Data Processing Addendum

Effective Date: Applies to all WhizzC customers from the date of subscription or incorporation into the applicable agreement.

Updated Date: Jan 22, 2026

Introduction

Whizz Cybersecurity Private Limited (operating as WhizzC, “we”, “us”, or “our”), a company incorporated in Chennai, Tamil Nadu, India, provides a platform that automates and streamlines compliance processes for frameworks including SOC 2, ISO 27001, GDPR, PCI-DSS, NESA, ADHICS, and others.

When you (the Customer or “you”) use WhizzC services, you may upload or generate data that includes Personal Data. In such cases, you act as the data controller, and WhizzC acts as the data processor.

This DPA sets out the terms under which we process Personal Data on your behalf. It forms part of our [Terms of Service / Master Subscription Agreement / Subscription Terms] (the Agreement) and applies whenever WhizzC processes Personal Data for you. It ensures compliance with applicable data protection laws, including GDPR, UK GDPR, and India’s Digital Personal Data Protection Act, 2023 (DPDP Act).

In the event of any conflict between this DPA and the Agreement regarding Personal Data processing, this DPA shall prevail.

1. Definitions

For the purposes of this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, contact details, employee IDs, IP addresses, or usage data.

  • “Processing” means any operation performed on Personal Data, such as collection, storage, organization, structuring, use, disclosure, or deletion.

  • “Data Protection Laws” means all applicable laws governing the processing of personal data, including the DPDP Act, GDPR, CCPA, or any local equivalents.

  • “Subprocessor” means any third-party service provider engaged by WhizzC to process Personal Data on behalf of our customers.

2. Processing Details

WhizzC processes Personal Data solely to deliver our SaaS compliance services, ensuring secure, accurate, and efficient management of compliance activities. The processing is necessary to provide the functionality, insights, and automation that our platform offers.

2.1 Purpose and Scope of Processing

We process Personal Data to support the following core services:

  • Compliance Gap Assessments: Identify gaps and deficiencies in your organization’s compliance posture across frameworks such as SOC 2, ISO 27001, GDPR, PCI-DSS, and others. This includes comparing your current processes, policies, and evidence against required standards.

  • Document Management and Evidence Collection: Securely store, organize, and manage compliance-related documents and evidence, such as policies, training records, and audit files, allowing your teams and auditors to access relevant information efficiently.

  • Risk Monitoring and Reporting: Track compliance risks and generate reports or dashboards highlighting trends, exceptions, and key metrics to support informed decision-making.

  • AI-Assisted Analysis and Recommendations: Leverage AI-powered features (e.g., intelligent text analysis, summaries, and compliance recommendations) to enhance review efficiency and provide actionable insights. Any AI processing is performed using anonymized or minimized data where feasible.

  • Audit Preparation and Automation Workflows: Streamline audit readiness by automating workflows, notifications, and task tracking, ensuring timely completion of compliance activities.

2.2 Duration of Processing

Personal Data is processed for the entire duration of your subscription with WhizzC, including any post-termination period necessary to:

  • Complete transitional activities, such as returning or securely deleting data

  • Preserve information where retention is required by law

  • Maintain operational continuity during winding-down of services

2.3 Types of Personal Data Processed

The categories of Personal Data we process include:

  • Identity Data: Names, job titles, employee or contractor identifiers

  • Contact Data: Email addresses, phone numbers, internal messaging IDs

  • Usage and System Data: Audit logs, platform activity metadata, login records, task completion logs

  • Compliance Documentation: Uploaded files, policies, evidence records, assessment forms

  • AI-Anonymized Data: Text extracts or summaries generated by AI features for analysis, without retaining identifiable personal details where possible

2.4 Categories of Data Subjects

WhizzC processes Personal Data belonging to:

  • Employees, contractors, and consultants of your organization

  • Your customers, where included as part of compliance evidence or records

  • Other personnel involved in compliance, risk management, or audit processes within your organization

2.5 Data Processing Principles

All processing is carried out according to the following principles:

  • Lawfulness, Fairness, and Transparency: Personal Data is processed in accordance with applicable laws and with transparency to data subjects.

  • Purpose Limitation: Personal Data is used only for the purposes described above.

  • Data Minimization: Only data necessary to provide WhizzC services is processed.

  • Accuracy and Integrity: Measures are in place to ensure data accuracy, integrity, and protection from unauthorized alteration.

  • Security and Confidentiality: Data is secured through technical and organizational measures, as outlined in Section 3.

