GI
GCC Intelligence
UP & NCR Edition
Back

Data Processing Agreement

GCC Intelligence — UP & NCR Edition · Effective 7 June 2026 · Forms part of the customer’s commercial agreement and is issued under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

1. Parties & roles

This Data Processing Agreement (“DPA”) is between the customer organisation identified in the commercial agreement (“Customer”) and MarshallRidge Consulting Private Limited (“MarshallRidge”). For personal data the Customer’s users enter into the platform (for example, recipient names or contact details typed into generated documents), the Customer is the data fiduciary and MarshallRidge acts as its data processor, processing only on the Customer’s documented instructions. For platform account and security data, MarshallRidge is the data fiduciary as described in the Privacy Notice.

2. Scope, nature & purpose of processing

  • Subject matter — provision of the GCC Intelligence platform and its document-generation, analytics and API services.
  • Duration — the term of the commercial agreement, plus the deletion window in §8.
  • Categories of data — business contact data entered by users (names, titles, organisations, email addresses); account identifiers; usage and security metadata.
  • Data principals — the Customer’s authorised users and business contacts the Customer chooses to reference.
  • No sensitive personal data — the platform is not designed for, and must not be used to store, financial, health or biometric data.

3. Customer instructions

MarshallRidge processes Customer personal data only to provide the contracted services, comply with Indian law, or follow the Customer’s additional written instructions. If an instruction would, in our view, breach the DPDP Act, we will inform the Customer before proceeding.

4. Confidentiality & personnel

Personnel with access to Customer data are bound by written confidentiality obligations and access is limited to what their role requires (least privilege, role-based access control).

5. Security measures

MarshallRidge maintains the technical and organisational measures described in the Privacy Notice §8, including AES-256 encryption at rest, TLS 1.2+ in transit, multi-factor authentication, scrypt password hashing, signed sessions, web application firewall, rate limiting, continuous threat monitoring and 180-day tamper-evident security logs, all hosted in AWS Asia Pacific (Mumbai), India.

6. Sub-processors

The Customer authorises the following sub-processors:

  • Amazon Web Services (Asia Pacific — Mumbai, India) — cloud infrastructure hosting all platform data;
  • Anthropic (United States) — optional AI assistant features only; receives the text of AI queries and the deterministic figures needed to answer them, under contractual data-protection terms and without training on the data. Customers who do not use AI features send no data outside India.

MarshallRidge will give at least 30 days’ notice before adding or replacing a sub-processor; the Customer may object on reasonable data-protection grounds.

7. Data-principal rights & assistance

MarshallRidge will assist the Customer in fulfilling data-principal requests (access, correction, erasure, grievance) within the platform’s capabilities — including superadmin user management and verified deletion — and will forward to the Customer, without undue delay, any request received directly from the Customer’s data principals.

8. Retention, return & deletion

On termination of the commercial agreement, Customer data is deleted within 30 days of a verified request (or automatically at the end of the contracted off-boarding period), after which it ages out of rolling 14-day backups. Security logs are retained for 180 days as required by the CERT-In Directions of 28 April 2022, then deleted automatically.

9. Breach notification

MarshallRidge will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer data, providing the information reasonably required for the Customer’s own DPDP Act obligations. MarshallRidge separately complies with its CERT-In 6-hour incident-reporting obligation and, where it acts as data fiduciary, with notification to the Data Protection Board of India.

10. Audit & demonstration of compliance

On reasonable written notice (not more than once annually unless a breach has occurred), MarshallRidge will make available the information reasonably necessary to demonstrate compliance with this DPA — including its control documentation and summaries of independent infrastructure certifications (AWS ISO 27001 / SOC reports).

11. Cross-border transfers

All platform data is stored and processed in India. The sole cross-border flow is the optional AI sub-processing described in §6, which is not restricted under the DPDP Act’s current transfer framework and is disclosed in the Privacy Notice.

12. Liability & order of precedence

Liability under this DPA is subject to the limitations in the Terms of Use and the commercial agreement. If this DPA conflicts with the commercial agreement on data-protection matters, this DPA prevails.

13. Governing law

This DPA is governed by the laws of India; courts at Mumbai, Maharashtra have exclusive jurisdiction.

14. Contact

MarshallRidge Consulting Private Limited
Unit No. 52, 2nd Floor, C-39A, Gami Industrial Park, MIDC, Thane, Navi Mumbai 400705, India
contact@marshallridgeconsulting.in · +91 77188 66506