Parties.
This Data Processing Agreement ("DPA") is entered into between:
This DPA supplements the Statement of Work executed between the parties (the "SOW") and forms an integral part of it.
Definitions.
Capitalised terms not defined here have the meaning given in the SOW or, failing that, in the Digital Personal Data Protection Act, 2023 ("DPDPA") and the DPDP Rules 2025.
Purpose.
Reyatech processes Customer Data solely for: (a) one-time fine-tuning of an open-source base model and delivery of an adapter file; (b) deployment, integration, and ongoing maintenance of the on-prem AI system on Customer infrastructure, as scoped in the SOW.
Reyatech does not process Customer Data for any other purpose, including improving any other customer's model, marketing, profiling, or analytics outside the SOW scope.
Scope of processing.
Confidentiality.
Reyatech personnel with access to Customer Data are bound by written confidentiality obligations. Access is granted on a need-to-know basis, role-restricted via Keycloak, and logged in Langfuse. Reyatech maintains a current personnel access register and provides it to the Customer on request.
Security.
Reyatech implements technical and organisational measures appropriate to the risk, including:
- Encryption. AES-256 at rest (Restic + LUKS where applicable); TLS 1.3 in transit (training phase only).
- Access control. Keycloak RBAC, SAML/OIDC SSO, MFA mandatory for admin roles.
- Audit logging. Every prompt/response logged to Langfuse on-prem with hash-anchored integrity.
- Network isolation. No outbound calls from production; air-gap supported on request.
- Vulnerability management. Per-release CVE scanning; CVSS ≥ 7.0 patched within 7 days; CISA KEV within 24 hours.
- Backup. Restic incremental encrypted backups to Customer-designated target; RPO 24h default.
Detailed control mappings are published at /compliance.
Sub-processors.
Default: none in production. Production runs entirely on Customer hardware.
Training phase: Reyatech engages a cloud GPU provider for the duration of each fine-tuning run. The current provider is [RunPod, Inc.], vendor-substitutable. Reyatech notifies the Customer of any change in provider at least 30 days in advance and provides an opportunity to object on reasonable grounds.
Reyatech imposes contractual obligations on each sub-processor materially equivalent to those in this DPA.
Cross-border transfer.
Default: off. No Customer Data leaves India unless the Customer explicitly enables a non-India training location under SOW Exhibit B. The default cloud GPU provider operates in an India region.
Where the Customer enables a non-India training location, Reyatech complies with applicable DPDPA cross-border transfer obligations and provides evidence of the safeguards in place.
Audit.
The Customer (or a qualified third-party auditor it appoints) has the right to audit Reyatech's compliance with this DPA on reasonable notice (minimum 14 calendar days), no more than once per calendar year unless a Personal Data Breach has occurred or there is a reasonable belief of non-compliance.
Because production runs on Customer hardware, audits are typically conducted on Customer premises with no Reyatech intermediation required for evidence collection.
For NBFC engagements, the Customer's audit rights under RBI IT Outsourcing Master Direction §16(m–o) are preserved in full.
Breach notification.
Reyatech notifies the Customer of any Personal Data Breach affecting Customer Data without undue delay, and in any case within 24 hours of becoming aware. The notification includes, to the extent then known: nature, categories and approximate count of Data Principals and records, likely consequences, and the measures taken or proposed.
For RBI-regulated Customers, Reyatech supports the Customer's RBI §17(8) 6-hour reporting timeline by routing Langfuse alerts directly to the Customer's SIEM. Reyatech does not sit between the event and the Customer's reporting clock.
Term & termination.
This DPA remains in force for the duration of the SOW. On termination or expiry:
- Reyatech ceases all processing of Customer Data within 5 business days.
- Customer Data held by Reyatech (including the training adapter outputs, residual cloud-stage data, and operational backups under Reyatech custody) is, at the Customer's election, returned or securely destroyed; a signed certificate of destruction is provided within 14 calendar days.
- Adapter weights deployed on Customer hardware remain the Customer's property per SOW §7 and are unaffected by termination.
Sections that by their nature should survive termination — Confidentiality, Audit (for completed periods), Breach Notification (for breaches occurring before termination) — survive.