1. Agreement and Acceptance
These Terms of Use and Services (“Terms”) constitute a binding legal agreement between
Satin Technologies Limited, a company incorporated under the Companies Act, 2013 and
having its registered office at Unit Number 002, Tower B, 8th Floor, Emaar Digital Greens
Tower, Golf Course Extension Road, Sector 61, Gurugram, 122011, Haryana (“STL”, “we”,
“our”, or “us”), and the entity or person accessing or using the Services (“Client”, “you”,
or “your”).
By executing an order form, registering for, or otherwise using STL’s human resources
management software-as-a-service platform, applications, websites, or related services
(collectively, the “Services”), you agree to be bound by these Terms. If you are accepting
these Terms on behalf of a company, organization, or other legal entity, you represent that
you have the authority to bind such entity to these Terms.
2. Definitions
For the purposes of these Terms:
a. “Applicable Law” means all applicable laws, statutes, regulations, rules, and binding
codes, including but not limited to the Digital Personal Data Protection Act, 2023 as
amended, and any other relevant privacy or technology law.
b. “Client Data” means any data, content, or information, including Personal Data,
submitted or uploaded to the Services by or on behalf of Client.
c. “Order Form” means an ordering document executed by Client and STL that specifies the
Services subscribed to, fees, and any additional terms.
d. “Personal Data” has the meaning given under Applicable Law, and includes Sensitive
Personal Data such as government identifiers, biometric data, and financial account
information.
e. “Sub-processor” means any third party engaged by STL to process Client Data.
3. Provision of Services
STL shall provide the Services to the Client in accordance with the applicable Order Form,
these Terms, and STL’s then current documentation. STL may enhance, modify, or update
the Services from time to time, provided such changes do not materially diminish the
overall functionality.
STL shall use commercially reasonable efforts to make the Services available on a twenty-four (24) hours per day, seven (7) days per week basis, subject to planned maintenance
windows and circumstances beyond STL’s reasonable control.
4. Client Obligations
The Client shall:
a. Ensure that all access credentials, usernames, and passwords for the Services are kept
secure and confidential;
b. Obtain and maintain all necessary consents and legal bases required under Applicable
Law for STL to process Client Data as instructed by Client;
c. Be solely responsible for the accuracy, quality, and legality of Client Data;
d. Notify STL promptly of any unauthorized access or use of the Services or Client Data;
e. Comply with STL’s Acceptable Use Policy (Schedule 1).
5. Acceptable Use
Client shall not, and shall ensure its Users do not:
a. use the Services in violation of any Applicable Law;
b. attempt to reverse engineer, decompile, or otherwise extract the source code of the
Services except to the extent permitted by law;
c. upload or transmit viruses, malware, or malicious code;
d. use the Services for discriminatory, fraudulent, or illegal HR practices;
e. interfere with or disrupt the security or integrity of the Services; or
f. use the Services to provide services to third parties in competition with STL.
6. Data Protection and Security
STL shall process Client Data solely in accordance with these Terms, the Data Processing
Addendum (Schedule 2), and the Client’s documented instructions.
STL shall implement and maintain industry standard administrative, technical, and
organizational measures designed to protect Client Data against unauthorized access,
disclosure, alteration, or destruction. Details of such measures are described in the
Security Exhibit (Schedule 3).
Client acknowledges that STL uses Amazon Web Services (AWS) as its primary hosting
provider.
7. Sub-Processors
Client authorizes STL to engage Sub-processors to process Client Data. A current list of
Sub-processors shall be maintained at STL’s website or notified to the Client. STL shall
ensure Sub-processors are bound by written agreements imposing data protection
obligations no less protective than those contained herein.
8. Intellectual Property Rights
All intellectual property rights in the Services, including software, designs, and
documentation, are and shall remain the exclusive property of STL and its licensors.
STL grants the Client a limited, non-exclusive, non-transferable, revocable license to access
and use the Services during the subscription term, strictly for internal business purposes.
Client retains all rights in and to Client Data. STL shall not use Client Data except to
provide the Services or as otherwise expressly permitted herein.
9. Fees and Payment
Client shall pay STL the fees specified in the applicable Order Form or agreement. Unless
otherwise stated, fees are payable in Indian Rupees, exclusive of applicable taxes. Unless
otherwise stated, payments shall be due within thirty (30) days from the date of invoice.
Late payments may accrue interest at the rate of 1.5% per month or the maximum
permitted by law, whichever is lower.
10. Warranties and Disclaimers
STL warrants that:
a. The Services will perform substantially in accordance with the applicable documentation;
b. STL will provide the Services using reasonable skill and care.
