Data Processing Agreement (Controller → Processor)

    Last updated: 12 September 2025

    This Data Processing Agreement (“DPA”) forms part of the agreement between Tangi5 Strategic Innovation Labs LLP (LLPIN ACK‑9545), trading as TringTring (“Processor”, “we”, “us”) and the entity identified in your Order Form, online sign‑up or Master Services Agreement (“Controller”, “you”).

    • Registered office: 3, Vora Industrial Estate, Navghar, Vasai Road E. Dist. Palghar, Maharashtra – 401202, India.

    • Contact for privacy/security: privacy@tringtring.ai

    By using the Services in a manner that requires us to process Customer Personal Data on your behalf, you agree to this DPA.

    Electronic records notice. This document may be executed electronically and is an electronic record under the Information Technology Act, 2000; no physical signature is required.

    1. Definitions

    • Applicable Data Protection Law means all laws that apply to the processing of Customer Personal Data under this DPA, including GDPR, UK GDPR, the Swiss FADP, India’s DPDP Act, 2023, and applicable US state privacy laws where relevant.

    • Customer Personal Data means personal data for which you are the Controller and which we process on your behalf in providing the Services.

    • Services means the TringTring orchestration platform, APIs, SDKs, dashboards and related support.

    • Sub‑processor means any processor engaged by us to assist in providing the Services.

    Capitalised terms not defined here have the meanings in the Agreement/Order Form/Terms of Service.

    2. Roles and scope

    a) Controller/Processor. You are the Controller (or a Processor acting on behalf of a third‑party controller); we are your Processor.
    b) Documented instructions. We will process Customer Personal Data only on your documented instructions, including to provide and secure the Services, perform support, prevent abuse, and comply with law. Your configuration of the Services (including enabling specific Integrations) forms part of your instructions.
    c) Restricted data. You are responsible for ensuring your instructions comply with Applicable Data Protection Law and for not sending Customer Personal Data that is unlawful or unnecessary (e.g., special‑category data) unless you have a lawful basis and have notified us in writing.

    3. Nature and details of processing

    • Subject‑matter: Provision of the Services and related technical support.

    • Duration: For the term of the Agreement plus any retention period you configure or that is required by law or permitted backups.

    • Types of data: May include names, contact details, identifiers, call/message content and metadata, audio, transcripts, prompts, model inputs/outputs, and other data you submit.

    • Data subjects: Your end users, staff, prospects, customers and other participants you communicate with through the Services.

    • Processing operations: Collection, storage, transmission, routing, transformation, aggregation, analysis, logging, troubleshooting, deletion.

    4. Confidentiality

    We ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and receive appropriate data protection and security training.

    5. Security

    We implement and maintain technical and organisational measures appropriate to the risk (see Annex II). Measures include encryption in transit, access controls/least privilege, network segmentation, logging/monitoring, vulnerability management, MFA for privileged access, and regular training.

    6. Sub‑processing

    a) You authorise our use of Sub‑processors listed in Annex III and at /legal/sub‑processors (as updated from time to time).
    b) We impose data protection obligations on Sub‑processors that are no less protective than those in this DPA.
    c) We will notify you of new Sub‑processors (via email or page update) and provide a reasonable opportunity to object on reasonable grounds related to data protection. If you reasonably object, we will work with you in good faith to find a solution; if none is feasible, you may terminate only the affected Services with a pro‑rata refund of prepaid fees.

    7. Data subject requests

    Taking into account the nature of the processing, we will assist you, by appropriate technical and organisational measures, to respond to requests to exercise data subject rights (e.g., access, rectification, erasure, restriction, portability and objection). You are responsible for verifying a requester’s identity and for the decision to act on a request.

    8. Assistance, DPIAs and consultations

    We will provide reasonable assistance (at your cost, if such assistance is material or outside standard support) with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to us.

