Data Processing Agreement
This agreement governs how BossMa Studio Works processes personal data on behalf of institutional partners using the NariBot PaaS platform.
Last Updated: April 14, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Data Fiduciary / Controller: The institutional partner organisation ("Partner") that deploys NariBot for its programme beneficiaries
- Data Processor: BossMa Studio Works Private Limited (CIN: U62099KA2024PTC215560), Bengaluru, Karnataka, India ("BossMa")
This DPA forms part of the Master Services Agreement (MSA) or Memorandum of Understanding (MoU) between BossMa and the Partner. In the event of conflict, the MSA takes precedence over this DPA; and this DPA takes precedence over BossMa's general Terms and Conditions with respect to data processing matters.
This DPA is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India. Where the Partner or end users are based in the European Economic Area, this DPA also incorporates obligations under the EU General Data Protection Regulation (GDPR) including Standard Contractual Clauses (SCCs) as applicable.
2. Definitions
- Personal Data — any data about an identified or identifiable natural person (data principal), including mobile number, name, SHG details, livelihood data, and conversation transcripts
- Data Principal — the individual (SHG women, field trainer) whose personal data is processed
- Processing — any operation on personal data including collection, storage, use, disclosure, transfer, or deletion
- NariBot Platform — BossMa's AI livelihood assistant system including IVR, WhatsApp, SMS channels, Voice-to-Ledger, NariScore engine, trainer dashboards, and Looker Studio analytics
- DAR Data — Digital Aajeevika Register format data generated from NariBot conversations
- NariScore — BossMa's proprietary 180-day financial behaviour metric computed from ledger entries
- Sub-Processor — a third-party processor engaged by BossMa to process personal data
3. Data Processing Details
| Element | Details |
|---|---|
| Subject matter | AI-powered livelihood guidance and income tracking for SHG women and allied programme beneficiaries |
| Duration | For the term of the MSA, plus the export and deletion periods specified in Section 10 |
| Nature of processing | Collection via IVR/WhatsApp/SMS, AI processing (transcription, NLP, ledger extraction), structured storage, analytics, reporting |
| Purpose | Delivering NariBot services to Partner's beneficiaries; generating DAR exports and NariScore; providing partner dashboards |
| Categories of data principals | Rural women SHG members; field trainers; programme coordinators |
| Types of personal data | Name, mobile number, SHG details, district/state, language, daily sales, costs, surplus, scheme participation, NariScore records, consent records |
| Special categories | None collected by default. Financial data (income, loans) is treated with enhanced security controls. |
4. BossMa's Obligations as Processor
BossMa shall:
- Process personal data only on documented instructions from the Partner, including with regard to transfers of personal data to a third country, unless required to do so by applicable law
- Ensure that all BossMa personnel authorised to process the personal data are bound by appropriate confidentiality obligations
- Implement technical and organisational security measures appropriate to the risk (see Section 5)
- Notify the Partner without undue delay (and within 72 hours) after becoming aware of a personal data breach affecting Partner's data principals
- Assist the Partner in responding to requests from data principals to exercise their rights under the DPDP Act
- At the Partner's choice, delete or return all personal data to the Partner upon termination of the DPA, unless applicable law requires storage
- Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Partner or a mandated auditor
- Not engage any new sub-processor without prior written consent of the Partner
5. Security Measures
BossMa maintains the following technical and organisational measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all API communications; HTTPS for all web endpoints |
| Encryption at rest | AES-256 encryption for Supabase and Firestore databases |
| Access control | Role-based access; Firebase Phone Auth OTP for trainer logins; least-privilege principle |
| Data minimisation | Only data necessary for service delivery is collected and retained |
| Sub-processor security | All sub-processors maintain ISO 27001 or equivalent certifications |
| Incident response | Documented breach response procedure; 72-hour notification commitment |
| Data localisation | All personal data stored on Indian cloud infrastructure (GCP asia-south1, Yotta Cloud India) |
| Pseudonymisation | Analytics and AI training use pseudonymised or aggregated data only |