EXCEPT AS EXPRESSLY PROVIDED ABOVE, THE SERVICES ARE PROVIDED “AS IS”
AND STL DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NON-INFRINGEMENT. STL DOES NOT WARRANT THAT THE SERVICES WILL BE
UNINTERRUPTED OR ERROR-FREE.
11. Indemnification
a. By STL. STL shall indemnify, defend, and hold harmless Client from any third-party claim
alleging that the Services infringe any valid intellectual property right, provided that
Client gives prompt notice, reasonable cooperation, and sole control of defence to STL.
b. By Client. Client shall indemnify, defend, and hold harmless STL from any claim arising
out of: (i) Client Data, (ii) Client’s violation of Applicable Law, or (iii) Client’s breach of
these Terms.
12. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW:
a. STL’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE
TERMS SHALL NOT EXCEED THE FEES PAID BY CLIENT TO STL IN THE THREE (3)
MONTHS PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY;
b. STL SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS,
DATA, OR GOODWILL.
Nothing in this clause limits liability for death, personal injury, wilful misconduct, or
any liability which cannot be excluded under Applicable Law.
13. Suspension and Termination
STL may suspend access to the Services in the event: (i) the Client fails to pay fees when
due, (ii) the Client breaches these Terms or the Acceptable Use Policy, or (iii) STL
reasonably believes suspension is necessary to protect the security or integrity of the
Services.
14. Governing Law and Dispute Resolution
These Terms shall be governed by and construed in accordance with the laws of India.
Any dispute arising out of or in connection with these Terms shall be finally resolved by
arbitration in New Delhi, India, in accordance with the rules of the Delhi International
Arbitration Centre (“DIAC”). The seat and venue of arbitration shall be New Delhi, and
proceedings shall be conducted in English. Courts at New Delhi shall have exclusive
jurisdiction for interim relief.
15. Confidentiality
Each party shall keep confidential all non-public information disclosed by the other party
in connection with these Terms, and shall use such information solely for performance
under these Terms.
16. Publicity
Client grants STL the right to use Client’s name and logo for marketing purposes only
with Client’s prior written consent.
17. Force Majeure
Neither party shall be liable for failure or delay in performance caused by events beyond
its reasonable control, including natural disasters, labor disputes, internet failures, or
government actions.
18. Changes to Terms
STL may update these Terms from time to time. Material changes may be notified to
Clients in advance, and continued use of the Services after the effective date of such
changes constitutes acceptance.
Schedule 1 – Acceptable Use Policy
1. Purpose and Binding Nature
a. This Acceptable Use Policy (“AUP”) forms part of the Agreement between Satin
Technologies Limited (“STL”) and the Client. Capitalised terms not defined here take the
meanings in the Agreement.
b. By accessing or using the Services, Client and its Users agree to comply with this AUP.
STL may update this AUP to reflect changes in Indian law or STL’s security posture in
accordance with the Agreement.
2. Lawful Use; Client Responsibility
a. Client is solely responsible for (a) all acts/omissions of Users; (b) ensuring its use of the
Services complies with Applicable Indian Law (including the DPDP Act, Information
Technology Act, 2000, IT (Intermediary Guidelines and Digital Media Ethics Code) Rules,
2021 as amended, CERT-In Directions, labour and employment laws, and sectoral norms);
and (c) providing all DPDP-compliant notices and obtaining valid consent or other lawful
ground (including deemed consent where applicable) from Data Principals for Processing
through the Services.
b. Client shall implement reasonable safeguards (including MFA where offered) to prevent
unauthorised access and promptly notify STL of any suspected compromise.
3. Prohibited Content and Activities
Client and Users shall not use the Services to:
a. violate Applicable Indian Law, court/tribunal orders, or third-party rights (including IP,
privacy, publicity);
b. upload, store, transmit, or otherwise make available content that is unlawful, defamatory,
obscene, pornographic, paedophilic, invasive of privacy, insulting/harassing on the basis
of gender, racially/ethnically objectionable, relating to/encouraging money laundering
or gambling, harmful to minors, or otherwise prohibited under IT Rules;
c. conduct unfair/illegal HR practices (including automated decision-making without
lawful basis, transparency, or human review avenues where required under internal
policies);
d. introduce malware, backdoors, time bombs, or code intended to disrupt or degrade the
Services;
e. probe or circumvent authentication/security controls; perform penetration testing or
vulnerability scanning without STL’s prior written authorisation;
f. scrape, spider, harvest, or bulk-download the Services or use automated means that
materially burden the platform;
g. reverse engineer, decompile, or create derivative works, except to the limited extent
permitted by Indian law with prior written notice to STL;
h. send unsolicited commercial communications in violation of TRAI/DLT and other anti-spam rules;
i. Process Sensitive Personal Data (e.g., Aadhaar numbers, financial account data,
biometrics, health data) without a lawful ground, purpose limitation, minimisation,
retention controls, and device/vendor due-diligence;
j. engage in activities prejudicial to the sovereignty/integrity of India, security of the State,
friendly relations with foreign States, public order, or that incite a cognisable offence.
