DATA PROCESSING ADDENDUM
Orangescrum Multi-Tenant SaaS Platform
Last Revised: 24 May 2026
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Master Services Agreement, Subscription Agreement, Terms of Service, or other written agreement (the “Agreement”) entered into between Andolasoft India Private Limited (“Andolasoft” or “Processor”) and the customer identified in the Agreement (“Customer” or “Controller”) under which Customer subscribes to or uses the Orangescrum multi-tenant Software-as-a-Service platform (the “Services”).
This DPA reflects the Parties’ agreement regarding the processing of Personal Data in connection with Customer’s use of the Services. To the extent of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
1. Definitions
Capitalized terms not defined below have the meanings given to them in the Agreement or in applicable Data Protection Laws.
- “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including, as applicable, the Information Technology Act, 2000 and rules thereunder, the Digital Personal Data Protection Act, 2023 (India), the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and equivalent national or state laws.
- “Controller” means the natural or legal person which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
- “Customer Data” means any data, including Personal Data, that Customer or its Authorized Users upload to, submit to, or generate within the Services.
- “Customer Personal Data” means Personal Data contained within Customer Data which Andolasoft Processes on behalf of Customer in the course of providing the Services.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Personal Data” means any information relating to an identified or identifiable natural person, or such other meaning as ascribed under Applicable Data Protection Laws.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Andolasoft or its Sub-processors.
- “Processing / Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, transmission, erasure, or destruction.
- “Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller.
- “Services” means the Orangescrum multi-tenant SaaS project management platform and related services provided by Andolasoft to Customer under the Agreement.
- “Sub-processor” means any third party (including affiliates of Andolasoft) engaged by Andolasoft to Process Customer Personal Data in connection with the Services.
2. Roles and Responsibilities
2.1 Roles of the Parties
The Parties acknowledge and agree that, with respect to the Processing of Customer Personal Data under this DPA:
- Customer is the Controller of Customer Personal Data and is responsible for compliance with its obligations as a Controller under Applicable Data Protection Laws.
- Andolasoft is a Processor acting on behalf of Customer with respect to Customer Personal Data.
- Each Party is an independent Controller in respect of (i) its own employee data, and (ii) data each Party Processes for its own legitimate business purposes such as billing, account administration, service analytics, fraud prevention, and security monitoring.
2.2 Customer Responsibilities
Customer represents and warrants that:
- It has established and shall maintain a valid lawful basis under Applicable Data Protection Laws for the Processing of Customer Personal Data via the Services, including by providing all required notices and obtaining all required consents from Data Subjects.
- Its instructions to Andolasoft regarding the Processing of Customer Personal Data comply with Applicable Data Protection Laws.
- It is responsible for the accuracy, quality, content, and lawfulness of Customer Data uploaded to or generated within the Services.
- It will configure the Services using the access controls, role-based permissions, and security features made available within the platform to protect Customer Personal Data consistent with its risk profile.
3. Scope, Purpose, and Customer Instructions
3.1 Subject Matter and Duration
The subject matter, duration, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are set out in Annex 1 (Description of Processing).
3.2 Customer Instructions
Andolasoft shall Process Customer Personal Data only on the documented instructions of Customer. The Parties agree that the Agreement (including this DPA), Customer’s configuration and use of the Services through the platform’s standard product functionality, and any subsequent written instructions reasonably agreed by the Parties, constitute Customer’s complete instructions to Andolasoft.
3.3 Multi-Tenant Operation
Customer acknowledges that the Services are a multi-tenant SaaS platform. Accordingly, Andolasoft will Process Customer Personal Data in accordance with the standard product functionality of the Services, which is provided on a uniform basis to all customers. Customer-specific modifications to the platform, infrastructure, or processing procedures shall be subject to a separate written agreement and applicable fees.
3.4 Notification of Unlawful Instructions
Andolasoft shall promptly inform Customer if, in its reasonable opinion, an instruction from Customer infringes Applicable Data Protection Laws. In such case, Andolasoft may, without liability, suspend performance of the affected instruction until Customer modifies or confirms it in writing.
4. Confidentiality of Processing
Andolasoft shall ensure that any person (including its employees, contractors, and agents) authorized to Process Customer Personal Data is bound by appropriate confidentiality obligations (whether contractual or statutory) and has received appropriate training on data protection and information security.
