top of page

Data Processing Addendum (DPA)

Last Updated: 1-March-2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service, Master Services Agreement (“MSA”), or Order Form (“Agreement”) between:

GFX Enterprise (“Processor”)
and
Customer (“Controller”)

This DPA applies where GFX processes Personal Data on behalf of the Customer.

1. Definitions

For the purposes of this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person.

  • “Processing” means any operation performed on Personal Data.

  • “Controller” means the entity determining the purposes and means of Processing.

  • “Processor” means the entity Processing Personal Data on behalf of the Controller.

  • “Data Protection Laws” means GDPR, DPDP Act (India), PDPA (Singapore), and other applicable data protection regulations.

Where GDPR applies, definitions align with Article 4 of GDPR.

2. Scope & Roles

2.1 The Customer acts as the Controller of Personal Data.

2.2 GFX Enterprise acts as a Processor of Personal Data processed through:

  • AI Core systems

  • Conversational commerce platforms

  • Agentic intelligence workflows

  • Private cloud deployments

  • API integrations

2.3 GFX shall process Personal Data only:

  • On documented instructions from the Customer

  • For the purpose of delivering Services

3. Nature & Purpose of Processing

Processing activities may include:

  • Hosting and infrastructure management

  • AI-driven conversational processing

  • Workflow automation

  • Storage and retrieval

  • System monitoring and logging

The purpose of processing is to provide enterprise AI and commerce services as defined in the Agreement.

4. Categories of Data

Personal Data processed may include:

  • Business contact information

  • End-customer interaction data

  • Transaction data

  • Support logs

  • Technical metadata (IP address, device information)

Sensitive Personal Data is processed only where explicitly agreed.

5. Processor Obligations

GFX Enterprise shall:

5.1 Confidentiality

Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.

5.2 Security Measures

Implement appropriate technical and organizational measures, including:

  • Encryption in transit and at rest

  • Role-Based Access Control (RBAC)

  • Audit logging

  • Private cloud infrastructure isolation

  • Secure authentication mechanisms

5.3 Limited Processing

Process Personal Data only as necessary to perform Services.

5.4 No Unauthorized Disclosure

Not sell or disclose Personal Data without legal basis.

6. Sub-Processors

6.1 GFX may engage Sub-Processors for:

  • Cloud hosting

  • Security services

  • Infrastructure support

6.2 All Sub-Processors are bound by contractual data protection obligations equivalent to this DPA.

6.3 GFX remains responsible for Sub-Processor compliance.

7. Cross-Border Transfers

Where Personal Data is transferred internationally:

  • GDPR-compliant safeguards (e.g., Standard Contractual Clauses) will be applied where required.

  • Transfers comply with DPDP Act requirements for lawful cross-border processing.

  • Transfers comply with PDPA transfer limitation obligations.

Customers may request additional safeguards in writing.

8. Data Subject Rights

GFX shall assist the Customer, where technically feasible, in responding to Data Subject requests, including:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Data portability

GFX will notify Customer promptly if it receives a direct request from a Data Subject.

9. Data Breach Notification

9.1 GFX shall notify Customer without undue delay after becoming aware of a Personal Data breach.

9.2 Notification will include:

  • Nature of breach

  • Affected data categories

  • Mitigation steps

  • Recommended actions

Where required, Customer remains responsible for regulatory notifications unless otherwise agreed.

10. AI Processing Safeguards

GFX acknowledges that AI systems may process Personal Data within conversational and workflow environments.

GFX shall:

  • Maintain guardrails and system monitoring

  • Avoid using Customer Personal Data for unrelated model training without consent

  • Ensure appropriate governance controls

AI outputs remain probabilistic and subject to human oversight by Customer.

11. Data Retention & Deletion

Upon termination of Services:

  • GFX shall delete or return Personal Data as instructed by Customer.

  • Retention may occur where required by law.

  • Secure deletion procedures shall be applied.

12. Audits

Upon reasonable written notice:

  • Customer may request documentation demonstrating compliance.

  • Audits must not disrupt operations or compromise other customers’ data.

  • Independent third-party certifications may satisfy audit requests.

13. DPDP Act (India) Alignment

Where DPDP Act applies:

  • Processing is limited to lawful purposes.

  • Reasonable security safeguards are implemented.

  • Grievance redressal mechanisms are maintained.

14. PDPA (Singapore) Alignment

Where PDPA applies:

  • Personal Data is processed with consent or legal exception.

  • Comparable protection standards are applied for cross-border transfers.

  • A Data Protection Officer (DPO) is designated.

15. Liability

Liability under this DPA is governed by the primary Agreement unless otherwise specified.

16. Governing Law

This DPA shall be governed by the governing law defined in the primary Agreement.

17. Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection obligations.

18. Contact

GFX Enterprise, Data Protection Contact
privacy@revsspace.com

Operating address: C 112, 2nd Cross Rd, East of NGEF Layout, Kasturinagar, Bengaluru, KA - 560043, CIN: U74999KA2022PTC157867, GSTIN: 29AAACG5787G1Z3

bottom of page