSQL trigger;
• Public verification — exposing a POST /v1/verify endpoint that any third party may use, without an account, to test a SHA-256 hash against the sealed copy;
• Retention — preserving sealed PDFs and audit-trail entries for the periods set out in §14 and Annex 1.

The purpose is to deliver the Service. TAG Vault does not use Customer Data for any other purpose, and in particular does not train artificial-intelligence or machine-learning models on Customer Data, does not sell or share Customer Data with advertisers or data brokers, and does not profile Customer Data Principals for targeted advertising.

5. Categories of personal data and Customer Data Principals

5.1 Categories of personal data

5.2 Categories of Customer Data Principals

• The Customer’s own clients (buyers, sellers, lessees, lessors, mortgagors, mortgagees);
• The Customer’s employees, contractors, and authorised users of the Customer’s TAG Vault account;
• Signers and witnesses invited by the Customer to sign documents through TAG Vault.

The categories above are not exhaustive — the Customer determines, by configuring envelopes, which natural persons receive a signing request. The Customer is responsible for ensuring it has lawful basis under §6 or §7 DPDP Act for each such Customer Data Principal.

6. Customer’s instructions

TAG Vault processes Customer Data only on the Customer’s documented instructions. The Customer’s instructions are constituted by:

1. The MSA (and this DPA);
2. The Customer’s configuration of envelopes within the Service — including the documents uploaded, the signers added, the signing order, the message text, the notification channels selected, and the retention configuration;
3. Any additional written instructions the Customer issues by email to legal@brikbond.com and that TAG Vault accepts in writing.

If TAG Vault forms the view that an instruction infringes the DPDP Act, the DPDP Rules, or any other applicable Indian law, TAG Vault will inform the Customer in writing and may suspend processing the affected instruction until the Customer confirms the instruction or withdraws it.

7. Customer’s responsibilities

7.1 Customer is the Data Fiduciary

The Customer is the Data Fiduciary for Customer Data and bears all Data Fiduciary obligations under the DPDP Act in respect of that data, including:

• Issuing the §5 DPDP Act notice to its Customer Data Principals before or at the time of seeking consent;
• Obtaining §6 DPDP Act consent (or relying on §7 legitimate use) for each purpose for which the Customer processes Customer Data through TAG Vault;
• Maintaining records to demonstrate that consent was obtained;
• Responding to Data Principal Rights requests received directly by the Customer (TAG Vault provides assistance under §11 of this DPA);
• Filing the §8(6) DPDP Act breach notification to the DPDP Board and to affected Customer Data Principals within the timelines prescribed by the DPDP Rules where the breach affects Customer Data;
• Determining the lawful basis for any cross-border transfer that the Customer’s chosen workflow triggers (see §10).

7.2 Accuracy of Customer Data

The Customer warrants that Customer Data uploaded to TAG Vault is accurate and complete (DPDP §8(3)) at the time of upload and that the Customer has all necessary rights to provide that data to TAG Vault for processing under this DPA.

7.3 Prohibited uploads

The Customer must not upload to TAG Vault, and must not instruct its users to upload, any document barred from electronic execution under the First Schedule of the IT Act (negotiable instruments other than cheques outside the regulated-entity carve-out, powers of attorney between individuals, trust deeds, wills, codicils). The Customer remains liable for any such upload notwithstanding TAG Vault’s hard-block measures.

8. TAG Vault’s obligations as Data Processor

TAG Vault complies with the obligations imposed on a Data Processor under §8(2) DPDP Act, and in particular:

8.1 Process only on documented instructions

TAG Vault processes Customer Data only as set out in §6. TAG Vault notifies the Customer if an instruction appears unlawful and may suspend the affected processing until the Customer confirms or withdraws the instruction.

8.2 Confidentiality

Only TAG Vault personnel who need access to Customer Data to perform the Service have such access, and they are bound by written confidentiality undertakings that survive termination of their engagement. Access is enforced by role-based access control (“RBAC”), least-privilege IAM policies, MFA for all engineering accounts, and instance-profile credentials rather than long-lived static keys.

