Data Processing Agreement
Effective: April 10, 2026
Under the Digital Personal Data Protection Act, 2023 (India)
1. Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between:
- Data Fiduciary ("You", "Organization"): The NGO, Trust, or Foundation registered on Sevastack.
- Data Processor ("We", "Sevastack"): NaviByte Innovations, operating the Sevastack platform.
Under DPDP Act 2023 Section 8(2), this agreement governs how Sevastack processes personal data on your behalf.
2. Scope of processing
Sevastack processes personal data solely on your instructions for the following purposes:
| Data category | Processing activities |
|---|---|
| Donor data | Storage, receipt generation, 80G/10BD compliance, email communication, reporting |
| Volunteer data | Registration, coordination, assignment tracking, communication |
| Employee data | Payroll processing, PF/ESI/TDS computation, compliance filing |
| Financial data | Donation tracking, expense management, fund accounting, audit trail |
3. Obligations of Sevastack (Data Processor)
We shall:
- Process personal data only on your documented instructions and not for our own purposes.
- Ensure that persons authorized to process data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (DPDP S.8(1)), including:
  - AES-256 encryption for sensitive fields (PAN, Aadhaar, bank details)
  - HTTPS/TLS for all data in transit
  - Role-based access control (RBAC) with 5 permission levels
  - Comprehensive audit logging with IP tracking
  - Rate limiting on all public endpoints
  - Multi-tenant data isolation per organization
- Not engage another processor without your prior authorization. Current sub-processors are listed in Section 5.
- Assist you in responding to data subject requests (access, correction, erasure, portability) under DPDP S.11-14.
- Notify you without unreasonable delay upon becoming aware of a personal data breach (DPDP S.8(6)).
- Delete or return all personal data upon termination of services, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for audits.
4. Obligations of the Organization (Data Fiduciary)
You shall:
- Ensure you have a lawful basis (consent or legitimate use) for all personal data provided to Sevastack.
- Provide clear notice to data principals about the processing of their data (DPDP S.5).
- Respond to data subject requests within the timeframes prescribed by law (typically 30 days).
- Not instruct Sevastack to process data in a manner that violates the DPDP Act.
- Maintain accurate records of processing activities using the audit log functionality provided.
5. Sub-processors
Sevastack uses the following sub-processors. We will notify you before adding new sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (S3) | Document and file storage | India (ap-south-1, Mumbai) |
| Neon (PostgreSQL) | Primary database | Singapore (ap-southeast-1) |
| Razorpay | Payment processing | India |
| Resend | Transactional email delivery | United States |
| Vercel | Application hosting and CDN | Global (edge network) |
6. Cross-border data transfers
Under DPDP Act Section 16, personal data may be transferred outside India unless restricted by Central Government notification. Data processed by Resend (US) and Neon (Singapore) involves cross-border transfer. We monitor government notifications and will update data residency accordingly.
7. Data retention and deletion
We retain personal data only for the duration necessary to fulfill the processing purpose or as required by law. Default retention periods:
- Donor records: 7 years after last donation (Income Tax Act)
- Volunteer records: 3 years after last activity
- Employee records: 8 years post-employment (PF/ESI/TDS requirements)
- Audit logs: 5 years
Organizations can configure custom retention periods. Automated cleanup runs daily. Upon termination, we provide a full data export within 30 days and delete all data within 90 days.
8. Data breach notification
In the event of a personal data breach affecting your organization's data, we will:
- Notify you without unreasonable delay (target: within 72 hours of discovery).
- Provide details of: nature of breach, data affected, estimated number of data principals affected, and remedial measures taken.
- Cooperate with you in notifying the Data Protection Board of India and affected data principals as required under DPDP S.8(6).
- Take immediate steps to contain and remediate the breach.
9. Audits and compliance
We will make available to you all information necessary to demonstrate compliance with this DPA and the DPDP Act. Upon reasonable notice, we will allow and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
10. Term and termination
This DPA shall remain in effect for the duration of your use of Sevastack services. Upon termination:
- We will provide a complete data export (CSV/JSON) within 30 days of request.
- We will delete all personal data within 90 days of termination, except where retention is legally required.
- We will provide written confirmation of deletion upon request.
Contact
Data Protection Officer — Sevastack
Email: privacy@sevastack.in
NaviByte Innovations, Pune, Maharashtra, India