Skip to main content

Data Processing Agreement (DPA)

Template v1.0 · last updated 19 April 2026

This template DPA covers Gamyata's processing of personal data on behalf of customers (Controllers) under the GDPR, UK GDPR, India's DPDP Act, and the CCPA/CPRA where applicable. Procurement and legal reviewers can read the full document below or download it for redlining; execution is by counter-signing Annex B and exchanging copies with trust@gamyata.com.

Download PDFOpen HTML version
GDPR Art. 28
EU SCCs Module 2
UK IDTA
Schrems II supplementary measures
CCPA / CPRA
DPDP (India)

What's in the DPA

  1. Parties
  2. Definitions
  3. Subject matter, nature, purpose & duration
  4. Categories of data subjects & personal data
  5. Obligations of the Processor (GDPR Art. 28(3)(a)–(h))
  6. Authorised sub-processors
  7. International transfers (EU SCCs / UK IDTA / Schrems II)
  8. Personal data breach notification (72-hour SLA)
  9. Data subject requests
  10. Audit rights
  11. Return / deletion of personal data
  12. Liability
  13. Governing law and jurisdiction
  14. Annex A: Technical and organisational measures (TOMs)
  15. Annex B: Cover page (signature)

Authorised Sub-Processors (as of 19 April 2026)

Updated whenever the list changes; minimum 30 days' notice before introducing or replacing a sub-processor (per §6 of the DPA).

Sub-processorPurposeRegion(s)
LogtoAuthentication & identity
EU
Amazon Web ServicesCompute, storage, networking
ap-south-1 / eu-west-1
RazorpayPayment processing
India
AnthropicLLM inference (zero-retention)
United States
OpenAILLM inference (zero-retention)
United States
SentryError monitoring with PII scrubbing
EU
PostHogProduct analytics (opt-in)
EU

Key Commitments at a Glance

  • Documented instructions only: Processor processes personal data only on Controller's documented instructions (GDPR Art. 28(3)(a)).
  • 72-hour breach notification: without undue delay and in any event within 72 hours of becoming aware (Art. 33(2)).
  • Annual audit rights: Controller (or independent auditor) may audit once per 12-month period on 30 days' notice; SOC 2 / ISO summaries accepted in lieu where they meet Controller requirements.
  • Return or deletion in 60 days on termination; 35-day backup-rotation deletion; 12-month security-log retention; written deletion certificate on request.
  • EU SCCs Module 2 for transfers to India, with Schrems II supplementary measures (encryption at rest + transit, named-engineer access logging, government-access transparency).
  • 30-day prior notice for sub-processor additions / replacements; right of objection.

Execute or Ask Questions

Send the counter-signed Annex B (or a redlined version of the template) to trust@gamyata.com. For privacy or DPDP-specific questions reach privacy@gamyata.com. The remainder of our trust posture lives at /trust.

Items currently flagged for Legal Counsel review on first execution: §7 (SCC module annex completion), §10 (audit notice period for regulated-industry buyers), §12 (liability cap reference once Master Subscription Agreement is finalised). Final wording on these clauses is determined per-deal.