Data Processing Agreement

Version 1.0

Effective: 4 May 2026

For execution alongside the Principal Agreement (Terms of Service).

Status: Final draft, pending qualified legal review.

This DPA has been finalised by Loudcurtain in good faith based on GDPR Article 28, the EU Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum (Version B1.0), and the India Digital Personal Data Protection Act 2023. It is published for transparency and beta-cohort review. Loudcurtain reserves the right to amend on advice of counsel before counter-signature with any merchant. Direct review feedback to [email protected].

Parties

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Principal Agreement”) between:

(1) The Customer / Merchant

The natural or legal person identified in the Principal Agreement who has accepted this DPA, hereinafter the “Controller”.

(2) LOUDCURTAINS PRIVATE LIMITED

A Private Limited Company organised under the laws of India, registered office: Level 18, One Horizon Center, Golf Course Rd, Gurugram, Haryana 122009, India. Hereinafter the “Processor” (operator of the Loudcurtain Queuer Service).

1. Definitions

1.1. “Applicable Data Protection Laws” means, as applicable, (a) Regulation (EU) 2016/679 (“GDPR”) and any implementing or supplementing national legislation; (b) the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018; (c) the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”); and (d) any other data protection or privacy laws applicable to the processing of Personal Data under this DPA.

1.2. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Controller is the Customer / Merchant.

1.3. “Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA, including (without limitation) the Controller’s customers, end-users, and the Controller’s staff and team members.

1.4. “Personal Data” means any information relating to a Data Subject which is processed by the Processor on behalf of the Controller in connection with the Service, as further described in Annex 1.

1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

1.6. “Processor” means the natural or legal person which processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Loudcurtain.

1.7. “Service” means the Loudcurtain Queuer software-as-a-service platform, including its Order Queue Management feature, made available to the Controller under the Principal Agreement.

1.8. “Sub-processor” means any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller. The current list of Sub-processors is set out in Annex 3.

1.9. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914 of 4 June 2021, as amended.

1.10. Capitalised terms not defined in this DPA shall have the meanings given to them in the Principal Agreement.

2. Subject matter, duration, nature, and purpose

2.1. Subject matter. The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Service in accordance with the Principal Agreement.

2.2. Duration. This DPA shall apply for the duration of the Principal Agreement and shall continue thereafter only to the extent necessary for the Processor to comply with its obligations under Section 11 (Return and deletion of Personal Data).

2.3. Nature and purpose of processing. The nature and purpose of the processing are set out in Annex 1 and consist principally of: (a) hosting and operating the Service; (b) enabling the Controller to operate queues, take orders, generate receipts, and communicate with their own customers; (c) providing related support, security, billing, and analytics functions in accordance with the Principal Agreement.

2.4. Categories of Data Subjects are set out in Annex 1.

2.5. Types of Personal Data processed are set out in Annex 1.

3. Roles of the Parties

3.1. The Controller is the controller of Personal Data and the Processor is a processor of Personal Data, in respect of the processing carried out by the Processor on behalf of the Controller pursuant to this DPA.

3.2. The Controller represents and warrants that it has all necessary rights, consents, and lawful bases under Applicable Data Protection Laws to provide Personal Data to the Processor, and to instruct the Processor to process Personal Data in accordance with this DPA and the Principal Agreement.

3.3. Each Party shall comply with its obligations under Applicable Data Protection Laws.

4. Processor’s obligations

The Processor shall:

4.1. Process on documented instructions. Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law to which the Processor is subject. In the latter case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.2. Confidentiality. Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. Security. Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The minimum technical and organisational measures are set out in Annex 2.

4.4. Sub-processors. Engage Sub-processors only in accordance with Section 6.

4.5. Data Subject rights. Assist the Controller, taking into account the nature of the processing and insofar as is reasonably possible, by appropriate technical and organisational measures, to fulfil the Controller’s obligation to respond to requests for exercising Data Subject rights (including rights of access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making) under Applicable Data Protection Laws.

4.6. Assistance with compliance. Assist the Controller in ensuring compliance with the obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.

4.7. Personal Data Breach notification. Notify the Controller without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach. Such notification shall include, at minimum: (a) the nature of the breach including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) a contact point for further information.

