Last updated: 26 May 2026

Data Processing Addendum

Version 1.0 — Effective 26 May 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the agreement between Remittx Private Limited, a company incorporated under the laws of India and having its registered office at 1st Floor, Gopala Krishna Complex, Residency Road, Bengaluru, Karnataka 560025, India ("Recomnext", "Processor", or "Data Processor") and the entity identified as the customer of the Recomnext Service ("Customer", "Controller", or "Data Fiduciary") (each a "Party", together the "Parties").

This DPA applies to the Processing of Personal Data by Recomnext on behalf of Customer in connection with Customer's use of the Recomnext Service and reflects the Parties' agreement on the terms governing such Processing under (i) Regulation (EU) 2016/679 ("GDPR"), (ii) the United Kingdom General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"), (iii) the Digital Personal Data Protection Act, 2023 of India ("DPDP Act"), and (iv) any other applicable Data Protection Laws.

In the event of conflict between this DPA and the principal agreement between the Parties (including the Recomnext Public SDK License Agreement and any commercial subscription agreement), this DPA prevails with respect to the Processing of Personal Data.


1. Definitions

1.1 Capitalized terms not defined in this DPA have the meanings given to them in the principal agreement or, where not defined there, in the applicable Data Protection Laws.

1.2 The following definitions apply:

  • "Data Protection Laws" means all laws relating to the Processing of Personal Data applicable to a Party, including the GDPR, UK GDPR, DPDP Act, and any successor or supplementary legislation, rules, regulations, and binding guidance.
  • "Personal Data" means any information relating to an identified or identifiable natural person (a "Data Subject" under GDPR/UK GDPR, or a "Data Principal" under the DPDP Act) that is Processed by Processor on behalf of Controller in connection with the Recomnext Service.
  • "Processing" has the meaning given in the GDPR (and includes acts of "processing" under the DPDP Act).
  • "Sub-processor" means any third party engaged by Processor to Process Personal Data on Controller's behalf.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means (i) the standard contractual clauses for the transfer of personal data to third countries approved by Commission Implementing Decision (EU) 2021/914 (Module Two: Controller-to-Processor), and (ii) the UK International Data Transfer Addendum (issued by the UK ICO under section 119A of the Data Protection Act 2018).

2. Roles and Scope

2.1 Roles. With respect to Personal Data Processed under this DPA:

(a) Customer is the Controller (Data Fiduciary under the DPDP Act);
(b) Recomnext is the Processor (Data Processor under the DPDP Act);
(c) Recomnext's Sub-processors are sub-processors.

2.2 Scope. This DPA applies only to Personal Data that Recomnext Processes on Customer's behalf as Processor. It does not apply to data Processed by Recomnext as a Controller in its own right (for example, account administration data, billing data, telemetry data relating to the Customer's authorized users as integrators of the SDK), which is governed by the Recomnext Privacy Notice.

2.3 Duration. Processing under this DPA continues for the term of the principal agreement and until Personal Data is returned or deleted in accordance with Section 11.

2.4 Nature, purpose, types of data, and categories of Data Subjects are described in Annex 1.


3. Processor Obligations

Recomnext shall:

3.1 Documented Instructions. Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by applicable law. Where such law applies, Recomnext shall inform Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest. The principal agreement, this DPA, and Customer's use of the Recomnext Service (including configuration choices made in the SDK and dashboard) together constitute Customer's complete and final documented instructions to Recomnext.

3.2 Lawfulness of Instructions. Promptly inform Customer if, in Recomnext's opinion, an instruction infringes applicable Data Protection Laws. Recomnext is not obliged to monitor the lawfulness of Customer's Processing in general.

3.3 Confidentiality. Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.4 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 3, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

3.5 Sub-processors. Engage Sub-processors only in accordance with Section 4.

3.6 Assistance to Controller. Taking into account the nature of Processing, assist Customer by appropriate technical and organisational measures, insofar as reasonably possible, in fulfilling Customer's obligations to respond to requests by Data Subjects/Data Principals exercising their rights under Data Protection Laws.

3.7 Cooperation. Assist Customer in ensuring compliance with the obligations under Articles 32 to 36 GDPR (and equivalent obligations under UK GDPR and the DPDP Act), including security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to Recomnext.

3.8 Return or Deletion. At the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies, unless applicable law requires storage of the Personal Data. See Section 11.

