Data Processing Addendum
Effective 17 May 2026 · v1.0
This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Customer”) and Atharva Deshpande, sole proprietor, operating Tender Surrender (the “Processor”), and applies when the Processor processes Personal Data on behalf of the Customer in connection with the Service.
1. Definitions
- DPDP Act means the Digital Personal Data Protection Act, 2023, and any rules made under it.
- Personal Data means information about an identified or identifiable natural person processed through the Service, including any “personal data” as defined under the DPDP Act.
- Data Principal has the meaning given in the DPDP Act.
- Subprocessor means a third party engaged by the Processor to process Personal Data on the Customer’s behalf.
2. Roles
The Customer is the Data Fiduciary in respect of Personal Data contained in tender content and account data submitted to the Service. The Processor acts as a Data Processor and processes Personal Data only on documented instructions from the Customer (including instructions implicit in the Customer’s use of the Service).
3. Processor obligations
- Process Personal Data only for the purpose of providing the Service, and only on the Customer’s instructions.
- Implement appropriate technical and organisational measures, as set out in Section 7, to protect Personal Data.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
- Assist the Customer, taking into account the nature of processing, with responding to Data Principal requests under the DPDP Act.
- Notify the Customer without undue delay of any verified Personal Data Breach affecting the Customer’s data.
- On termination of the Service, delete or return Personal Data in accordance with Section 9.
4. Customer obligations
- Ensure a valid legal basis (consent or legitimate use) exists for the Personal Data uploaded to the Service.
- Provide accurate account information and use the Service only for lawful purposes.
- Cooperate with the Processor on Data Principal requests received via the Service.
5. Subprocessors
The Customer authorises the Processor to engage the following Subprocessors, each of which is bound by a written agreement containing data protection obligations no less protective than those in this DPA:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States |
| Railway Corp. | Compute for API and workers | Singapore |
| Vercel Inc. | Frontend hosting and edge delivery | Global edge / US build |
| Anthropic, PBC | Claude LLM for extraction and chat | United States |
| Voyage AI | Document embeddings | United States |
| Functional Software, Inc. (Sentry) | Error monitoring | United States / EU |
| Cloudflare, Inc. | DNS and transit security | Global |
The Processor will give Customers at least 14 days’ prior notice of any intended addition or replacement of Subprocessors that handle Personal Data, by updating this page and notifying active users by email. If the Customer reasonably objects on data protection grounds, the Customer may terminate the affected portion of the Service.
6. Cross-border transfers
Personal Data may be transferred outside India to the jurisdictions listed above. The Processor will ensure that transfers occur only to jurisdictions which are not restricted under the DPDP Act and, where appropriate, on the basis of Standard Contractual Clauses or equivalent contractual safeguards entered into with each Subprocessor.
7. Security measures
- Encryption in transit: TLS 1.2 or higher for all endpoints.
- Encryption at rest: AES-256 for database and object storage via Supabase / AWS KMS.
- Tenant isolation: PostgreSQL Row-Level Security policies enforce per-organisation scoping of all tables containing Customer data.
- Access control: Production access is limited to the Proprietor and is gated by SSH key, MFA on cloud providers, and least-privilege service-role credentials.
- Secrets management: Production secrets are held in Railway and Vercel environment variables and are not committed to source.
- Monitoring: Application errors and anomalies are surfaced via Sentry. Authentication events are logged via Supabase.
- Backups: Supabase provides point-in-time recovery snapshots for up to 14 days.
- AI training opt-out: The Processor uses Anthropic and Voyage API endpoints under terms that prohibit training on Customer inputs.
8. Personal Data Breach
On becoming aware of a verified Personal Data Breach affecting Customer data, the Processor will notify the Customer without undue delay and, where feasible, within 72 hours. The notification will include known facts, categories and approximate number of affected Data Principals, likely consequences, and measures taken or proposed to address the breach.
9. Return and deletion
On termination of the Service or at the Customer’s written request, the Processor will, at the Customer’s choice, either return Customer Personal Data in a structured, commonly used, machine-readable format or delete it from primary storage within 30 days. Backup copies will be overwritten in the ordinary backup-rotation cycle (up to 14 days for Supabase point-in-time recovery).
10. Audits
On reasonable prior written notice and no more than once per calendar year (or more frequently if required by law or regulator), the Customer may request information reasonably necessary to verify the Processor’s compliance with this DPA. The Processor will respond in writing or by providing relevant Subprocessor audit reports where available.
11. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms & Conditions between the parties.
12. Governing law
This DPA is governed by the laws of India and is subject to the jurisdiction provisions of the Terms & Conditions.
13. Contact
Data protection enquiries: tech@atharvad.me (Grievance Officer details in the Privacy Policy).