Live Sign in Request a briefing

Legal / Data Processing Addendum

Version 1.0 · Effective 23 May 2026 · Manthan Intelligence

Status: v1.0 · effective 23 May 2026 · prepared in-house by Manthan Intelligence’s legal function. Review by UK-qualified external counsel is pending; the document will be re-issued on completion. Questions: [email protected].

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement, Design Partner Agreement, or other written agreement between Manthan Intelligence Ltd (“Manthan”, “Processor”) and [CUSTOMER LEGAL NAME] (“Customer”, “Controller”) (the “Principal Agreement”). Where the Customer engages Manthan to process personal data on its behalf, this DPA governs that processing.

In any conflict between this DPA and the Principal Agreement on data-protection matters, this DPA prevails.


1. Definitions

Terms not defined here have the meaning given in the UK GDPR. Specifically:

2. Roles and scope

ScenarioManthan roleCustomer role
Processing Customer’s Mandate Book, CRM data, contacts, OAuth-supplied data, accept/decline eventsProcessorController
Processing Customer’s named-user account info (login, name, email, billing)Controllern/a (Manthan is sole Controller for its own users)
Processing public-domain knowledge-graph data (regulatory filings, public news, etc.)Controllern/a

This DPA addresses Manthan’s Processor obligations under row 1.

3. Subject matter and details of Processing

Set out in Annex 1. As at the Effective Date:

4. Manthan’s processing obligations

Manthan shall:

(a) Process Customer Personal Data only on the Customer’s documented instructions, including those set out in this DPA and the Principal Agreement, and as required for the provision of the Services; (b) ensure that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations; (c) implement and maintain the technical and organisational measures set out in Annex 2; (d) not engage a Sub-processor without complying with Clause 7; (e) provide reasonable assistance to the Customer in responding to Data Subject requests under Clauses 8 and 9; (f) make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 UK GDPR, including the information in Annexes 1 and 2; (g) on the Customer’s reasonable instruction, return or delete Customer Personal Data at the end of Processing, per Clause 11; (h) immediately inform the Customer if, in Manthan’s opinion, an instruction infringes Applicable Data Protection Law.

5. Manthan-specific commitments (not standard SaaS)

Per the Principal Agreement and the Manthan product architecture, the following commitments apply and may not be waived by any Order Form:

(a) Per-customer isolation. Customer Personal Data is stored in a per-customer data environment with row-level security enforcement. Manthan shall not co-mingle Customer Personal Data with any other customer’s data in any shared compute, storage, or model context. (b) No model training. Manthan shall not use Customer Personal Data, or any data derived from it, to train, evaluate, fine-tune, or otherwise improve any artificial intelligence or machine learning model — Manthan’s own, a Sub-processor’s, or any third party’s. (c) No cross-customer learning. No Personal Data, derived insight, scoring weight, accept/decline pattern, or any other artefact attributable to the Customer shall be used to benefit any other customer.

These commitments are tested by the audit-trail mechanisms in Clauses 6 and 13.

6. Security

Manthan implements and maintains the technical and organisational measures in Annex 2, which include (without limitation):

Manthan keeps Annex 2 current and provides updated versions on request.

7. Sub-processors

7.1 General authorisation

The Customer authorises Manthan to engage the Sub-processors listed at Annex 3 (incorporating 07_Subprocessor_List_v1_0 as updated from time to time). Manthan flows the relevant Processor obligations down to each Sub-processor by contract.

7.2 Changes

Manthan shall give the Customer at least thirty (30) days’ prior written notice of any new Sub-processor (or change in Sub-processor scope). The Customer may object on reasonable data-protection grounds. If the Parties cannot agree on an alternative within a further thirty (30) days, the Customer may terminate the affected Order Forms without penalty.

7.3 Manthan’s liability

Manthan remains fully liable for any Sub-processor’s acts and omissions in relation to Customer Personal Data.

8. Data Subject rights

Manthan shall provide reasonable assistance, by appropriate technical and organisational measures, to enable the Customer to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection, within the timescales required by Applicable Data Protection Law.

If Manthan receives a Data Subject request directly, it shall forward the request to the Customer without undue delay and shall not respond to the Data Subject (except to acknowledge receipt and direct them to the Customer) unless required by law.

9. Personal Data Breach

Manthan shall notify the Customer without undue delay (and, where feasible, within seventy-two (72) hours) of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include:

(a) the nature of the breach, categories and approximate numbers of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its effects; (d) the name and contact details of Manthan’s relevant point of contact.

Manthan shall cooperate with the Customer’s investigation and breach-notification obligations and shall not make public statements about a breach affecting Customer Personal Data without the Customer’s consent, except as required by law.

10. Cross-border transfers

Customer Personal Data is hosted in the United Kingdom (DigitalOcean LON1) as Manthan’s default data-residency commitment.