8.3 Security safeguards

TAG Vault implements and maintains the technical and organisational measures set out in Annex 3 — which align with §8(5) DPDP Act, Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), and ISO/IEC 27001 control areas. Headline measures include TLS 1.2+ for all data in transit, AES-256 encryption at rest via AWS KMS Customer Managed Keys, Argon2id for password hashing, MFA, append-only audit logging at the database layer (PostgreSQL trigger), AWS S3 Object Lock COMPLIANCE retention on sealed PDFs, and CloudWatch monitoring with eleven (11) operational alarms.

8.4 Breach notification — 24-hour SLA to Customer

TAG Vault notifies the Customer of any Personal Data Breach affecting Customer Data within twenty-four (24) hours of TAG Vault becoming aware of it. The notification is sent to the Customer’s designated security contact by email and includes, to the extent then known: nature of the breach, categories and approximate volume of Customer Data and Customer Data Principals affected, likely consequences, mitigation measures taken or proposed, and the TAG Vault contact for further information. This 24-hour window is designed to give the Customer time to meet its own §8(6) DPDP Act seventy-two-hour (72-hour) notification obligation to the DPDP Board.

For B2C users where TAG Vault is itself the Data Fiduciary, TAG Vault directly notifies the Data Principal within 72 hours per the Privacy Policy.

TAG Vault separately complies with its own CERT-In six-hour (6-hour) external notification obligation under the CERT-In Directions of 28 April 2022.

8.5 Assistance with Data Principal Rights

TAG Vault provides reasonable assistance to the Customer in responding to access (§11 DPDP), correction / erasure (§12 DPDP), grievance (§13 DPDP), and nomination (§14 DPDP) requests received by the Customer from Customer Data Principals. Standard tooling is summarised in §11 of this DPA.

8.6 Assistance with DPIA, audits, and SDF cooperation

If the Customer is or becomes a Significant Data Fiduciary under §10 DPDP Act, TAG Vault provides reasonable assistance with the Customer’s data-protection-impact assessment, periodic data audit, and any DPDP Board enquiries — at the Customer’s reasonable cost where the assistance exceeds the standard tooling described in this DPA.

8.7 Return or deletion on termination

On termination of the MSA, TAG Vault returns or deletes Customer Data in accordance with §14 of this DPA, subject to the sealed-PDF carve-out for S3 Object Lock COMPLIANCE retention.

8.8 Demonstrating compliance

TAG Vault makes available to the Customer the information reasonably necessary to demonstrate compliance with §8(2) DPDP Act, including the TOMs in Annex 3, the sub-processor list in Annex 2, and (when issued) third-party audit reports such as SOC 2 Type II and ISO 27001 certification.

9. Sub-processors

9.1 General authorisation

The Customer authorises TAG Vault to engage the Sub-Processors listed in Annex 2 for the processing activities described against each entry. Each Sub-Processor is bound by a written agreement that imposes data-protection obligations no less protective than those in this DPA, in line with §8(2) DPDP Act.

9.2 New or replacement Sub-Processors

TAG Vault provides at least forty-five (45) days’ notice of any new sub-processor or replacement of an existing one. Notice is given by email to the Customer’s designated contact and by posting an updated Annex 2 on the TAG Vault website. The Customer may object on reasonable grounds in writing within thirty (30) days of notice. TAG Vault will not onboard the new sub-processor before the objection window closes, and where Customer has objected, TAG Vault and Customer will work in good faith to resolve (alternative service, alternative processor) within a further 30 days; if no resolution, the Customer may terminate the affected service portion.

9.3 Customer’s right to object

Within thirty (30) days of notice, the Customer may object on reasonable data-protection grounds. The parties will work in good faith to resolve the objection — for example by selecting an alternative Sub-Processor, by isolating the affected processing, or by adjusting the Customer’s configuration. If no resolution is reached within thirty (30) days of the objection, the Customer may terminate the affected portion of the Service without further liability and TAG Vault will refund pre-paid fees on a pro-rata basis.

