Data Processing Addendum

Customer determines the purposes and means of processing. Autobotix processes personal data only on documented Customer instructions, as required to deliver the Services.

Processing covers personal data submitted to the Services by or on behalf of Customer, for the duration of the subscription and any agreed retention period thereafter.

• End users, customers, prospects, and personnel of the Customer.
• Identifiers, contact data, communications, behavioural and usage data.
• No special-category data unless explicitly agreed in writing.

Customer authorises Autobotix to engage sub-processors listed at autobotix.pro/sub-processors. We notify Customer of any new sub-processor at least 30 days in advance and impose equivalent data-protection obligations.

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Role-based access control with least-privilege principle.
• Continuous logging, monitoring, and quarterly access reviews.
• Annual penetration testing and SOC 2-aligned controls.

Autobotix will assist Customer in responding to data principal / data subject requests (access, correction, erasure, portability, objection) within statutory timelines.

Autobotix notifies Customer without undue delay — and in any event within 48 hours — of becoming aware of a personal-data breach, with sufficient detail to satisfy DPDP and GDPR notification duties.

Where personal data is transferred outside India or the EEA, Autobotix implements appropriate safeguards, including Standard Contractual Clauses and supplementary measures where required.

Customer may request an annual audit on reasonable notice. Autobotix may satisfy this obligation by providing a recent independent audit report.

On termination, Autobotix will, at Customer's choice, return or delete personal data within 60 days, except where retention is legally required.

dpo@autobotix.pro