How we process your personal data.
When personal data is part of the engagement, this DPA forms part of the contract between Sloper and you. It satisfies Article 28 GDPR, the UK GDPR equivalent, and the relevant provisions of India's Digital Personal Data Protection Act 2023.
◆ The short version
- You're the controller. Sloper is the processor. We process your data only on your documented instructions.
- The full list of who handles your data, where, and what they do is below — and updated whenever it changes.
- If your jurisdiction requires it, we sign the EU Standard Contractual Clauses and the UK Addendum.
- If we have a breach, we notify you within 24 hours of detection — well inside the 72-hour GDPR window.
- You can audit us once per year, or we'll provide an independent audit report on request.
01Parties
This DPA is between Sloper Private Limited, an Indian private company ("Sloper", "Processor"), and the entity engaging Sloper for services ("Client", "Controller").
It applies whenever Sloper processes personal data on the Client's behalf in connection with the services described in any signed Statement of Work or the Terms of Service.
02Definitions
The terms controller, processor, personal data, processing, data subject, sub-processor, and supervisory authority have the meanings given to them under Regulation (EU) 2016/679 (the GDPR), the UK GDPR, or India's DPDP Act 2023, as applicable.
Standard Contractual Clauses means Module Two of the European Commission's Implementing Decision (EU) 2021/914 (controller-to-processor), as amended.
03Scope & roles
The Client is the controller of personal data submitted to Sloper. Sloper acts as a processor and processes personal data only on documented instructions from the Client, except where required by applicable law (in which case Sloper notifies the Client beforehand unless the law prohibits).
If a sub-processor or other party determines purposes and means of processing on its own, it acts as an independent controller for that processing — outside the scope of this DPA.
04Details of processing
Default details of processing (overridable by SOW):
| Subject matter | Manual data entry, document digitization, data cleansing, enrichment, deduplication, normalization, and labeling services as described in the relevant SOW. |
|---|---|
| Duration | For the duration of the engagement, plus a maximum of 30 days for return or deletion, plus any retention period required by applicable law. |
| Nature & purpose | To deliver the services contracted by the Client. No secondary use. |
| Categories of data subject | Determined by the Client. Typically: Client's customers, employees, suppliers, or beneficiaries whose records appear in the source data. |
| Categories of personal data | Determined by the Client. Typically: name, contact details, identifiers, transactional data, claim or case details. Special-category data only where explicitly part of the SOW. |
| Special categories | Processed only where explicitly authorised in the SOW (e.g., medical records digitization), with additional safeguards. |
05Documented instructions
The Client's documented instructions are: this DPA, the Terms of Service, the SOW, and any further written instructions the Client gives during the engagement (including by email).
If Sloper believes an instruction violates applicable data-protection law, it will inform the Client without delay.
06Confidentiality
Sloper ensures that every person authorised to process personal data:
- has committed to confidentiality (NDA) or is under a statutory duty of confidentiality;
- processes personal data only as instructed;
- has received training on data-protection obligations.
07Security measures
Sloper implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These include:
- Encryption — TLS 1.2+ in transit; AES-256 at rest on all production storage.
- Access control — role-based access; least-privilege principle; multi-factor authentication on all administrative accounts; quarterly access reviews.
- Network security — production environments segmented from corporate IT; perimeter monitoring; intrusion detection.
- Endpoint security — managed devices only; full-disk encryption; remote wipe capability.
- Personnel — pre-employment screening; signed NDAs; ongoing security training.
- Audit logging — access and change logs retained for 12 months minimum.
- Backup & recovery — encrypted backups; tested restoration procedures.
- Incident response — documented IR plan; named on-call responder; post-incident review.
- Vendor management — security review of every sub-processor before onboarding.
A more detailed description of measures is available to enterprise clients on request, under NDA.
