Data Processing Agreement

Ayzen Private Limited 

Brand: Ayzen Creatives 

Effective Date: March 15, 2026 

This Data Processing Agreement (“DPA”) is entered into between the Client (“Data Controller”) and Ayzen Private Limited (“Data Processor”). It supplements the Terms and Conditions and complies with Article 28 of the GDPR and applicable U.S. privacy laws. 

1. Definitions

GDPR definitions apply. Key terms: 

  • “Personal Data” – information relating to an identified or identifiable natural person. 
  • “Processing” – any operation on Personal Data including collection, storage, use, or deletion. 
  • “Controller” – the Client, who determines the purposes and means of processing. 
  • “Processor” – the Company, which processes data on behalf of the Controller. 
  • “Sub-Processor” – any third party engaged by the Processor. 

2. Roles

The Client is the Data Controller. Ayzen Private Limited is the Data Processor. The Processor shall act only on documented instructions from the Controller unless required by law. 

3. Purpose of Processing

Personal Data is processed solely for: 

  • Fulfilling creative and production service orders. 
  • Client communication and project management. 
  • Invoicing and payment administration. 
  • Compliance with legal obligations. 

4. Categories of Personal Data

  • Contact information: name, email, telephone. 
  • Company name and billing details. 
  • Project files and associated metadata. 
  • Communications and correspondence. 

5. Data Subject Categories

  • Clients (individuals or company representatives). 
  • End customers of the Client (where applicable and disclosed). 

6. Processor Obligations

  1. Process Personal Data only on the Controller’s instructions, including transfers to third countries. 
  2. Ensure all authorised persons are bound by confidentiality obligations. 
  3. Implement appropriate technical and organisational security measures (Art. 32 GDPR). 
  4. Obtain the Controller’s authorisation before engaging Sub-Processors. 
  5. Assist the Controller in fulfilling Data Subject rights requests. 
  6. Notify the Controller within 72 hours of becoming aware of a Personal Data Breach. 
  7. Delete or return all Personal Data upon termination of services, as directed by the Controller. 
  8. Provide information and cooperate with audits to demonstrate compliance. 

7. Sub-Processors

General authorisation is granted for Sub-Processors used to deliver the contracted services (e.g., cloud hosting, email, file-sharing). The Processor will: 

  • Provide 14 days’ advance notice of any changes to Sub-Processor arrangements. 
  • Impose equivalent data protection obligations on all Sub-Processors. 
  • Remain fully liable for Sub-Processor performance. 

8. International Data Transfers

Transfers outside the EEA are subject to Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent GDPR-compliant safeguards. Details are available upon request. 

9. Security Measures

  • Encryption of data at rest (AES-256) and in transit (TLS 1.2+). 
  • Role-based access controls and principle of least privilege. 
  • Regular security assessments and vulnerability management. 
  • Employee training on data protection and security. 
  • Incident response and breach notification procedures. 

10. Data Retention and Deletion

Personal Data is retained only as long as necessary. Upon termination or request, the Processor will securely delete or return all Personal Data within 30 days. 

11. Audit Rights

The Controller may audit the Processor’s data processing activities upon 14 business days’ prior notice. The Processor will cooperate and provide documentation. 

12. Governing Law

This DPA is governed by the law applicable to the principal services agreement. GDPR applies for EU/EEA Clients. CCPA/CPRA applies for California Clients. 

13. Contact

Ayzen Private Limited | Ayzen Creatives | Email: info@ayzencreatives.com | Website: www.ayzencreatives.com 

Address: Ayzen Private Limited, [Registered Office Address]