5. Security of Processing
5.1 Security Measures
Andolasoft shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk presented by the Processing of Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. Andolasoft’s current measures are described in Annex 2 (Technical and Organizational Measures).
5.2 Updates to Security Measures
Andolasoft may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection of Customer Personal Data.
6. Sub-processors
6.1 General Authorization
Customer provides general authorization for Andolasoft to engage Sub-processors to Process Customer Personal Data in connection with the Services. A current list of Sub-processors is maintained by Andolasoft and is available at the location set out in Annex 3, or upon written request.
6.2 Notice of New Sub-processors
Andolasoft shall provide Customer with at least thirty (30) days’ prior notice of any addition or replacement of a Sub-processor that Processes Customer Personal Data, by updating the published Sub-processor list or by such other means as Andolasoft reasonably determines.
6.3 Right to Object
Within the notice period in Section 6.2, Customer may object to the addition or replacement of a Sub-processor on reasonable data protection grounds by written notice to Andolasoft. The Parties shall discuss in good faith to resolve the objection. If the Parties are unable to reach resolution within a reasonable period, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services by written notice to Andolasoft.
6.4 Sub-processor Obligations
Andolasoft shall enter into a written agreement with each Sub-processor that imposes data protection obligations that are, in substance, materially the same as those in this DPA, taking into account the nature of the Services provided by the Sub-processor. For widely used infrastructure and platform providers (including cloud hosting, email, payment, and analytics providers), the Sub-processor’s standard published Data Processing Addendum or equivalent terms shall be deemed sufficient to satisfy this requirement.
6.5 Sub-processor Liability
Andolasoft shall remain liable to Customer for the performance of each Sub-processor’s data protection obligations to the same extent Andolasoft is liable under this DPA.
7. International Data Transfers
7.1 Permitted Transfers
Customer authorizes Andolasoft and its Sub-processors to transfer Customer Personal Data across national borders for the purposes of providing the Services, provided that any such transfer is conducted in accordance with Applicable Data Protection Laws.
7.2 Transfer Mechanisms
Where required by Applicable Data Protection Laws, Andolasoft shall implement appropriate safeguards for the transfer of Customer Personal Data, which may include the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, adequacy decisions, or other lawful transfer mechanisms. Such safeguards are incorporated into this DPA by reference and will apply automatically to the extent applicable.
7.3 Data Residency
The Orangescrum multi-tenant SaaS Services are hosted in the United States. Customer Personal Data Processed through the multi-tenant SaaS will reside in and be Processed from the United States, except for limited Processing by Sub-processors in other regions as set out in Annex 3.
For customers who require regional data residency, Andolasoft offers an Orangescrum Private Cloud deployment, under which the Services may be hosted in a customer-elected region (including India, the European Economic Area, the United Kingdom, the United States, or other regions supported by Andolasoft from time to time). The applicable hosting region for a Private Cloud deployment shall be set out in the Agreement or order form.
8. Data Subject Rights
Taking into account the nature of the Processing, Andolasoft shall provide reasonable assistance through appropriate technical and organizational measures, insofar as possible, to enable Customer to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
If Andolasoft receives a request from a Data Subject relating to Customer Personal Data, Andolasoft shall (i) promptly forward the request to Customer and (ii) not respond to the request directly, except to confirm that the request relates to Customer and to refer the Data Subject to Customer.
9. Personal Data Breach Notification
9.1 Notification Timing
Andolasoft shall notify Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
9.2 Notification Content
Andolasoft’s notification shall, to the extent known at the time:
- Describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- Communicate the name and contact details of the Andolasoft point of contact for the incident;
- Describe the likely consequences of the Personal Data Breach; and
- Describe the measures taken or proposed to be taken by Andolasoft to address the Personal Data Breach and mitigate its possible adverse effects.
9.3 Cooperation
Andolasoft shall provide reasonable cooperation and assistance to Customer in respect of the Personal Data Breach, including in connection with any notifications Customer is required to make to supervisory authorities or affected Data Subjects under Applicable Data Protection Laws.
9.4 No Admission
Andolasoft’s notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgment by Andolasoft of any fault or liability with respect to the incident.
10. Audits and Compliance Verification
10.1 Third-Party Audits and Certifications
Andolasoft shall maintain industry-recognized security audits, certifications, or attestations relevant to the Services, which may include ISO/IEC 27001, ISO/IEC 27701, or equivalent (“Audit Reports”). Andolasoft shall, upon written request and subject to confidentiality, make available to Customer a copy of the most recent Audit Reports.
