Data Processing Agreement

The DPA covers sepia.live's operation as a travel-management SaaS platform. Tangible Spin LLP processes personal data only to provide and improve the service, including storing itinerary records, managing customer and trip records, generating invoices and notifications, supporting reviews and workflows, and enabling user and staff access.

Processing continues for the term of the controller's subscription. After termination, data may be retained for up to 90 days for export and recovery before secure deletion or anonymisation, unless longer retention is required by law.

Tangible Spin LLP processes personal data only on documented instructions from the controller, including instructions given through use of the service and the DPA itself. If law requires a different processing action, Tangible Spin LLP will notify the controller unless legally prohibited from doing so.

The controller remains responsible for having a lawful basis for the data entered into sepia.live, providing necessary notices, obtaining required consents, and making sure any customer-facing legal terms configured in the product do not conflict with privacy law or this DPA.

Minimum stated security measures include encryption in transit and at rest, access controls, role-based permissions, vulnerability monitoring, secure software development practices, and incident response procedures. The public security summary is available at Security and Data Handling.

Current subprocessors are published at Subprocessors and Service Providers. The DPA states that intended additions or replacements should be announced with at least 14 days' prior notice through that page and, where required by law, by direct notice.

Controllers may request information reasonably necessary to demonstrate compliance. The DPA also allows audits by the controller or an independent auditor, subject to advance written notice, business-hours scheduling, confidentiality obligations, and reasonable cost allocation.

Tangible Spin LLP may satisfy an audit request by providing a relevant third-party certification or audit summary, such as SOC 2 Type II or ISO 27001, instead of an on-site audit where appropriate.

The controller remains primarily responsible for responding to rights requests. If a data subject contacts Tangible Spin LLP directly, the request should be forwarded to the relevant controller unless Tangible Spin LLP has separate instructions to respond.

The DPA provides for export and deletion support, including forwarding identifiable deletion requests received through the privacy request page where appropriate.

Personal data may be processed outside the controller's home country where sepia.live infrastructure or subprocessors are located. For EU and UK transfers, the DPA incorporates recognised transfer mechanisms by reference rather than reproducing their full legal text on this page.

The DPA states that supplementary security measures for EU and UK transfer mechanisms include the measures described in the DPA itself and on the security page.

Liability under the DPA is subject to the limitations in the sepia.live Terms of Service, except where law does not allow limitation. Each party is responsible for the share of any damage attributable to its own privacy-law breach.

The DPA takes effect when the controller accepts it at signup or via legal settings and continues for the duration of the subscription. For data-processing issues, the DPA prevails over conflicting general terms.

Governing law is stated as India, with exclusive jurisdiction in the courts of Bengaluru, Karnataka, India, without limiting obligations imposed by applicable privacy laws.

Privacy and DPA questions can be sent to privacy@sepia.live or legal@sepia.live.