10. Cross-border transfer — DPDP §16

10.1 India-resident processing

All core processing of Customer Data occurs on AWS infrastructure located in India — primary in ap-south-1 (Mumbai), disaster-recovery replica of sealed buckets and archive in ap-south-2 (Hyderabad). The Central Government has not, as of the effective date of this DPA, notified any country as restricted for transfer under §16 DPDP Act.

10.2 WhatsApp metadata cross-border

When the Customer or its Customer Data Principal selects WhatsApp as a notification channel, phone-number metadata and message-delivery information are processed by Meta Platforms Inc. on infrastructure that may be located in the United States or other regions. Message content is end-to-end encrypted in transit. TAG Vault has a data-processing agreement in place with Meta that governs this processing.

10.3 Email recipient mail servers

When a Customer Data Principal’s email address resolves to a mail server outside India (for example a Gmail, Yahoo, or Outlook account routed via servers in the United States), the SMTP transmission terminates at that mail server outside India. This is an unavoidable consequence of email standards and the Customer Data Principal’s choice of mail provider. The Customer is responsible for reflecting this in its §5 DPDP Act notice to its Customer Data Principals.

10.4 Customer’s notice

The Customer must reflect §10.2 and §10.3 in its own §5 DPDP Act notice to Customer Data Principals where the Customer’s chosen workflow uses these channels.

11. Data Principal rights assistance

11.1 Standard tooling

TAG Vault provides the following standard tools to assist the Customer in responding to Customer Data Principals’ rights requests:

• Access (§11 DPDP): machine-readable export of the Customer Data Principal’s signing-related Customer Data (envelopes, signature events, audit-trail slice for that signer);
• Correction (§12 DPDP): Customer-facing controls to update name, email, phone, and account profile fields; sealed PDFs cannot be altered after sealing — the Customer may issue a corrective addendum envelope;
• Erasure (§12 DPDP): deletion of mutable account-profile data on request; sealed PDFs are NOT erasable on user request because they fall under the §7(c) DPDP Act / §8(7) proviso legal-obligation retention carve-out, as set out in our Data Retention Policy;
• Grievance redressal (§13 DPDP): the Customer’s grievance officer remains the first point of contact; TAG Vault assists with operational data needed to resolve the complaint;
• Nomination (§14 DPDP): TAG Vault honours nominee instructions issued by the Customer.

11.2 Turnaround

TAG Vault responds to the Customer’s written rights-assistance request within seven (7) business days of receipt at legal@brikbond.com, or sooner where required by the DPDP Rules timelines that the Customer is itself bound by.

11.3 Direct requests routed to TAG Vault

Where a Customer Data Principal contacts TAG Vault directly with a rights request that relates to Customer Data, TAG Vault will, without acting on the substance, inform the Customer Data Principal that the Customer is the Data Fiduciary and forward the request to the Customer within two (2) business days.

12. Personal Data Breach cooperation

The 24-hour notification commitment in §8.4 is supported by operational cooperation:

• TAG Vault provides logs, audit-trail slices, forensic outputs, and mitigation evidence reasonably required by the Customer for its §8(6) DPDP Act notification to the DPDP Board (within 72 hours);
• The Customer leads the breach communication to its Customer Data Principals, with TAG Vault providing factual support;
• Where the breach affects multiple Customers, TAG Vault coordinates communications to avoid inconsistent messaging, while preserving each Customer’s autonomy as Data Fiduciary;
• TAG Vault does not make public statements identifying the Customer without the Customer’s prior written consent, except where compelled by law or regulator direction.

