Data Processing Addendum (Services)
Effective date: June 1, 2026 · Version: v1.0
This DPA applies when I (Anand R Nair, trading as Twiinix, Trivandrum, Kerala, India — the "Processor") process personal data on behalf of a services client (the "Controller") under a signed statement of work (SOW). It supplements the Terms of Service and the SOW. This DPA does not apply to the NinjaSaaS product sold via Gumroad, because buyers host and operate their own Derivative Products.
1. Definitions
Terms such as "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR and the UK GDPR. Equivalent DPDP Act terms apply where Indian law governs.
2. Roles and scope
- Controller is the customer.
- Processor is Anand R Nair, acting under the SOW.
- Processor processes personal data only on Controller's documented instructions, except where required by law.
3. Processor's obligations
- Process personal data only to perform the services described in the SOW.
- Keep personal data confidential. As a solo operator, Processor is the only person with access.
- Implement the technical and organisational measures in Annex II.
- Notify Controller without undue delay, and in any case within 72 hours where practical, after becoming aware of a personal data breach affecting Controller's data.
- Assist Controller with data subject requests, DPIAs, and regulator enquiries at reasonable cost.
- At Controller's choice, delete or return Controller's personal data within 30 days of the end of the engagement, except where retention is required by law.
4. Sub-processors
Controller authorises Processor to use the sub-processors listed in the Privacy Policy. Processor will:
- enter a written contract with each sub-processor imposing equivalent data-protection obligations;
- remain liable for sub-processor acts and omissions;
- give Controller at least 30 days' advance notice of new or replaced sub-processors so Controller can object on reasonable data-protection grounds.
5. International transfers
Processor is located in India. Where personal data is transferred from the EEA or UK to Processor, the parties adopt the EU Standard Contractual Clauses (Commission Decision 2021/914), Module 2 (Controller to Processor), and the UK International Data Transfer Addendum, with the selections in Annex III. Where the DPDP Act applies to onward transfers, Processor will comply with any restriction issued by the Central Government.
6. Audits
On written request, no more than once per year (unless a regulator or a material incident requires otherwise), Processor will respond to a reasonable security questionnaire. An on-site audit is available on 30 days' notice and at Controller's cost.
7. Data subject requests
If a Data Subject contacts Processor directly, Processor will forward the request to Controller within 5 business days and will not respond substantively except to confirm receipt and forwarding. Processor will help Controller respond within the statutory deadline.
8. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service and the SOW. Nothing excludes liability that cannot be excluded under applicable data protection laws.
9. Conflict
If this DPA conflicts with the Terms of Service or the SOW, this DPA wins for data-protection matters.
Annex I — processing details
- Subject matter: services described in the SOW.
- Duration: term of the SOW plus a 30-day return/deletion period.
- Nature and purpose: the data processing activities necessary to deliver the services.
- Types of personal data: as Controller uploads or shares during the engagement. Sensitive data only if the SOW says so.
- Categories of Data Subjects: Controller's employees, customers, and other individuals whose data Controller shares.
Annex II — technical and organisational measures
- TLS 1.2+ encryption for data in transit.
- Full-disk encryption on the workstation used to develop and review data.
- Strong, unique passwords managed by a password manager, plus MFA.
- Least-privilege access to cloud tools; separate client-specific credentials where practical.
- Code review and secure software-development practices, including dependency scanning.
- Encrypted backups; deletion verified when the engagement ends.
- Written incident response procedure with a 72-hour notification path to Controller.
Annex III — SCC module selections
- Module: Module 2 (Controller to Processor).
- Clause 7 docking: allowed.
- Clause 9 sub-processor consent: general authorisation, 30 days' notice.
- Clause 11 redress: no independent dispute resolution body.
- Clause 17 governing law: Republic of Ireland (for EU transfers), as required by the SCCs.
- Clause 18 forum: Irish courts (for EU transfers).
- Annex I.A parties: Controller (customer) and Processor (Anand R Nair).
- Annex I.B processing details: see Annex I above.
- Annex I.C supervisory authority: the lead authority of the Controller.
- Annex II measures: see Annex II above.
Contact
Anand R Nair · [email protected].