Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement, Design Partner Agreement, or other written agreement between Manthan Intelligence Ltd (“Manthan”, “Processor”) and [CUSTOMER LEGAL NAME] (“Customer”, “Controller”) (the “Principal Agreement”). Where the Customer engages Manthan to process personal data on its behalf, this DPA governs that processing.
In any conflict between this DPA and the Principal Agreement on data-protection matters, this DPA prevails.
1. Definitions
Terms not defined here have the meaning given in the UK GDPR. Specifically:
- “Personal Data”, “Process / Processing”, “Data Subject”, “Controller”, “Processor”, “Sub-processor”, and “Personal Data Breach” have the meanings in Articles 4–5 of the UK GDPR.
- “Customer Personal Data” means Personal Data that Manthan Processes on behalf of the Customer in providing the Services.
- “Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable to Customer), and any other data-protection law applicable to the Processing.
- “Standard Contractual Clauses” or “SCCs” means the EU SCCs adopted by Commission Implementing Decision (EU) 2021/914.
- “UK IDTA” means the UK International Data Transfer Agreement issued by the ICO.
2. Roles and scope
| Scenario | Manthan role | Customer role |
|---|---|---|
| Processing Customer’s Mandate Book, CRM data, contacts, OAuth-supplied data, accept/decline events | Processor | Controller |
| Processing Customer’s named-user account info (login, name, email, billing) | Controller | n/a (Manthan is sole Controller for its own users) |
| Processing public-domain knowledge-graph data (regulatory filings, public news, etc.) | Controller | n/a |
This DPA addresses Manthan’s Processor obligations under row 1.
3. Subject matter and details of Processing
Set out in Annex 1. As at the Effective Date:
- Nature and purpose: providing the Narada intelligence platform to the Customer.
- Categories of Data Subjects: the Customer’s named users; the Customer’s contacts and counter-parties to the extent included in Customer Personal Data.
- Categories of Personal Data: business contact details, professional history, relationship metadata, email metadata (where OAuth granted), accept/decline events and other interaction data.
- Special categories: none ordinarily processed. Customer must not upload special-category data (Art 9) without prior written agreement.
- Duration of Processing: for the term of the Principal Agreement plus retention permitted by Clause 11.
4. Manthan’s processing obligations
Manthan shall:
(a) Process Customer Personal Data only on the Customer’s documented instructions, including those set out in this DPA and the Principal Agreement, and as required for the provision of the Services;
(b) ensure that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations;
(c) implement and maintain the technical and organisational measures set out in Annex 2;
(d) not engage a Sub-processor without complying with Clause 7;
(e) provide reasonable assistance to the Customer in responding to Data Subject requests under Clauses 8 and 9;
(f) make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 UK GDPR, including the information in Annexes 1 and 2;
(g) on the Customer’s reasonable instruction, return or delete Customer Personal Data at the end of Processing, per Clause 11;
(h) immediately inform the Customer if, in Manthan’s opinion, an instruction infringes Applicable Data Protection Law.
5. Manthan-specific commitments (not standard SaaS)
Per the Principal Agreement and the Manthan product architecture, the following commitments apply and may not be waived by any Order Form:
(a) Per-customer isolation. Customer Personal Data is stored in a per-customer data environment with row-level security enforcement. Manthan shall not co-mingle Customer Personal Data with any other customer’s data in any shared compute, storage, or model context.
(b) No model training. Manthan shall not use Customer Personal Data, or any data derived from it, to train, evaluate, fine-tune, or otherwise improve any artificial intelligence or machine learning model, whether Manthan’s own, a Sub-processor’s, or any third party’s.
(c) No cross-customer learning. No Personal Data, derived insight, scoring weight, accept/decline pattern, or any other artefact attributable to the Customer shall be used to benefit any other customer.
These commitments are tested by the audit-trail mechanisms in Clauses 6 and 13.
6. Security
Manthan implements and maintains the technical and organisational measures in Annex 2, which include (without limitation):
- Encryption at rest (AES-256) and in transit (TLS 1.2+);
- Access control on a least-privilege, role-based basis;
- Multi-factor authentication for production system access;
- Audit logging of access to Customer Personal Data, retained for at least twelve (12) months;
- Secure development practices (peer review, automated test gates, dependency scanning);
- Quarterly chaos / resilience drills per the Engineering Disciplines B2 framework;
- Annual third-party penetration testing (planned from Q4 2026; until then, internal red-team and vulnerability scanning);
- Personnel training on data protection and confidentiality.
Manthan keeps Annex 2 current and provides updated versions on request.
7. Sub-processors
7.1 General authorisation
The Customer authorises Manthan to engage the Sub-processors listed at Annex 3 (incorporating 07_Subprocessor_List_v1_0 as updated from time to time). Manthan flows the relevant Processor obligations down to each Sub-processor by contract.
7.2 Changes
Manthan shall give the Customer at least thirty (30) days’ prior written notice of any new Sub-processor (or change in Sub-processor scope). The Customer may object on reasonable data-protection grounds. If the Parties cannot agree on an alternative within a further thirty (30) days, the Customer may terminate the affected Order Forms without penalty.
7.3 Manthan’s liability
Manthan remains fully liable for any Sub-processor’s acts and omissions in relation to Customer Personal Data.
8. Data Subject rights
Manthan shall provide reasonable assistance, by appropriate technical and organisational measures, to enable the Customer to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection, within the timescales required by Applicable Data Protection Law.
If Manthan receives a Data Subject request directly, it shall forward the request to the Customer without undue delay and shall not respond to the Data Subject (except to acknowledge receipt and direct them to the Customer) unless required by law.
