Legal
Data Processing Agreement.
This DPA forms part of your Terms of Service when Depra processes Personal Data on your behalf. It describes our obligations as a Data Processor under the DPDP Act, 2023 and GDPR (where applicable).
01Roles
You (the Customer) are the Data Fiduciary (Controller). Depra is the Data Processor, processing Personal Data only on your documented instructions.
02Scope of processing
Subject-matter: providing the Depra platform (AI agents for WhatsApp, voice, email) and support.
Duration: for the term of the subscription, plus 30 days for export and then deletion.
Nature: automated processing — reading, classifying, responding, routing, storing, and analysing customer conversations.
Purpose: enabling you to deliver customer experience using Depra.
Categories of data subjects: your end customers (and prospective customers) who interact with your channels.
Categories of Personal Data: names, phone numbers, email addresses, order details, conversation content.
03Our obligations as Processor
Process Personal Data only on your documented instructions — including the Terms of Service and any configurations you set in the product.
Maintain the confidentiality of Personal Data via access controls, NDAs with all staff, and need-to-know access.
Implement and maintain reasonable security measures including encryption in transit (TLS 1.3) and at rest (AES-256).
Assist you with Data Principal requests (access, correction, deletion) within 10 business days.
Notify you of any Personal Data breach within 24 hours of discovery.
Delete or return Personal Data at the end of the service, per your instruction.
04Sub-processors
We use AWS ap-south-1 (infrastructure), Deepgram (voice STT), ElevenLabs (voice TTS), OpenAI & Anthropic (language models), Razorpay (payments) as sub-processors.
Current list is maintained at depra.ai/subprocessors.
We'll give you 30 days' notice before engaging a new sub-processor. If you object on reasonable grounds, we'll work with you or terminate the affected service.
05International transfers
We store and process Personal Data in India (AWS Mumbai). Some sub-processors (Deepgram, ElevenLabs, OpenAI, Anthropic) process data in the US — these are covered by our data processing agreements with them and Standard Contractual Clauses where applicable.
06Data Principal rights assistance
We provide tools for you to fulfil Data Principal requests directly from the product (export, delete, correct). For requests you can't handle in-app, we respond to requests for assistance within 10 business days.
07Security measures
Encryption: TLS 1.3 in transit, AES-256 at rest.
Access control: role-based access, MFA required for all admin access, SSO supported for Enterprise.
Monitoring: 24×7 intrusion detection, anomaly alerting, and quarterly penetration testing.
Backup: encrypted daily backups, retained 35 days, tested quarterly for restoration.
08Audits
Enterprise customers can request an annual security audit with 30 days' notice. We'll share our latest SOC 2 Type II report (expected Q3 2026) or a comparable independent audit.
09Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service.
10Signing
This DPA is auto-accepted as part of your subscription. Enterprise customers can request a counter-signed hard copy via legal@depra.ai.
Need a counter-signed DPA for your compliance team? Email legal@depra.ai with your entity details — we'll send a signed version within 3 business days.
