Last updated June 28, 2026

Data Processing Agreement

1. Overview

This Data Processing Agreement (DPA) defines the relationship between you (the Controller) and Nexline Global Pvt. Ltd. (the Processor) when processing personal data.

Effective as of: June 28, 2026

Parties:

  • Data Controller: You (the user/organization)
  • Data Processor: Nexline Global Pvt. Ltd., 484 Near HP Petrol Pump, Kishanganj, District Baran, Rajasthan, India — PIN 325216

2. Scope & Applicability

This DPA applies when you use Lokly to process personal data of customers, employees, or other data subjects. It is mandatory for customers subject to:

  • GDPR (EU/UK): General Data Protection Regulation
  • DPDPA 2023 (India): Digital Personal Data Protection Act
  • CCPA/CPRA (California): California Privacy Laws
  • Other data protection laws requiring processor agreements

By using Lokly to process personal data, you agree to this DPA.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation on personal data (collection, storage, analysis, sharing, deletion)
  • Data Subject: The individual to whom personal data relates
  • Sub-processor: A third party engaged by the Processor to process personal data
  • Data Breach: Unauthorized access to or disclosure of personal data

4. Processing Instructions

The Processor processes personal data only on documented instructions from the Controller, including:

  • Purpose of processing (review management, analytics, reporting)
  • Duration of processing (until account deletion or policy change)
  • Nature of processing (collection, storage, analysis)
  • Categories of data (names, emails, business data, review content)
  • Categories of data subjects (customers, reviewers)

Instructions are defined in the Privacy Policy and Terms of Service.

5. Security Measures

The Processor implements appropriate technical and organizational measures to protect personal data:

  • Encryption in transit (TLS 1.3+) and at rest
  • Access control (authentication, authorization, role-based permissions)
  • Password security (hashing with Argon2, history enforcement, lockout policy)
  • WebAuthn / passkey support for multi-factor authentication
  • Daily encrypted backups stored in secure, redundant systems
  • Regular security audits and penetration testing
  • Data minimization (collect only necessary data)

See our Security page for full details.

6. Sub-processors

The Processor engages sub-processors (third-party service providers) to process personal data. The Controller is informed of all sub-processors via the Sub-processors list.

The Processor:

  • Only engages sub-processors with documented processing agreements
  • Ensures sub-processors provide equivalent security and confidentiality
  • Notifies the Controller of changes to the sub-processor list
  • Provides opt-out mechanisms where legally required

7. Data Subject Rights

The Processor assists the Controller in responding to data subject requests for:

  • Access: Providing a copy of their personal data (via data export feature)
  • Correction: Updating inaccurate data
  • Deletion: Removing their personal data (right to be forgotten)
  • Portability: Transferring data to another controller (via export)
  • Objection: Opting out of marketing or profiling
  • Restriction: Limiting processing pending investigation

Requests must be submitted through your account or via privacy@lokly.in. The Processor responds within 10 business days.

8. Data Breach Notification

Upon discovering a personal data breach, the Processor notifies the Controller without undue delay, and in any case within 72 hours of discovery (where legally required).

Notification includes:

  • Description of the breach (what data, how many individuals affected)
  • Likely impact and remediation measures
  • Contact point for further information

9. International Data Transfers

Personal data may be transferred to countries outside the data subject's jurisdiction. For transfers between India and the EU, the Processor relies on:

  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
  • Adequacy Decisions: Where an equivalency determination exists
  • Explicit Consent: From the Controller or data subject where required

An SCCs annex is appended to this DPA and available upon request.

10. Term & Termination

This DPA remains in effect for the duration of the Service. Upon termination:

  • The Processor returns or deletes all personal data at the Controller's election
  • The Processor certifies deletion in writing within 30 days
  • Obligations regarding sub-processors and confidentiality survive termination

11. Audit Rights & Liability

The Controller may audit the Processor's compliance with this DPA through:

  • Annual security certifications (SOC 2 or equivalent)
  • Scheduled compliance audits (on request, with reasonable notice)
  • Review of incident logs and breach response procedures

The Processor's liability is limited to the fees paid in the prior 12 months.

12. Changes to This DPA

The Processor may modify this DPA if required by law. Material changes are communicated 30 days in advance. The Controller may terminate the Service if changes are unacceptable.

13. Execution

This DPA is executed by and between the Parties as of the Effective Date. It supplements the Terms of Service and Privacy Policy.

For Enterprise customers: A signed DPA PDF is available upon request. Email legal@lokly.in for execution.

14. Contact

Questions about this DPA?

Data Processing Agreement – Lokly