4. Platform, API, and Rate Limits
a. Client shall comply with API documentation, authentication, and rate limits. STL may
throttle, suspend, or revoke API access that risks security or platform stability.
b. Local caching is permitted only as documented; Client must not bypass access controls or
retention limits.
5. Security Research and Disclosure
a. Client shall not exploit discovered vulnerabilities. Responsible disclosures may be sent to
STL’s designated security email; limited testing may be authorised in writing.
b. STL may block/suspend accounts to address exploitation or imminent risk.
6. Export, Sanctions, and Telecom Compliance
Client shall comply with Indian export controls/sanctions and any telecom compliance
(e.g., DLT registration for promotional/transactional SMS templates and headers).
7. Monitoring; Enforcement
a. STL may analyse usage metadata (not Client content) for abuse detection, incident
response, and performance tuning.
b. STL may investigate suspected violations and remove content, suspend access, or
terminate accounts, with notice to Client where legally permitted and practicable, except
in exigent circumstances.
8. Consequences; Cooperation
a. Client will cooperate with STL and competent authorities (where legally required) to
remediate violations.
b. Client remains responsible for fees and any damages arising from breach of this AUP.
9. Changes
STL may modify this AUP to reflect legal/technical changes; material updates will be
notified per the Agreement.
Schedule 2 – Data Processing Addendum
1. Purpose, Scope, and Priority
a. This Data Processing Addendum (“DPA”) supplements the Agreement and governs
STL’s Processing of Personal Data contained in Client Data under the DPDP Act.
b. In case of conflict between this DPA and the Agreement on data protection matters, this
DPA prevails.
2. Roles and Nature of Processing
a. Client is the Data Fiduciary; STL is the Data Processor under the DPDP Act.
b. Subject Matter & Duration- STL Processes Client Data solely for providing the Services
during the Term and any post-termination export/deletion window.
c. Nature & Purpose- Hosting, storage, HR workflows (attendance, leave, performance),
authentication, audit logging, support, privacy-preserving analytics, backup/DR, and
security.
d. Data Principals- Client’s employees, workers, contractors, interns, candidates,
administrators, and other personnel whose data Client elects to Process.
e. Categories of Personal Data- Identifiers, contact details, employment information,
bank/account identifiers (for payroll interface), login/authentication data, access logs,
uploaded documents; optional Sensitive Personal Data (e.g., Aadhaar, biometrics, health-related leave reasons) if enabled by Client.
f. Sensitive Personal Data- Processed only where Client has established a lawful ground and
configured appropriate controls.
3. Client (Data Fiduciary) Obligations
a. Client shall: (a) issue DPDP-compliant Notice and obtain/record valid Consent (or rely on
Deemed Consent where permitted); (b) ensure purpose limitation, data minimisation,
accuracy, and retention controls; (c) implement appropriate technical/organisational
measures; (d) conduct risk assessments where warranted (e.g., biometrics deployment);
and (e) handle Data Principal rights requests.
b. Client warrants that its instructions to STL are lawful and do not cause STL to violate the
DPDP Act or other Indian law. STL may notify Client if instructions appear unlawful.
4. STL (Data Processor) Obligations
a. Documented Instructions- STL shall Process Client Data only on Client’s documented
instructions (including via Service configurations), except where required by Indian law;
in such case STL will inform Client unless prohibited.
b. Confidentiality- STL ensures authorised personnel are bound by confidentiality
obligations.
c. Security- STL implements the technical and organisational measures described in
Schedule 3 (Security Exhibit).
d. Assistance- Considering the nature of Processing, STL will provide reasonable assistance
to Client with (a) Data Principal requests routed by Client; (b) security of Processing; and
(c) incident/breach management and notifications.
e. Records- STL maintains records of Processing activities where required by Indian law and
will cooperate with competent authorities per lawful requests.
f. Audit & Assurance- See Section 10.
