This Data Processing Agreement ("DPA") is entered into between Decipher Consultancy Services (operating as SignupDesk) as the Data Processor, and each Client of SignupDesk as the Data Fiduciary. This DPA is incorporated into and forms part of the Terms of Service. By using SignupDesk, the Client agrees to this DPA.
Section 01
Parties & Roles
Under the Digital Personal Data Protection Act, 2023 (India), the following roles apply:
- Data Fiduciary: The Client (event organiser) — the entity that determines the purpose and means of processing attendee personal data. The Client is legally responsible for compliance with DPDP Act 2023 obligations as a Data Fiduciary.
- Data Processor: Decipher Consultancy Services (SignupDesk) — the entity that processes personal data on behalf of and under the instructions of the Data Fiduciary.
This DPA governs the processing activities performed by the Processor on behalf of the Fiduciary in connection with the SignupDesk Platform.
Section 02
Scope of Processing
Nature of processing: Collection, storage, retrieval, organisation, display, and deletion of event attendee personal data via the SignupDesk Platform.
Categories of personal data processed:
- Name, email address, mobile number (mandatory)
- Company name, designation, city (optional system fields)
- Custom form field responses (as configured by the Fiduciary)
- Consent record (timestamp, consent text presented, boolean consent flag)
- Seat number, QR token, check-in status and timestamp
Data subjects: Event attendees who register via the Client's SignupDesk-powered registration page.
Duration: For the duration of the Client's subscription plus the data retention period specified in Section 10.
Section 03
Processor Obligations
As Data Processor, Decipher Consultancy Services (SignupDesk) undertakes to:
- Process personal data only on documented instructions from the Fiduciary (the Client's use of Platform features constitutes instructions)
- Ensure that persons authorised to process the personal data have committed to confidentiality
- Implement and maintain appropriate technical and organisational security measures (detailed in Section 7)
- Not engage sub-processors without the Fiduciary's general or specific authorisation (authorisation is granted by agreeing to this DPA — see Section 5)
- Assist the Fiduciary in responding to data subject rights requests where technically feasible
- Delete or return all personal data to the Fiduciary at the end of the service relationship
- Make available all information necessary to demonstrate compliance with this DPA
- Not process personal data for any purpose other than providing the SignupDesk Service
Section 04
Fiduciary Obligations
As Data Fiduciary, the Client undertakes to:
- Have a lawful basis for collecting each category of personal data from attendees
- Present a clear, informed, and specific consent notice to attendees before collecting their data (SignupDesk provides a default compliant consent text — the Client must not remove or materially weaken it)
- Not instruct the Processor to process personal data in a manner that would violate applicable law
- Handle attendee rights requests (access, correction, complaint) in their capacity as Data Fiduciary
- Ensure that any custom form fields added to their events comply with the DPDP Act 2023 and do not collect sensitive personal data without explicit additional consent
- Inform the Processor promptly of any legal process, court order, or regulatory request received that affects attendee data processed by the Processor
Key point for Clients: You are legally responsible as the Data Fiduciary for your attendees' data. SignupDesk provides the technical platform and compliant infrastructure — but the obligation to obtain valid consent, respond to attendee rights requests, and comply with DPDP Act 2023 as the data-collecting entity rests with you.
Section 05
Sub-Processors
The Client grants general authorisation for SignupDesk to engage the following categories of sub-processors:
- Amazon Web Services (AWS): Cloud infrastructure and data storage. Region: Asia Pacific (Mumbai, ap-south-1). AWS is bound by a Data Processing Addendum with us.
- Email delivery service: For transactional emails (registration confirmations). The service processes email addresses and names only for the purpose of delivering specified emails.
SignupDesk will:
- Notify the Client of any planned changes to the above sub-processor list with at least 30 days' notice
- Ensure all sub-processors are bound by data protection obligations equivalent to those in this DPA
- Remain fully liable to the Client for the performance of sub-processors' data protection obligations
Section 06
Data Subject Rights
When an attendee (data subject) exercises their rights:
- Self-service erasure: Attendees can request deletion of their personal data directly from their registration confirmation page. SignupDesk will anonymise the data immediately — no Client instruction required for this path.
- Client-instructed deletion: The Client can delete any registration record from their admin panel. This also anonymises and soft-deletes the record.
- Access/Correction requests: If an attendee contacts the Client with an access or correction request, the Client can view and manage data via the admin panel. If technical assistance is needed, the Client may contact us at privacy@signupdesk.in.
- Processor assistance: SignupDesk will respond to Client requests for technical assistance with data subject rights within 7 business days.
Anonymisation approach: For erasure requests, personal fields (name, email, mobile, company, designation, city) are overwritten with placeholder values. The seat number record is retained anonymously to preserve the event organiser's seat audit trail — this is a legitimate processing purpose and does not constitute retention of personal data.
Section 07
Security Measures
SignupDesk implements and maintains the following technical and organisational security measures:
- Encryption at rest: All database data and stored files are encrypted using AES-256.
- Encryption in transit: All data transmission is protected by TLS 1.2 or higher. HTTP is automatically redirected to HTTPS.
- Access control: Multi-tenant isolation ensures each Client can only access their own data. Admin access requires password authentication. Our engineering team's access is on a need-to-know basis.
- Tenant isolation: Logical data isolation is enforced at the application level through automatic tenant scoping on all database queries.
- Vulnerability management: Platform dependencies are monitored and updated regularly. Security patches are applied within 7 days for critical vulnerabilities.
- Backups: Daily automated backups with 30-day retention, encrypted and stored in a separate AWS availability zone.
- Rate limiting: Registration endpoints are rate-limited to prevent automated abuse and data harvesting.
- CSRF protection: All form submissions are protected by CSRF tokens.
Section 08
Data Breach Notification
In the event of a personal data breach affecting Client data:
- SignupDesk will notify the affected Client(s) within 72 hours of becoming aware of the breach (or as soon as reasonably practicable)
- The notification will include: nature of the breach, categories of data affected, estimated number of data subjects affected, likely consequences, and measures taken or proposed
- The Client (as Data Fiduciary) is responsible for notifying the Data Protection Board of India and affected data subjects as required by the DPDP Act 2023
- SignupDesk will cooperate fully with the Client's breach response and any regulatory investigation
Section 09
Audit Rights
The Client has the right to verify SignupDesk's compliance with this DPA:
- By requesting documentation of security practices and compliance measures (we will respond within 14 business days)
- Through a third-party audit, with at least 30 days' notice, no more than once per year, conducted during business hours and in a manner that does not disrupt Platform operations
- The Client bears the cost of any third-party audit unless the audit reveals material non-compliance by SignupDesk
Section 10
Data Retention & Deletion
During the subscription: Data is retained as long as the subscription is active and for event operational purposes.
After subscription termination:
- The Client may export all their data within 30 days of termination via the admin panel
- After 30 days from termination, all personal data is permanently and irreversibly deleted from all systems and backups (backups are purged within their 30-day rotation cycle)
On Client instruction: The Client may instruct deletion of specific records or all data at any time during the subscription. We will execute such instructions within 7 business days.
Proof of deletion: Upon request, we will provide written confirmation that deletion has been completed.
Section 11
Governing Law
This DPA is governed by the laws of India, with specific reference to the Digital Personal Data Protection Act, 2023, and any rules or regulations enacted thereunder. Any disputes shall be subject to the exclusive jurisdiction of the courts of Gurugram, Haryana, India.
In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.
Section 12
Contact
For DPA-related queries, data deletion instructions, or compliance assistance: