Data Protection Addendum

Last Updated: May 2026

This Data Protection Addendum is effective as of May 1, 2026. For an executable copy, please reach out to support@graditto.com.

The customer agreeing to these terms ("Customer") has entered into either a Terms of Service Agreement or SaaS Services Agreement with Kudoby Technologies Pvt. Ltd. ("Graditto") under which Graditto has agreed to provide services to Customer (as amended from time to time, the "Agreement"). This Data Protection Addendum, including its applicable Appendices (the "Addendum"), will be effective and replace any previously applicable data processing and security terms as of the Addendum Effective Date. This Addendum forms part of the Agreement. Any capitalized term used but not otherwise defined in this Addendum shall have the meaning provided to it in the Agreement.

1. Definitions

For purposes of this Addendum, the terms below shall have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this Addendum shall have the meanings set forth in the Agreement.

1.1. “Addendum Effective Date” means the date on which the parties agreed to this Addendum.

1.2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

1.3. “Audit Reports” has the meaning given in Section 5.4.4 (Audit Reports).

1.4. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA), and its implementing regulations.

1.5. “Customer Personal Data” means any personal data or personal information of data subjects contained within the data provided to or accessed by Graditto by or on behalf of Customer or Customer end users in connection with the Services.

1.6. “DPDPA” means the Indian Digital Personal Data Protection Act, 2023, as amended from time to time.

1.7. “Global Data Protection Legislation” means the European Data Protection Legislation, DPDPA, CCPA, and LGPD as applicable to the processing of Customer Personal Data under the Agreement.

1.8. “EEA” means the European Economic Area.

1.9. “EU” means the European Union.

1.10. “European Data Protection Legislation” means the GDPR and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein, Norway, and the United Kingdom, applicable to the processing of Customer Personal Data under the Agreement.

1.11. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data of EU data subjects.

1.12. “Information Security Incident” means a breach of Graditto's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Graditto's possession, custody, or control. This will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data.

1.13. “LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados).

1.14. “Standard Contractual Clauses” or “SCCs” has the meaning set forth in Appendix 3 of this Addendum.

1.15. “Security Documentation” means all documents and information made available by Graditto under Section 5.4.1 (Audits).

1.16. “Security Measures” has the meaning given in Section 5.1.1.

1.17. “Services” means the services and/or products to be provided by Graditto to Customer under the Agreement.

1.18. “Subprocessors” means third parties authorized under this Addendum to process Customer Personal Data in relation to the Services.

1.19. “Term” means the period from the Addendum Effective Date until the end of Graditto's provision of the Services.

1.20. “Transfer Solution” means the Standard Contractual Clauses or another solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR.

1.21. The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, and “supervisory authority” as used in this Addendum have the meanings given in the GDPR, DPDPA, and LGPD, as applicable. The terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses. The terms “personal information”, “Business”, and “Service Provider” have the meanings set forth in the CCPA.

2. Duration of Addendum

This Addendum will take effect on the Addendum Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, Graditto's deletion of all Customer Personal Data as described in this Addendum.

3. Processing of Data

3.1. Roles and Regulatory Compliance; Authorization

3.1.1. Processor and Controller Responsibilities. This Addendum only applies to the extent that we are processing Customer Personal Data on behalf of Customer. If the European Data Protection Legislation, DPDPA, LGPD, or CCPA apply to the processing of Customer Personal Data, the parties acknowledge and agree that:
(a) the subject matter and details of the processing are described in Appendix 1;
(b) Graditto is a processor of that Customer Personal Data under the European Data Protection Legislation or LGPD, a data fiduciary/processor under the DPDPA, and/or a Service Provider with respect to that Customer Personal Data under the CCPA, as applicable;
(c) Customer is either a controller or processor of that Customer Personal Data under European Data Protection Legislation or LGPD, a significant data fiduciary under the DPDPA, and/or a Business with respect to that Customer Personal Data under the CCPA, as applicable; and
(d) each party will comply with the obligations applicable to it under the applicable Global Data Protection Legislation with respect to the processing of that Customer Personal Data.

3.1.2. Authorization by Third Party Controller. If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to Graditto that Customer's instructions and actions with respect to that Customer Personal Data, including its appointment of Graditto as another processor and its consent to Graditto's onward transfers of Customer Personal Data to its Subprocessors, have been authorized by the relevant controller.

3.2. Scope of Processing

3.2.1. Customer's Instructions. By entering into this Addendum, Customer instructs Graditto to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as authorized by the Agreement, including this Addendum and its Appendices; and (c) as further documented in any other written instructions given by Customer and acknowledged in writing by Graditto.

3.2.2. Graditto's Compliance with Instructions. Graditto will only process Customer Personal Data in compliance with Global Data Protection Legislation and in accordance with Customer's instructions described in Section 3.2.1 unless the applicable Global Data Protection Legislation to which Graditto is subject requires other processing of Customer Personal Data by Graditto.

3.2.3. Purpose Limitation. Graditto will not (i) sell or share (as such terms are defined in the CCPA) Customer Personal Data, (ii) process Customer Personal Data outside of the direct business relationship between Graditto and Customer, (iii) process Customer Personal Data for any purpose other than for the specific purposes set forth in the Agreement, or (iv) otherwise engage in any processing of the Customer Personal Data outside of what a processor or Service Provider may engage in under Global Data Protection Legislation, unless obligated or permitted to do otherwise by applicable law. Graditto shall comply with any applicable restrictions under the CCPA or DPDPA on combining Customer Personal Data with personal data that Graditto receives from, or on behalf of, another person or persons.

3.2.4. Notification of Inability to Comply; Remediation. Graditto will notify Customer after Graditto makes a determination that it can no longer meet its obligations under the applicable Global Data Protection Legislation, and Customer shall have the right, upon seven (7) business days' written notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data by Graditto.

4. Data Deletion

4.1. Deletion on Termination. Unless otherwise set forth in the Agreement, upon expiration of the Term, Customer instructs Graditto to delete all Customer Personal Data from Graditto's systems as required by and in accordance with applicable law as soon as reasonably practicable, unless applicable law prevents Graditto from deleting such data.

5. Data Security

5.1. Graditto's Security Measures, Controls, and Assistance

5.1.1. Graditto's Security Measures. Graditto will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data as described in Appendix 2. Graditto may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.

5.1.2. Security Compliance by Graditto Staff. Graditto will grant access to Customer Personal Data only to employees, contractors, and Subprocessors who need such access for the scope of their performance and are subject to appropriate confidentiality arrangements.

5.1.3. Graditto's Security Assistance. Graditto will provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Customer Personal Data under Global Data Protection Legislation by: (a) implementing and maintaining the Security Measures in accordance with Section 5.1.1; (b) complying with the terms of Section 5.2; and (c) providing Customer with the Security Documentation in accordance with Section 5.4.1.

5.2. Information Security Incidents

5.2.1. Information Security Incident Notification. If Graditto becomes aware of an Information Security Incident, Graditto will (a) notify Customer without undue delay after becoming aware of the incident, and (b) take reasonable steps to identify the cause of such incident, minimize harm, and prevent recurrence.

5.2.2. Details of Information Security Incident. Notifications will describe, to the extent reasonably practicable: (i) the nature of the incident, including affected data categories and records; (ii) contact points; (iii) the likely consequences; and (iv) the steps taken or proposed to be taken to mitigate the potential risks.

5.2.3. Notification. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations.

5.2.4. No Acknowledgement of Fault by Graditto. Graditto's notification or response under this Section 5.2 will not be construed as an acknowledgement by Graditto of any fault or liability.

5.3. Customer's Security Responsibilities and Assessment

5.3.1. Customer's Security Responsibilities. Customer is solely responsible for its use of the Services, including securing account credentials, managing the secure transmission of data, and making appropriate backups. Graditto has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Graditto's systems.

5.3.2. Customer's Security Assessment. Customer is solely responsible for reviewing the Security Documentation to determine whether the Services meet Customer's legal needs.

5.4. Reviews and Audits of Compliance

5.4.1. Audits. Customer may audit Graditto's compliance with its obligations under this Addendum up to once per year. Graditto will contribute to such audits by providing reasonable information and assistance.

5.4.2. Objections to Third Party Auditor. Graditto may object to any third-party auditor if the auditor is not suitably qualified, not independent, or a competitor of Graditto.

5.4.3. Request for Audit. To request an audit, Customer must submit a detailed proposed audit plan to Graditto at least two weeks in advance. Graditto will work cooperatively with Customer to agree on a final plan.

5.4.4. Audit Reports. If the requested audit scope is addressed in an SSAE 16/18/ISAE 3402 Type 2, AICPA SOC 2, ISO, NIST, or similar audit report within twelve (12) months of Customer's audit request, Customer agrees to accept those findings in lieu of requesting a new audit.

6. Impact Assessments and Consultations

Graditto will reasonably assist Customer in complying with its obligations in respect of data protection impact assessments and prior consultation by making available Audit Reports and other security documentation.

7. Data Subject Rights

7.1. Customer's Responsibility for Requests. If Graditto receives any request from a data subject in relation to Customer Personal Data, Graditto will advise the data subject to submit the request directly to Customer. Customer is responsible for responding to the request.

7.2. Graditto's Data Subject Request Assistance. Graditto will provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under the applicable Global Data Protection Legislation.

8. Data Transfers

8.1. Data Storage and Processing Facilities. Graditto may store and process Customer Personal Data anywhere Graditto or its Subprocessors maintain facilities.

