🔧This is a demonstration site — for demo purposes only. Ganexa-ArchNova is currently invite-only.

Legal

Data Processing Agreement

Last updated: 7 July 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service. A countersigned copy for Enterprise customers is available on request at legal@ganexas.com. This template is provided for review and should be validated by your legal counsel before execution.

1. Parties & Roles

This DPA is between the customer (the “Controller”) and Ganexa Consultancy Services Pvt. Ltd. (“Ganexa”, the “Processor”), operator of ArchNova (the “Platform”). It governs Ganexa’s processing of personal data on the Controller’s behalf and applies where such processing is subject to the EU/UK GDPR, the DPDP Act 2023 (India), or comparable data-protection law.

2. Subject Matter & Duration

The subject matter is the provision of the Platform. Processing continues for the term of the subscription and any wind-down period, after which data is returned or deleted per Section 9.

3. Nature & Purpose of Processing

Ganexa processes personal data only to host, operate, secure, support, and improve the Platform, and solely on the Controller’s documented instructions (including via configuration of the Platform). Ganexa will not process personal data for its own purposes or sell it.

4. Categories of Data & Data Subjects

Data subjects: the Controller’s authorised users and any individuals named in architecture content. Personal data: account identity (name, work email, role), authentication and audit metadata, and any personal data the Controller chooses to include in models, comments, or uploads. The Platform is not intended for special-category data; Controllers should avoid entering it.

5. Processor Obligations

Ganexa will: (a) process only on documented instructions; (b) ensure personnel are bound by confidentiality; (c) implement the security measures in Section 7; (d) assist the Controller with data-subject requests and DPIAs insofar as reasonable; (e) notify the Controller of a personal-data breach without undue delay (see Section 8); and (f) make available information necessary to demonstrate compliance.

6. Sub-processors

The Controller authorises Ganexa to engage sub-processors (e.g. cloud hosting, email delivery, and, where enabled by the Controller, AI model providers). Ganexa imposes data-protection terms on each sub-processor no less protective than this DPA and remains liable for their performance. A current sub-processor list is available on request, and Ganexa will give notice of intended changes so the Controller may object.

7. Security Measures

Ganexa maintains appropriate technical and organisational measures, including: encryption in transit (TLS); role- and attribute-based access control; tenant isolation; audit logging of data mutations; least-privilege administrative access; automated encrypted backups with tested restore; and security monitoring and alerting. Measures are reviewed and updated as the service evolves.

8. Personal-Data Breach

On becoming aware of a personal-data breach affecting the Controller’s data, Ganexa will notify the Controller without undue delay, describe the nature and likely consequences, and detail measures taken or proposed to address it, to help the Controller meet its own notification obligations.

9. Return & Deletion

On termination, the Controller may export its data for 30 days. After that period Ganexa will delete or return the personal data and delete existing copies, save where retention is required by law. Backups are purged on their normal rotation.

10. International Transfers

Where personal data is transferred across borders, Ganexa relies on an appropriate transfer mechanism (such as Standard Contractual Clauses) and applies supplementary measures where required.

11. Audits

Ganexa will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an appointed auditor, subject to reasonable notice, confidentiality, and frequency limits.

12. Contact

Data-protection queries and DPA execution requests: legal@ganexas.com.