4.8. Records of processing. Maintain a written (which may be in electronic form) record of all categories of processing activities carried out on behalf of the Controller, in accordance with Applicable Data Protection Laws.

4.9. Audits. Make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and Applicable Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with Section 9.

4.10. Information regarding instructions. Inform the Controller immediately if, in its opinion, any instruction received from the Controller infringes Applicable Data Protection Laws.

5. Controller’s obligations

The Controller shall:

5.1. Comply with its obligations as a data controller under Applicable Data Protection Laws, including in respect of the lawfulness of processing, the providing of notice to Data Subjects, and the obtaining of consents where required.

5.2. Provide the Processor with documented instructions in compliance with Applicable Data Protection Laws, and ensure that any such instructions are not in conflict with the Principal Agreement, this DPA, or Applicable Data Protection Laws.

5.3. Be responsible for the security and lawful collection of Personal Data prior to providing it to the Processor.

5.4. Inform the Processor without undue delay if the Controller becomes aware of any Personal Data Breach involving the Service that the Controller has independently identified.

6. Sub-processors

6.1. General authorisation. The Controller hereby grants the Processor general authorisation to engage Sub-processors for the processing of Personal Data, subject to the conditions in this Section 6.

6.2. Current Sub-processors. A list of current Sub-processors is set out in Annex 3. The Controller acknowledges and accepts the engagement of these Sub-processors as of the effective date of this DPA.

6.3. New or replacement Sub-processors. The Processor shall provide the Controller with at least thirty (30) days’ prior notice of any intended addition or replacement of Sub-processors. Such notice shall be given (a) by updating the publicly accessible Sub-processors page at loudcurtain.com/legal/sub-processors AND (b) by email to the Controller’s primary contact email registered in the Service.

6.4. Right to object. The Controller may, on reasonable grounds related to the protection of Personal Data, object to the engagement of a new or replacement Sub-processor by giving written notice to the Processor within fifteen (15) days of the Processor’s notice. If the Parties cannot resolve the objection in good faith within thirty (30) days, the Controller may, as its sole remedy, terminate the affected portion of the Service for which the Sub-processor is required by giving written notice to the Processor; in such event, no further fees shall be due in respect of the terminated portion of the Service from the date of termination.

6.5. Flow-down obligations. Where the Processor engages a Sub-processor, it shall do so by way of a written contract that imposes on the Sub-processor data protection obligations no less protective than those set out in this DPA. The Processor shall remain liable to the Controller for the performance of each Sub-processor’s obligations.

7. International data transfers

7.1. General. The Controller acknowledges that the Processor’s principal place of business is in India and that processing of Personal Data may take place in India, the European Economic Area, the United Kingdom, and other jurisdictions in which Sub-processors are located, as set out in Annex 3.

7.2. Transfers from the EEA, UK, or Switzerland. Where Personal Data originating from a Data Subject located in the European Economic Area, the United Kingdom, or Switzerland is transferred by the Processor or a Sub-processor to a country that is not subject to an adequacy decision under Applicable Data Protection Laws, such transfer shall be governed by the Standard Contractual Clauses, which are hereby incorporated by reference, with the following choices:

  • Module Two (Controller-to-Processor) shall apply;
  • In Clause 7 (Docking clause), the optional clause is included;
  • In Clause 9 (Use of Sub-processors), Option 2 (general authorisation) is selected, with prior notice of at least thirty (30) days as set out in Section 6;
  • In Clause 11 (Redress), the optional language is omitted;
  • In Clause 17 (Governing law), the law of the Federal Republic of Germany shall apply (selected to align with the location of the Processor’s primary hosting infrastructure at Hetzner Online GmbH in Germany; lawyer to confirm prior to first execution);
  • In Clause 18 (Choice of forum and jurisdiction), the courts of the Federal Republic of Germany shall apply.

7.3. Annexes to the SCCs. Annex 1, Annex 2, and Annex 3 of this DPA shall serve as the corresponding annexes to the SCCs.

7.4. UK Addendum. Where Personal Data originating from a Data Subject located in the United Kingdom is transferred internationally, the Parties incorporate by reference the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022), modifying the SCCs as required.

7.5. Transfers from India. Where Personal Data originating from a Data Subject located in India is transferred to another country, the Processor shall ensure compliance with the DPDP Act and any rules issued thereunder, including by ensuring that transfers are made only to countries permitted by the Central Government of India.

8. Data Subject rights and assistance

8.1. The Processor shall provide the Controller with reasonable assistance, taking into account the nature of the processing, by appropriate technical and organisational measures, to enable the Controller to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including:

  • the right of access (Article 15 GDPR);
  • the right to rectification (Article 16 GDPR);
  • the right to erasure (Article 17 GDPR);
  • the right to restriction of processing (Article 18 GDPR);
  • the right to data portability (Article 20 GDPR);
  • the right to object (Article 21 GDPR);
  • rights related to automated decision-making and profiling (Article 22 GDPR);
  • corresponding rights under the DPDP Act and other Applicable Data Protection Laws.

8.2. If a Data Subject contacts the Processor directly with a request to exercise any of the foregoing rights, the Processor shall, without undue delay, forward the request to the Controller and inform the Data Subject that they should address their request to the Controller. The Processor shall not respond substantively to such a request without the Controller’s prior written instruction.

8.3. The Processor may charge the Controller a reasonable fee to cover the administrative costs of providing assistance under this Section 8 if the Controller’s requests are manifestly unfounded or excessive, in particular because of their repetitive character.

9. Audits

9.1. Audit rights. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations under this DPA. Subject to Sections 9.2 and 9.3, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

9.2. Conditions on audits. Any audit shall be: (a) conducted at the Controller’s expense; (b) carried out during regular business hours upon at least thirty (30) days’ written notice; (c) conducted in a manner that does not unreasonably interfere with the Processor’s ordinary business operations; (d) limited to one audit per twelve (12) month period (unless following a Personal Data Breach); and (e) subject to a confidentiality agreement reasonably acceptable to the Processor.

9.3. Third-party reports. Where the Processor has commissioned a recognised third-party audit (e.g., SOC 2 Type II, ISO 27001, or equivalent), the Processor may satisfy its obligations under Section 9.1 by providing the Controller with a copy of the most recent audit report. (Loudcurtain has not yet obtained a third-party audit; this clause is forward-compatible.)

10. Personal Data Breach notification

10.1. The Processor shall notify the Controller of any Personal Data Breach in accordance with Section 4.7.

10.2. The notification shall be sent to the Controller’s primary contact email registered in the Service. The Controller is responsible for keeping such contact details up to date.

10.3. The Processor shall, taking into account the nature of the processing and the information available to the Processor, assist the Controller in complying with the Controller’s own breach-notification obligations under Applicable Data Protection Laws.

11. Return and deletion of Personal Data

11.1. On termination. Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller’s choice and without undue delay, delete or return to the Controller all Personal Data processed on behalf of the Controller, and delete existing copies, unless retention is required by applicable law.

11.2. Retention by Processor. The Processor may retain Personal Data: (a) to the extent and for the period required by applicable law (for example, retention of receipts for tax/audit purposes); (b) in routine system backups, which shall be overwritten or deleted in accordance with the Processor’s standard backup-retention policy as set out in Annex 2; or (c) where Personal Data has been anonymised in such a way that it can no longer be associated with a Data Subject.

11.3. Confirmation. Upon the Controller’s written request, the Processor shall provide written confirmation that the deletion of Personal Data has been carried out in accordance with this Section 11.

12. Liability

12.1. The liability of each Party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

12.2. Nothing in this DPA shall limit or exclude the liability of either Party where such limitation or exclusion is prohibited by Applicable Data Protection Laws.

13. General

13.1. Order of precedence. In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the SCCs (where applicable), the SCCs shall prevail.

13.2. Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable in any respect, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired.

13.3. Amendments. The Processor may amend this DPA from time to time as required to reflect changes in Applicable Data Protection Laws, by giving the Controller at least thirty (30) days’ prior written notice. Where such amendment materially diminishes the protection afforded to Personal Data, the Controller may terminate the affected Service by giving written notice to the Processor before the amendment takes effect.

13.4. Governing law. This DPA shall be governed by the law specified in the Principal Agreement, except where the SCCs (or other Applicable Data Protection Laws) require otherwise.

13.5. Counterparts and electronic signature. This DPA may be executed in counterparts and by electronic signature, each of which shall be deemed an original.

