1. When this DPA applies
This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Controller”) and Trigunatita Technologies (“Processor”). It applies when Trigunatita processes personal data on your behalf under applicable data-protection laws, including:
- India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”)
- EU General Data Protection Regulation 2016/679 (“GDPR”)
- UK Data Protection Act 2018 and UK GDPR
- Any other regional law substantially equivalent to the above
To countersign this DPA, email legal@trigunatita.com with your legal entity details. We issue a countersigned copy within 5 business days at no additional cost.
2. Definitions
Unless otherwise stated, capitalised terms have the meaning given in the GDPR, DPDP Act, or Terms of Service as applicable.
- Customer Data — personal data you provide to Trigunatita or that we collect in operating the service on your behalf (excluding our own business and marketing data).
- Data Subject — the identified or identifiable individual to whom the Customer Data relates.
- Sub-processor — any third-party processor engaged by Trigunatita to process Customer Data.
3. Roles and scope
You are the Controller / Data Fiduciary. Trigunatita is the Processor / Data Processor. Each party will comply with its respective obligations under applicable data-protection laws.
4. Scope and purpose of processing
| Element | Description |
|---|---|
| Nature of processing | Upload, mirror, archive, and restore of video content and associated metadata. |
| Purpose | Providing the Trigunatita service as described in the Terms of Service. |
| Duration | For the life of your subscription + retention periods described in the Privacy Policy. |
| Categories of data subjects | Primarily you and your team members; secondarily, any identifiable individuals depicted in video content. |
| Categories of personal data | Contact data, authentication credentials (hashed / tokenised), billing identifiers, content data, usage telemetry. |
5. Processor obligations
Trigunatita will:
- Process Customer Data only on documented instructions from you, unless required otherwise by law (in which case we will inform you unless the law prohibits it).
- Ensure that all personnel with access to Customer Data are bound by confidentiality obligations.
- Implement technical and organisational measures appropriate to the risk, as described in Schedule A below and on the /security page.
- Only engage sub-processors that satisfy equivalent data-protection obligations and are listed in Schedule B, with prior general authorisation from you (Section 7).
- Assist you in responding to Data Subject requests (access, correction, erasure, portability, etc.) within reasonable timeframes.
- Assist you in meeting your security-incident notification, data-protection impact assessment, and consultation obligations, taking into account the nature of processing and information available to us.
- Notify you of a personal-data breach without undue delay, and in any event within 72 hours of becoming aware of it.
- Upon termination, delete or return Customer Data in accordance with Section 8.
- Make available information necessary to demonstrate compliance with this DPA, and allow audits as described in Section 9.
6. Controller obligations
You warrant that:
- You have provided all required notices to and obtained all required consents from Data Subjects for the processing contemplated by the service.
- Your instructions to Trigunatita are lawful under applicable data-protection laws.
- Customer Content you upload does not contain personal data you are not authorised to process.
7. Sub-processors
You authorise Trigunatita to engage the sub-processors listed in Schedule B. We will notify you of intended additions or replacements at least 30 days in advance (via email or our sub-processor update page). You may object in writing within that window on reasonable data-protection grounds. If we cannot address your objection, either party may terminate the affected service with a pro-rated refund.
Each sub-processor is bound by a written agreement containing data-protection obligations no less protective than those in this DPA.
8. International transfers
Customer Data is primarily processed and stored in the India region. Where personal data is transferred outside India or outside the EEA/UK, we will implement appropriate safeguards, including:
- EU Standard Contractual Clauses (for transfers from the EU/EEA)
- UK International Data Transfer Addendum (for transfers from the UK)
- Equivalent safeguards under DPDP Act rules as notified from time to time
Transmissions to YouTube (Google LLC) occur because the destination service requires them and are covered by your direct consent to YouTube under its own terms.
9. Data subject rights
We provide tools (in your dashboard and via the privacy@trigunatita.com address) that allow you to respond to Data Subject requests for access, correction, erasure, portability, and restriction. Where we cannot action a request directly, we will assist you with information reasonably required to fulfil it.
10. Security incidents
If Trigunatita becomes aware of a personal-data breach affecting your Customer Data, we will: (a) notify you without undue delay and within 72 hours; (b) provide the information reasonably required for you to meet your own notification obligations; and (c) take reasonable steps to mitigate and remedy the breach. Our incident-response timeline is published at /security.
11. Audits
We provide annual third-party audit summaries (when available — SOC 2 on the roadmap), responses to standard security questionnaires, and attestations for specific frameworks on request. In-person audits may be requested by Studio-tier customers with 60 days’ notice, limited to once per year, during business hours, subject to reasonable confidentiality undertakings, and at your cost unless a material breach is documented.
12. Return and deletion
On termination of the service, we will (at your choice) return or delete Customer Data within 30 days, unless applicable law requires longer retention (e.g., GST records). Deletion is documented and confirmation is provided.
13. Liability
Each party’s liability under this DPA is subject to the same caps and exclusions set out in the Terms of Service. Nothing in this DPA limits either party’s liability to a Data Subject to the extent required by applicable law.
Schedule A — Technical and organisational measures
Current TOMs are described at /security and are updated as our posture evolves. In summary:
- Encryption at rest using key-management-service customer-managed keys.
- TLS 1.2+ in transit everywhere, HSTS enforced.
- Least-privilege IAM per service component; no shared human access to production data stores.
- Multi-factor authentication required for all personnel with any production access.
- Structured audit logs retained for 90 days (operational) and 7 years (billing/audit).
- Quarterly restore drills against synthetic data.
- Security-incident response per the published playbook.
Schedule B — Authorised sub-processors
The following sub-processors are authorised as of 4 May 2026:
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services India Pvt. Ltd. | Cloud infrastructure: compute, storage, identity, key management | India (ap-south-1) |
| Google LLC | YouTube Data API destination and OAuth; only reached with your explicit consent | Global |
| Razorpay Software Pvt. Ltd. | Payment processing and subscription billing | India |
| Resend (or equivalent transactional email provider) | Transactional email: invoices, account notices, security alerts | USA / EU |
| Plausible Analytics (or equivalent) | Cookieless, privacy-first site analytics (aggregated only) | EU |
| Cloudflare (where used) | CDN and DDoS protection for the marketing site only; no Customer Data in scope | Global |
Schedule C — Contact
- Data Protection Queries: privacy@trigunatita.com
- DPA Countersignature: legal@trigunatita.com
- Security Incidents: security@trigunatita.com
- Grievance Officer (India DPDP): grievance@trigunatita.com
Change log
- v0.9 · 4 May 2026 — pre-launch draft, pending legal review.