9. Personal Data Breach
Manthan shall notify the Customer without undue delay (and, where feasible, within seventy-two (72) hours) of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include:
(a) the nature of the breach, categories and approximate numbers of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its effects; (d) the name and contact details of Manthan’s relevant point of contact.
Manthan shall cooperate with the Customer’s investigation and breach-notification obligations and shall not make public statements about a breach affecting Customer Personal Data without the Customer’s consent, except as required by law.
10. Cross-border transfers
Customer Personal Data is hosted in the United Kingdom (DigitalOcean LON1) as Manthan’s default data-residency commitment.
To the extent that Processing requires transfer of Customer Personal Data to a country outside the UK and the EEA without an adequacy decision (notably to Anthropic, PBC in the United States for LLM inference), Manthan shall:
(a) execute the UK IDTA (or, for EEA-originating data, the EU SCCs Module Two/Three as applicable) with the relevant Sub-processor; (b) maintain a Transfer Impact Assessment (TIA) for each such transfer; and (c) provide the TIA and transfer documents to the Customer on request.
11. Return and deletion of Customer Personal Data
On expiry or termination of the Principal Agreement, or on the Customer’s written request, Manthan shall:
(a) within thirty (30) days, make Customer Personal Data available for export in a structured, machine-readable format; and (b) within sixty (60) days, delete Customer Personal Data from active systems, and within ninety (90) days from all backups (subject to retention required by law or Manthan’s bona fide internal record-retention policy, in which case the retained data remains subject to this DPA indefinitely).
Manthan shall certify deletion in writing on request.
12. Confidentiality
Customer Personal Data is at all times Confidential Information of the Customer and is treated under the confidentiality terms of the Principal Agreement (or, in their absence, the Mutual NDA between the Parties).
13. Audit
Manthan shall make available to the Customer, no more than once in any twelve-month period and on thirty (30) days’ notice, evidence reasonably necessary to demonstrate compliance with this DPA. Evidence may take the form of:
(a) third-party audit reports (e.g. ISO 27001, SOC 2, when available); (b) responses to a Customer security questionnaire; (c) an audit-trail summary covering access to the Customer’s Personal Data over the relevant period; (d) where the Customer reasonably requires it, an on-site audit at the Customer’s cost, conducted with reasonable notice and without disrupting Manthan’s operations.
Regulator audits requested by a competent authority are governed by Applicable Data Protection Law and do not require Manthan’s consent.
14. Liability
Liability arising under or in connection with this DPA is subject to the liability provisions of the Principal Agreement, except that nothing in the Principal Agreement limits liability for breach of Applicable Data Protection Law to the extent such limitation is prohibited by that law.
15. Order of precedence
In any conflict regarding data protection:
- The UK GDPR and Applicable Data Protection Law (mandatory);
- The UK IDTA / SCCs (as executed);
- This DPA;
- The Principal Agreement.
16. Governing law
This DPA is governed by the same law as the Principal Agreement (default: England and Wales). Disputes follow the same jurisdiction.
Annex 1 — Description of Processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Narada platform and related services to the Customer. |
| Nature | Continuous, automated processing for signal monitoring, scoring, output generation, and persistence. |
| Purpose | To enable the Customer to identify, evaluate, and act on deal opportunities in its mandate area. |
| Duration | Term of the Principal Agreement plus retention under Clause 11. |
| Categories of Data Subjects | Customer’s named users; the Customer’s contacts, counter-parties, and prospects to the extent included in Customer Personal Data. |
| Categories of Personal Data | Business contact details (name, work email, work phone, role, employer); professional history and CV-style information; relationship metadata (who knows whom, where, when); email metadata where Customer’s user OAuth-shared their mailbox; accept/decline events and Customer feedback; any other Personal Data the Customer chooses to upload. |
| Special category data | None ordinarily. Customer not to upload Art 9 data without prior written agreement. |
| Frequency and means | Continuous, electronic. |
| Manthan personnel with access | Strictly need-to-know basis: founder, named engineering staff, contracted DPO (when appointed). |
Annex 2 — Technical and Organisational Measures
Confidentiality — Encryption at rest (AES-256). Encryption in transit (TLS 1.2+). Per-customer data-environment isolation with row-level security. Authentication via multi-factor for production access. Least-privilege role-based access control.
Integrity — Schema validation at ingestion. Audit logging of writes to Customer Personal Data. Backup integrity verification. Tamper-resistant audit trail with rule-IDs cited on every Output.
Availability and resilience — Daily backups. Disaster-recovery test quarterly. Resilience drills quarterly (Engineering Discipline B2). Documented incident-response runbook.
Procedures for regular testing, assessment, and evaluation — Weekly automated security scans (dependencies, secrets, configuration). Annual penetration test (planned Q4 2026). Internal continuous evaluation framework with calibration sweeps weekly.
Personnel — Confidentiality obligations on all personnel. Annual data-protection training. Background checks for production-access personnel.
Sub-processor management — Sub-processor due diligence before onboarding. Contractual flow-down of DPA obligations. Annual review of each Sub-processor’s compliance posture.
Data minimisation and retention — Customer Personal Data retained only as long as needed for Service provision and per Clause 11. Aggregate operational metrics retained anonymised only.
Annex 3 — Sub-processors
See 07_Subprocessor_List_v1_0 (incorporated by reference). Current version reflected on Manthan’s website and provided on request.
Acknowledged for and on behalf of Manthan Intelligence Ltd:
Name: __________________________________ Title: __________________________________ Date: __________________________________ Signature: ______________________________
Acknowledged for and on behalf of [CUSTOMER LEGAL NAME]:
Name: __________________________________ Title: __________________________________ Date: __________________________________ Signature: ______________________________