Data Processing Addendum (DPA) — MultiLipi

Effective date: 10 Septermber 2025

This DPA forms part of the agreement between MultiLipi Technologies Private Limited ("MultiLipi") and the entity identified in the Order/Subscription ("Customer"). It governs MultiLipi's processing of Personal Data on behalf of Customer under applicable Data Protection Laws, including the GDPR and UK GDPR. See also our Privacy Policy and current Subprocessors.

1) Definitions

Capitalized terms not defined here have the meaning in the Agreement. "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR (EU) 2016/679 and UK GDPR, and any local implementing laws. "Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings in the GDPR.

"Sensitive Data" means information requiring extra protection or subject to special rules (for example: special‑category data under GDPR Article 9 such as health/biometric/genetic data; personal data of children under 16; government‑issued identifiers; financial account or payment data; precise geolocation; or credentials/passwords/API keys/secrets). The Services are not designed to process Sensitive Data.

2) Scope and Roles

  1. Customer is a Controller, and MultiLipi is a Processor in relation to the Personal Data described in Annex I.
  2. Where Customer acts as a Processor for a third‑party Controller, MultiLipi acts as Customer's Subprocessor. Customer warrants it has the Controller's authorization to appoint MultiLipi.
  3. MultiLipi will Process Personal Data solely: (a) to provide the Services; (b) as documented by Customer in the Agreement and this DPA; and (c) as required by law.

3) Customer Instructions

  1. Customer instructs MultiLipi to Process Personal Data to provide and improve the Services (in privacy‑preserving ways), including translation, routing by language, glossary/TM, media translation, analytics, and SEO features enabled by Customer.
  2. Customer will not submit or cause the Services to Process Sensitive Data. If Customer nevertheless submits Sensitive Data, Customer is solely responsible for obtaining all necessary consents and safeguards; MultiLipi has no obligation to monitor for Sensitive Data.
  3. MultiLipi will notify Customer if it cannot follow instructions due to a legal requirement, unless prohibited.
  4. MultiLipi will not sell Personal Data, nor use it to build or train generalized AI models without Customer's explicit opt‑in.

4) Confidentiality

MultiLipi ensures persons authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.

5) Security Measures

MultiLipi implements and maintains appropriate technical and organizational measures ("TOMs") to protect Personal Data as described in Annex II, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of Processing, as well as the risks for the rights and freedoms of natural persons.

6) Subprocessors

  1. Customer provides a general authorization for MultiLipi to engage Subprocessors to provide the Services. Current Subprocessors are listed at /legal/subprocessors.
  2. MultiLipi will impose data protection obligations on Subprocessors equivalent to this DPA and remains responsible for their performance.
  3. If Unsatisfied with the Subprocessors, Customer must contact MultiLipi and provide an opportunity to object on reasonable grounds related to data protection. If unresolved in good faith, Customer may suspend or terminate the affected Services (pro‑rata refund of prepaid fees).

7) Assistance, DPIAs & Prior Consultations

Taking into account the nature of Processing and information available to MultiLipi, we will assist Customer in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notifications, DPIAs and prior consultations), including by providing relevant documentation about our TOMs and subprocessors.

8) Personal Data Breach Notification

  1. MultiLipi will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include information reasonably available to MultiLipi at the time, including: nature of the breach, categories and approximate number of Data Subjects and records, likely consequences, and measures taken or proposed to address the breach.
  2. MultiLipi will promptly take steps to mitigate adverse effects and cooperate with Customer's reasonable requests to meet any breach notification obligations.

9) Data Subject Requests

To the extent legally permitted, MultiLipi will promptly notify Customer if we receive a request from a Data Subject exercising rights under Data Protection Laws relating to Customer Data. MultiLipi will not respond except on Customer's documented instructions and will provide reasonable assistance for Customer to respond to such requests.

10) Return & Deletion of Data

  1. On Customer's documented request, MultiLipi will delete or return all Personal Data (and delete existing copies) within a commercially reasonable period, unless retention is required by law.
  2. Backups are overwritten on scheduled cycles; deletion from backups will occur in the ordinary course.

11) International Data Transfers (SCCs/UK Addendum)

  1. EEA Transfers. Where Processing involves a transfer of Personal Data subject to GDPR to a third country without an adequacy decision, the parties agree that the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 (the "SCCs") are incorporated by reference and form part of this DPA as set out below:
    • Module 2 (Controller to Processor) and/or Module 3 (Processor to Subprocessor), as applicable.
    • Clause 7 (Docking Clause): applies.
    • Clause 11 (Redress): does not apply.
    • Clause 17 (Governing law): laws of Ireland.
    • Clause 18 (Forum and jurisdiction): courts of Ireland.
    • Annex I–III to the SCCs are completed by the information in Annex I, Annex II, and Annex III of this DPA.
  2. UK Transfers. For transfers subject to UK GDPR, the parties agree to the ICO's International Data Transfer Addendum (IDTA) Addendum B to the EU SCCs, incorporated by reference. In case of conflict, the UK Addendum prevails for UK Transfers.
  3. Swiss Transfers. For transfers subject to the Swiss FADP, references to the GDPR in the SCCs shall be read as references to the FADP; references to EU Member States become Switzerland; and the competent authority is the FDPIC.

