This Data Processing Addendum ("DPA") forms part of the agreement between Brainhive Labs Private Limited ("Calibr") and the Customer, and is incorporated by reference into Calibr's Terms of Service and any Master Service Agreement("MSA") executed between the parties. By accepting the Terms of Service or executing an MSA, the Customer agrees to the terms of this DPA.
This DPA applies where Calibr processes personal data on behalf of the Customer in the course of providing the Services.
| Term | Meaning |
|---|---|
| Personal Data | Any data relating to an identified or identifiable individual processed by Calibr on behalf of the Customer through the Services, including Learner Data. |
| Processing | Any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, or any combination thereof. |
| Data Fiduciary / Controller | The Customer, who determines the purposes and means of Processing Personal Data. |
| Data Processor | Calibr, which processes Personal Data on behalf of and under the instructions of the Customer. |
| Data Principal / Data Subject | The individual to whom the Personal Data relates — primarily the Customer's employees and learners using the Services. |
| Sub-Processor | Any third party engaged by Calibr to process Personal Data in connection with the Services. |
| Security Incident | Any confirmed unauthorised access to, disclosure of, loss of, or destruction of Personal Data processed under this DPA. |
| Applicable Data Protection Law | The Digital Personal Data Protection Act, 2023 and its Rules, as applicable; and, where the Customer is subject to it, the EU General Data Protection Regulation (EU GDPR) or UK GDPR. |
- The Customer is the Data Fiduciary / Controller. The Customer determines the purposes for which, and the means by which, Personal Data is processed through the Services.
- Calibr is the Data Processor. Calibr processes Personal Data only to provide the Services to the Customer, and only in accordance with the Customer's documented instructions.
Each party is responsible for its own compliance with Applicable Data Protection Law in its respective role.
| Item | Detail |
|---|---|
| Subject matter | The provision of the Calibr platform and associated Services |
| Duration | The Subscription Term and the post-termination data retention period set out in Section 8 |
| Nature of processing | Hosting, storage, access management, delivery of learning content, analytics, and AI-assisted content generation Services |
| Purpose | Enabling the Customer to deliver corporate learning and training to its employees and learners |
| Categories of Personal Data | Name, email address, job title, department, learning progress, assessment results, engagement data, and any other data the Customer uploads to the platform |
| Categories of Data Principals | The Customer's employees, contractors, and other individuals enrolled as learners on the platform |
Calibr will process Personal Data solely on the documented instructions of the Customer, including as set out in the Terms of Service, MSA, and this DPA. Calibr will not process Personal Data for any purpose other than providing the Services, unless required to do so by applicable law. Where applicable law requires processing beyond the Customer's instructions, Calibr will inform the Customer as soon as practicable unless prohibited by law.
Calibr will ensure that personnel authorised to process Personal Data are subject to appropriate confidentiality obligations and receive training on data protection requirements relevant to their role.
Calibr will implement and maintain appropriate technical and organisational security measures to protect Personal Data against unauthorised access, accidental loss, destruction, or alteration. These measures include, at minimum:
- Encryption of Personal Data in transit and at rest;
- Role-based access controls limiting access to Personal Data to personnel who require it to provide the Services;
- Regular security assessments and vulnerability monitoring;
- Incident detection and response procedures.
Calibr's security programme is subject to ongoing review as part of its information security management system. Details of specific security measures are available to enterprise Customers upon written request to support@calibr.ai.
Authorisation. The Customer authorises Calibr to engage Sub-Processors to assist in providing the Services. Calibr will ensure that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
Current Sub-Processor List. A current list of Sub-Processors is available to Customers upon written request to privacy@calibr.ai. Calibr will update this list as Sub-Processors are added or removed.
Calibr will notify the Customer without undue delay upon becoming aware of a confirmed Security Incident affecting Personal Data processed under this DPA. Notification will be made to the Customer's registered account email address and will include, to the extent known at the time of notification:
- A description of the nature of the Security Incident;
- The categories and approximate volume of Personal Data and Data Principals affected;
- The likely consequences of the Security Incident;
- The measures taken or proposed to address the Security Incident.
Calibr will provide further information as it becomes available. Calibr's notification under this Section does not constitute an admission of fault or liability.
The Customer warrants and agrees that:
(a) it has a lawful basis under Applicable Data Protection Law for collecting and transferring Personal Data to Calibr for processing under this DPA;
(b) it has provided all required notices to, and obtained all required consents from, Data Principals in connection with the processing activities described in this DPA;
(c) its instructions to Calibr regarding the processing of Personal Data comply with Applicable Data Protection Law;
(d) it is responsible for the accuracy, quality, and legality of the Personal Data it submits to the Services;
(e) it will promptly notify Calibr if it becomes aware of any actual or potential breach of Applicable Data Protection Law in connection with the processing activities under this DPA.
Upon expiry or termination of the Customer's Subscription, Calibr will:
(a) make Customer Data available for export for a period of thirty (30) days following termination (the "Data Access Period"), via the account dashboard or upon written request to support@calibr.ai; and
(b) following the Data Access Period, permanently delete or anonymise all Personal Data processed under this DPA, unless retention is required by applicable law.
Upon the Customer's written request, Calibr will provide written confirmation that deletion has been completed.
Personal Data processed by Calibr under this DPA is stored and processed in India and may be transferred to Sub-Processors located in other jurisdictions in connection with the delivery of the Services.
DPDP Act. Cross-border transfers of Personal Data are subject to the Digital Personal Data Protection Act, 2023 and any restrictions notified by the Government of India under that Act. Calibr will not transfer Personal Data to a jurisdiction notified as a restricted destination.
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service or, where applicable, the MSA. This DPA does not create any additional or separate liability cap beyond what is agreed in those instruments.
In the event of a conflict between this DPA and the Terms of Service or MSA on matters relating to the processing of Personal Data, this DPA will take precedence.
Calibr may update this DPA from time to time to reflect changes in Applicable Data Protection Law, regulatory guidance, or Calibr's data processing practices. For material changes, Calibr will give the Customer no less than thirty (30) days' prior written notice via email to the registered account address. Continued use of the Services after the effective date of a material change constitutes acceptance of the updated DPA.
For questions about this DPA, data protection matters, or to request the Sub-Processor list please contact: