Data Processing Agreement

"Controller" the entity that determines the purposes and means of processing personal data — in this context, Customer.

"Processor" the entity that processes personal data on behalf of the Controller — in this context, Birha.

"Data Subject" an identified or identifiable natural person to whom personal data relates.

"Personal Data" any information relating to a Data Subject as defined under applicable Data Protection Law.

"Data Protection Law" GDPR (EU 2016/679), UK GDPR, the Indian Digital Personal Data Protection Act 2023, or any other applicable data protection legislation, as relevant to the processing.

"Processing" any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" any third party engaged by Birha to carry out processing activities on Customer's behalf.

Birha will process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. Customer's instructions are: (a) as set out in the Order; and (b) as set out in this DPA. If Birha believes an instruction infringes Data Protection Law, it will inform Customer promptly and may suspend processing of that instruction until Customer provides a lawful alternative.

Customer is responsible for ensuring it has a lawful basis for any Personal Data it shares with Birha and that its instructions to Birha are compliant with applicable Data Protection Law.

The categories of Personal Data, Data Subjects, and processing purposes that may apply under this DPA are:

• Business contact data (name, email, job title) provided by Customer personnel in connection with submitting a dataset request or managing an Order — processed for the purpose of service delivery and communication.
• Annotation configuration data provided by Customer that may reference individuals (e.g. taxonomy labels, attribute definitions) — processed for the purpose of configuring annotation tasks in Label Studio.
• Any other Personal Data that Customer expressly and knowingly includes in materials shared with Birha — processed only for the purposes specified in the accompanying Order.

Birha will ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations. Birha will limit access to Personal Data to those personnel who need it to fulfil the Order.

Birha implements and maintains technical and organisational security measures appropriate to the risk, including:

• Encryption of data in transit (TLS 1.2+) and at rest.
• Access controls and role-based permissions for internal systems.
• Regular security reviews of infrastructure and subprocessors.
• Incident response procedures, including notification to Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.

Birha will provide reasonable assistance to Customer in fulfilling its own security obligations under Data Protection Law upon written request.

Customer grants Birha general written authorisation to engage sub-processors. Birha's current sub-processors involved in processing Customer Personal Data are:

Birha will notify Customer at least 14 days in advance of adding or replacing a sub-processor that processes Customer Personal Data. Customer may object to a new sub-processor within that period; if the parties cannot agree, Customer may terminate the affected Order without penalty.

Birha imposes data protection obligations on sub-processors that are no less protective than those in this DPA.

Taking into account the nature of the processing, Birha will assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law (access, rectification, erasure, portability, restriction, objection). Birha will forward any Data Subject requests it receives directly to Customer within 5 business days.

Upon expiry or termination of the relevant Order, Birha will, at Customer's election, securely delete or return all Personal Data processed on Customer's behalf, unless applicable law requires retention for a longer period. Birha will certify deletion in writing upon request.

Birha will provide Customer with information reasonably necessary to demonstrate compliance with this DPA. Upon 30 days' prior written notice and no more than once per 12-month period, Customer (or an independent auditor bound by confidentiality) may conduct an audit of Birha's processing activities relevant to this DPA. Audit costs are borne by Customer unless material non-compliance is found.

Where Personal Data originating in the EEA or UK is transferred to Birha in India or to sub-processors in other third countries, such transfers are subject to appropriate safeguards under applicable Data Protection Law. Birha will enter into Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms with Customer upon request.

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except to the extent that Data Protection Law prohibits such limitation.

To request a signed DPA, raise a data protection question, or notify Birha of a potential Personal Data breach, email hello@birha.in with the subject line "DPA".