Annex 1 — Description of Processing

A. Categories of Data Subjects

The Personal Data processed under this DPA concerns the following categories of Data Subjects:

  1. The Controller’s customers and end-users, including persons who scan QR codes, place orders, join queues, schedule appointments, or otherwise interact with the Service operated by the Controller.
  2. The Controller’s staff and team members, including authorised users of the Controller’s account on the Service (e.g., owners, managers, cashiers, kitchen staff).
  3. The Controller’s contacts, where the Controller chooses to record information about its own contacts within the Service.

B. Categories of Personal Data

The Processor processes the following categories of Personal Data on behalf of the Controller:

  1. Identifiers: device identifiers, customer session identifiers, and (where provided by the Data Subject) names, phone numbers, and email addresses of customers and end-users.
  2. Authentication and account data (for the Controller’s staff): names, email addresses, hashed passwords, OAuth identifiers, session tokens, role and permission assignments.
  3. Service-usage data: queue position, time of joining, time served, order content (items, modifiers, prices, notes), payment status and method label, receipt content, push notification subscriptions, scan events.
  4. Technical data: IP addresses, user-agent strings, request logs, error logs, performance metrics, web push endpoints.
  5. Communications data: notification delivery status, email-open/click events (where applicable), feedback and ratings.
  6. Tax-relevant data on receipts: tax ID numbers (where the Controller has chosen to display them), customer-name and customer-address fields on tax invoices (where collected).

C. Nature and purpose of processing

  1. Hosting the Service and storing the Personal Data in databases, queues, and object storage.
  2. Operating queue management, order management, payment-call workflows, kitchen workflows, pickup workflows.
  3. Generating receipts (HTML and PDF) including tax breakdowns where applicable.
  4. Sending push notifications and transactional emails to Data Subjects.
  5. Providing customer support to the Controller, including investigation of issues raised by the Controller.
  6. Securing the Service, including authentication, authorisation, intrusion detection, fraud prevention, abuse mitigation, and rate limiting.
  7. Analysing aggregate Service usage to operate, maintain, and improve the Service (in accordance with Section 4.1).
  8. Billing the Controller for use of the Service.
  9. Internal web analytics: the Processor operates a self-hosted instance of Umami (an open-source, privacy-focused analytics tool) on its own infrastructure within the European Economic Area, to measure aggregate usage of the Service’s web surfaces (marketing site, dashboard, dev portal). Umami does not use cookies, does not employ persistent client-side identifiers, and stores only a hashed daily session token derived from IP address, user-agent, and a rotating salt. Original IP addresses are not retained. No data leaves the Processor’s infrastructure for this purpose. The lawful basis for this processing is the Processor’s legitimate interests under Article 6(1)(f) GDPR (improvement of the Service); the customer-facing PWA at q.loudcurtain.com is excluded from this processing.

D. Duration of processing

For the duration of the Principal Agreement plus any retention period specified in Annex 2.

Annex 2 — Technical and Organisational Measures

The Processor shall implement and maintain at least the following technical and organisational measures, with the level of detail and completeness updated from time to time as the Service evolves:

A. Confidentiality (Article 32(1)(b) GDPR)

  1. Access control to facilities: production servers are hosted at Hetzner Online GmbH facilities (Germany / Finland), which maintain ISO/IEC 27001 certification including physical access controls.
  2. Access control to systems: production access requires multi-factor authentication; SSH keys are individually issued and rotated; no shared credentials.
  3. Access control to data: role-based access control (RBAC) is enforced by the Service for the Controller’s account. Internally, the Processor enforces least-privilege access to production systems; access to Personal Data is logged.
  4. Pseudonymisation: device identifiers are random; customer session identifiers are not derived from Personal Data; analytics events use hashed merchant identifiers.

B. Integrity (Article 32(1)(b) GDPR)

  1. Data input control: all changes to the production database are made via authenticated API calls or vetted migration scripts; ad-hoc database access is logged and reviewed.
  2. Forward-only schema migrations: database schema changes are additive and reviewed; destructive schema changes require a two-phase deprecation.

