Skip to content
Legal

Data Processing Agreement

Effective date: May 23, 2026  |  Last updated: June 22, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Verdeshell Technologies Pvt. Ltd.and the Customer and governs the processing of personal data on the Customer's behalf.

1. Parties and Roles

  • Data Controller: The Customer — the organisation subscribing to Verdeshell HRMS — determines the purposes and means of processing personal data of its employees and end users.
  • Data Processor: Verdeshell Technologies Pvt. Ltd.— processes personal data strictly on the Customer's documented instructions as described in this DPA and the Terms of Service.

DPDP Act terminology.For the purposes of India's Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (together, "DPDP"), the Customer is the Data Fiduciary and Verdeshell Technologies Pvt. Ltd. is the Data Processor. Where this DPA uses "Data Controller" and "Data Processor", those terms are to be read as "Data Fiduciary" and "Data Processor" respectively. "Data Principal" has the meaning given in the DPDP Act and includes the Customer's employees and personnel whose personal data is processed under this DPA. Under Section 8 of the DPDP Act, the Data Fiduciary remains responsible for compliance in respect of personal data processed on its behalf.

2. Scope of Processing

2.1 Categories of Data Subjects

  • Employees and contractors of the Customer
  • HR administrators and managers designated by the Customer

2.2 Categories of Personal Data

  • Identity data: name, email, phone, employee ID, date of birth, photograph
  • Employment data: designation, department, salary, bank details, statutory IDs
  • Attendance data: check-in/out times, GPS coordinates, selfie photographs
  • Biometric data: facial geometry embeddings (where face enrolment is enabled)
  • Leave and timesheet records
  • Uploaded employee documents
  • Device identifiers (FCM tokens) for push notifications

2.3 Purpose of Processing

Processing is carried out solely to provide the Verdeshell HRMS Service, including attendance management, payroll processing, leave management, timesheet tracking, and related HR workflows, as described in the Terms of Service.

2.4 Duration

Processing continues for the duration of the Customer's active subscription. Following termination, data is retained for 90 days to allow export, then permanently deleted unless a longer statutory retention period applies.

3. Processor Obligations

Verdeshell shall:

  • Process personal data only on the documented instructions of the Customer (including these Terms) and not for any other purpose
  • Notify the Customer if, in Verdeshell's reasonable opinion, an instruction infringes applicable data protection law, and in that case may suspend the affected processing without liability until the instruction is confirmed or amended to be lawful
  • Ensure that personnel authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures as described in Section 5
  • Assist the Customer in responding to data subject rights requests (access, erasure, portability, rectification) within 25 days of receiving a request from the Customer, allowing the Customer sufficient time to respond within the applicable statutory window
  • Notify the Customer without undue delay (and within 72 hours where required by GDPR) upon becoming aware of a personal data breach, as further described in Section 9
  • Provide all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits by the Customer or a mandated auditor, upon 30 days' written notice
  • Upon termination of the subscription or upon the Customer's written request, delete or return all personal data in a documented, machine-readable format and provide written confirmation of deletion within 30 days of completing the process
  • Maintain records of processing activities carried out on behalf of the Customer as required by Article 30(2) of the GDPR and make these available to the Customer upon request

4. Controller Obligations

The Customer shall:

  • Ensure a lawful basis exists for processing employee personal data under applicable law (employment contract, statutory obligation, or consent)
  • Inform employees about the use of Verdeshell HRMS and data collection (including location and photo data) through appropriate internal notices or employment agreements
  • Obtain necessary consents from employees for location tracking, camera access, and biometric face enrolment where required by national law
  • Ensure accuracy of personal data uploaded to the Service and promptly correct inaccuracies
  • Where biometric or facial-recognition features are enabled, independently obtain each affected employee's specific, unbundled consent (or rely on, and document, a lawful "legitimate use" under the DPDP Act), issue the required notice, and instruct deletion when the purpose expires (including on employee exit)
  • Be solely responsible for any obligations applicable to it as a Data Fiduciary or Significant Data Fiduciary under the DPDP Act — including any Data Protection Impact Assessment, independent data audit, appointment of an India-based Data Protection Officer, and reporting of personal data breaches to the Data Protection Board of India and to affected Data Principals
  • Not instruct Verdeshell to process personal data in a manner that would violate applicable data protection law

5. Security Measures

Verdeshell implements the following technical and organisational measures:

  • Encryption in transit: All data transmitted between clients and servers uses TLS 1.2+
  • Encryption at rest: Files on AWS S3 use AES-256 server-side encryption; database data at rest is encrypted by AWS RDS
  • Password security: User passwords are hashed using bcrypt (never stored in plain text)
  • Tenant isolation: Row-Level Security (RLS) in PostgreSQL enforces strict data isolation between Customer tenants
  • Access control: Role-Based Access Control (RBAC) with least-privilege principles; employees access only data they are authorised to see
  • Audit logging: All sensitive actions (logins, approvals, data exports, admin operations) are logged with timestamps and user IDs
  • Session security: HTTP-only, SameSite cookies; automatic session expiry
  • Access to production: Only authorised Verdeshell engineers with a documented need can access production infrastructure; access is logged and reviewed