3.9 Audit Information. Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to Section 9.


4. Sub-processors

4.1 General Authorization. Customer grants Recomnext a general authorization to engage Sub-processors. Recomnext's current Sub-processors are listed in Annex 2.

4.2 Notice of Changes. Recomnext shall provide Customer with at least thirty (30) days' prior notice of the addition or replacement of any Sub-processor, by updating Annex 2 and posting the change at https://recomnext.com/subprocessors or notifying Customer by email.

4.3 Right to Object. Customer may, on reasonable grounds relating to data protection, object to a proposed addition or replacement of a Sub-processor within fifteen (15) days of receiving notice under Section 4.2 by sending a written objection to legal@driffle.com. If Customer raises a legitimate objection, the Parties shall discuss the objection in good faith. If the Parties cannot reach resolution within thirty (30) days, Customer may terminate the affected portion of the principal agreement, without penalty, by written notice; Customer's exclusive remedy under this Section 4.3 is such termination right.

4.4 Sub-processor Obligations. Recomnext shall impose on each Sub-processor, by way of a written contract, data-protection obligations no less protective than those set out in this DPA. Recomnext remains fully liable to Customer for the performance of each Sub-processor's obligations.


5. International Transfers

5.1 General. Personal Data may be transferred to, and Processed in, jurisdictions outside the Customer's country of establishment, including India and other jurisdictions where Recomnext or its Sub-processors operate.

5.2 EEA and UK Transfers. Where transfers of Personal Data from the European Economic Area or the United Kingdom to a country not recognized as providing an adequate level of protection occur:

(a) the Parties enter into the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor), which are incorporated by reference into this DPA;
(b) for UK transfers, the Parties enter into the UK International Data Transfer Addendum to the EU SCCs;
(c) docking, optional clauses, and selections shall be as set out in Annex 4.

5.3 India / DPDP Transfers. Cross-border transfers from India shall be conducted in accordance with the DPDP Act and any rules issued thereunder, including any country-specific restrictions notified by the Central Government from time to time.

5.4 Other Jurisdictions. For transfers subject to other Data Protection Laws requiring transfer mechanisms (for example, Switzerland, Brazil's LGPD), the Parties shall implement equivalent safeguards reasonably required by applicable law.

5.5 Supplementary Measures. Recomnext shall implement supplementary technical, organisational, and contractual measures where necessary to ensure that the Personal Data transferred receives a level of protection essentially equivalent to that guaranteed in the originating jurisdiction.


6. Data Subject Rights

6.1 Forwarding Requests. Where Recomnext receives a request from a Data Subject/Data Principal directly relating to Personal Data Processed on Customer's behalf, Recomnext shall, without undue delay, forward the request to Customer and shall not respond to the request itself except on Customer's documented instructions or as required by applicable law.

6.2 Assistance. Recomnext shall provide reasonable assistance to Customer (including by providing functionality in the Recomnext Service and/or technical assistance) to enable Customer to respond to requests for access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and any other rights granted to Data Subjects/Data Principals under Data Protection Laws.


7. Personal Data Breach

7.1 Notification to Customer. Recomnext shall notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer's Personal Data.

7.2 Contents of Notification. The notification shall, to the extent reasonably available, describe:

(a) the nature of the breach, including, where possible, the categories and approximate number of Data Subjects/Data Principals and Personal Data records concerned;
(b) the likely consequences of the breach;
(c) the measures taken or proposed to address the breach and mitigate its possible adverse effects;
(d) the name and contact details of Recomnext's data protection contact.

7.3 Cooperation. Recomnext shall cooperate with Customer and provide reasonable assistance in Customer's investigation, mitigation, and notification of the Personal Data Breach to supervisory authorities and affected Data Subjects/Data Principals.

7.4 No Admission. Notification under this Section 7 is not an acknowledgement by Recomnext of any fault or liability.


8. Data Protection Impact Assessments

Recomnext shall, taking into account the nature of Processing and information available to it, provide Customer with reasonable assistance in carrying out data protection impact assessments and prior consultations with supervisory authorities as required under Articles 35 and 36 GDPR (and equivalent obligations under UK GDPR and the DPDP Act).


9. Audits

9.1 Audit Reports. Recomnext shall make available to Customer, on written request and not more than once per twelve (12) month period, the most recent third-party audit reports, certifications (such as ISO/IEC 27001, SOC 2 Type II), and penetration test summaries demonstrating Recomnext's compliance with this DPA. Such reports shall be deemed Recomnext's Confidential Information.