8.2. Transfers of Data Out of the EEA, the UK, or India. If the storage and/or processing of Customer Personal Data involves transfers of personal data out of the EEA, the United Kingdom, Switzerland, or India, the terms set forth in Appendix 3 will apply.

9. Subprocessors

9.1. Consent to Subprocessor Engagement. Customer generally authorizes the engagement of third parties as Subprocessors and authorizes the onward transfer of Customer Personal Data.

9.2. Information about Subprocessors. Information about Subprocessors is available at graditto.com/terms/subprocessors.

9.3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Graditto will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in the Agreement.

9.4. Opportunity to Object to Subprocessor Changes. When any new Subprocessor is engaged during the Term, Graditto will provide notice via email at least 30 days prior. Customer may object within ten (10) business days. If unable to reach a mutually acceptable resolution, Customer may terminate the Agreement by providing written notice.

10. Processing Records

Graditto is required under the GDPR to collect and maintain records of certain processing information. Customer will, where requested, provide such information to Graditto.

11. Liability

The total combined liability of either party and its Affiliates under or in connection with the Agreement, this Addendum, and the Standard Contractual Clauses combined will be limited to limitations on liability agreed to in the Agreement.

12. Analytics

Customer acknowledges and agrees that Graditto may create and derive from processing related to the Services anonymized and/or aggregated data that does not identify Customer or any natural person, and use or share such data to improve its products and services.

13. Notices

Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Graditto to Customer may be given via standard electronic mail or through the Service's normal notification channels.

14. Effect of These Terms

Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.

Appendix 1: Subject Matter and Details of the Data Processing

• Data Importer: The Data Importer (or Service Provider/Processor) is Graditto (Kudoby Technologies Pvt. Ltd.), a provider of productivity and ERP solutions.
• Data Exporter: The Data Exporter (or Business/Controller) is the Customer that is a party to the Addendum.
• Subject Matter: Graditto's provision of the Services to Customer as set forth in the Agreement and the Addendum.
• Duration of the Processing: The Term plus the period from the expiry of the Term until deletion of all Customer Personal Data by Graditto in accordance with the Addendum.
• Nature and Purpose of the Processing: Graditto will receive, process, and store Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement.
• Categories of Personal Data: First and last name, title, position, employer, contact information, ID data, connection data, localization data, and other electronic data submitted, stored, sent, or received by an end user.
• Sensitive Data: Graditto does not request or require any sensitive or special categories of personal data for provision of the Services.
• Data Subjects: Employees, agents, advisors, students, parents, and end users authorized by Customer to use the Services.
• Subprocessors: Customer hereby consents to subprocessing by the entities set out at graditto.com/terms/subprocessors.

Appendix 2: Technical and Organizational Security Measures

Graditto implements and maintains the technical and organizational Security Measures set out at graditto.com/terms/security-policy.

| Technical & Organizational Security Measure | Evidence in Security Policy |
| --- | --- |
| Pseudonymization and encryption of personal data | See Section 5.4 (Data Encryption) |
| Confidentiality, integrity, availability and resilience | See Section 7.1 (Availability and Resiliency) |
| Restore availability and access in a timely manner | See Section 7.2 (Disaster Recovery) |
| Regular testing and evaluating effectiveness | See Section 6.1 (Vulnerability Detection & Response) |
| User identification and authorization | See Section 3 (Identity and Access Management) |
| Protection of data during transmission | See Section 5.4 (Data Encryption) |
| Protection of data during storage | See Section 4.2 (Configuration Management) |
| Ensuring physical security of locations | See Section 2.4 (Physical Office Environment) |
| Ensuring events logging | See Section 4.2 (Configuration Management) |
| Internal IT security governance and management | See Section 1.3 (Risk Management Framework) |

Appendix 3: Cross Border Data Transfer Solutions

1. Definitions

1.1. “Standard Contractual Clauses” means either the UK International Data Transfer Addendum or the EU 2021 Standard Contractual Clauses ("EU SCCs").

1.2. “UK International Data Transfer Addendum” means the UK Addendum to the EU SCCs.

1.3. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. Cross Border Data Transfer Solutions

2.1. Order of Precedence. In the event the Services are covered by more than one Transfer Solution, the transfer of personal data will be subject to a single Transfer Solution in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses; and, if not applicable, then (b) other data Transfer Solutions permitted under applicable Global Data Protection Legislation.

2.2. 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area, either directly or via onward transfer, to any country or recipient outside the EEA.

2.2.3. Annex I Parties

• Data Exporter: Customer.
• Data Exporter Role: Either a controller or processor.
• Data Importer: Kudoby Technologies Pvt. Ltd. (Graditto).
• Address: C208, Sec-6, Lane No. 7, HMH JN., RAJ., IN 335512.
• Contact details: Graditto Data Security Team – data@graditto.com
• Data Importer Role: Processor.

2.3. Conflict. To the extent there is any direct conflict between the Standard Contractual Clauses and any other terms in this Addendum, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.
