OUSHVAA
Legal

Data Processing Agreement.

Starter draft, not lawyer-vetted. Drafted to DPDP Act 2023 + GDPR Article 28 + standard processor-DPA patterns. Indian counsel must review before this is executed with any paying customer. Enterprise customers may substitute a negotiated DPA in their MSA; in case of conflict, the negotiated DPA controls.

Last updated: 2026-05-27 · Effective: 2026-05-27

This Data Processing Agreement ("DPA") supplements the MedevIQ Terms of Service and Privacy Policy, and forms part of the agreement between Oushvaa Technologies ("Processor," "Oushvaa," "we," "us") and the user organization ("Controller," "Customer," "you") when you process personal data of third parties through your use of the MedevIQ Service (the "Service").

This DPA implements the obligations of a Data Processor under Section 8 of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the related DPDP Rules, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and, where applicable, Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR").

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service. Additionally:

  • Controller / Data Fiduciary — the natural or legal person determining the purposes and means of processing Personal Data.
  • Processor / Data Processor — Oushvaa, processing Personal Data on the Controller's documented instructions.
  • Personal Data — any data about an identified or identifiable individual that the Controller submits to or causes to be processed through the Service. Includes "Sensitive Personal Data or Information" (SPDI) under the SPDI Rules and special-category data under GDPR.
  • Data Principal / Data Subject — the individual to whom Personal Data relates.
  • Sub-processor — any third party engaged by us to process Personal Data on behalf of the Controller.
  • Personal Data Breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.

2. Scope and roles

With respect to Personal Data, the Customer is the Controller and Oushvaa is the Processor. Oushvaa processes Personal Data only on the documented instructions of the Customer, which are reflected in (a) the Terms of Service, (b) this DPA, (c) any active access agreement between the parties, and (d) the Customer's in-product configuration and actions (for example, creating a watchlist, uploading a document, configuring delivery channels).

With respect to Personal Data Oushvaa collects directly from individuals (account-holders signing up for access), Oushvaa is the Controller; that processing is governed by our Privacy Policy, not this DPA.

3. Subject matter, duration, nature, and purpose

  • Subject matter — Personal Data that the Customer submits, uploads, or otherwise makes available through the Service.
  • Duration — for the term of the Customer's access plus the post-termination retention windows described in our Privacy Policy and Section 9 of this DPA.
  • Nature and purpose — providing the Service, including query resolution, document parsing, structured field extraction, change-detection, alert delivery (email), and authenticated session management.
  • Categories of Data Principals — depends on the Customer's use; typically authorized employees, contractors, sponsors, regulators, clinicians, pharmacists, or others referenced in Customer-submitted content.
  • Categories of Personal Data — depends on the Customer's use; may include contact information, professional credentials, regulatory or pharmacovigilance metadata. The Customer is responsible for not submitting categories of data outside the scope of these Terms (Section 6 of the Privacy Policy).

4. Oushvaa's obligations as Processor

We will:

  • Process Personal Data only on documented instructions from the Customer, including with regard to cross-border transfers, unless required to do otherwise by applicable law (in which case we will notify the Customer before processing, unless prohibited).
  • Ensure personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures set out in Schedule A of this DPA.
  • Engage Sub-processors only in accordance with Section 5.
  • Assist the Customer in fulfilling its obligations to respond to Data Principal rights requests (Section 7).
  • Assist the Customer in meeting its security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations.
  • At the Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage (Section 9).
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits subject to Section 11.

5. Sub-processors

5.1 General authorization

The Customer grants Oushvaa a general authorization to engage Sub-processors to perform parts of the Service, subject to the conditions in this Section.

5.2 Current Sub-processors

The Sub-processors currently engaged by Oushvaa for the MedevIQ Service are:

  • Cloudflare, Inc. — edge compute (Workers, Pages), authentication front-end (Access), object storage (R2), DNS, embeddings. Data location: Cloudflare global network.
  • Supabase Inc. — managed PostgreSQL (project sahrvukeczulzwzkkmft). Data location: AWS ap-south-1 (Mumbai, India).
  • Anthropic PBC — Claude API for natural-language synthesis. Data location: United States.
  • Resend, Inc. — transactional email. Data location: United States with EU-region failover.
  • GitHub, Inc. — source-code and CI/CD only; Customer data does not flow through GitHub.

5.3 Sub-processor commitments

We have entered into written agreements with each Sub-processor that impose data protection obligations substantially equivalent to those in this DPA, and we remain responsible to the Customer for the performance of those Sub-processors.

5.4 Notification of new Sub-processors

We will notify the Customer at least 30 days before engaging a new Sub-processor (the "Notice Period"). Notice will be sent to the email address on file for the Customer's designated contact, and the updated list will be published on this page.

5.5 Customer objection

The Customer may object to a new Sub-processor by sending written notice to [email protected] within the Notice Period, stating reasonable grounds for the objection. The parties will work in good faith to resolve the objection. If the parties cannot agree, the Customer's sole remedy is to terminate the affected portion of the Service without penalty.

6. Cross-border transfers

The Customer acknowledges that Personal Data may be transferred to and processed in countries other than India where our Sub-processors operate, including the United States. Cross-border transfers are made in compliance with Section 16 of the DPDP Act and any applicable notifications by the Central Government.