10.2 Customer Audits
The Parties acknowledge that, given the multi-tenant nature of the Services, on-site audits by Customer of Andolasoft’s production environments are not feasible. Customer’s audit rights under Applicable Data Protection Laws shall be satisfied through the provision of the Audit Reports referred to in Section 10.1. Where Applicable Data Protection Laws mandate further audit rights that cannot be satisfied through Audit Reports, the Parties shall agree in good faith on the scope, timing, cost, and methodology of any additional audit, which shall:
- Be conducted no more than once per calendar year, except in the case of a confirmed Personal Data Breach or where required by a competent supervisory authority;
- Be conducted at Customer’s expense by a mutually agreed independent third-party auditor bound by appropriate confidentiality obligations;
- Be carried out during normal business hours upon not less than thirty (30) days’ prior written notice;
- Be subject to reasonable security and confidentiality requirements; and
- Not interfere unreasonably with Andolasoft’s business operations or other customers’ use of the Services.
10.3 Records of Processing
Andolasoft shall maintain reasonable records of its Processing activities under this DPA and shall make such information available to Customer on reasonable request to demonstrate compliance with this DPA.
11. Return and Deletion of Customer Personal Data
11.1 During the Term
During the term of the Agreement, Customer may export or delete Customer Data via the standard self-service functionality made available within the Services.
11.2 Upon Termination
Upon termination or expiration of the Agreement, Andolasoft shall, at Customer’s written election:
- Make Customer Data available for export by Customer through the standard export functionality of the Services for a period of thirty (30) days from the effective date of termination; and/or
- After such 30-day period (or earlier if Customer so requests in writing), delete Customer Data from Andolasoft’s production systems.
11.3 Backups and Legal Retention
Customer acknowledges that copies of Customer Data may persist in routine system backups, disaster-recovery archives, or audit logs after deletion from production systems, and shall be deleted in the ordinary course in accordance with Andolasoft’s standard retention schedule. Such residual copies shall remain subject to the confidentiality and security obligations of this DPA until deletion. Andolasoft may also retain Customer Personal Data to the extent required by Applicable Data Protection Laws or other applicable laws, in which case such retained data shall remain subject to this DPA.
11.4 Certification
On Customer’s written request, Andolasoft shall provide written confirmation that it has complied with the deletion obligations of this Section 11.
12. Andolasoft as Independent Controller
To the extent Andolasoft Processes Personal Data as an independent Controller (for example, for billing, account administration, service analytics, security monitoring, fraud prevention, product improvement, or legal compliance), Andolasoft shall comply with Applicable Data Protection Laws and its own Privacy Policy, available at https://www.orangescrum.com/privacy-policy.
Andolasoft may also create and use aggregated, anonymized, and de-identified data derived from Customer’s use of the Services for service improvement, benchmarking, research, and statistical analysis, provided that such data cannot reasonably be used to identify Customer or any individual Data Subject.
13. Liability
Each Party’s liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the exclusions and limitations of liability set out in the Agreement. For the avoidance of doubt, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party under the Agreement together with this DPA.
Nothing in this DPA limits or excludes either Party’s liability where such limitation or exclusion is not permitted by Applicable Data Protection Laws.
14. Term and Survival
This DPA shall take effect on the effective date of the Agreement and shall continue in force for the duration of the Agreement. The obligations of Andolasoft and Customer in respect of the protection of Personal Data shall survive termination of the Agreement for so long as Andolasoft Processes or retains Customer Personal Data, and any longer period required by Applicable Data Protection Laws.
15. General Provisions
15.1 Order of Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. To the extent Standard Contractual Clauses or any other transfer mechanism applies, those clauses shall prevail over this DPA in the event of conflict with respect to international transfers.
15.2 Updates to this DPA
Andolasoft may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, industry standards, or the Services. Material changes that adversely affect Customer’s rights shall not take effect until thirty (30) days after notice to Customer.
15.3 Severability
If any provision of this DPA is held invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it enforceable.
15.4 Governing Law
This DPA shall be governed by the laws specified in the Agreement. Where the Agreement is silent, this DPA shall be governed by the laws of India, with exclusive jurisdiction of the courts at Bhubaneswar, Odisha, India.
15.5 Notices
All notices under this DPA shall be given in accordance with the notice provisions of the Agreement. Data protection notices to Andolasoft shall additionally be sent to the contact details set out in Annex 3.