C. Availability (Article 32(1)(b) and 32(1)(c) GDPR)

  1. Backups: daily encrypted backups of the production database are stored in a separate cloud account; backup-retention period is seven (7) days for point-in-time recovery and ninety (90) days for daily snapshots, unless extended for specific Controllers under separate agreement.
  2. Disaster recovery target: Recovery Point Objective (RPO) of fifteen (15) minutes; Recovery Time Objective (RTO) of two (2) hours for SEV-1 data-loss scenarios. The Processor performs quarterly restore drills.

D. Resilience (Article 32(1)(b) GDPR)

  1. Encryption in transit: all communication between the Service and Data Subjects is over TLS 1.3 (or higher); communication between internal services within the production network is also encrypted.
  2. Encryption at rest: the production database, object storage (Cloudflare R2), and backup storage are encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
  3. Authentication: dual authentication system: a legacy JWT-based API auth and a Dashboard Auth system based on session tokens with rotation. Refresh tokens are stored hashed.

E. Procedure for regular testing, assessment, and evaluation

  1. Vulnerability scanning of production dependencies via automated tooling on every release (including npm audit for Node.js dependencies and gosec for Go services).
  2. Penetration testing: external penetration testing is commissioned at the launch of each phase that touches authentication, billing, or PII (at minimum: Phase 5 Scan-to-Pay; Phase 11 Public API; Phase 14 OAuth/Marketplace).
  3. Incident response runbooks: maintained and reviewed quarterly. Severity ladder, communication templates, and post-mortem templates are documented.

F. Personnel and contractor measures

  1. All persons authorised to process Personal Data are bound by written confidentiality obligations.
  2. Personnel are provided with security awareness guidance appropriate to their role.
  3. The Processor’s contractors are subject to written agreements that include confidentiality and data-protection clauses.

G. Incident response

  1. The Processor maintains a documented incident response process, including a severity ladder (SEV-1 through SEV-4), communication templates for Controllers and Data Subjects, and post-mortem requirements.
  2. Personal Data Breaches are notified to the affected Controller within seventy-two (72) hours of awareness, in accordance with Section 4.7 of this DPA.

H. Data minimisation and retention

The Processor applies the following retention periods to Personal Data, unless otherwise required by applicable law:

| Category | Retention period |
|---|---|
| Queue entries (waiting / called / served / completed) | 90 days |
| Customer sessions (anonymous device identifiers) | 7 days after last activity |
| Application logs (request logs, error logs) | 30 days |
| Aggregated analytics (privacy-preserving, no PII) | 365 days |
| Receipts (per legal requirement) | 7 years from issue |
| Backups | 7 days (point-in-time) and 90 days (daily snapshots) |
| Push notification subscriptions | until revoked, or 90 days after last use |

Personal Data outside these retention periods is deleted or anonymised in accordance with documented procedures.

I. Sub-processor management

A list of current Sub-processors and their respective security postures is set out in Annex 3. The Processor performs an annual review of each Sub-processor’s data-protection commitments.

Annex 3 — List of Sub-processors

The Processor engages the following Sub-processors as of the effective date of this DPA. The Controller is hereby notified that this list may be updated in accordance with Section 6.

| Sub-processor | Service provided | Location of processing | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Hosting (compute, primary database, Redis, application backend, WebSocket gateway) | Germany / Finland | EU/EEA — no transfer mechanism required for EU Data Subjects; SCCs (where Indian Controllers’ data is stored on EU servers) |
| Cloudflare, Inc. | CDN, DNS, R2 object storage (rate-card images, receipt PDFs), Cloudflare Pages (PWA hosting), Workers (edge compute) | Global edge points of presence; primary storage in EU and US regions, configurable | SCCs for transfers from EEA/UK; data-residency settings configurable per Controller |
| Razorpay Software Pvt Ltd | Payment processing (subscription billing, day-pass top-ups) for Controllers in India | India | N/A for Indian Controllers |
| Polar Software, Inc. (Delaware corporation; 3500 South DuPont Highway, Dover, DE 19901, USA; [email protected]) | Payment processing (subscription billing, day-pass top-ups) for Controllers outside India | United States | SCCs for international transfers |
| Resend (Resend Inc.) | Transactional email (account notifications, receipts emailed to customers, beta-cohort communications) | United States | SCCs |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring (limited PII; may incidentally include IP addresses and user identifiers in error contexts) | United States | SCCs |