Where Personal Data of EU/EEA Data Subjects is transferred outside the EEA, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914, Module Two: Controller-to-Processor) as varied by any applicable UK addendum or Swiss equivalent. The Customer is the data exporter; Oushvaa is the data importer. Annex I (Description of Transfer) and Annex II (Technical and Organizational Measures) are completed by reference to Section 3 and Schedule A of this DPA respectively.

7. Data Principal rights

Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to requests from Data Principals exercising their rights under the DPDP Act, the GDPR, or other applicable law.

Where a Data Principal contacts Oushvaa directly with a rights request relating to Personal Data processed on behalf of the Customer, we will (a) not respond substantively except to acknowledge and redirect the Data Principal to the Customer, (b) notify the Customer of the request within 5 business days, and (c) assist the Customer in responding as reasonably requested.

8. Personal Data Breach

We will notify the Customer of a Personal Data Breach affecting the Customer's Personal Data without undue delay, and in any event within 72 hours of becoming aware of the Breach. The notification will include, to the extent then known:

  • The nature of the Breach, including the categories and approximate number of Data Principals affected and the categories and approximate number of records concerned;
  • The name and contact details of the Grievance Officer or other point of contact for further information;
  • The likely consequences of the Breach;
  • The measures taken or proposed to be taken to address the Breach, including measures to mitigate its possible adverse effects.

We will cooperate with the Customer and provide reasonable assistance in the Customer's investigation and notification obligations under the DPDP Act, the GDPR (where applicable), and other applicable law. Our notification to the Customer is not an acknowledgment of fault or liability.

9. Return or deletion of Personal Data

On termination of the Service or earlier written request from the Customer, we will, at the Customer's choice:

  • Delete all Personal Data processed on behalf of the Customer (default), or
  • Return the Personal Data in a commonly used machine-readable format (CSV / JSON / database dump), at no additional cost for one-time export within 30 days of termination.

Deletion is completed from primary stores within 30 days and from standard backups within 90 days. Encrypted backup tapes are overwritten on their regular rotation schedule. We may retain Personal Data where required by applicable law (in which case we will maintain its confidentiality and not process it further).

10. Security (Schedule A)

We implement and maintain the following technical and organizational measures:

10.1 Encryption

  • TLS 1.2 or higher for all data in transit, with HSTS enforced on public endpoints.
  • AES-256 encryption at rest for the primary database (Supabase Postgres) and object storage (Cloudflare R2).
  • Customer-provided documents: encrypted at rest and accessible only via signed URLs scoped to the uploading user's session.

10.2 Access controls

  • User authentication via Supabase Auth with email verification and configurable session length.
  • SSO via Customer's identity provider available on Enterprise tier.
  • Internal access to production data restricted to authorized Oushvaa personnel by role; access actions logged.
  • Production secrets (API keys, database credentials) stored in Cloudflare encrypted secret storage with rotation procedures documented internally.

10.3 Monitoring and audit

  • Application and authentication logs retained for 24 months minimum.
  • Cloudflare DDoS protection and WAF in front of all public endpoints.
  • Vulnerability monitoring on dependencies via automated tooling.
  • Annual security review and incident-response drill.

10.4 Personnel

  • All personnel with access to Personal Data are bound by written confidentiality obligations.
  • Background verification of personnel with administrative access to production systems.
  • Periodic security awareness training; annual refresher required.

10.5 Resilience

  • Daily encrypted backups of the primary database with 30-day rolling retention.
  • Point-in-time recovery available within the retention window.
  • Documented disaster-recovery procedures; recovery time objective (RTO) 24 hours, recovery point objective (RPO) 24 hours, for the v1 Service tier (more aggressive RTO/RPO available on Enterprise tier).

10.6 Roadmap

SOC 2 Type I attestation: target Q4 2026. ISO/IEC 27001 alignment work in parallel. See the Trust page for current compliance posture and roadmap.

11. Audit rights

The Customer may, no more than once per 12-month period and upon at least 60 days' prior written notice, request a remote audit of our compliance with this DPA. We will provide the Customer with (a) our most recent SOC 2 report (when available), (b) responses to a reasonable security questionnaire, and (c) attestations from our Sub-processors as available. Where the Customer can demonstrate that the information so provided is insufficient, the parties will agree in good faith on the scope and conduct of additional audit activities. Audits will be conducted during business hours, must not unreasonably interfere with operations, and the Customer bears the costs of the audit unless the audit reveals a material breach of this DPA.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability in the Terms of Service, the Customer's access agreement, or any subsequent agreement between the parties addressing limitations of liability, in that order of precedence. Nothing in this DPA excludes or limits liability that cannot be excluded under applicable law.

13. Conflicts

In the event of a conflict between this DPA and the Terms of Service or Privacy Policy with respect to the processing of Personal Data, this DPA controls. In the event of a conflict between this DPA and a fully-negotiated DPA executed as part of an Enterprise Master Services Agreement, the negotiated DPA controls.

14. Governing law

This DPA is governed by the laws of India, consistent with the Terms of Service, and disputes are subject to the same jurisdiction and dispute-resolution provisions.

15. Contact

Data Protection / DPA inquiries: [email protected]

Grievance Officer: Vishnu Surendranath — [email protected]

Security incidents and breach notifications received from Sub-processors: [email protected]

Early access

MedevIQ is in private preview.

We're onboarding hospitals, manufacturers, regulators and research teams in waves. Tell us how you'd use MedevIQ and we'll get back within a working week.

We'll reply within a working week.

Access by invitation while v1 finalizes.