08Sub-processors
The Client gives general written authorisation for Sloper to engage the sub-processors listed below. Sloper will give the Client at least 30 days' written notice before adding or replacing a sub-processor. The Client may object on reasonable data-protection grounds; the parties will then discuss in good faith, and if no resolution is reached, the Client may terminate the affected services without penalty.
Sloper enters a written contract with every sub-processor that imposes data-protection obligations no less protective than this DPA, and remains fully liable to the Client for the sub-processor's performance.
Current sub-processors
| Provider | Service | Location |
|---|---|---|
| [CLOUD HOSTING — INSERT] | Production storage & compute for keying environment | [REGION — INSERT] |
| [EMAIL — INSERT] | Business email & document collaboration | [REGION — INSERT] |
| [FILE TRANSFER — INSERT] | Encrypted client → Sloper file delivery | [REGION — INSERT] |
| [ACCOUNTING — INSERT] | Invoicing and bookkeeping (contact data only) | [REGION — INSERT] |
◆ Last updated: TBD. Subscribe to changes by writing to admin@sloper.in.
09Data subject rights
Sloper assists the Client, taking into account the nature of the processing, in fulfilling the Client's obligation to respond to data-subject requests under applicable law (access, rectification, erasure, restriction, portability, objection).
If a data subject contacts Sloper directly, Sloper will refer them to the Client and notify the Client within 5 business days.
10Personal data breach notification
Sloper notifies the Client of any personal data breach affecting the Client's data without undue delay, and in any case within 24 hours of becoming aware of it.
The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, measures taken or proposed, and the contact point for further information.
Sloper assists the Client in meeting the Client's own breach-notification obligations to supervisory authorities and data subjects.
11DPIA & prior consultation
Sloper provides reasonable assistance to the Client with data protection impact assessments and any prior consultations with supervisory authorities required under Articles 35 and 36 GDPR (or equivalent), to the extent relevant to the processing under this DPA.
12International data transfers
Sloper processes personal data primarily in India, with delivery teams that may include personnel in [OTHER JURISDICTIONS — confirm]. Where personal data of EEA, UK, or Swiss data subjects is transferred outside the originating jurisdiction:
- For EEA data: the parties incorporate the EU Standard Contractual Clauses, Module Two (Controller to Processor), 2021/914 by reference. Annexes I, II, and III are completed by reference to this DPA and the SOW.
- For UK data: the parties incorporate the UK International Data Transfer Addendum issued under section 119A of the UK Data Protection Act 2018.
- For Swiss data: the SCCs apply with the references to the GDPR replaced by references to the FADP, and the Swiss FDPIC named as competent authority.
If a transfer mechanism above is invalidated, the parties will, in good faith, agree a successor mechanism without delay.
13Audit
Sloper makes available to the Client all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
The Client (or an independent auditor mandated by the Client and reasonably acceptable to Sloper) may audit Sloper's relevant facilities and records once per year, on at least 30 days' written notice, during business hours, and subject to confidentiality obligations.
Once available, Sloper may meet this obligation by providing a current independent third-party audit report (e.g., SOC 2, ISO 27001) covering the relevant controls. As of 2026, no such report exists; the Client may instead request a written controls statement signed by Sloper.
14Return & deletion
On the Client's choice, Sloper will return or delete all personal data after the end of the provision of services, and delete existing copies, within 30 days. Deletion is confirmed in writing.
This obligation does not apply to copies that Sloper is required by applicable law to retain, in which case Sloper continues to protect them under this DPA until deletion is permitted.
15Liability
Each party's liability under this DPA is governed by the limitation-of-liability provisions in the Terms of Service, except that the cap will not apply to a party's liability for fines imposed by a supervisory authority on the other party as a direct result of the first party's breach of this DPA.
◆ Need a signed copy?
For enterprise customers, Sloper can countersign this DPA on company letterhead and provide it under your preferred contract package (DocuSign, AdobeSign, or wet-ink).
Write to admin@sloper.in with your entity name, registered address, and signatory contact.