Skip to main content
Evaaluate
Book a Demo

Last updated: March 28, 2026 | Version 1.0

Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms of Use and applies to Enterprise customers with specific data processing requirements.

1. Subject Matter and Duration

This DPA governs the processing of personal data by ORIS Intelligence Pvt. Ltd. ("Data Processor") on behalf of the Customer ("Data Fiduciary") for the duration of the subscription agreement plus 30 days for data return/deletion.

2. Nature and Purpose of Processing

Processing of financial data, company information, and professional credentials for the purpose of operating the Evaaluate statutory valuation platform, including data extraction, market research, computation, and report generation.

3. Types of Personal Data

  • Professional credentials (name, designation, registration numbers)
  • Contact information (email, phone)
  • Financial data of valuation subject entities (uploaded by the Customer)
  • Engagement metadata and audit trail records

4. Categories of Data Subjects

  • Customer employees and authorized users
  • Directors and shareholders of entities being valued (as appearing in uploaded documents)

5. Obligations of the Data Processor

  • Process personal data only on documented instructions from the Customer
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject requests
  • Notify the Customer of any personal data breach within 48 hours
  • Delete or return all personal data upon termination

6. Sub-Processor Management

Current sub-processors: AWS (infrastructure, Mumbai region), Razorpay (payments), Resend (email delivery). The Data Processor will notify the Customer 30 days before engaging a new sub-processor. The Customer may object within 14 days.

7. Security Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Firm-level tenant isolation via PostgreSQL Row-Level Security
  • Access control with role-based permissions (RBAC)
  • Quarterly penetration testing by independent security firm
  • SOC 2 Type II certification (target: month 12)
  • All data stored within India (AWS ap-south-1)

8. Audit Rights

The Customer may audit the Data Processor's compliance with this DPA once per year with 30 days' written notice. The Data Processor will provide access to relevant documentation, systems, and personnel.

9. Data Return and Deletion

Upon termination, the Customer may export all data within 30 days. After 30 days, all personal data will be permanently deleted, except where retention is required by law (7 years for valuation records per statutory requirements).

10. Contact

For DPA inquiries or to request a signed copy: legal@evaaluate.com