Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ("Zero Assist", "Data Processor") and the organisation registering for or using the Service ("Customer", "Data Fiduciary"). It governs the processing of personal data of interview candidates by Zero Assist on behalf of the Customer, in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and GDPR.
- "Personal Data" — any data relating to an identifiable natural person (candidate), as defined under DPDPA 2023 and GDPR.
- "Processing" — any operation performed on Personal Data, including collection, transmission, storage, analysis, and deletion.
- "Data Fiduciary / Controller" — the Customer, who determines the purpose and means of processing candidate Personal Data.
- "Data Processor" — Zero Assist, who processes Personal Data on the Data Fiduciary's behalf.
Zero Assist processes Personal Data solely for the following purposes:
Zero Assist does not process screen recordings, video, audio, or document contents on behalf of the Customer.
The Customer, as Data Fiduciary, represents and warrants that:
- It has a lawful basis to deploy monitoring sessions under DPDPA 2023 or GDPR.
- It will not instruct candidates to bypass or dismiss the agent's built-in notice screen.
- It will inform candidates of the monitoring prior to the session.
- It will not deploy monitoring sessions for any candidate under 18 years of age, in line with the heightened protections for children's data under DPDPA 2023 §9.
- It will comply with all candidate rights requests (information, correction, erasure) within the statutory 30-day period.
Zero Assist, as Data Processor, agrees to:
- Process Personal Data only on documented instructions from the Customer.
- Ensure that all personnel with access to Personal Data are bound by confidentiality.
- Implement appropriate security measures, including TLS 1.2+ in transit and AES-256 at rest.
- Delete or anonymise candidate session data within 90 days of the session date.
- Notify the Customer of a confirmed Personal Data breach within 72 hours of discovery.
- In transit: TLS 1.2 or higher for all data transmission.
- At rest: AES-256 encryption on all database storage.
- Access control: Role-based access; database credentials restricted.
The Customer authorises Zero Assist to engage the sub-processors listed at zeroassist.in/subprocessors to process candidate Personal Data. Zero Assist:
- Imposes data-protection obligations on each sub-processor no less protective than those in this DPA.
- Remains liable to the Customer for the performance of each sub-processor's obligations.
- Stores and processes all primary candidate-session and account data within India (OCI, Mumbai). US-based sub-processors handle only website telemetry, transactional email, payment routing, or scheduling — never primary candidate forensic data.
- Will update the sub-processor list and, on request, notify subscribed Customers before adding or replacing a sub-processor that processes candidate Personal Data, giving the Customer a reasonable opportunity to object on legitimate data-protection grounds.
To verify compliance with this DPA, the Customer may, on reasonable prior notice and no more than once per year (or following a confirmed breach), request documentation of Zero Assist's security and data-protection controls. Zero Assist will respond with its security overview, sub-processor register, policy summaries, and — when available — SOC 2 reports, which the parties agree satisfy audit obligations in lieu of on-site inspection except where an on-site audit is required by law or a supervisory authority.
Upon termination of the Terms of Service for any reason:
- Zero Assist will cease processing Personal Data within 30 days.
- All candidate session data will be permanently deleted within 90 days of termination.
This DPA is governed by the laws of India, including the Digital Personal Data Protection Act, 2023. Disputes shall be subject to the exclusive jurisdiction of the courts of Pune, Maharashtra.