Data Processing Agreement

Standard DPA · Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Service Agreement between Graviti Platforms (Pvt) Ltd., trading as Graviti Studio ("Processor"), and the client ("Controller"). It applies whenever Graviti Platforms (Pvt) Ltd. processes personal data on behalf of a client as part of delivering agreed services.

This DPA is incorporated by reference into the Service Agreement and takes effect on the date services commence. In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to data protection matters.

1. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the Personal Data Protection Act No. 9 of 2022 of Sri Lanka and other applicable law.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • "Controller" means the client, who determines the purposes and means of processing personal data.
  • "Processor" means Graviti Platforms (Pvt) Ltd. (trading as Graviti Studio), who processes personal data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
  • "Data Subject" means the individual whose personal data is being processed.
  • "Applicable Law" means the Personal Data Protection Act No. 9 of 2022 of Sri Lanka ("PDPA"), and any other applicable data protection legislation including, where relevant, the EU GDPR or UK GDPR for data subjects located in those jurisdictions.

2. Scope and Nature of Processing

The Processor will process personal data only as necessary to deliver the services agreed in the Statement of Work. The nature, purpose, categories of personal data, and categories of data subjects will be documented in the relevant SOW or in a separate Schedule to this DPA.

Common examples of processing under this DPA include:

  • Managing email marketing campaigns using the Controller's subscriber lists
  • Accessing advertising platform accounts containing audience data
  • Handling CRM data to execute automation or integration projects
  • Uploading or organising client customer data for content or analytics purposes

3. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller, unless required to do so by Applicable Law
  • Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure, including encryption in transit and at rest, access controls, and regular security reviews
  • Notify the Controller without undue delay, and no later than 72 hours after becoming aware, of any personal data breach involving the Controller's data
  • Assist the Controller in responding to data subject rights requests (access, erasure, rectification, portability) within the timescales required by Applicable Law
  • Assist the Controller in meeting its obligations under the PDPA and, where applicable, equivalent provisions of the EU/UK GDPR (security, breach notification, impact assessments, prior consultation)
  • At the Controller's choice, delete or return all personal data to the Controller upon termination of services, and delete existing copies unless retention is required by law
  • Make available all information necessary to demonstrate compliance with this DPA and permit audits conducted by the Controller or an authorised third party, subject to reasonable prior notice and confidentiality obligations

4. Controller Obligations

The Controller warrants and agrees that:

  • It has a valid legal basis under Applicable Law for processing all personal data provided to the Processor
  • It has provided adequate notice to data subjects regarding the processing activities described in this DPA
  • Any instructions given to the Processor comply with Applicable Law
  • It will promptly inform the Processor of any changes to applicable data protection requirements that affect the processing described herein

5. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors to assist in delivering the services. The Processor's current sub-processors include:

  • Supabase, Inc., database infrastructure
  • Vercel, Inc., hosting and deployment infrastructure
  • Sanity AS, content management infrastructure
  • Google LLC, website analytics (Google Analytics)

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller reasonable opportunity to object. All sub-processors are required to comply with data protection obligations equivalent to those set out in this DPA.

6. International Transfers

The Processor will not transfer personal data across international borders without ensuring that an adequate level of protection is in place, including through:

  • An adequacy decision by the relevant authority
  • Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under applicable law
  • Other appropriate safeguards as permitted by Applicable Law

7. Data Subject Rights

Where the Processor receives a request directly from a data subject relating to the Controller's data, the Processor will promptly forward the request to the Controller and will not respond to the data subject directly unless instructed to do so. The Processor will provide all reasonable assistance to the Controller in fulfilling such requests within the required timeframes.

8. Security Measures

The Processor maintains the following technical and organisational measures as a minimum standard:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest
  • Role-based access controls limiting access to authorised personnel only
  • Regular security assessments of systems used to process personal data
  • Secure credential management and multi-factor authentication for system access
  • Data minimisation, processing only data that is necessary for the stated purpose

9. Term and Termination

This DPA remains in effect for the duration of the Service Agreement. Upon termination, the Processor will, at the Controller's written request, delete or return all personal data within 30 days, confirming deletion in writing. The Processor may retain personal data where required by Applicable Law, in which case it will notify the Controller of the retention obligation.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the Service Agreement. However, nothing in this DPA limits either party's liability for breaches of Applicable Law relating to the processing of personal data.

11. Governing Law

This DPA is governed by the laws of Sri Lanka. The parties submit to the exclusive jurisdiction of the courts of Sri Lanka for the resolution of any disputes.

12. Contact

For data protection matters, contact the Processor's data protection contact at privacy@graviti.studio.

Creative studio · Colombo, Sri Lanka

© 2026 Graviti Platforms (Pvt) Ltd.
All rights reserved.
