Last updated: May 10, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between BreakNCo Global Private Limited ("Packets," "Processor") and the customer ("Controller") and governs the processing of personal data by Packets on behalf of the customer in connection with the Packets platform.

Request a signed DPA

Enterprise customers and any organisation whose data is subject to GDPR, UK GDPR, or similar regulation may request a pre-signed DPA. We will return a countersigned copy within 5 business days.

Request DPA →

1. Definitions

Controller: The customer organisation that determines the purposes and means of processing personal data within the Packets platform.

Processor: BreakNCo Global Private Limited, which processes personal data on behalf of the Controller.

Data Subject: An identified or identifiable natural person whose personal data is processed.

Personal Data: Any information relating to a Data Subject, as defined under applicable data protection law.

Sub-processor: Any third party engaged by Packets to process personal data on the Controller's behalf. See our Subprocessors page.

2. Scope and Nature of Processing

Subject matterOperation of the Packets compliance automation platform
DurationFor the term of the customer's subscription agreement
NatureCollection, storage, retrieval, use, analysis, disclosure, deletion of compliance data
PurposeProviding the platform services as described in the subscription agreement
Data categoriesProfessional/employment data, compliance programme data, evidence files, risk and vendor information
Data subjectsCustomer's employees, contractors, and administrators using the platform

3. Processor Obligations

Packets shall:

  • Process personal data only on documented instructions from the Controller (the subscription agreement and this DPA constitute such instructions)
  • Ensure that authorised personnel are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Security page)
  • Assist the Controller in responding to Data Subject rights requests within 30 days
  • Assist the Controller with security obligations, breach notifications, impact assessments, and prior consultations
  • Delete or return all personal data on termination of the agreement, in accordance with the retention schedule in our Privacy Policy — Section 9
  • Provide all information necessary to demonstrate compliance with this DPA

4. Sub-processors

The Controller grants general authorisation for Packets to engage sub-processors listed on our Subprocessors page. Packets will provide 30 days' advance notice of any new or replacement sub-processor via the notification subscription on that page.

The Controller may object to a new sub-processor within the 30-day notice period by emailing admin@packets.build. If a commercially reasonable resolution cannot be found, the Controller may terminate the relevant services on written notice.

5. International Data Transfers

Where personal data is transferred outside the country of origin, transfers are protected as follows:

  • EU/EEA → USA: Standard Contractual Clauses (SCC) — Module 2 (Controller to Processor), incorporated into this DPA as Annex I
  • UK → USA: UK International Data Transfer Addendum (IDTA) or UK Addendum to EU SCCs, incorporated as Annex II
  • India → USA: Contractual safeguards per applicable Indian law; DPDP Act 2023 obligations observed

India-based processing: the vast majority of Packets' infrastructure is in India (Mumbai) and Singapore. See the Subprocessors page for full detail.

6. Security Measures

Packets implements appropriate technical and organisational measures including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest
  • Role-based access control and multi-factor authentication
  • Immutable audit logging of all data access and mutations
  • Rate limiting, DDoS protection, and infrastructure-level security controls
  • Regular security reviews and vulnerability management

Full details are on our Security page.

7. Data Breach Notification

Packets will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting the Controller's data. Notification will include: nature of the breach, categories and approximate number of Data Subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed.

8. AI Processing Addendum

For customers in regulated industries or with specific requirements regarding AI data handling, an AI Processing Addendum is available on request. It covers in detail: what data is transmitted to the AI layer, the contractual basis for disabling AI model training, and the controller/processor relationship in the AI context. Request via admin@packets.build.

9. Audit Rights

Packets will provide all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct audits or inspections, with reasonable prior written notice (minimum 30 days), no more than once per calendar year, at the Controller's expense, and subject to confidentiality obligations.

10. Governing Law

This DPA is governed by the laws of India, subject to any mandatory provisions of GDPR, UK GDPR, or CCPA applicable to the Controller. The SCC and UK Addendum annexes are governed by their respective applicable laws.

11. Contact

For DPA requests, questions, or data subject assistance requests: admin@packets.build
BreakNCo Global Private Limited, Ernakulam — 683104, Kerala, India