    9. Personal data breach

    We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Our notice will include information available to us at the time (nature of breach, affected data categories, known consequences, measures taken or proposed). You are responsible for notifications to regulators or individuals, unless we have expressly agreed otherwise.

    10. Return and deletion

    Upon termination or expiry of the Services, on your written request we will delete or return Customer Personal Data and delete existing copies within our control, subject to: (i) retention required by law; and (ii) standard backup retention (typically 30–90 days) after which data is overwritten in the ordinary course.

    11. Audits and information

    a) We will make available information necessary to demonstrate compliance with this DPA, which may include third‑party reports (e.g., penetration tests, external audits) and responses to reasonable security questionnaires under NDA.
    b) Where such information is insufficient, you may conduct an audit no more than once per 12 months, on 30 days’ notice, during business hours, and without disrupting operations. Audits are limited to controls relevant to Customer Personal Data and may not include third‑party or other customers’ information. You must use a qualified independent auditor bound by confidentiality. We may charge reasonable time and materials for audits.

    12. International data transfers

    a) We may process and transfer Customer Personal Data worldwide as necessary to provide the Services and Sub‑processor services.
    b) Where a transfer is subject to cross‑border restrictions (e.g., EEA/UK/Switzerland to a country without adequacy), the parties agree that the EU Standard Contractual Clauses (SCCs) (Module 2 Controller→Processor and 3 Processor→Processor, as applicable) and, where relevant, the UK Addendum/IDTA and Swiss provisions are incorporated by reference and shall apply between you and us, and between us and Sub‑processors.
    c) We will implement supplementary measures where appropriate and conduct transfer assessments as required.

    13. Use of de‑identified and aggregated data

    We may create and use aggregated and/or de‑identified data derived from Customer Personal Data for service analytics, benchmarking and improvement, provided that such data cannot reasonably be used to identify an individual or your organisation and we do not attempt to re‑identify it.

    14. Controller responsibilities

    You are responsible for:

    • Providing all required notices and obtaining all required consents (e.g., call‑recording, marketing, WhatsApp template usage);

    • Configuring retention, training and regional settings for Integrations to meet your compliance needs;

    • Ensuring your instructions are lawful and appropriate;

    • Responding to data subject requests and regulator inquiries relating to your use of the Services.

    15. CCPA/CPRA and other US laws (service provider)

    Where US state privacy laws apply, we act as your service provider/processor; we do not sell or share Customer Personal Data for cross‑context behavioural advertising, and we process Customer Personal Data only for the limited business purposes of providing the Services to you.

    16. Liability

    Each party’s aggregate liability under this DPA is limited as set out in the Agreement/Terms of Service. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law.

    17. Precedence and changes

    If there is a conflict between this DPA and the Agreement/Terms of Service, this DPA prevails for the subject‑matter of data protection. We may update this DPA to reflect legal or operational changes; material changes will be notified to account holders. Continued use of the Services after the effective date constitutes acceptance.


    Annex I – Details of Processing

    A. Controller: The entity identified in the Order Form or online sign‑up.
    B. Processor: Tangi5 Strategic Innovation Labs LLP (LLPIN ACK‑9545), trading as TringTring.
    C. Data subjects: End users, staff, prospects, customers, conversation participants.
    D. Categories of personal data: Contact details, identifiers, call/message metadata, audio and transcripts, prompts, model inputs/outputs, and other data submitted by Controller.
    E. Special categories: Not intended; if processed, only as instructed by Controller with a lawful basis.
    F. Processing operations: As described in Sections 2–3 of this DPA.
    G. Duration: For the term of the Agreement plus retention as configured/required.
    H. Transfers: Worldwide as necessary; safeguards per Section 12.


    Annex II – Technical and Organisational Measures (TOMs)

    Governance & access

    • Role‑based access control; least‑privilege; MFA for privileged accounts.

    • Background checks as permitted by law; confidentiality agreements; annual security training.

    Data protection

    • Encryption in transit (TLS 1.2+) and at rest where applicable.