3. WhizzC Obligations as Data Processor

At WhizzC, we are committed to processing Personal Data securely, responsibly, and in compliance with applicable laws. Our obligations as your Data Processor include the following:

3.1 Processing per Customer Instructions

  • We process Personal Data only in accordance with your documented instructions, including any instructions regarding international transfers.

  • If we are legally required to process Personal Data in a manner that deviates from your instructions, we will notify you in advance, unless prohibited by law.

  • All processing activities are strictly limited to the purposes outlined in Section 2 of this DPA.

3.2 Confidentiality

  • All personnel authorized to access or process Personal Data are bound by strict confidentiality agreements.

  • Access to Personal Data is granted on a need-to-know basis, ensuring that only those directly involved in providing WhizzC Services can access the data.

  • Employees and contractors undergo regular training on data protection and security responsibilities.

3.3 Security Measures

We implement technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

  • Encryption: AES-256 encryption for data at rest and TLS 1.3+ for data in transit.

  • Access Controls: Role-based access management with multi-factor authentication (MFA).

  • Monitoring & Auditing: Continuous logging, monitoring, and regular review of access and system activity.

  • Vulnerability Management: Regular vulnerability scanning, penetration testing, and security assessments.

  • Backup & Recovery: Robust backup procedures and disaster recovery planning to ensure data availability.

  • Compliance Alignment: Security controls aligned with SOC 2 Type 2 and ISO 27001 standards.

3.4 Sub-processors

  • We engage only approved sub-processors to process Personal Data on your behalf. Our current list is provided in Annex II.

  • If a new sub-processor is introduced, we will notify you at least 30 days in advance, giving you 14 days to raise any reasonable objections.

  • We remain fully responsible for the acts or omissions of our sub-processors.

3.5 Assistance to Customers

We assist you, where reasonably requested, in fulfilling your obligations as a Data Controller under applicable Data Protection Laws, including:

  • Responding to Data Subject Rights requests (access, rectification, erasure, restriction, or portability).

  • Managing and investigating Personal Data Breaches.

  • Supporting Data Protection Impact Assessments (DPIAs) and risk assessments.

  • Coordinating with regulatory or supervisory authorities when required.

3.6 Breach Notification

  • We commit to notifying you without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting your data.

  • Our notifications include:

  1. A description of the nature and scope of the breach

  2. The categories and approximate number of data subjects and records affected

  3. Remedial actions undertaken or planned

  4. Contact information for further assistance

3.7 Return or Deletion of Data

  • Upon termination of the Agreement, or upon your written request, we will:

  1. Return all Personal Data to you, or

  2. Permanently delete Personal Data in our possession, unless retention is required by law.

  • Any retained data will continue to be protected in accordance with the security measures outlined in Section 3.3.

4. International Data Transfers

WhizzC recognizes that Personal Data may be stored, processed, or transmitted across different jurisdictions, including outside of India, the European Economic Area (EEA), or the United Kingdom. We ensure that all such transfers comply with applicable Data Protection Laws and are subject to appropriate safeguards.

4.1 Transfers from EEA, UK, or Restricted Jurisdictions

  • Transfers of Personal Data from the EEA, UK, or other jurisdictions with data transfer restrictions are governed by the 2021 EU Standard Contractual Clauses (SCCs, Controller to Processor, Module 2).

  • These SCCs provide legally recognized safeguards to ensure that personal data continues to receive an adequate level of protection when transferred internationally.

  • A copy of the SCCs is incorporated by reference in Annex III, and WhizzC is committed to adhering to all relevant clauses regarding processing, security, and audit rights.

4.2 Transfers to U.S.-Based Sub-processors

For Personal Data processed by U.S.-based sub-processors (such as OpenAI, Google Workspace), WhizzC implements additional measures to ensure equivalent protection:

  1. Data Minimization & Anonymization

  • Only the minimum Personal Data necessary for processing is transferred.

  • Data is anonymized or pseudonymized wherever feasible to protect individual identities.

  2. Encryption in Transit and at Rest

  • All data transfers are encrypted using industry-standard protocols (TLS 1.3+).

  • Data stored on U.S.-based systems is encrypted at rest (AES-256 or equivalent).

  3. Transfer Impact Assessments (TIAs)

  • Regular assessments are conducted to evaluate risks associated with cross-border data transfers.

  • Any identified risks are mitigated through technical, organizational, or contractual measures.

  4. Contractual Commitments from Sub-processors

  • All U.S.-based sub-processors are contractually obligated to provide a level of protection equivalent to EU/UK standards, including data security, breach notification, and restrictions on onward transfers.

