Data Processing Addendum
Last updated: 29 April 2026
This DPA is the standard form OriginChain signs with new customers. We will counter-sign a redlined version on request — email privacy@originchain.ai. For regulated industries (healthcare, financial services), Enterprise customers also receive sector-specific addenda (BAA, SOC 2 mapping).
1. Parties & scope
This Addendum forms part of the Master Services Agreement between the customer ("Controller") and Silicoyn Technologies Pvt Ltd ("OriginChain" or "Processor"). It governs the processing of Personal Data the Controller submits to the OriginChain Service.
2. Roles
The Controller is the data controller; OriginChain is the data processor. OriginChain processes Personal Data only on documented instructions from the Controller — typically the API and console actions taken by the Controller's authenticated users.
3. Categories of data & data subjects
The Service is a general-purpose database; the Controller decides what to store. OriginChain does not classify Personal Data on the Controller's behalf. Typical categories include:
- End-user identifiers (email, account id)
- Application content (rows, schema, query history)
- Operational telemetry (request timestamps, error codes)
Special-category data (health, biometrics, political opinion etc.) may only be processed under an Enterprise contract with appropriate sector-specific addenda.
4. Sub-processors
OriginChain uses the following sub-processors as of the date above. We notify Controllers in advance of any addition or replacement.
- Amazon Web Services: Compute (EC2), storage (EBS), backups (AWS Backup), DNS (Route 53), object storage (S3), control plane database (RDS PostgreSQL).
- Razorpay: Payment processing. Card data is tokenised — OriginChain never receives PAN or CVV.
- Anthropic / Amazon Bedrock: Natural-language compilation of /v1/ask requests. Prompts are submitted to the model and discarded; we do not store model output beyond the response we return.
5. International transfers
Customer data is stored in the AWS region selected by the Controller. Today the only live region is ap-south-1 (Mumbai). Cross-border transfers, if any, occur only when the Controller routes traffic through Bedrock in another region — controlled by the Controller's tenant configuration.
6. Security
See /security for the full posture. Summary: TLS for every external endpoint, Argon2id for stored credentials, IAM-isolated tenant resources, daily backups encrypted at rest, principle-of-least-privilege for engineer access via SSM Session Manager (no SSH).
7. Data subject requests
On the Controller's instruction, OriginChain will assist with the rectification, erasure, restriction, or export of Personal Data. Self-serve mechanisms:
- Erasure: cancel a subscription with the "delete data" option, or contact privacy@originchain.ai to expedite.
- Export: scan the affected schemas via the API. We do not gate exports.
- Rectification: standard write API.
8. Deletion & retention
On termination of a tenant subscription with the "delete data" flag set:
- Per-tenant EC2 + EBS volume are destroyed within 24 hours.
- EBS snapshots in the AWS Backup vault age out after 30 days per the standard retention policy. Earlier deletion is available on written request.
- Operational metadata in the control plane (instance and subscription rows) is retained for 7 years to satisfy financial record-keeping obligations under Indian tax law (Section 44AA, Income Tax Act, 1961).
- Security logs (auth events, failed login attempts) are retained for 90 days.
9. Breach notification
OriginChain will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Controller's data. Notification includes the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.
10. Audit
OriginChain provides on request: SOC 2 Type 1 reports as they are issued (Type II available on request once attested), the security questionnaire (today: /security), and access to engagement-specific evidence (penetration test reports, vulnerability scans, access logs filtered to the Controller's tenant). On-site audits are negotiated per Enterprise contract.
11. Liability
Liability under this Addendum is governed by the limitation-of-liability clause in the Master Services Agreement.
12. Governing law
This Addendum is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka. Where a Controller is established in the EU/UK and EU/UK data protection law applies to the processing, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller to Processor) as a separate signed annex.
13. Contact
Privacy office: privacy@originchain.ai
Postal address: Silicoyn Technologies Pvt Ltd, Bengaluru, Karnataka, India.