Self-hosted software (not separate Sub-processors)

The Processor self-hosts the following software on Sub-processor infrastructure listed above; these are not Sub-processors in their own right because no Personal Data is transferred to a third-party operator:

  • Umami (open-source web analytics) — self-hosted by the Processor on Hetzner Online GmbH infrastructure in Germany. Used on the Processor’s marketing site (loudcurtain.com) and merchant dashboard (dashboard.loudcurtain.com). NOT used on the customer-facing PWA (q.loudcurtain.com). No data is shared with the Umami project or any third party. Configuration: DISABLE_TELEMETRY=1, IP hashing via rotating salt enabled, no cookies, no cross-site tracking.

Services NOT in use

For Controllers asking about specific vendors, the following are NOT in use:

  • Twilio — not in use; SMS notifications were considered and removed from the Service.
  • Plausible Analytics — not in use; replaced by self-hosted Umami running on the Processor’s infrastructure.
  • PostHog (hosted) / Mixpanel / Amplitude / Segment — not in use.
  • Google Analytics — not in use on the Service. The Processor reserves the right to use Google Analytics on its public marketing pages only; if so, this DPA will be amended to add Google Ireland Limited as a Sub-processor in accordance with Section 6.

Browser vendors (Apple, Google, Mozilla, Microsoft) deliver web push notifications to Data Subjects’ devices on behalf of the Data Subject’s browser. The Processor uses the standard W3C Web Push protocol (RFC 8030) and does not engage these vendors as Sub-processors of the Controller’s Personal Data — they are Sub-processors of the Data Subject’s chosen browser.

Drafter resolutions and remaining open items

Resolved on finalisation (4 May 2026)

| # | Item | Resolution |
|---|---|---|
| R1 | Company legal name and registered address | LOUDCURTAINS PRIVATE LIMITED, Level 18, One Horizon Center, Golf Course Rd, Gurugram, Haryana 122009, India |
| R2 | Sub-processor change notice mechanism | Both website page (loudcurtain.com/legal/sub-processors) AND email — see Section 6.3 |
| R3 | Governing law for SCCs (Section 7.2) | Federal Republic of Germany (selected to align with Hetzner data residency) |
| R4 | Privacy Policy linkage | Privacy Policy at /privacy updated 2026-05-04 to disclose the analytics processing described in Annex 1 §C(9) |
| R5 | Optional clauses in the SCCs | Module Two; Clause 7 (Docking) included; Clause 11 redress optional language omitted; Clause 9 Option 2 (general authorisation) selected |
| R6 | Polar Software, Inc. registered office | 3500 South DuPont Highway, Dover, DE 19901, USA (Delaware corporation; legal contact: [email protected]; sourced from polar.sh/legal/privacy 2026-05-04) |

Remaining open items (for lawyer review before counter-signature)

  1. Lawyer review of the DPA in its entirety for GDPR Article 28 compliance, EU SCC integration, UK Addendum, and India DPDP Act 2023 alignment. Mandatory before execution.
  2. Audit-cost reimbursement (Section 9.2). Section 9.2 currently allocates audit costs to the Controller. A lawyer may advise on whether to allow Controller reimbursement when audits reveal material non-compliance, and if so, what annual cap to apply (typical SaaS range: €5,000–€25,000 per audit). Loudcurtain’s default position is to keep audits at the Controller’s expense at this stage; the cap question is forward-compatible and can be addressed when an enterprise customer first requests it.
  3. DPDP Act addendum. The DPDP Act 2023 of India is referenced generally. Once the DPDP Rules are finalised by the Government of India (in draft as of mid-2026), this DPA may require a thin addendum specifically addressing Indian-Data-Principal rights, consent mechanisms, and any cross-border-transfer rules issued by the Central Government.

Contact

For questions or to request a counter-signed copy of this DPA, contact us:

LOUDCURTAINS PRIVATE LIMITED

Level 18, One Horizon Center

Golf Course Rd, Gurugram, Haryana 122009, India

Legal: [email protected]

Privacy: [email protected]

DPA v1.0, effective 4 May 2026. Drafted by Loudcurtain (legal-framer + tech-writer agents) on 3 May 2026; finalised 4 May 2026. Pending qualified legal review before execution with any merchant.