9.2 On-Site Audits. If audit reports are insufficient to demonstrate compliance, Customer may, at its own expense and upon not less than thirty (30) days' prior written notice, conduct an on-site audit of Recomnext's facilities and Processing activities relevant to the Personal Data, subject to:

(a) audits taking place during normal business hours;
(b) the auditor not being a competitor of Recomnext;
(c) the auditor entering into reasonable confidentiality undertakings;
(d) audits not unreasonably interfering with Recomnext's business operations;
(e) audits not extending to other customers' data, Recomnext's source code, or commercially sensitive information unrelated to the audit's purpose.

9.3 Frequency. On-site audits under Section 9.2 shall not occur more than once per twenty-four (24) month period, except where required by a supervisory authority or following a confirmed Personal Data Breach affecting Customer.


10. Liability

The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the principal agreement between the Parties (including any negotiated commercial agreement). Where no such commercial agreement exists, the limitations of liability in the Recomnext Public SDK License Agreement apply.

For the avoidance of doubt, nothing in this DPA limits or excludes either Party's liability where it cannot be limited or excluded under applicable law, including liability for personal injury or death caused by negligence, fraud, or fraudulent misrepresentation.


11. Return or Deletion of Personal Data

11.1 On Termination. Within ninety (90) days after the end of the provision of services relating to Processing, Recomnext shall, at Customer's choice and written instruction, return all Personal Data to Customer (in a commonly used machine-readable format) or delete all Personal Data and existing copies thereof.

11.2 Retention by Operation of Law. Recomnext may retain Personal Data to the extent required by applicable law, in which case Recomnext shall (a) inform Customer of the retention requirement, (b) maintain the confidentiality of such Personal Data, and (c) Process such Personal Data only as necessary for the purpose specified by such applicable law.

11.3 Backups. Personal Data in routine backups shall be deleted in the ordinary course of Recomnext's backup-rotation cycle (not exceeding one hundred eighty (180) days from the date of the termination request); Recomnext shall not restore such Personal Data from backups for any operational purpose during this rotation period.

11.4 Certification. Upon Customer's request, Recomnext shall provide written confirmation of the deletion of Personal Data.


12. General

12.1 Order of Precedence. In the event of conflict, the order of precedence is: (i) the SCCs and any other transfer mechanism in Annex 4; (ii) this DPA; (iii) any signed commercial agreement between the Parties; (iv) the Recomnext Public SDK License Agreement.

12.2 Updates. Recomnext may amend this DPA from time to time to reflect changes in Data Protection Laws or business practices, provided that no amendment materially reduces the level of protection afforded to Personal Data. Recomnext shall provide Customer with notice of material amendments.

12.3 Governing Law and Jurisdiction. Except as required by the GDPR/UK GDPR (in which case the law of the EU Member State or the United Kingdom, as applicable, governs the SCCs), this DPA is governed by the laws of the Republic of India, and the Parties submit to the exclusive jurisdiction of the courts of New Delhi and Haryana, India, consistent with the Recomnext Public SDK License Agreement.

12.4 Severability; Survival. If any provision is held unenforceable, the remainder of this DPA remains in effect. Sections that by their nature should survive (including Sections 7, 10, 11, and this Section 12) survive termination.


Annex 1 — Details of Processing

| Item | Description |
| --- | --- |
| Subject matter | Processing of Personal Data necessary for Recomnext to provide the Recomnext Service (a SaaS recommendations platform) to Customer. |
| Duration | The term of the principal agreement, plus the retention period in Section 11. |
| Nature and purpose | Generation, training, evaluation, and delivery of personalized product/content recommendations; analytics and reporting on recommendation performance; debugging and service support. |
| Types of Personal Data | User identifiers (hashed or pseudonymous user IDs, cookies, device IDs); behavioural data (page views, clicks, searches, add-to-cart events, purchases); product/content interaction metadata; technical data (IP address, user agent, locale, referrer); any additional fields Customer chooses to send via the SDK. |
| Special categories | None expected. Customer shall not transmit special categories of Personal Data (Article 9 GDPR) or sensitive Personal Data under the DPDP Act through the Recomnext Service without Recomnext's prior written agreement. |
| Categories of Data Subjects / Data Principals | Customer's end users and visitors to Customer's websites, applications, and digital properties. |
| Frequency of transfer | Continuous, in real time, for the duration of the agreement. |
| Retention period | Behavioural and event data: 24 months from collection (configurable); user profiles: until deletion request or end of services. |