13. Audit rights

13.1 Customer audit on notice

Once per calendar year, on at least thirty (30) days’ written notice, the Customer may, at its own cost, audit TAG Vault’s compliance with this DPA. The audit must be:

• conducted during business hours on business days;
• carried out by a qualified independent auditor not in competition with TAG Vault, bound by appropriate confidentiality undertakings;
• scoped reasonably to the obligations under this DPA;
• conducted in a manner that does not unreasonably interfere with TAG Vault’s operations or compromise the confidentiality, security, or availability of any other customer’s data.

13.2 Audit by reliance on third-party reports

In lieu of an on-site audit, the Customer may rely on TAG Vault’s then-current independent third-party audit reports — including the SOC 2 Type II report and ISO/IEC 27001 certification, once these are issued — together with the TOMs disclosure in Annex 3.

13.3 Excessive audit demands

If the Customer requests audits beyond the once-per-year right, or with scope materially exceeding this DPA, TAG Vault may charge the Customer for the reasonable cost of accommodating the request. TAG Vault is not obliged to grant access where the request is not reasonably scoped, would breach a confidentiality obligation owed to a third party, or would compromise the security of any other customer’s data.

14. Retention and deletion on termination

14.1 Mutable Customer Data

Within thirty (30) days of termination of the MSA, TAG Vault returns to the Customer (in machine-readable format) or, at the Customer’s written election, deletes the following Customer Data:

• Customer’s account-profile data;
• Customer’s authentication credentials (cryptographically erased — refresh-token hashes destroyed, MFA secrets KMS-purged);
• In-flight (unsealed) envelope drafts and uploads;
• Notification logs older than the retention periods in our Data Retention Policy.

14.2 Sealed-PDF carve-out — Customer cannot waive

Sealed PDFs together with their certificate-of-completion final page and the audit-trail entries linked to them are subject to AWS S3 Object Lock COMPLIANCE retention for ten (10) years from the date of sealing. Object Lock COMPLIANCE retention CANNOT be shortened or removed by TAG Vault, by the Customer, or by AWS during the retention period — that is the technical guarantee of immutability. This retention rests on §7(c) DPDP Act compliance with the Limitation Act, 1963, the Indian Stamp Act, 1899, and the Registration Act, 1908, and §8(7) DPDP Act proviso (legal-obligation retention).

The Customer cannot waive this retention because the immutability commitment is owed not only to the Customer but also to the Customer Data Principals who signed the document and who are entitled to rely on the integrity of the sealed copy for the limitation periods that apply to their underlying transaction.

Court-order and regulatory carve-out. Notwithstanding the foregoing, where a court of competent jurisdiction, the Data Protection Board of India, the Reserve Bank of India, or any other Indian regulator with lawful authority directs deletion of a sealed PDF, TAG Vault will (a) place the affected object on litigation hold immediately on receipt of the direction, (b) within 30 days seek a clarificatory order if the deletion would compromise other Data Principals’ rights or contradict §49 of the Registration Act, 1908, and (c) comply with the final order within the timeline directed. S3 Object Lock COMPLIANCE has the technical limitation that early deletion is impossible until the retention window expires; the legal-process workaround is documented in our compliance runbook and will be made available to the relevant authority on request.

14.3 Pre-termination export

Before termination, the Customer may export sealed PDFs and the corresponding certificate-of-completion pages in machine-readable format using the Service’s standard export tools. After termination, TAG Vault preserves a read-only retrieval mechanism limited to the sealed PDFs in the Object Lock COMPLIANCE bucket; access is granted on the Customer’s written request and on identity verification, at the Customer’s reasonable cost.

14.4 Audit log retention

Audit-log entries linked to Customer Data are retained for seven (7) years from the event as set out in the Data Retention Policy. This retention rests on the same §7(c) DPDP Act basis.

14.5 Backups

Backups containing Customer Data follow the lifecycle in the Data Retention Policy (daily pg_dump to tag-vault-db-backups: 30 days S3 Standard, then 11 months Glacier Deep Archive, then expire). Restoration from backup post-termination is on Customer request and at Customer cost, subject to the §14.2 carve-out.