6. Sub-Processors

Verdeshell uses the following sub-processors to deliver the Service. The Customer consents to the engagement of these sub-processors by accepting these Terms. Verdeshell will notify Customers of any material changes to this list — including additions or replacements of sub-processors — with at least 30 days' advance notice, giving Customers the opportunity to object before the change takes effect. If a Customer objects and the parties cannot resolve the objection, either party may terminate the affected portion of the Service without penalty.

Sub-processorPurposeLocation
Amazon Web Services (AWS)Cloud infrastructure, database hosting, file storage (S3)Asia Pacific (Mumbai) — ap-south-1
Google Firebase (FCM)Push notification delivery to mobile devicesUnited States / Global
OpenStreetMap / NominatimReverse geocoding of GPS coordinates to human-readable addressesGlobal (no personal identifiers transmitted — coordinates only)
Microsoft (MS Graph API)Transactional email delivery (payslips, notifications, billing)Global
RazorpaySubscription billing and payment processing (Customer billing only)India

7. International Data Transfers

Personal data is primarily stored on AWS in the Asia Pacific (Mumbai) region. Where data is transferred to sub-processors outside India or the EEA, Verdeshell ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission where GDPR applies
  • Adequacy decisions, where applicable, for transfers to countries deemed adequate by the European Commission

Under the DPDP Act and the DPDP Rules, 2025, personal data may be transferred outside India except to any country or territory restricted by the Government of India by notification. The parties will comply with any sector-specific data-localisation requirements that apply (including those of the Reserve Bank of India in respect of payment data) and with any additional transfer restrictions that apply to Significant Data Fiduciaries.

8. Data Subject Rights Assistance

When a Customer receives a data subject request (access, erasure, portability, rectification, objection), the Customer should forward the request to support@verdeshell.com. Verdeshell will provide the Customer with the necessary technical assistance to fulfil the request within 25 days, allowing the Customer sufficient time to respond within the 30-day GDPR window. Data subjects may also contact Verdeshell directly; we will acknowledge the request and route it to the appropriate Customer for a decision.

9. Breach Notification

In the event of a personal data breach, Verdeshell will notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will include, to the extent known at the time:

  • A description of the nature of the personal data breach, including the categories of personal data affected (e.g., identity data, payroll data, biometric data)
  • The approximate number of data subjects affected and the approximate number of personal data records affected
  • The name and contact details of Verdeshell's data protection contact point (or the contact person from whom more information can be obtained)
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

Where all required information is not available within 72 hours, Verdeshell will provide an initial notification and supply additional information as it becomes available, without undue further delay. The Customer is responsible for notifying the relevant supervisory authority (including, under the DPDP Act, the Data Protection Board of India) and affected data subjects as required by applicable law.

10. Audits and Compliance Demonstration

Upon written request with at least 30 days' notice, Verdeshell will provide the Customer with documentation and information necessary to demonstrate compliance with this DPA, including relevant extracts from processing records maintained under Article 30(2) GDPR. Physical on-site audits may be conducted at the Customer's expense, subject to reasonable confidentiality protections and operational constraints.

11. Liability and Indemnity

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, including the aggregate liability cap, which apply to the combined liability of the parties under the Terms of Service and this DPA taken together.

As between the parties, and consistent with Section 8 of the DPDP Act, the Customer (as Data Fiduciary) is responsible for the lawfulness of the personal data it provides and the instructions it gives. The Customer shall indemnify and hold Verdeshell harmless from any claim, loss, penalty, or proceeding (including by the Data Protection Board of India or any other regulatory authority) arising from (a) the Customer's failure to establish a lawful basis, obtain any required consent, or provide any required notice to Data Principals; (b) the Customer's instructions to process personal data in breach of applicable law; or (c) the Customer's breach of its obligations as a Data Controller or Data Fiduciary. Verdeshell's corresponding indemnity to the Customer is limited to losses arising from Verdeshell's breach of the Customer's documented processing instructions or its failure to maintain the security measures described in Section 5.

12. Governing Law

This DPA is governed by the laws of India. For Customers subject to GDPR, the parties agree that this DPA shall be interpreted consistently with GDPR requirements and that EU data subjects' rights shall not be diminished.

13. Contact

Verdeshell Technologies Pvt. Ltd.

Sector 58, Gurgaon, Haryana, India – 122011

Data & Privacy queries: support@verdeshell.com