Effective date: 5 May 2026
This Data Processing Agreement ("DPA") is entered into between Spaciora Technologies Pvt. Ltd. ("Spaciora", "we", or "Processor") and the customer identified in the relevant Order Form or online sign-up (the "Customer", "you", or "Controller"). It supplements and forms part of the Terms of Service or master subscription agreement between the parties (the "Agreement") and governs the processing of personal data by Spaciora on the Customer's behalf.
This DPA is designed to satisfy applicable data protection laws, including the Digital Personal Data Protection Act, 2023 (the "DPDPA"), the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom Data Protection Act 2018 and UK GDPR, and other equivalent laws as applicable.
1. Parties and roles
The Customer is the Data Fiduciary (under the DPDPA) or Controller (under GDPR and UK GDPR) of the personal data it provides to or generates within the Service, and Spaciora is the Data Processor of that personal data, acting on the Customer's documented instructions.
2. Subject matter and duration
The subject matter of the processing is the personal data processed by Spaciora in providing the Service to the Customer. The duration of processing is the duration of the Customer's Subscription, plus any post-termination periods set out in the Agreement.
3. Nature and purpose of processing
The nature and purpose is to operate Spaciora's integrated workplace management system on behalf of the Customer, including hosting, displaying, transmitting, and processing personal data to provide visitor management, lease and tenant administration, helpdesk operations, energy and asset monitoring, audit logging, communications, analytics, security, and support.
4. Categories of Data Subjects
- The Customer's employees and personnel;
- The Customer's contractors and service providers;
- Visitors to the Customer's premises;
- Tenants and occupants of the Customer's properties and their authorised representatives;
- Vendors and suppliers of the Customer interacting through the Service; and
- Other individuals whose personal data the Customer or its Authorised Users submit to the Service.
5. Categories of personal data
- Identification data such as full name, employee or badge number, and government identifier references;
- Contact data such as email address, mobile number, and postal address;
- Visitor data such as photograph, signature, vehicle registration, host employee, time of arrival and exit, and approval records;
- Lease and tenancy data such as unit number, lease term, rent and charges, GSTIN, and invoice records;
- Helpdesk and operational data such as ticket descriptions, attachments, and resolution notes;
- Authentication and access data such as user identifiers, role assignments, login records, and audit trails;
- Device and technical data such as IP address, device type, and application logs.
Special categories of personal data should not be submitted to the Service unless the Customer has confirmed in writing with Spaciora that the relevant module is appropriate.
6. Spaciora's obligations as Processor
Spaciora will:
- process personal data only on the Customer's documented instructions, except where required by applicable law;
- ensure that personnel authorised to process personal data are subject to a duty of confidentiality;
- implement and maintain appropriate technical and organisational measures, as set out in Annex 1;
- engage sub-processors only in accordance with section 8 below and Annex 2, and remain responsible for the acts and omissions of its sub-processors;
- assist the Customer in fulfilling its obligation to respond to requests from Data Principals or Data Subjects;
- notify the Customer without undue delay, and in any event within 72 hours after becoming aware of a personal data breach;
- provide reasonable assistance to the Customer in carrying out data protection impact assessments; and
- at the Customer's choice, delete or return all personal data to the Customer at the end of the provision of the Service.
7. Customer obligations
- The Customer has, and will maintain, a valid lawful basis for the processing of personal data by Spaciora;
- The Customer's instructions to Spaciora regarding the processing of personal data comply with applicable data protection law;
- The Customer will configure the Service in accordance with the Documentation;
- The Customer will respond promptly to requests from Data Principals who have a direct relationship with the Customer.
8. Sub-processing
The Customer provides Spaciora with general written authorisation to engage sub-processors. The current list of approved sub-processors is set out in Annex 2.
Spaciora will give the Customer at least 14 days' prior notice of the addition or replacement of a sub-processor. Within that notice period, the Customer may object on reasonable data protection grounds. If the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Service for cause and receive a pro-rata refund of any pre-paid unused fees.
9. International transfers
By default, the personal data processed under this DPA is hosted in our primary region in Mumbai, India. Customers subject to GDPR may elect, where supported by their plan, to host their data in a European Union region.
Where personal data of Data Subjects in the EEA, the United Kingdom, or Switzerland is transferred outside those jurisdictions to a country that is not the subject of an adequacy decision, the transfer will be governed by the European Commission's Standard Contractual Clauses, supplemented by the United Kingdom International Data Transfer Addendum where applicable.
10. Audit rights
Spaciora will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including summaries of independent third-party audits and certifications. Where the Customer reasonably requires further information, the Customer may, at its own cost and no more than once per calendar year, conduct an audit of Spaciora's compliance with this DPA, subject to (a) at least 30 days' prior written notice; (b) the audit being carried out during normal business hours; (c) the auditor being an independent reputable third party not in competition with Spaciora and bound by confidentiality; and (d) compliance with Spaciora's reasonable security and confidentiality requirements.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Claims under this DPA and the Agreement are aggregated for the purposes of the cap on liability set out in the Agreement.
Annex 1: Technical and organisational measures
- Encryption. Personal data is encrypted at rest using AES-256 and in transit using TLS 1.3 or higher.
- Access controls. Multi-factor authentication is required for all administrative access. Role-based access control and least privilege apply to internal access. Quarterly access reviews are performed.
- Audit logging. Security-sensitive and administrative actions are recorded in immutable, append-only audit logs.
- Vulnerability management. Production systems are subject to continuous vulnerability scanning. Identified vulnerabilities are triaged and remediated according to documented severity-based timelines.
- Penetration testing. Independent third-party penetration tests are conducted at least annually.
- Secure software development. Source code is subject to peer review, automated security testing, and dependency vulnerability scanning.
- Personnel security. Personnel with access to personal data are subject to background checks where permitted by law, written confidentiality undertakings, and mandatory annual security and privacy training.
- Incident response. A documented incident response plan governs the detection, containment, and eradication of, and recovery from, security incidents.
- Business continuity. Backups are performed at regular intervals, encrypted, and tested. BCP/DR plans are reviewed and exercised at least annually.
- Physical security. Production data is hosted in data centres with 24/7 monitoring, access logging, and environmental safeguards.
Annex 2: Approved sub-processors
| Name | Service | Location | Transfer mechanism |
|---|---|---|---|
| Cloud hosting provider | Primary application hosting and storage | India (Mumbai region) | India residency; no cross-border transfer |
| CDN provider | Content delivery and edge security | United States (with global edge nodes) | Standard Contractual Clauses |
| Email provider | Transactional and notification email delivery | United States | EU-US Data Privacy Framework |
| Payment processor | Payment processing for INR and multi-currency billing | India | India residency; no cross-border transfer |
| Customer support tooling provider | Helpdesk ticketing and in-app chat | European Union | India-EU transfer under SCCs |
| Analytics provider | Aggregated product and marketing analytics | EU / United States | Standard Contractual Clauses |