4.3 Cooperation and Support

  • WhizzC will cooperate with you to provide information or documentation required for compliance with international data transfer obligations.

  • We will assist with any regulatory requests, supervisory authority inquiries, or additional safeguards you reasonably require for cross-border processing.

5. Audits and Compliance

WhizzC is committed to transparency and accountability in processing Personal Data. To demonstrate our compliance with this DPA and applicable Data Protection Laws, we provide the following audit and compliance framework:

5.1 Information and Documentation Provided

Upon request, WhizzC will provide reasonable access to information necessary to demonstrate compliance, including:

  • SOC 2 Type 2 reports, subject to execution of a non-disclosure agreement (NDA)

  • ISO 27001 certification and supporting audit summaries

  • Security policies, procedures, and documentation related to technical and organizational measures

  • Evidence of approved sub-processor contracts and safeguards

5.2 Frequency and Limitations

  • Audits are generally limited to once per 12-month period, unless a higher frequency is required by law or following a serious incident affecting Personal Data.

  • Any audit findings will be communicated in writing, and WhizzC will work collaboratively with customers to address any gaps or recommendations.

5.3 Regulatory Compliance Support

  • WhizzC will cooperate with customers in responding to regulatory inquiries, investigations, or assessments conducted by supervisory authorities, providing documentation and explanations as reasonably requested.

6. General Provisions

These general provisions govern the interpretation, enforceability, and updates to this DPA:

6.1 Survival

  • This DPA remains in effect even after the termination or expiration of the Agreement for as long as WhizzC continues to process Personal Data on your behalf.

  • Obligations related to confidentiality, security, and return or deletion of Personal Data continue to apply post-termination.

6.2 Governing Law

  • This DPA is governed by the laws specified in the Agreement, typically Indian law, without regard to conflict-of-law principles.

  • Any disputes arising under this DPA will be addressed in accordance with the dispute resolution provisions in the Agreement.

6.3 Amendments

  • Any amendments, updates, or modifications to this DPA must be made in writing and mutually agreed upon by both parties.

  • Updates may also be published on the WhizzC website, with prior notice to customers where material changes affect data processing practices.

6.4 Contact Information

  • For questions regarding this DPA, data protection practices, or exercising Data Subject Rights, contact WhizzC’s Data Protection team at:
    Email: jamunas@whizzc.com

Annex I – Description of Processing

This Annex describes the nature and scope of Personal Data processing carried out by WhizzC on behalf of its customers in accordance with this Data Processing Addendum.

1. Subject Matter of the Processing

The subject matter of the processing is the provision and operation of the WhizzC compliance automation platform, which enables customers to manage, monitor, and demonstrate compliance with information security, privacy, and regulatory frameworks (such as SOC 2, ISO 27001, GDPR, DPDP Act, PCI-DSS, and others).

2. Duration of the Processing

Personal Data is processed:

  • For the active term of the customer’s subscription to WhizzC services; and

  • For a limited post-termination wind-down period, solely to:

  1. Facilitate data return or secure deletion at the customer’s instruction

  2. Meet legal, regulatory, or contractual retention requirements

  3. Ensure business continuity and closure of outstanding compliance workflows

After this period, Personal Data is deleted or anonymized unless retention is required by applicable law.

3. Nature and Purpose of the Processing

The nature and purpose of processing include the following activities, strictly limited to enabling the WhizzC services:

  • Hosting and Storage
    Secure hosting and storage of compliance-related data, documents, and records within WhizzC’s cloud infrastructure.

  • Compliance Analysis and Assessment
    Evaluation of customer-provided information against applicable compliance and regulatory frameworks to identify gaps, risks, and control requirements.

  • Document and Evidence Management
    Collection, organization, versioning, and controlled access to policies, procedures, audit evidence, and compliance artifacts.

  • Reporting and Monitoring
    Generation of dashboards, reports, logs, and alerts to support compliance tracking, audit readiness, and risk visibility.

  • AI-Assisted Processing
    Use of AI-enabled features (such as text analysis, summarization, and recommendations) to improve efficiency and insight, using minimized or anonymized data wherever feasible.

  • Operational and Security Monitoring
    Processing of system logs and metadata to maintain platform security, performance, and availability.

4. Types and Categories of Personal Data

Depending on customer usage and configuration, WhizzC may process the following categories of Personal Data:

  • Identification Data
    Names, job titles, employee or contractor identifiers, organizational roles.

  • Contact Information
    Business email addresses, phone numbers, and internal contact references.

