Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Customer", acting as the Data Fiduciary / Controller) and AskBooks Technologies Pvt Ltd ("AskBooks", acting as the Data Processor) and applies whenever AskBooks processes personal data on behalf of the Customer.

1. Roles of the Parties

The Customer is the Data Fiduciary / Controller determining the purposes and means of processing personal data submitted to the Service. AskBooks is the Data Processor, processing such data only on documented instructions from the Customer.

2. Scope and Duration of Processing

  • Subject matter: provision of the AskBooks Service.
  • Nature and purpose: hosting, storing, and processing personal and business data uploaded by the Customer.
  • Categories of data subjects: Customer's employees, customers, vendors, and other contacts.
  • Duration: for the term of the subscription, plus any retention period required by law.

3. Sub-processors

AskBooks engages the following sub-processors:

Sub-processor         Purpose                                  Location
Amazon Web Services   Cloud hosting & storage                  India (ap-south-1)
Razorpay              Payment processing                       India
Twilio SendGrid       Transactional email                      United States
Cloudflare            CDN & DDoS protection                    Global
Sentry                Error monitoring                         United States
OpenAI / Anthropic    AI features (when enabled by Customer)   United States

We will give at least 30 days' notice of any new sub-processor; the Customer may object on reasonable grounds.

4. Security Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM).
  • Role-based access control with least-privilege defaults and multi-factor authentication for all engineering staff.
  • Tamper-evident audit logs of all data access.
  • PostgreSQL Row-Level Security (RLS) for tenant isolation.
  • Annual penetration testing and quarterly vulnerability scanning.
  • Background checks on all employees with production data access.

5. Data Subject Rights

AskBooks will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to fulfil obligations to respond to requests from data principals exercising their rights under the DPDPA. The Service provides built-in self-service endpoints for access, correction, erasure, and portability requests.

6. Personal Data Breach Notification

AskBooks shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation measures taken.

7. Audit Rights

Once per year, the Customer may request a copy of our latest independent audit reports (e.g. SOC 2, ISO 27001 once available). For deeper audits, the parties shall agree on scope, timing, and reasonable costs.

8. Termination & Return / Deletion of Data

On termination of the Service, AskBooks will, at the Customer's option, return or irreversibly delete all Customer Data within 90 days, except where retention is required by Indian law (e.g. financial records under the Income Tax Act).

9. Liability

Each party's liability under this DPA is subject to the limits set out in the Terms of Service.

10. Contact

For DPA inquiries, email dpo@askbooks.in.