5. Sub-Processors
a. Client authorises STL to engage Sub-Processors for the purposes set forth herein. STL shall
(a) impose written obligations on Sub-Processors no less protective than this DPA; (b)
remain responsible for Sub-Processors’ performance; and (c) maintain an up-to-date Sub-Processor list per Schedule 4.
b. Notice/Objection- STL may provide prior notice of material Sub-Processor
additions/replacements. Client may object on reasonable, documented DPDP risk
grounds within thirty (30) days. Parties will work in good faith to mitigate. If unresolved
within thirty (30) days, Client may terminate the affected Services (or Agreement if
inseparable) with a pro-rated refund of prepaid fees for the terminated portion.
6. Cross-Border Transfers (DPDP)
a. STL shall not transfer Personal Data outside India to any country or territory that the
Central Government may notify as restricted under the DPDP Act.
b. Subject to Section 6(a) above, cross-border transfers are permitted by the DPDP Act; where used, STL will
ensure contractual and technical safeguards commensurate with risk and provide
visibility to Client of material sub-processor locations.
7. Personal Data Breach; Incident Management
a. Breach Notice to Client- STL will notify Client without undue delay upon becoming aware
of a Personal Data Breach impacting Client Data, sharing available details (nature/scope,
categories of Personal Data, likely impact, remedial measures, and recommended steps
for Client).
b. Regulatory/Principal Notice- Client (as Data Fiduciary) is responsible for notifications to
the Data Protection Board of India and Data Principals, as required by the DPDP Act. STL
will assist with information reasonably required for such notifications.
c. CERT-In- Where applicable (e.g., cybersecurity incidents enumerated by CERT-In
Directions), STL will support Client’s obligations, including timely incident information
and log availability.
8. Return and Deletion
a. Upon termination/expiry, STL shall make available export tools for Client Data for a
reasonable window. Thereafter, on Client instruction or window expiry, STL shall delete
or irreversibly anonymise Client Data from active systems within ninety (90) days and
from backups within one hundred eighty (180) days, unless a longer retention is required
by Indian law.
b. Upon request, STL will provide a deletion/anonymisation confirmation. Media
sanitisation will align to cloud-industry standards appropriate for AWS.
9. Service Provider Conduct; Use Restrictions
a. STL shall not: (a) disclose Client Data to any third party except Sub-Processors and as
required by law; (b) Process Client Data for STL’s independent purposes; (c) combine
Client Data with other datasets in a manner that re-identifies Data Principals or expands
purpose beyond Client’s instructions; or (d) use Client Data for marketing.
b. AI/Model Training- STL shall not train general-purpose models on Client Data unless
expressly agreed in writing by Client, and then only with appropriate safeguards.
10. Audit and Verification
a. Documentation- Under NDA, STL may make available reasonable compliance artefacts
(e.g., policy summaries, control descriptions, independent assessment summaries)
sufficient to demonstrate alignment with this DPA and Schedule 3.
b. Audit Right- No more than once per twelve (12) month period (and additionally after a
material incident), Client may conduct a proportionate audit (remote or on-site) of STL’s
relevant facilities and controls during business hours on thirty (30) days’ prior written
notice, subject to confidentiality, safety, and non-disclosure of STL trade secrets or other
customers’ data.
c. Scope Limits- Pen-tests of production, raw log exfiltration, or access to source code require
STL’s prior written consent and a mutually agreed test plan.
11. Government/Lawful Access Requests
If STL receives a lawful request from a competent Indian authority for access to Client
Data, STL will, to the extent permitted by law, notify Client and limit disclosure to what
is legally required, challenging overbroad requests where feasible.
12. Liability and Precedence
The Agreement’s limitations and exclusions of liability apply to this DPA. Nothing limits
liability to the extent prohibited by Indian law.
13. Governing Law and Dispute Resolution
This DPA is governed by the laws of India and disputes are resolved as per the
Agreement’s dispute resolution clause.
Annex I – Processing Details: As per Sections 2(d)–2(f) above.
Annex II – TOMs: Incorporated by reference from Schedule 3.
Annex III – Sub-Processors: As per Schedule 4.
Schedule 3 – Security Exhibit
1. Security Governance
STL maintains a written information security program approved by senior management,
reviewed at least annually, with risk assessments covering confidentiality, integrity,
availability, DPDP compliance, vendor risk, and resiliency.
2. Personnel & Confidentiality
Access is role-based (least privilege); background vetting is performed as
lawful/appropriate; staff receive onboarding and annual security/privacy training;
NDAs/confidentiality obligations are enforced.
3. Access Control & Identity
a. Strong authentication; MFA for administrative/production access; SSO supported for
Client tenants (if enabled).
b. Periodic access reviews (≥ quarterly) for privileged roles; segregation of duties for change
and deployment.
4. Cryptography & Key Management
a. Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
b. Keys managed in cloud KMS/HSM; role-restricted access; key rotation and logging.
