Data Processing Addendum
Last updated: 29 April 2026
1. Parties & scope
This Addendum forms part of the Master Services Agreement between the customer ("Controller") and Silicoyn Technologies Pvt Ltd ("OriginChain" or "Processor"). It governs the processing of Personal Data the Controller submits to the OriginChain Service.
2. Roles
The Controller is the data controller; OriginChain is the data processor. OriginChain processes Personal Data only on documented instructions from the Controller - typically the API and console actions taken by the Controller's authenticated users.
3. Categories of data & data subjects
The Service is a general-purpose database; the Controller decides what to store. OriginChain does not classify Personal Data on the Controller's behalf. Typical categories include:
- End-user identifiers (email, account id)
- Application content (rows, schema, query history)
- Operational telemetry (request timestamps, error codes)
Special-category data (health, biometrics, political opinion etc.) may only be processed under an Enterprise contract with appropriate sector-specific addenda.
4. Sub-processors
OriginChain uses the following sub-processors as of the date above. We notify Controllers in advance of any addition or replacement.
- Amazon Web Services Cloud infrastructure: compute, storage, backups, DNS, object storage, and our managed account database.
- Razorpay Payment processing. Card data is tokenised - OriginChain never receives PAN or CVV.
- Anthropic Natural-language compilation of
/v1/askrequests. Prompts are submitted to the model and discarded; we do not store model output beyond the response we return.
5. International transfers
Customer data is stored in the region selected by the Controller. Today the only live region is Mumbai (Asia Pacific). Cross-border transfers, if any, occur only when the Controller routes AI traffic through a model endpoint in another region - controlled by the Controller's tenant configuration.
6. Security
See /security for the full posture. Summary: TLS for every external endpoint, Argon2id for stored credentials, isolated tenant resources, daily backups encrypted at rest, and principle-of-least-privilege engineer access that is brokered and audit-logged (no direct SSH).
7. Data subject requests
On the Controller's instruction, OriginChain will assist with the rectification, erasure, restriction, or export of Personal Data. Self-serve mechanisms:
- Erasure: cancel a subscription with the "delete data" option, or contact privacy@originchain.ai to expedite.
- Export: scan the affected schemas via the API. We do not gate exports.
- Rectification: standard write API.
8. Deletion & retention
On termination of a tenant subscription with the "delete data" flag set:
- The per-tenant compute and storage volume are destroyed within 24 hours.
- Backup snapshots age out after 30 days per the standard retention policy. Earlier deletion is available on written request.
- Operational metadata in our management systems (instance and subscription rows) is retained for 7 years to satisfy financial record-keeping obligations under Indian tax law (Section 44AA, Income Tax Act, 1961).
- Security logs (auth events, failed login attempts) are retained for 90 days.
9. Breach notification
OriginChain will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Controller's data. Notification includes the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.
10. Audit
OriginChain provides on request: SOC 2 Type 1 reports as they are issued (Type II available on request once attested), the security questionnaire (today: /security), and access to engagement-specific evidence (penetration test reports, vulnerability scans, access logs filtered to the Controller's tenant). On-site audits are negotiated per Enterprise contract.
11. Liability
Liability under this Addendum is governed by the limitation-of-liability clause in the Master Services Agreement.
12. Governing law
This Addendum is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka. Where a Controller is established in the EU/UK and EU/UK data protection law applies to the processing, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller to Processor) as a separate signed annex.
13. Contact
Privacy office: privacy@originchain.ai
Postal address: Silicoyn Technologies Pvt Ltd, Bengaluru, Karnataka, India.