On this page
- Parties & scope
- Definitions
- Roles of the parties
- Subject matter, duration & purpose
- Categories of data subjects & data
- Our obligations as processor
- Security measures
- Sub-processors
- International transfers
- Data subject rights & assistance
- Personal data breach
- Audit rights
- Return or deletion on termination
- Liability
- Governing law
- How to execute this DPA
1. Parties & scope
This DPA is between Aerovant Technologies Private Limited, an Indian company ("Processor," "we") and the Business Customer subscribed to ThreatReady ("Controller," "you"). It applies to all processing of Personal Data that we perform on your behalf in connection with the Service.
2. Definitions
- Applicable Data Protection Law: The GDPR (Regulation (EU) 2016/679), the UK GDPR, the Indian Digital Personal Data Protection Act, 2023 ("DPDPA"), and any other applicable data protection or privacy laws.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
- Controller / Data Fiduciary: The entity that determines the purposes and means of processing Personal Data. Under this DPA, you are the Controller / Data Fiduciary.
- Processor / Data Processor: The entity that processes Personal Data on behalf of the Controller. Under this DPA, we (Aerovant Technologies) are the Processor.
- Sub-processor: Any third party engaged by us to process Personal Data as part of providing the Service.
- Data Subject: The identified or identifiable person to whom Personal Data relates. In the context of this DPA, primarily the Candidates whom you invite to take assessments.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Roles of the parties
For Personal Data that relates to your Candidates, employees, or other users you invite to ThreatReady:
- You are the Controller. You determine which Candidates to invite, what assessments to send, and what to do with the results.
- We are the Processor. We act only on your documented instructions as set out in the Terms of Service, this DPA, and your configuration of the Service.
For our own business data (your account holder's contact information, billing data, usage logs), we act as the Controller and our Privacy Policy governs that processing.
4. Subject matter, duration & purpose
- Subject matter: Processing of Candidate Personal Data to provide the ThreatReady assessment service.
- Duration: The term of your subscription, plus 30 days for deletion after termination (or sooner if you request).
- Nature & purpose: Collection, storage, evaluation, scoring, and presentation of Candidate assessment data; production of reports and badges; maintenance of audit logs.
5. Categories of data subjects & data
5.1 Data subjects
- Candidates invited by you to take assessments
- Your employees who administer the Service on your behalf (hiring managers, recruiters)
5.2 Categories of Personal Data
- Identity: Name, email address
- Professional: Job title, role applied for, referring source (if provided)
- Assessment data: Written and/or voice answers to scenarios, scores, dimension ratings, session timestamps, device and IP address of session
- Derived data: Percentile ranking, badge award, assessment outcome
5.3 We do not process
We do not ask for, store, or process special categories of Personal Data (health, religion, biometric, political opinions), government IDs, or payment card data.
6. Our obligations as processor
We will:
- Process Personal Data only on your documented instructions, including as configured through the Service, except where required otherwise by law (in which case we will notify you unless prohibited)
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (Section 7)
- Assist you in responding to Data Subject requests (Section 10)
- Notify you of Personal Data Breaches without undue delay (Section 11)
- Make available all information necessary to demonstrate compliance with this DPA
- Allow for audits subject to Section 12
- Return or delete Personal Data on termination (Section 13)
7. Security measures
We implement and maintain the technical and organizational measures described in our Security page, including but not limited to:
- TLS 1.3 encryption in transit; AES-256 encryption at rest
- Role-based access control, least privilege, mandatory MFA for staff
- Tenant isolation at the application level
- Audit logging with 12-month retention
- Regular vulnerability scanning and secure-development practices
- Incident response plan with 72-hour breach notification commitment
- Data residency in India (ap-south-1) for production data
We may update these measures from time to time, provided the updated measures do not materially reduce the overall level of security.