Annex 2 — Sub-processors

The current list of Sub-processors is maintained at https://recomnext.com/subprocessors. As of the effective date, Recomnext engages the following categories of Sub-processors:

| Sub-processor | Purpose | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| [Cloud hosting provider] | Compute, storage, networking | [Region] | [SCCs / adequacy / DPDP] |
| [Managed database provider] | Database hosting | [Region] | [SCCs / adequacy / DPDP] |
| [Observability / monitoring] | Logs, metrics, traces | [Region] | [SCCs / adequacy / DPDP] |
| [Email / transactional comms] | Customer notifications | [Region] | [SCCs / adequacy / DPDP] |
| [Customer support tool] | Ticketing and support | [Region] | [SCCs / adequacy / DPDP] |

⚠️ Customer should complete this table with the specific vendors actually used (e.g., AWS eu-north-1, MongoDB Atlas, SigNoz, etc.) before signing.


Annex 3 — Technical and Organisational Measures

Recomnext implements and maintains, at minimum, the following measures:

A. Access control

  • Identity provider with SSO and MFA enforced for all employee access to production systems.
  • Role-based access control (RBAC) following the principle of least privilege.
  • Documented joiners/movers/leavers process with quarterly access reviews.

B. Encryption

  • Personal Data in transit encrypted using TLS 1.2 or higher.
  • Personal Data at rest encrypted using AES-256 or equivalent.
  • Encryption keys managed via a managed KMS with rotation policies.

C. Network and infrastructure security

  • Network segmentation with private subnets for data-processing workloads.
  • WAF and rate-limiting at edge.
  • Centralised logging and SIEM/observability with retention sufficient for incident investigation.
  • Regular vulnerability scans of infrastructure and dependencies.

D. Application security

  • Secure software development lifecycle with code review and automated testing.
  • Static and dynamic application security testing in CI/CD.
  • Annual third-party penetration testing.
  • Documented vulnerability disclosure and patching policies.

E. Operational security

  • 24×7 monitoring and on-call response.
  • Documented incident response plan with annual tabletop exercise.
  • Change management process with approval and rollback procedures.
  • Configuration-as-code with peer review.

F. Backup and resilience

  • Daily automated backups with off-region replication.
  • Documented and tested business continuity and disaster recovery plans (RTO/RPO defined per service).

G. Personnel

  • Background checks for personnel with access to Personal Data (subject to local law).
  • Mandatory annual security and data protection training.
  • Written confidentiality obligations in employment contracts.

H. Sub-processor management

  • Pre-engagement due diligence on Sub-processors.
  • Contractual data-protection obligations imposed on Sub-processors no less protective than this DPA.

I. Certifications and audits

  • [ISO/IEC 27001 certification — target/in-progress]
  • [SOC 2 Type II — target/in-progress]

Annex 4 — Transfer Mechanism Selections

EU Standard Contractual Clauses (2021/914), Module Two (Controller to Processor):

  • Clause 7 (Docking clause): not used / used (select).
  • Clause 9 (Sub-processors): Option 2 — General written authorization (notice period: 30 days, per Section 4.2 of this DPA).
  • Clause 11(a) (Optional independent dispute resolution): not selected.
  • Clause 17 (Governing law): the law of [EU Member State, e.g., Republic of Ireland].
  • Clause 18 (Choice of forum and jurisdiction): courts of [EU Member State, e.g., Ireland].

Annex I.A (List of Parties): the Parties as identified above.
Annex I.B (Description of transfer): as set out in Annex 1 of this DPA.
Annex I.C (Competent supervisory authority): the supervisory authority of [EU Member State], or the EDPB lead authority where applicable.
Annex II (Technical and organisational measures): as set out in Annex 3 of this DPA.
Annex III (List of sub-processors): as set out in Annex 2 of this DPA.

UK International Data Transfer Addendum:

  • Table 1 (Parties): as identified above.
  • Table 2 (Selected SCCs): the EU SCCs as referenced above.
  • Table 3 (Appendix Information): Annexes 1–3 of this DPA.
  • Table 4 (Ending the Addendum when the Approved Addendum changes): neither Party.

Acceptance

For Recomnext (Processor):

Name: ______________________________
Title: ______________________________
Signature: __________________________
Date: ______________________________

For Customer (Controller):

Name: ______________________________
Title: ______________________________
Signature: __________________________
Date: ______________________________


© 2026 Remittx Private Limited. For licensing inquiries: legal@driffle.com · https://recomnext.com