    • Secrets vaulting and rotation; separation of environments; key management controls.

    • Secure software development lifecycle (threat modelling, code review, dependency scanning, CI/CD hardening).

    • Configurable data retention and auto‑deletion; minimised logs.

    Infrastructure & operations

    • Cloud providers with robust physical and environmental controls (see Annex III).

    • Network segmentation; WAF/CDN; rate limiting and bot protection.

    • Continuous monitoring, alerting and vulnerability management; regular penetration testing.

    • Backups with integrity checks and defined retention; restoration tests.

    Incident management

    • Documented IR plan; 24×7 on‑call; breach notification per Section 9.

    • Post‑incident reviews and corrective actions.

    Business continuity

    • High‑availability architecture; redundancy across availability zones where applicable.

    • Disaster‑recovery plans and periodic exercises.

    Customer controls

    • SSO/MFA; audit logs; regional and training/retention toggles for supported Integrations.

    Annex III – Authorised Sub‑processors

    Scope: These entities may process Customer Personal Data and/or Service Data to help deliver and support the Services. Locations reflect typical regions or data‑residency options; your configuration and network routing may affect where processing occurs. We contractually require appropriate security and data‑protection terms.

    Entity Name | Product or Service | Location of Processing | Purpose of Processing
    Cloudflare | All Services | Processing at the data centre closest to the end user | Content delivery network and edge security
    Amazon Web Services (AWS) | All Services | United States, Europe, Asia (region as configured) | Cloud infrastructure and storage
    Google Cloud Platform (GCP) | All Services | United States, Europe, Asia (region as configured) | Cloud infrastructure and computing services
    Microsoft Azure | All Services | United States, Europe, Asia (region as configured) | Cloud infrastructure and computing services
    Supabase | All Services | United States (region as configured) | Database management and storage
    Google Workspace | Internal Services | United States, Europe, Asia | Business productivity and collaboration tools
    HashiCorp Cloud | Infrastructure Services | United States | Infrastructure‑as‑code and secrets management
    Plivo | Customer Communication | United States, Europe, India, Singapore (region as configured) | Telephony and messaging APIs; call/SMS routing and delivery
    Atlassian | Internal Services | United States, Europe (data‑residency options) | Project management and issue tracking
    GitLab | Development Services | United States, Europe (SaaS regions) | Code repository, version control and CI/CD
    Razorpay | Payment Services | India | Payment processing and subscription management
    Zoho | Internal Services | India, United States, Europe | CRM, support desk and related operations
    Mailchimp (Intuit Mailchimp) | Marketing Services | United States, Europe | Email marketing and (if enabled) transactional email
    Meta Platforms (e.g., WhatsApp Business, Messenger, Instagram) | Channels / Customer Communication | Worldwide (per Meta’s infrastructure) | Messaging channels and delivery, subject to your configuration

    Change notifications and right to object apply as set out in Section 6.


    Annex IV – CCPA/CPRA Service‑Provider Certification (if applicable to you)

    We certify that we will not: (i) sell Customer Personal Data; (ii) share Customer Personal Data for cross‑context behavioural advertising; or (iii) retain, use or disclose Customer Personal Data for any purpose other than the business purpose of providing the Services to you, or as permitted by law. We will honour Global Privacy Control/Universal Opt‑Out signals where applicable to our own web properties.


    Annex V – Execution

    This DPA is effective on the earlier of: (i) the date you first use the Services in a manner requiring us to process Customer Personal Data on your behalf; or (ii) the date you click to accept or sign an Order Form that incorporates this DPA.

    Processor
    Tangi5 Strategic Innovation Labs LLP (LLPIN ACK‑9545)
    By: __________________________
    Name: ________________________
    Title: _________________________
    Date: _________________________

    Controller
    Entity: ________________________
    By: __________________________
    Name: ________________________
    Title: _________________________
    Date: _________________________