5. Hosting & Physical Controls
Services hosted on AWS India region(s) with multi-layer physical security and
environmental controls. STL relies on AWS’s certified controls and ensures logical tenant
segregation.
6. Operations Security
a. Hardened baseline images; infra-as-code; change approvals; separation of dev/test/prod.
b. Vulnerability management with target remediation timelines (Critical ≤ 7 days; High ≤ 15;
Medium ≤ 30; Low ≤ 90), subject to justified exceptions.
c. Centralised logging/monitoring; time synchronisation; security log retention ≥ 180 days
to support CERT-In directions.
7. Network Security
Network segmentation; default-deny security groups; managed WAF; DDoS protections;
secured bastions/VPN with MFA and auditable sessions.
8. Application Security & SDLC
a. Secure SDLC with threat modelling, code reviews, SAST/DAST, dependency/SBOM
scanning, secrets management (no hard-coded secrets).
b. Annual independent penetration testing of external surfaces and key components;
executive summaries available to Clients under NDA.
9. Data Lifecycle & Retention
a. Purpose limitation and minimisation; configurable retention; deletion/anonymisation per
Schedule 2.
b. Media sanitisation in line with cloud-industry standards; destruction records retained.
10. Backup & Disaster Recovery
Encrypted daily backups; integrity checks; target RPO/RTO: 24h/24h unless otherwise
agreed in an Order Form; annual DR test with remediation tracking.
11. Incident Response & Breach Management
a. Documented incident response playbooks (prepare, detect, contain, eradicate, recover,
lessons learned).
b. Client breach notices per Schedule 2, support for CERT-In reportable incident categories
where applicable.
12. Vendor/Sub-Processor Security
a. Security/privacy due-diligence prior to onboarding; contractual flow-downs; periodic
reassessment.
b. Continuous monitoring for material posture changes where feasible.
13. Sensitive Personal Data Controls
a. Heightened controls for Sensitive Personal Data: stricter access approvals, enhanced
logging/alerting, granular encryption/segregation where supported, and additional
operational checks.
b. Biometric/Attendance Devices- Where Client integrates devices, Client is responsible for
device-level compliance, notices/consents, and lawful configuration; STL will protect data
once ingested per these TOMs.
14. Client Audit Support
Reasonable cooperation, documentation, and controlled walkthroughs per Schedule 2.
Schedule 4 – Sub-Processor List
1. Current Authorised Sub-Processors
a. Amazon Web Services (AWS) — Cloud infrastructure (compute, storage, networking,
managed DB, KMS); Location: India region(s); Purpose: hosting/backup/DR; Notes: log
retention and security attestations available under NDA.
b. Email Delivery Provider— Transactional/notification emails; Data: recipient address,
templates, metadata; Location: configured regions.
c. SMS/OTP Gateway— OTP and service notifications; Data: MSISDN, message metadata;
Compliance: TRAI/DLT registration/templates/headers.
d. Support/Ticketing— Support case handling; Data: contact details, ticket
content/attachments.
e. Product Analytics (privacy-preserving configuration)— Aggregated usage metrics; Data:
pseudonymised event telemetry; Notes: no HR content fields captured; consent banner
where required.
STL may publish a live, versioned Sub-Processor page/URL for operational updates
(recommended), or maintain this list within contract schedules. Exact legal entity names
and regions can be inserted prior to go-live.
2. Onboarding & Flow-Downs
STL will (a) conduct security/privacy due-diligence; (b) impose written contractual
obligations no less protective than this DPA; (c) ensure deletion/return of Client Data
upon disengagement.
3. Notice and Objection
a. STL may provide thirty (30) days’ prior notice of any addition/replacement of a Sub-Processor that Processes Client Data (via email or a public URL).
b. Client may object on reasonable, documented DPDP risk grounds within thirty (30) days.
Parties shall work in good faith to mitigate; failing which, Client may terminate the
affected Services (or Agreement if inseparable) with a pro-rated refund of prepaid fees for
the terminated portion.
4. Emergency Replacement
Where necessary to ensure availability/security/continuity, STL may appoint an interim
Sub-Processor and notify Client promptly thereafter. Objection rights apply post-appointment.
5. Information Maintenance
For each Sub-Processor, STL will maintain (and share under NDA upon request): legal
name, address, Processing description, categories of Personal Data/Data Principals,
Processing location(s), and summary of security posture/attestations.
6. Termination & Data Deletion
Upon Sub-Processor termination, STL will ensure secure deletion/return of Client Data
and obtain written confirmation or equivalent assurance of destruction, subject to legal
retention.