8. Sub-processors
8.1 Current sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Primary hosting, database, object storage | India (Mumbai, ap-south-1) |
| Anthropic PBC | AI evaluation of assessment answers via the Claude API. Anthropic does not train models on API inputs. | United States |
| Payment processor | Payment processing for subscriptions | Per processor T&Cs |
| Email service provider | Transactional and opt-in marketing emails | Per provider T&Cs |
8.2 Authorization & new sub-processors
You authorize the sub-processors listed above. We will notify you at least 30 days before engaging any new sub-processor with access to Candidate Personal Data. If you object on reasonable data-protection grounds, you may terminate the affected portion of the Service with a pro-rata refund of prepaid fees.
8.3 Sub-processor obligations
We enter into written agreements with each sub-processor that impose data-protection obligations substantially similar to those in this DPA. We remain liable to you for the performance of each sub-processor's obligations.
9. International transfers
Production data remains in India (ap-south-1). Transfers of assessment answers to Anthropic in the United States occur for the purpose of AI-based scoring. For such transfers:
- EEA / UK data: Protected by the European Commission's Standard Contractual Clauses (2021/914/EU, module 3 — processor to processor), which are incorporated into our agreement with Anthropic
- India data: Transfers comply with DPDPA 2023 cross-border rules
If you require that Candidate data be evaluated without cross-border transfer, contact [email protected] — we can discuss Enterprise-tier options.
10. Data subject rights & assistance
Candidates may exercise rights (access, correction, deletion, portability, objection) under Applicable Data Protection Law. Because you are the Controller, requests should primarily be directed to you. We will assist you by:
- Providing self-service tools (export, delete) within the Service where feasible
- Responding to specific instructions from you to action a request within 7 business days of receipt
- Forwarding to you any Data Subject request we receive directly, within 5 business days
We may charge a reasonable fee for assistance that goes beyond what is ordinarily required under Applicable Data Protection Law. We will discuss and agree any such fee with you before incurring it.
11. Personal data breach
We will notify you of a confirmed Personal Data Breach affecting your data within 72 hours of our confirmation. The notification will include, to the extent known:
- Nature of the breach and categories of data affected
- Approximate number of Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach and mitigate effects
We will provide timely updates as the investigation progresses. We will not notify regulators or affected Data Subjects on your behalf unless you instruct us to do so — this is your obligation as Controller.
12. Audit rights
Once per 12-month period and on reasonable prior notice (at least 30 days), you may conduct an audit to verify our compliance with this DPA. Audits are subject to the following conditions:
- They are conducted during our business hours without undue disruption
- They are subject to confidentiality obligations
- They are at your cost, except where the audit reveals a material breach of this DPA
We will make reasonable efforts to fulfill audit requirements through provision of existing reports (e.g., SOC 2, security questionnaire responses) before an on-site audit. You agree that third-party audit reports will generally satisfy audit obligations unless a specific unresolved concern requires on-site review.
13. Return or deletion on termination
Within 30 days of termination or expiry of the Service:
- You may export Candidate Personal Data via self-service tools
- After 30 days, we will delete Personal Data from production systems
- Encrypted backups may retain data for up to 30 additional days before cycling out, after which deletion is complete
- We will, on written request, certify deletion
We may retain anonymized, aggregated data (stripped of Personal Data) for legitimate business purposes such as scoring calibration and product improvement.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law.
15. Governing law
This DPA is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts of Chennai, Tamil Nadu, India — except that a Controller established in the EEA or UK may alternatively bring an action for breach of this DPA under the local data-protection law of that jurisdiction, where required to do so by Applicable Data Protection Law.
16. How to execute this DPA
- Team and Team Pro customers: This DPA is incorporated by reference when you subscribe. Acceptance occurs automatically on subscription.
- Enterprise customers: This DPA may be executed as a standalone signed agreement alongside your master subscription agreement. Contact [email protected] to initiate signature.
If your organization's procurement process requires a signed DPA even at the Team Pro tier, email [email protected] — we will countersign this document on request.