COOKIESSPACE – DATA PROCESSING ADDENDUM POLICY

Version: 2025

Effective Date: 01/01/26

Between:

CookiesSpace Private Limited, Christo Tower, Esakiamman Kovil Street, KP Road, Nagercoil – 629001, Tamil Nadu, India (“Processor” or “CookiesSpace”)
and
The Customer (“Data Fiduciary” or “Customer”).

This Data Processing Addendum governs CookiesSpace’s processing of Personal Data on behalf of the Customer as part of providing cloud infrastructure and platform services under the CookiesSpace Terms of Service (“Agreement”).

1. DEFINITIONS

1.1 “DPDP Act” means the Digital Personal Data Protection Act, 2023 of India.

1.2 “Personal Data” has the meaning assigned under the DPDP Act and includes any personal data processed under this Agreement.

1.3 “Data Fiduciary” means the Customer who determines the purpose and means of processing Customer Personal Data.

1.4 “Data Processor” means CookiesSpace when processing personal data on behalf of the Customer.

1.5 “Customer Data” includes all personal and non-personal data uploaded, stored, transmitted, or processed using CookiesSpace Services.

1.6 “Security Incident” means any unauthorized access, disclosure, loss, or alteration of Customer Personal Data.

1.7 “Sub-Processor” means any third-party service provider engaged by CookiesSpace.

2. ROLE OF PARTIES

2.1 Customer acts as the Data Fiduciary.

2.2 CookiesSpace acts solely as the Data Processor and processes Personal Data strictly in accordance with Customer instructions.

2.3 If Customer uses CookiesSpace to store or process personal data of end-users, the Customer alone determines the purpose of processing and is responsible for obtaining consent.

3. SCOPE & PURPOSE OF PROCESSING

CookiesSpace processes Customer Personal Data for the following purposes:

  • Provision of IaaS and PaaS
  • Authentication and access control
  • Logging, monitoring, and security operations
  • Technical support and troubleshooting
  • Billing and invoicing
  • Compliance with Indian law (DPDP, CERT-In, IT Act)
  • Backup, replication, and redundancy
  • Improvement of service reliability and performance (non-identifiable data only)

CookiesSpace does not use Customer Personal Data for marketing, profiling, or advertising.

4. CUSTOMER OBLIGATIONS (DATA FIDUCIARY DUTIES)

Customer is responsible for:

  • Obtaining legally valid consent from individuals (Data Principals)
  • Providing privacy notices to their users
  • Implementing necessary technical and organizational controls within their workloads
  • Ensuring lawfulness of all Customer Data stored on CookiesSpace infrastructure
  • Ensuring cross-border data transfers comply with the DPDP Act

CookiesSpace does not vet the legality of Customer Data.

5. COOKIESSPACE OBLIGATIONS (DATA PROCESSOR DUTIES)

CookiesSpace shall:

5.1 Process Only on Documented Instructions

CookiesSpace will process Customer Personal Data only:

  • As instructed in writing
  • As required to provide Services
  • As required under Indian law

5.2 Confidentiality

All employees, contractors, and sub-processors must be bound by confidentiality obligations.

5.3 Security Measures

CookiesSpace implements industry-standard controls including:

  • Encryption at rest and in transit
  • Access control & MFA
  • Network segmentation & firewalls
  • Vulnerability scanning
  • Secure configurations
  • Physical data center security
  • Redundant infrastructure
  • Security monitoring (SOC)

5.4 Data Minimization

Personal Data is processed only to the extent necessary.

5.5 Data Retention (Legal & Operational)

CookiesSpace implements industry-standard retention controls including:

  • Logs retained for 180 days (CERT-In requirement)
  • Identity/KYC data retained for 5 years
  • Backups retained for limited periods (30–90 days)
  • Customer Personal Data deleted upon account closure

5.6 Sub-Processors

CookiesSpace may use sub-processors such as:

  • Data center operators
  • Payment gateways
  • Email/SMS service providers
  • Monitoring & security vendors

CookiesSpace ensures all sub-processors implement equivalent data protection safeguards.

6. CROSS-BORDER DATA TRANSFERS

If Customer selects a Non-India Region, Customer Data may be stored outside India.

CookiesSpace shall:

  • Transfer data only to jurisdictions not restricted by the Government of India
  • Ensure equivalent or stronger protections
  • Notify Customer if any transfer becomes restricted in the future

Customer remains responsible for ensuring user-level consent for any cross-border transfer.

7. RIGHTS OF DATA PRINCIPALS

CookiesSpace assists the Customer in fulfilling obligations related to:

  • Access requests
  • Correction requests
  • Data erasure
  • Consent withdrawal
  • Nomination rights

Customer must submit requests to:

CookiesSpace is not required to respond directly to end users unless mandated by law.

8. SECURITY INCIDENT MANAGEMENT

CookiesSpace shall:

  1. Notify Customer without undue delay of any actual or suspected breach
  2. Notify CERT-In within 6 hours, as legally required
  3. Provide details including nature, impact, and mitigation steps
  4. Work with Customer to resolve the incident
  5. Retain logs for forensic analysis

Customer must promptly notify CookiesSpace of any breach affecting their own environment.

9. AUDIT RIGHTS

9.1 CookiesSpace maintains internal/external audits for data security compliance.

9.2 Customer may request audit reports (such as ISO or equivalent) under NDA.

9.3 On-site audits are allowed only when:

  • Legally required OR
  • Material breach is suspected

Audits must not compromise infrastructure security or other customers.

10. DATA DELETION & RETURN

Upon termination or Customer request:

  • Customer may export their data
  • CookiesSpace will delete Customer Personal Data after a defined retention period (30–90 days)
  • Backups containing data will be deleted after expiry of automated cycles
  • CERT-In mandated logs cannot be deleted before 180 days

CookiesSpace will provide a written confirmation of deletion on request.

11. COMPLIANCE WITH LAW

CookiesSpace will comply with:

  • DPDP Act 2023
  • CERT-In 2022 Cybersecurity Directions
  • IT Act 2000
  • Indian Penal Code
  • Any lawful order of government or court

Customer must comply with all laws governing the Customer’s content and application.

12. LIABILITY

Liability follows the main Terms of Service.

CookiesSpace’s liability for data protection claims is limited to:

  • Amounts paid in the preceding 12 months, unless caused by CookiesSpace’s gross negligence or wilful misconduct.

13. TERM & TERMINATION

This DPA remains effective:

  • As long as the Customer uses CookiesSpace Services OR
  • Until the Agreement is terminated

Sections involving confidentiality, security, deletion, and legal compliance survive termination.

14. GOVERNING LAW & DISPUTES

This DPA is governed by the laws of India, with exclusive jurisdiction in Tamil Nadu courts.