Last modified: November 24, 2025
This Data Processing Agreement (“Agreement”) forms part of the Contract for Services under
GreenStitch’s Terms and Conditions (the “Principal Agreement”) between:
Processor:
GreenStitch Technologies Pvt Ltd.
(referred to as the “Processor” or “GreenStitch”)
and the company using GreenStitch’s services (referred to as the “Company” or
“Controller“).
This Agreement governs the specific requirements of Data Protection Laws to the extent that the Company’s use
of GreenStitch Services implies the processing of Personal Data subject to Data Protection Laws.
This Agreement is complementary to our Privacy Policy, which serves as the primary reference for our data
protection practices and measures.
The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall
have the meaning as set forth in the Principal Agreement.
A) The Company acts as a Data Controller (the “Controller”).
B) The Company wishes to subcontract certain Services (as defined below), which imply the processing of
Personal Data, to GreenStitch Technologies Pvt Ltd., acting as the Data Processor (the “Processor”).
C) The Parties seek to implement a data processing agreement that complies with GDPR and other applicable
data protection laws.
D) The Parties wish to lay down their rights and obligations.
1.1) “Agreement” means this Data Processing Agreement and all Schedules;
1.2) “Company Personal Data” means any Personal Data related to the Company or Company’s
customers or employees Processed in connection with the Principal Agreement;
1.3) “Contracted Processor” means a Subprocessor;
1.4) “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable,
the data protection or privacy laws of any other country;
1.5) “EEA” means the European Economic Area;
1.6) “EU Data Protection Laws” means EU Directive 95/46/EC, GDPR, and implementing laws;
1.7) “GDPR” means EU General Data Protection Regulation 2016/679;
1.8) “Data Transfer” means:
1.8.1) a transfer of Company Personal Data from Controller to the Processor or a Contracted Processor;
1.8.2) an onward transfer of Company Personal Data from the Processor to a Subprocessor;
1.9) “Services” means sustainability, environmental data and workflow automation services
(including reporting, analytics, AI agents, and related tools) developed by the Processor.
1.10) “Subprocessor” means any person appointed by the Processor to process Personal Data.
Terms like “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, “Processing”,
and “Supervisory Authority” follow GDPR definitions.
Processor shall:
2.1) comply with Data Protection Laws;
2.2) not process Company Personal Data other than under Controller’s documented instructions.
Controller instructs Processor to:
2.3) provide the Services and related support;
2.4) fulfil legal obligations or resolve disputes;
2.5) enhance security, privacy, performance and functionality of the Services;
2.6) conduct internal reporting and financial tasks.
Processor shall ensure only authorized, reliable personnel access Company Personal Data, subject to
confidentiality obligations.
Processor shall implement appropriate technical and organizational measures consistent with GDPR Article 32.
Processor is authorized to engage Subprocessors and update the Subprocessor list per Privacy Policy procedures.
The Company authorizes the Processor to transfer Personal Data within its corporate group,
including GreenStitch Technologies Pvt Ltd.
Subprocessors must be bound by protections no less restrictive than those in this Agreement.
As of the Last modified date above, the Processor uses the following Subprocessors
in connection with the provision of the Services and related support activities:
| Subprocessor | Purpose of Processing | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting, compute, storage, infrastructure services. | India, Azure Servers |
| Cloudways (by DigitalOcean) | Managed cloud hosting platform for application deployment. | HQ in New York, USA; global data centers (USA, EU, Asia). |
| Cloudflare, Inc. | CDN, DNS, edge security, DDoS protection. | HQ in San Francisco, USA; global edge network in 100+ countries. |
| HubSpot, Inc. | CRM, marketing automation, communication tools. | Cambridge, Massachusetts, USA; hosting in USA/EU. |
| Google Workspace (Google LLC) | Email, document storage, collaboration, internal communication. | Mountain View, California, USA; global cloud infrastructure. |
| Google Analytics (GA4) | Web analytics, traffic insights, usage patterns. | USA (Google LLC) with global processing infrastructure. |
| Microsoft Clarity | Session analytics and user interaction analysis. | USA (Microsoft Corporation); processing in USA/EU. |
| OpenAI | AI language model services supporting automation and analytics. | San Francisco, USA; processing in USA and cloud regions. |
The Processor may update this Subprocessor list from time to time. Where required by Data Protection Laws,
the Processor will provide the Company with notice of any intended changes to Subprocessors, giving the Company
an opportunity to object where such right is provided under applicable law.
Processor shall assist Company in responding to Data Subject rights requests.
6.1) Notify Company of any direct Data Subject request.
6.2) Not respond directly without instruction, except where required by law.
Processor shall notify Company without undue delay of any Personal Data Breach affecting Company Personal Data and
assist with investigation and remediation.
Each party bears costs for breaches caused by that party.
Processor shall assist Company in DPIAs and supervisory authority consultations as required under GDPR.
Upon cessation of Services, Processor shall delete all Company Personal Data unless law requires retention.
Company must request a copy before account deletion.
Processor shall permit audits once per year with 60 days notice (unless breach/regulator requirement).
Audits must protect confidentiality and avoid disruption.
Processor shall transfer Personal Data only to jurisdictions providing adequate protection or using appropriate
safeguards such as Standard Contractual Clauses or equivalent mechanisms.
Compliance. Processor will comply with applicable Data Protection Laws. Processor is not responsible for laws that apply solely to Company’s business.
Confidentiality. Each party must keep Confidential Information secure, except where disclosure is required by law or already public.
Notices. All notices must be sent by email. Processor notices shall be sent to:
[email protected]
This Agreement shall be governed by and construed in accordance with the laws of India.
All disputes, actions, claims, or proceedings arising out of or relating to this Agreement shall be subject to the
exclusive jurisdiction of the courts of Bengaluru, Karnataka, India.
EcoLoom
C-Suite Ready Insights — trusted by 5,000+ ESG leaders. Straight To Your Inbox. Twice A Month.