  • Usage and Technical Data
    Audit logs, access logs, timestamps, IP addresses, system metadata, and activity records.

  • Compliance Documentation
    Policies, training records, risk assessments, evidence files, and audit materials uploaded by the customer, which may contain Personal Data.

  • Derived or AI-Generated Data
    Summaries, insights, or text extracts generated through AI-assisted features, typically anonymized or pseudonymized where feasible.

5. Categories of Data Subjects

The Personal Data processed by WhizzC may relate to the following categories of Data Subjects:

  • Employees of the customer organization

  • Contractors, consultants, and temporary staff

  • Customer personnel involved in governance, risk, compliance, audit, or security functions

  • Customers or third parties of the customer, where their data is included in compliance evidence or records

  • Other individuals whose data is lawfully provided by the customer for compliance purposes

6. Processing Principles

All processing under this Annex is carried out in accordance with the following principles:

  • Processing only on documented customer instructions

  • Purpose limitation and data minimization

  • Confidentiality, integrity, and availability of Personal Data

  • Appropriate technical and organizational security measures

Annex II – Approved Sub-processors

(As of January 2026)

This Annex sets out the third-party sub-processors engaged by WhizzC to support the delivery, security, and functionality of the WhizzC compliance automation platform. Each sub-processor is contractually bound to implement appropriate technical and organizational measures and to process Personal Data only for the purposes specified below.

WhizzC remains responsible for the acts and omissions of its sub-processors in accordance with applicable data protection laws.

List of Approved Sub-processors

Each entry lists the sub-processor, its purpose of processing, its location or region, and the categories of Personal Data it handles.

  • Amazon Web Services (AWS)
    Purpose of Processing: Cloud infrastructure services including hosting, storage, compute, databases, backups, and disaster recovery
    Location / Region: Mumbai, India; United States (US East); and European Union (Dublin, Ireland)
    Categories of Personal Data: All Personal Data processed within the WhizzC platform

  • AWS CloudFront
    Purpose of Processing: Global content delivery network (CDN) for secure and efficient delivery of documents and platform assets
    Location / Region: Global (AWS edge locations)
    Categories of Personal Data: Documents, file metadata, access and delivery metadata (in transit only)

  • Google Workspace (Google Docs)
    Purpose of Processing: Document creation, collaboration, editing, and storage as enabled by customer configuration
    Location / Region: United States and other global processing locations
    Categories of Personal Data: Documents that may contain Personal Data uploaded or created by customers

Sub-processor Management and Updates

  • WhizzC conducts due diligence and risk assessments before engaging any sub-processor.

  • Sub-processors are required to maintain appropriate security controls aligned with industry standards (such as ISO 27001, SOC 2).

  • WhizzC will notify customers of material changes to this list, including the addition or replacement of sub-processors, in accordance with Section 3.4 of the Data Processing Addendum.

  • Customers may raise reasonable objections to new sub-processors as provided under the DPA.

Annex III – Standard Contractual Clauses (SCCs)

To ensure an adequate level of protection for Personal Data transferred outside the European Economic Area (EEA), WhizzC incorporates the EU Standard Contractual Clauses (SCCs) adopted by the European Commission.

Applicable SCCs

  • European Commission Implementing Decision (EU) 2021/914

  • SCC Module Applied:
    Module 2 – Controller to Processor

These SCCs apply to any transfer of Personal Data from a Controller established in the EEA to WhizzC or its sub-processors located in third countries that are not subject to an adequacy decision.

SCC Annexes

The SCCs are supplemented as follows:

Annex I.A – List of Parties

  • Data Exporter (Controller): The Customer, as defined in the Agreement

  • Data Importer (Processor): WhizzC

Annex I.B – Description of the Transfer

  • The subject matter, duration, nature, purpose of processing, categories of Personal Data, and categories of Data Subjects are as described in Annex I – Description of Processing of this Data Processing Addendum.

Annex II – Technical and Organizational Measures

WhizzC implements appropriate security measures to protect Personal Data, including but not limited to:

  • Encryption of data at rest and in transit

  • Role-based access controls and least-privilege access

  • Multi-factor authentication for administrative access

  • Centralized logging, monitoring, and audit trails

  • Secure development and change management practices

  • Incident detection, response, and breach notification procedures

  • Alignment with recognized standards such as ISO/IEC 27001 and SOC 2

Precedence

  • In the event of any conflict between the SCCs and this Data Processing Addendum, the SCCs shall prevail with respect to international data transfers.