Annex 1 – Description of Processing
A. Subject Matter
The provision of the Orangescrum multi-tenant SaaS project management platform and related services to Customer under the Agreement.
B. Duration
For the term of the Agreement, plus any post-termination retention period set out in Section 11.
C. Nature and Purpose of Processing
Hosting, storage, transmission, organization, retrieval, display, and deletion of Customer Data to enable Customer’s use of project management, task management, sprint management, time tracking, resource planning, reporting, and related collaboration functionalities.
D. Types of Personal Data
- Identification and contact data of Authorized Users (e.g., name, work email, role, profile photo, login credentials);
- Identification and contact data of individuals referenced by Customer within Customer Data (e.g., assignees, collaborators, external contacts);
- Activity and usage data (e.g., timestamps, IP address, device information, audit logs);
- Any other Personal Data Customer uploads to or generates within the Services in accordance with the Agreement.
E. Categories of Data Subjects
- Customer’s employees, contractors, and Authorized Users of the Services;
- Customer’s clients, prospects, partners, and other individuals whose Personal Data Customer chooses to upload to the Services.
F. Processing Operations
Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, and destruction, as required to provide the Services.
Annex 2 – Technical and Organizational Measures
Andolasoft implements and maintains the following technical and organizational measures designed to protect Customer Personal Data, which may be updated from time to time provided that the overall level of protection is not materially decreased.
1. Information Security Governance
- Documented information security policies and procedures, reviewed at least annually.
- Designated security and data protection function with defined responsibilities.
- Security awareness training for all personnel with access to Customer Personal Data.
- Background verification for personnel, where permitted by law.
2. Access Control
- Role-based access control to systems Processing Customer Personal Data, on a least-privilege and need-to-know basis.
- Multi-factor authentication for administrative access to production systems.
- Periodic review and revocation of access rights, including on personnel role change or departure.
- Customer-facing role-based permissions within the Services for Customer-managed access control.
3. Encryption
- Encryption of Customer Personal Data in transit using TLS 1.2 or higher.
- Encryption of Customer Personal Data at rest using industry-standard encryption (e.g., AES-256).
- Secure management of cryptographic keys.
4. Network and Infrastructure Security
- Hosting on enterprise-grade cloud infrastructure with physical and environmental controls maintained by the underlying infrastructure provider.
- Network segmentation, firewalls, and intrusion detection/prevention systems.
- Regular vulnerability scanning and timely patching of systems.
- Hardening of operating systems and application stacks in accordance with published hardening guidance and industry best practices.
5. Application Security
- Secure software development lifecycle, including code review and security testing.
- Periodic penetration testing by qualified internal or external testers.
- Multi-tenant logical isolation of Customer Data.
6. Logging and Monitoring
- Logging of administrative and security-relevant events on production systems.
- Tenant-level audit logs available within the Services for Customer review, where supported by the product.
- Continuous monitoring for anomalous activity and security incidents.
7. Business Continuity and Backups
- Regular backups of Customer Data to support disaster recovery.
- Documented business continuity and disaster recovery plans, tested periodically.
- Defined recovery point objectives (RPO) and recovery time objectives (RTO).
8. Incident Response
- Documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review.
- Defined escalation paths and breach notification procedures, including the timeline set out in Section 9 of this DPA.
9. Vendor and Sub-processor Management
- Due diligence on Sub-processors Processing Customer Personal Data.
- Contractual data protection obligations with Sub-processors, consistent with Section 6 of this DPA.
Annex 3 – Sub-processors and Contact Information
1. Current Sub-processors
A current list of Sub-processors engaged by Andolasoft to Process Customer Personal Data is maintained at the location below and shall be updated in accordance with Section 6 of this DPA.
Sub-processor list URL:
https://www.orangescrum.com/privacy-policy/sub-processors
Sub-processors include:
- Cloud hosting and infrastructure providers (e.g., AWS, Google Cloud).
- Email and notification delivery providers.
- Payment processing providers.
- Customer support and helpdesk platforms.
- Analytics, monitoring, and security service providers.
2. Data Protection Contact
Data protection notices, Data Subject request escalations, and breach communications to Andolasoft shall be sent to:
Andolasoft India Private Limited
Attn: Data Protection Officer
Sector 3, A/65, Mancheswar Industrial Estate
Bhubaneswar, Odisha 751010, India
Email: privacy@orangescrum.com