Data Processing Agreement

Last updated 25 June 2026
Working template — have Indian counsel review the version live on this URL before signing a real customer.

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Order Form between the Customer Institution ("Data Fiduciary") and StageBridge ("Data Processor") for the processing of personal data through the Service. It implements Sections 5–9 of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), Rule 8 of the SPDI Rules, 2011, and the relevant outsourcing directions of the National Housing Bank ("NHB") and the Reserve Bank of India ("RBI").

1. Roles

For all personal data the Data Fiduciary uploads or directs to be collected through the Service (including borrower identity, verification photographs, GPS readings, and loan metadata), the Customer Institution is the Data Fiduciary and StageBridge is the Data Processor.

2. Scope and purpose

The Data Processor will process personal data only on the documented instructions of the Data Fiduciary, as set out in the Order Form, in the Service's configuration screens, and through the API. The lawful purpose is the verification of construction-stage progress against a disbursement request and the maintenance of an immutable audit trail.

3. Categories of data subjects and personal data

  • Data subjects: borrowers, co-borrowers, builders, and operator personnel of the Data Fiduciary.
  • Personal data: name, contact details, government-issued identifiers (only as forwarded by the Data Fiduciary), photographs of the property and the borrower at site, GPS coordinates at capture, EXIF metadata, loan number, sanctioned amount, property address.
  • Sensitive personal data or information (under the SPDI Rules): none, except where the Data Fiduciary chooses to upload financial information for operational reasons. Biometric data is not collected.

4. Duration

This DPA continues for the term of the Order Form, plus the post-termination retention period required by Section 7 of this DPA.

5. Sub-processors

The Data Fiduciary authorises the Data Processor to engage the sub-processors listed in Annexure A. The Data Processor will notify the Data Fiduciary 30 days before adding any new sub-processor and will allow the Data Fiduciary to object on reasonable grounds. The Data Processor remains liable for the acts and omissions of its sub-processors.

6. Security measures

The Data Processor maintains, at minimum, the following safeguards:

  1. Encryption in transit (TLS 1.2+) and at rest (AES-256).
  2. Row-level security in the database keyed to org_id; per-request JWT verification.
  3. Append-only audit table with hash-chained rows.
  4. HMAC-bound upload nonces; signed object URLs with a default TTL of 10 minutes.
  5. Constant-time secret comparisons; secrets stored in environment with restricted access.
  6. Vendor SOC 2 / ISO 27001 verification before sub-processor onboarding.
  7. Penetration test at least annually; remediation tracked to closure.
  8. Background verification of personnel with access to production data.

A full statement of the system's security model is published at backend/SECURITY.md and updated when changes are made.

7. Retention and deletion

The Data Processor retains verification photographs and the audit trail for the longer of (a) seven (7) years from the date of the relevant disbursement (NHB / PMLA retention), or (b) the period the Data Fiduciary instructs in writing. On termination of the underlying Order Form, the Data Processor will (i) cease all processing within 24 hours; (ii) deliver an export of all personal data within 30 days on request; and (iii) irreversibly delete or pseudonymise the remaining personal data within 90 days, subject to the retention requirement above.

8. Data subject rights

Where a data subject contacts the Data Processor directly to exercise rights under Sections 11–14 of the DPDP Act, the Data Processor will forward the request to the Data Fiduciary within 72 hours and will assist the Data Fiduciary's response — but will not respond directly without instruction.

9. Breach notification

The Data Processor will notify the Data Fiduciary within 24 hours of becoming aware of a personal data breach affecting the Data Fiduciary's data, including (a) the nature of the breach; (b) the categories and approximate number of data subjects and records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach. The Data Processor will also notify the Data Protection Board where it has independent reporting obligations under Section 8(6) of the DPDP Act.

10. Audit rights

On reasonable written notice and no more than once per calendar year (except following a breach), the Data Fiduciary may audit the Data Processor's compliance with this DPA. The Data Processor will provide the Data Fiduciary's auditor reasonable access to relevant records, systems, and personnel. The audit is conducted at the Data Fiduciary's cost unless the audit reveals a material non-compliance, in which case the Data Processor bears the audit cost.

11. International transfer

Personal data is stored within India (Supabase, Mumbai ap-south-1). The only routine transfer of the Data Fiduciary's personal data outside India is to Anthropic PBC (United States) — and, only in opt-in ensemble mode, Google LLC (United States) — for the limited purpose of obtaining an AI verdict on a photograph (Annexure A). Only the photograph bytes are transmitted, by a short-lived signed URL, with no borrower identifiers attached; the AI vendor does not retain the input beyond the request and does not train on it. By authorising Annexure A the Data Fiduciary consents to this cross-border sub-processor. The transfer is subject to Section 16 of the DPDP Act. Where the Central Government notifies a list of restricted countries, the Data Processor will reconfigure the vendor list to comply and will notify the Data Fiduciary accordingly.

12. Use of personal data for AI / model training

The Data Processor will not use the Data Fiduciary's personal data to train, fine-tune, or evaluate any machine-learning model that is shared between Clients or made available to third parties. Any model developed by the Data Processor may be trained on the Data Fiduciary's photographs only where it is (a) isolated to the Data Fiduciary and never serves another Client, (b) trained on fully de-identified images — faces blurred, EXIF GPS and device identifiers stripped, no borrower identifiers, no cross-Client mixing — or (c) covered by an explicit written training carve-out in the Order Form. The Data Processor may use fully de-identified, aggregated metrics (counts, rates, latencies; no images or free-text) to operate, secure, and improve the Service.

13. Liability and indemnity

Each party's liability under this DPA is governed by the limitation provisions in the Master Services Agreement or Order Form. Nothing in this DPA caps liability for breach of confidentiality, gross negligence, or wilful misconduct.

14. Order of precedence

In the event of conflict between this DPA and the Master Services Agreement, this DPA prevails on matters of data processing. The Order Form prevails over both on commercial terms.

Annexure A — Sub-processors

Sub-processor | Purpose | Location
Supabase (Postgres, Auth, Storage) | Primary data hosting | Mumbai (ap-south-1)
Fly.io | API + worker compute | Mumbai (bom)
Anthropic PBC | AI verdict on photographs (primary vendor) | United States
Google LLC (Gemini) | AI verdict on photographs (secondary vendor; ensemble mode only) | United States
Resend | Transactional email delivery | United States
Twilio / MSG91 (planned) | SMS OTP delivery | India / United States

Anthropic PBC (United States) is the only routine cross-border recipient of borrower photographs; Google LLC receives them only where the Data Fiduciary opts into ensemble mode. Both receive photograph bytes only, by short-lived signed URL, retain nothing beyond the request, and do not train on the input. Authorising this Annexure constitutes the Data Fiduciary's consent to these cross-border sub-processors under Section 16 of the DPDP Act.

Annexure B — Documented instructions

The instructions in effect are: (i) verify each submission per the Service's documented workflow; (ii) maintain an immutable audit log; (iii) deliver decisions only through Authorised Users of the Data Fiduciary; (iv) call AI vendors only where the Data Fiduciary has not disabled them for its organisation; (v) any further written instruction lodged through legal@stagebridge.in.