15. Liability

15.1 Reference to the MSA cap

TAG Vault’s aggregate liability arising out of or in connection with this DPA is subject to the same cap, in the same twelve-month measurement period, as is set out in the MSA / Terms of Service. There is no separate or additional cap for DPA matters — claims under this DPA, the MSA, and the Terms of Service share a single aggregate cap to avoid double-counting.

15.2 Carve-outs (no cap)

The same carve-outs that apply to the MSA / Terms §19.4 cap apply here in full, including (i) personal injury, (ii) fraud, (iii) non-excludable Indian-law liability, (iv) stamp duty refund (which TAG Vault does not collect), and (v) such other liability as cannot be excluded.

15.3 DPDP Board penalty pass-through

Where the Data Protection Board of India imposes a penalty on the Customer in respect of a personal-data-related contravention directly attributable to TAG Vault’s breach of this DPA, that penalty is recoverable from TAG Vault subject to a separate cap of the greater of (i) three (3) times the annual fees paid by the Customer to TAG Vault in the year preceding the contravention, or (ii) ₹50,00,000 (Rupees fifty lakh). This cap is in addition to and does not aggregate with the §15.1 general cap. Carve-outs in §15.2 apply equally to this clause. Recovery is also subject to (a) the Customer’s mitigation obligations, and (b) the Customer having afforded TAG Vault a reasonable opportunity to participate in the proceeding before the DPDP Board.

15.4 Customer’s own breach

TAG Vault is not liable for, and the Customer indemnifies TAG Vault against, any DPDP Board penalty, regulator order, or third-party claim arising from the Customer’s own breach of its Data Fiduciary obligations, subject to the §15.1 aggregate cap, save where the Customer’s breach involves fraud, wilful misconduct, or upload of First Schedule excluded documents.

16. Governing law and disputes

This DPA is governed by Indian law. The courts at Bangalore (Bengaluru) Urban district, Karnataka, India have exclusive jurisdiction over any dispute arising from this DPA, save that either party may apply to any court of competent jurisdiction in India for interim or injunctive relief.

The parties may, by mutual written agreement, refer a dispute to arbitration under the Arbitration and Conciliation Act, 1996, with seat at [Enter arbitration seat — same as the courts above], before a sole arbitrator, in the English language.

Nothing in this DPA limits or restricts the right of the Customer or any Customer Data Principal to file a complaint before the DPDP Board under §13 / §27 DPDP Act, or before any court, consumer commission, or competent Indian regulator. Any such restriction would be void under §28 of the Indian Contract Act, 1872.

17. Conflict and entire agreement

In the event of conflict between this DPA, the MSA / Terms of Service, and our Privacy Policy:

• On data-protection matters, this DPA prevails;
• On commercial matters (fees, term, scope of Service), the MSA / Terms prevail;
• On B2C consumer privacy matters that fall outside this DPA, the Privacy Policy prevails.

This DPA, the MSA / Terms, and our Privacy Policy together constitute the entire agreement between the parties on the processing of personal data and supersede all prior discussions, drafts, and understandings on that subject.

Annex 1 — Description of Processing

Annex 2 — Authorised Sub-Processors

Effective as of the DPA effective date.

Customer-level opt-out for Meta WhatsApp. Meta WhatsApp is engaged only when the Customer or a Customer Data Principal selects WhatsApp as a notification channel for a specific envelope. Where the Customer disables WhatsApp at the account level (Settings → Notifications → Disable WhatsApp), no Customer Data flows to Meta. The disable mechanism will be available in the platform UI from Phase 2b.

The current authoritative version of this list is published at vault.brikbond.com/legal/dpa#annex-2. New or replacement Sub-Processors are notified per §9.

Annex 3 — Technical and Organisational Measures (TOMs)

This Annex describes the security baseline TAG Vault maintains. It satisfies §8(5) DPDP Act and Rule 8 SPDI Rules and aligns with ISO/IEC 27001 control areas.