To the extent that Processing requires transfer of Customer Personal Data to a country outside the UK and the EEA without an adequacy decision (notably to Anthropic, PBC in the United States for LLM inference), Manthan shall:

(a) execute the UK IDTA (or, for EEA-originating data, the EU SCCs Module Two/Three as applicable) with the relevant Sub-processor; (b) maintain a Transfer Impact Assessment (TIA) for each such transfer; and (c) provide the TIA and transfer documents to the Customer on request.

11. Return and deletion of Customer Personal Data

On expiry or termination of the Principal Agreement, or on the Customer’s written request, Manthan shall:

(a) within thirty (30) days, make Customer Personal Data available for export in a structured, machine-readable format; and (b) within sixty (60) days, delete Customer Personal Data from active systems, and within ninety (90) days from all backups (subject to retention required by law or Manthan’s bona fide internal record-retention policy, in which case the retained data remains subject to this DPA indefinitely).

Manthan shall certify deletion in writing on request.

12. Confidentiality

Customer Personal Data is at all times Confidential Information of the Customer and is treated under the confidentiality terms of the Principal Agreement (or, in their absence, the Mutual NDA between the Parties).

13. Audit

Manthan shall make available to the Customer, no more than once in any twelve-month period and on thirty (30) days’ notice, evidence reasonably necessary to demonstrate compliance with this DPA. Evidence may take the form of:

(a) third-party audit reports (e.g. ISO 27001, SOC 2, when available); (b) responses to a Customer security questionnaire; (c) an audit-trail summary covering access to the Customer’s Personal Data over the relevant period; (d) where the Customer reasonably requires it, an on-site audit at the Customer’s cost, conducted with reasonable notice and without disrupting Manthan’s operations.

Regulator audits requested by a competent authority are governed by Applicable Data Protection Law and do not require Manthan’s consent.

14. Liability

Liability arising under or in connection with this DPA is subject to the liability provisions of the Principal Agreement, except that nothing in the Principal Agreement limits liability for breach of Applicable Data Protection Law to the extent such limitation is prohibited by that law.

15. Order of precedence

In any conflict regarding data protection:

  1. The UK GDPR and Applicable Data Protection Law (mandatory);
  2. The UK IDTA / SCCs (as executed);
  3. This DPA;
  4. The Principal Agreement.

16. Governing law

This DPA is governed by the same law as the Principal Agreement (default: England and Wales). Disputes follow the same jurisdiction.


Annex 1 — Description of Processing

ItemDetail
Subject matterProvision of the Narada platform and related services to the Customer.
NatureContinuous, automated processing for signal monitoring, scoring, output generation, and persistence.
PurposeTo enable the Customer to identify, evaluate, and act on deal opportunities in its mandate area.
DurationTerm of the Principal Agreement plus retention under Clause 11.
Categories of Data SubjectsCustomer’s named users; the Customer’s contacts, counter-parties, and prospects to the extent included in Customer Personal Data.
Categories of Personal DataBusiness contact details (name, work email, work phone, role, employer); professional history and CV-style information; relationship metadata (who knows whom, where, when); email metadata where Customer’s user OAuth-shared their mailbox; accept/decline events and Customer feedback; any other Personal Data the Customer chooses to upload.
Special category dataNone ordinarily. Customer not to upload Art 9 data without prior written agreement.
Frequency and meansContinuous, electronic.
Manthan personnel with accessStrictly need-to-know basis: founder, named engineering staff, contracted DPO (when appointed).

Annex 2 — Technical and Organisational Measures

Confidentiality — Encryption at rest (AES-256). Encryption in transit (TLS 1.2+). Per-customer data-environment isolation with row-level security. Authentication via multi-factor for production access. Least-privilege role-based access control.

Integrity — Schema validation at ingestion. Audit logging of writes to Customer Personal Data. Backup integrity verification. Tamper-resistant audit trail with rule-IDs cited on every Output.

Availability and resilience — Daily backups. Disaster-recovery test quarterly. Resilience drills quarterly (Engineering Discipline B2). Documented incident-response runbook.

Procedures for regular testing, assessment, and evaluation — Weekly automated security scans (dependencies, secrets, configuration). Annual penetration test (planned Q4 2026). Internal continuous evaluation framework with calibration sweeps weekly.

Personnel — Confidentiality obligations on all personnel. Annual data-protection training. Background checks for production-access personnel.

Sub-processor management — Sub-processor due diligence before onboarding. Contractual flow-down of DPA obligations. Annual review of each Sub-processor’s compliance posture.

Data minimisation and retention — Customer Personal Data retained only as long as needed for Service provision and per Clause 11. Aggregate operational metrics retained anonymised only.

Annex 3 — Sub-processors

See 07_Subprocessor_List_v1_0 (incorporated by reference). Current version reflected on Manthan’s website and provided on request.


Acknowledged for and on behalf of Manthan Intelligence Ltd:

Name: __________________________________ Title: __________________________________ Date: __________________________________ Signature: ______________________________

Acknowledged for and on behalf of [CUSTOMER LEGAL NAME]:

Name: __________________________________ Title: __________________________________ Date: __________________________________ Signature: ______________________________