13) Liability & Indemnity

Liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent prohibited by applicable law. Each party shall be liable for its own acts and omissions under Data Protection Laws.

14) Miscellaneous

  1. In case of conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict regarding data protection.
  2. If any provision of this DPA is held invalid, the remainder remains in effect.
  3. MultiLipi may update this DPA to reflect changes in law or our Services.

Annex I — Description of Processing

A. Parties

Data ExporterCustomer (Controller) — details as per Order/Subscription.
Data ImporterMultiLipi Technologies Private Limited (Processor). Contact: privacy@multilipi.com

B. Details of Processing

Subject matterProvision of the MultiLipi multilingual SEO and translation Services.
DurationDuring the term of the Agreement and as otherwise required for deletion/return and backups.
Nature and purposeProcessing to deliver features selected by Customer (translation, language routing, glossary/TM, media translation, analytics, SEO), support, billing, and security. Translation workflow: to provide translations, the textual content of Customer’s webpages is transmitted to MultiLipi’s servers and to our third‑party translation provider (e.g., Azure Translation Services) acting as our Subprocessor. For performance optimization and caching, MultiLipi may store the original text and its corresponding translation.
Categories of Data SubjectsCustomer personnel (admins, users), Customer's end users/visitors, and any individuals whose data appears in content provided by Customer.
Categories of Personal DataContact data (name, email), account identifiers, usage logs (IP, user-agent, timestamps), content provided for translation/localization (may incidentally contain personal data), preferences (e.g., language), billing identifiers (handled via payment processor).
Sensitive data (if any)Not required for the Services. Customer must not submit Sensitive Data; the Services are not designed to process it.
FrequencyContinuous, as initiated by Customer's use of the Services.
RetentionAs specified in the Privacy Policy and Agreement; retained no longer than necessary for the purposes, then deleted or anonymized.
TransfersAs described in Section 12 of this DPA.

C. Competent Supervisory Authority

For the SCCs, the competent authority is determined in accordance with Clause 13 of the SCCs (e.g., the authority of the Member State of Customer's main EU establishment or Data Subjects).

Annex II — Technical & Organizational Measures (TOMs)

  1. Information Security Program. Written policies covering access control, data handling, incident response, change management, vendor risk, and secure development.
  2. Access Control. Role-based access, least privilege, strong authentication, MFA for admins, session management, regular access reviews, immediate revocation on role change/termination.
  3. Encryption. TLS for data in transit; encryption of stored secrets and keys; key rotation and limited access to key material.
  4. Network & Application Security. Segmented networks; firewall/WAF; DDoS protections (via CDN/edge where applicable); hardening baselines; secure SDLC including code review and dependency scanning.
  5. Logging & Monitoring. Centralized logging of security-relevant events; alerting on anomalies; time synchronization; tamper-resistant log storage.
  6. Vulnerability & Patch Management. Regular vulnerability scanning; timely remediation; third‑party testing as appropriate.
  7. Business Continuity & Disaster Recovery. Redundant infrastructure for critical components; tested backups; documented RTO/RPO targets.
  8. Data Segregation. Logical separation of customer environments and data.
  9. Personnel Security & Training. Background checks as permitted by law; onboarding/annual security and privacy training; confidentiality undertakings.
  10. Incident Response. Documented plan with defined roles, triage, containment, eradication, recovery, lessons learned, and customer notification workflows.
  11. Vendor & Subprocessor Management. Risk-based assessment, contractual security/privacy obligations, continuous monitoring.
  12. Physical Security. Data centers operated by vetted providers with industry-standard controls (badging, CCTV, visitor logs).
  13. Data Minimization. Collect only what is necessary; retention limits; anonymization/pseudonymization where suitable.
  14. Customer Controls. Admin tools for access management; audit trails in the dashboard (where available); API key management; MFA support.

Annex III — Subprocessors

The current list of approved Subprocessors is maintained at https://multilipi.com/legal/subprocessors. For each Subprocessor, MultiLipi will disclose: name, purpose, location(s) of processing, and transfer mechanism (e.g., SCCs).

Signatures

Customer MultiLipi Technologies Private Limited
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ______________________ 		Name: Kunal Singh Shekhawat
Title: Co-Founder @MultiLipi
Date: 10/09/2025
Signature: Kunal Singh Shekhawat signature

By signing, the parties agree that the EU SCCs (Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum, are incorporated by reference and completed as set out in this DPA.