A3.1 Encryption

• In transit: TLS 1.2 minimum (TLS 1.3 preferred) on all public endpoints; HSTS; modern cipher suites only.
• At rest: AES-256 via AWS KMS with Customer Managed Keys (tagvault-sse-kms, symmetric, annual auto-rotation). Sealed-PDF cryptographic seal: ECDSA P-256 over SHA-256 (tagvault-seal-ecdsa-p256, manual rotation on compromise only).
• Passwords: Argon2id with parameters tuned to current OWASP guidance.
• MFA: TOTP available to all users; mandatory for engineering accounts.

A3.2 Access control

• RBAC with least-privilege defaults;
• Per-environment IAM roles, instance-profile credentials, no long-lived static keys;
• SSO + MFA enforced for engineering access;
• Quarterly access review;
• All console access logged to CloudTrail.

A3.3 Network

• AWS Security Groups segregate web, app, and (Phase 2b+) data tiers;
• Private subnets for the data tier (Phase 2b);
• Web Application Firewall planned for Phase 2c+;
• DDoS protection via AWS Shield Standard.

A3.4 Audit logging

• Append-only audit log at the database layer, enforced by a PostgreSQL trigger that rejects UPDATE and DELETE on the audit table at the engine layer;
• CloudWatch retention 30–90 days for application and infrastructure logs;
• Eleven (11) operational alarms covering authentication anomalies, error rates, queue depth, KMS errors, S3 access denied, and replication lag.

A3.5 Resilience

• AWS S3 Object Lock COMPLIANCE 10-year retention on sealed and archive buckets;
• S3 Cross-Region Replication of the same buckets to ap-south-2 (Hyderabad);
• Daily pg_dump backups to tag-vault-db-backups (30 days S3 Standard → 11 months Glacier Deep Archive → expire) at MVP;
• AWS RDS automated backups with point-in-time recovery from Phase 2b;
• Documented disaster-recovery runbook with periodic tabletop exercises.

A3.6 Vendor management

• Written DPAs in place with AWS and Meta;
• Sub-Processor change notice per §9 of this DPA;
• Annual review of Sub-Processor security posture.

A3.7 Personnel

• Confidentiality undertakings on hire (carrying through after termination);
• NDA for any third-party engagement that touches Customer Data;
• Annual security awareness training;
• Background checks for engineering hires.

A3.8 Incident response

• 24-hour breach notification SLA to the Customer (§8.4);
• 6-hour CERT-In external notification under the 28 April 2022 Directions;
• Documented incident-response playbook covering detection, containment, eradication, recovery, and post-incident review;
• Annual tabletop exercises; lessons learned fed back into TOMs.

A3.9 Vulnerability management

• pnpm audit / npm audit on every CI build;
• Dependency upgrades within thirty (30) days for critical CVEs (sooner where exploit-in-the-wild is reported);
• Annual third-party penetration test from Phase 2b;
• Bug-bounty programme planned for Phase 2c.

A3.10 No analytics, no AI training, no targeted advertising

TAG Vault does not run third-party analytics, tracking pixels, or ad networks; does not train AI / ML models on Customer Data; and does not profile Customer Data Principals for targeted advertising.

Contact

Questions on this DPA, sub-processor notices, breach communications, or audit requests should be directed to:

TAG Projects (operated by VTAG Software Private Limited)
Karnataka, India

Legal:                legal@brikbond.com
Privacy team:         privacy@brikbond.com
Data Protection Officer (when designated): dpo@brikbond.com
Security incidents:   security@brikbond.com
Grievance Officer:    grievance@brikbond.com

The Grievance Officer designated under §8(9)/§13 DPDP Act, Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Rule 4(5) of the Consumer Protection (E-Commerce) Rules, 2020 is:

Grievance Officer
Vijay Sivanjan
TAG Projects (operated by VTAG Software Private Limited)
Karnataka, India
Email: grievance@brikbond.com