Legal
Data Processing Agreement
Last updated: 7 July 2026
1. Parties & Roles
This DPA is between the customer (the “Controller”) and Ganexa Consultancy Services Pvt. Ltd. (“Ganexa”, the “Processor”), operator of ArchNova (the “Platform”). It governs Ganexa’s processing of personal data on the Controller’s behalf and applies where such processing is subject to the EU/UK GDPR, the DPDP Act 2023 (India), or comparable data-protection law.
2. Subject Matter & Duration
The subject matter is the provision of the Platform. Processing continues for the term of the subscription and any wind-down period, after which data is returned or deleted per Section 9.
3. Nature & Purpose of Processing
Ganexa processes personal data only to host, operate, secure, support, and improve the Platform, and solely on the Controller’s documented instructions (including via configuration of the Platform). Ganexa will not process personal data for its own purposes or sell it.
4. Categories of Data & Data Subjects
Data subjects: the Controller’s authorised users and any individuals named in architecture content. Personal data: account identity (name, work email, role), authentication and audit metadata, and any personal data the Controller chooses to include in models, comments, or uploads. The Platform is not intended for special-category data; Controllers should avoid entering it.
5. Processor Obligations
Ganexa will: (a) process only on documented instructions; (b) ensure personnel are bound by confidentiality; (c) implement the security measures in Section 7; (d) assist the Controller with data-subject requests and DPIAs insofar as reasonable; (e) notify the Controller of a personal-data breach without undue delay (see Section 8); and (f) make available information necessary to demonstrate compliance.
6. Sub-processors
The Controller authorises Ganexa to engage sub-processors (e.g. cloud hosting, email delivery, and, where enabled by the Controller, AI model providers). Ganexa imposes data-protection terms on each sub-processor no less protective than this DPA and remains liable for their performance. A current sub-processor list is available on request, and Ganexa will give notice of intended changes so the Controller may object.
7. Security Measures
Ganexa maintains appropriate technical and organisational measures, including: encryption in transit (TLS); role- and attribute-based access control; tenant isolation; audit logging of data mutations; least-privilege administrative access; automated encrypted backups with tested restore; and security monitoring and alerting. Measures are reviewed and updated as the service evolves.
8. Personal-Data Breach
On becoming aware of a personal-data breach affecting the Controller’s data, Ganexa will notify the Controller without undue delay, describe the nature and likely consequences, and detail measures taken or proposed to address it, to help the Controller meet its own notification obligations.
9. Return & Deletion
On termination, the Controller may export its data for 30 days. After that period Ganexa will delete or return the personal data and delete existing copies, save where retention is required by law. Backups are purged on their normal rotation.
10. International Transfers
Where personal data is transferred across borders, Ganexa relies on an appropriate transfer mechanism (such as Standard Contractual Clauses) and applies supplementary measures where required.
11. Audits
Ganexa will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an appointed auditor, subject to reasonable notice, confidentiality, and frequency limits.
12. Contact
Data-protection queries and DPA execution requests: legal@ganexas.com.