C
COGNOSHIFT
Legal

Data Processing Agreement

Version 1.0 · Effective: April 2026 · Governed by the Digital Personal Data Protection Act, 2025

This Data Processing Agreement ("DPA") is incorporated into and forms part of the CognoShift Terms of Service between COGNOSHIFT PRIVATE LIMITED ("Processor") and the subscribing institution ("Controller"). By using CognoShift services, the Controller agrees to the terms of this DPA.

1. Definitions

Controller — The subscribing institution (school, hospital, MSME, or government body) that determines the purposes and means of processing personal data.

Processor — COGNOSHIFT PRIVATE LIMITED (CIN: U85499HR2025PTC130446), which processes personal data on behalf of the Controller.

Personal Data — Any data relating to an identified or identifiable natural person as defined in the Digital Personal Data Protection Act, 2025.

Processing — Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

2. Subject Matter and Duration

CognoShift processes personal data on behalf of the Controller solely to provide the compliance monitoring services described in the Terms of Service, including:

  • Hardware compliance telemetry collection and analysis
  • DPDP consent record management (guardian consent under §9 / Rule 10)
  • CERT-In directive compliance monitoring
  • Audit report generation

Processing continues for the duration of the active subscription and ceases upon subscription termination or upon written request.

3. Nature of Personal Data Processed

Data CategorySpecific DataPurpose
Hardware IdentifiersSMBIOS UUID hash, MAC hash (12-char)Device compliance fingerprinting
Network TelemetryFirewall status, patch flags (no IPs stored)CERT-In Dir-2022 compliance
Guardian ContactHMAC-hashed mobile number onlyDPDP §9 OTP verification
Student IdentifiersHMAC-SHA256 hash only — never plaintextConsent ledger linkage
Organisation DataName, official email, sectorLicense and billing

4. Processor Obligations

CognoShift as Processor shall:

  • Process personal data only on documented instructions from the Controller and as required by applicable law.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures including AES-256-GCM encryption at rest and TLS 1.3 in transit.
  • Assist the Controller in responding to Data Principal rights requests (§11–§14) within the statutory timeframes.
  • Delete or return all personal data upon termination of services, within 30 days of written request.
  • Notify the Controller without undue delay upon becoming aware of a personal data breach (DPDP §29).
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Sub-Processors

CognoShift uses the following authorised sub-processors:

Supabase Inc.Database (PostgreSQL) · Mumbai, India (AWS ap-south-1)
Razorpay Software Pvt. Ltd.Payment processing · India
Resend Inc.Transactional email · USA (SCCs apply)
Fast2SMSSMS OTP delivery · India
Vercel Inc.Application hosting · USA / Edge (SCCs apply)

The Controller authorises engagement of these sub-processors by accepting this DPA. CognoShift will notify Controllers of any change to the sub-processor list with 30 days' notice.

6. Data Residency

All personal data is stored on Supabase infrastructure in Mumbai, India (AWS ap-south-1 region). No personal data is transferred outside India except for transactional email delivery (Resend) and application hosting (Vercel Edge), both of which process only operational metadata and not personal data content. Standard Contractual Clauses (SCCs) are in place for cross-border transfers.

7. Security Measures

  • Encryption at rest: AES-256-GCM (Supabase managed + endpoint vault)
  • Encryption in transit: TLS 1.3 with HSTS (max-age 1 year)
  • Access control: Row-Level Security (RLS) on all Supabase tables; service-role key server-side only
  • PII minimisation: Guardian names stored as HMAC-SHA256 hash; student IDs never stored in plaintext
  • IP anonymisation: All IP addresses HMAC-hashed before storage
  • Integrity: SHA-256 hash chain on all compliance reports (tamper-evident)
  • Automated deletion: pg_cron trigger purges telemetry after 365 days

8. Data Principal Rights Assistance

CognoShift provides the following mechanisms to assist Controllers in fulfilling Data Principal rights:

  • Erasure (§12c): 1-click deletion in Tenant Portal triggers cloud + endpoint vault shred.
  • Correction (§12b): Submit via /api/rights/correction — DPO review within 30 days.
  • Nomination (§14): Submit via /api/rights/nominate — nominee registered immediately.
  • Access (§11): Contact grievance@cognoshift.in — response within 30 days.

9. Breach Notification

In the event of a personal data breach involving the Controller's data, CognoShift will notify the Controller within 72 hours of becoming aware of the breach (DPDP §29). The notification will include: nature of the breach, categories of data affected, estimated number of Data Principals affected, and measures taken or proposed.

10. Term and Termination

This DPA is effective for the duration of the CognoShift subscription. Upon termination, CognoShift will delete all Controller personal data within 30 days, unless retention is required by applicable law. A deletion certificate will be provided on request.

11. Governing Law

This DPA is governed by the laws of India, including the Digital Personal Data Protection Act, 2025 and Information Technology Act, 2000. Disputes shall be subject to the jurisdiction of courts in Haryana, India.

12. Contact

Data Protection Officer: grievance@cognoshift.in

Grievance Officer (§13): grievance@cognoshift.in

Company: COGNOSHIFT PRIVATE LIMITED · CIN: U85499HR2025PTC130446 · GSTIN: 06AAMCC6054B1ZW

Jurisdiction: Haryana, India