6. Approved Sub-Processors
The Partner provides general written authorisation for BossMa to engage the following sub-processors. BossMa will inform the Partner of any changes to this list with at least 14 days' notice:
| Sub-Processor | Role | Location |
|---|---|---|
| Google Cloud Platform | Hosting, Firestore, Vertex AI (Gemini) | India (asia-south1) |
| Supabase Inc. | Relational database (women, trainers, NariScore) | India / migrating to Yotta Cloud |
| BHASHINI (MeitY, Govt. of India) | ASR, TTS, NMT, language detection | India |
| Samora AI | IVR telephony, WhatsApp Business API, SMS delivery | India |
| Google LLC (Looker Studio) | Analytics dashboards (uses anonymised/aggregated data) | India region |
7. Partner's Obligations as Data Fiduciary
The Partner shall:
- Ensure a valid legal basis exists for processing each data principal's personal data before onboarding them to NariBot
- Obtain and document DPDP-compliant, explicit, informed consent from each data principal in their preferred language before data collection begins
- Ensure consent notices meet the requirements of Section 6 of the DPDP Act, 2023
- Not instruct BossMa to process personal data in any manner that would violate applicable law
- Promptly inform BossMa of any changes to processing instructions that may affect BossMa's security or compliance obligations
- Not direct BossMa to transfer personal data outside India without ensuring an adequate legal mechanism exists
- Maintain a register of data principals enrolled under the Partner's deployment
8. IP Ownership and Data Ownership
- Personal data of end users (name, phone, livelihood data) is owned by the data principal. The Partner, as data fiduciary, holds custodial responsibility. BossMa processes it on the Partner's behalf.
- Conversation transcripts generated through the Partner's deployment are jointly held, with BossMa retaining a licence to use anonymised/aggregated transcripts for AI model improvement
- NariScore methodology, computation logic, and NariScore outputs are the sole intellectual property of BossMa Studio Works Private Limited
- DAR-format exports provided to the Partner are the Partner's data for their programme reporting purposes
- Platform code, APIs, AI models, and dashboards remain BossMa's exclusive property
9. Data Breach Notification
In the event of a personal data breach:
- BossMa will notify the Partner within 72 hours of becoming aware of a breach affecting Partner's data
- The notification will include: nature of the breach, categories and approximate number of data principals affected, likely consequences, and measures taken or proposed
- The Partner, as data fiduciary, is responsible for notifying the Data Protection Board of India and affected data principals as required by law
- BossMa will cooperate fully with the Partner's breach investigation and remediation
10. Data Returns and Deletion
Upon termination of the MSA or this DPA:
- BossMa will provide the Partner with a complete data export in DAR/CSV/JSON format within 30 days of termination
- Following successful export confirmation, BossMa will securely delete all Partner-specific personal data within 60 days, except data required to be retained by law
- BossMa will provide a written certification of deletion upon request
- Anonymised and aggregated data (not attributable to individuals) may be retained by BossMa indefinitely for research and model improvement
11. Liability and Indemnification
Each party shall be liable for its own violations of this DPA. Where a data principal suffers damage due to a processing violation:
- If the damage results from BossMa's breach of its processor obligations, BossMa bears liability to the extent of its breach
- If the damage results from the Partner's unlawful instructions or failure to obtain consent, the Partner bears liability
- BossMa's total aggregate liability under this DPA shall not exceed the fees paid by the Partner in the 6 months preceding the incident giving rise to the claim
12. Governing Law
This DPA is governed by the laws of India. Disputes shall be resolved in accordance with the dispute resolution provisions of the applicable MSA, or failing that, before the courts of Bengaluru, Karnataka.
For Partners with operations in the EU/EEA, EU Standard Contractual Clauses (Module 2: Controller-to-Processor) as adopted by the European Commission will be incorporated as an addendum to this DPA upon request.
13. Contact and Execution
This DPA becomes effective upon execution of the applicable MSA/MoU. Partners wishing to execute a standalone DPA or request an addendum should contact:
Data Protection and Legal Contact
BossMa Studio Works Private Limited
Attention: Data Protection Officer / Grievance Officer
Email: privacy@bossma.in
For partnership enquiries: hello@bossma.in
Address: Bengaluru, Karnataka — 560001, India