ManaSmurti for Teams

Data Processing Agreement

Version 1.0, effective from 16/04/2026

This Data Processing Agreement ("DPA") forms part of the service agreement between ManaSmurti and the corporate client ("Client") that subscribes to ManaSmurti for Teams. It governs how ManaSmurti processes employee personal data on behalf of the Client and sets out the rights and obligations of each party under applicable Indian law.

1. Parties

This DPA is entered into between:

  • ManaSmurti (operated by Rakesh Krishnan, Bangalore, Karnataka, India), acting as the Data Processor for the purposes of this agreement.
  • The Client, being the corporate entity that has subscribed to ManaSmurti for Teams, acting as the Data Controller (referred to as "Data Fiduciary" under the DPDP Act, 2023).

2. Definitions

In this DPA, the following terms have the meanings set out below. Where a term is also defined in the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the statutory definition prevails to the extent of any inconsistency.

  • Personal Data means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
  • Sensitive Personal Data means passwords, financial information, health data, biometric data, and other categories specified under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
  • Employee Data means Personal Data and Sensitive Personal Data relating to employees of the Client who are enrolled in the ManaSmurti for Teams service.
  • Processing means any operation performed on Personal Data, including collection, storage, use, transmission, encryption, anonymisation, and deletion.
  • Data Principal means the individual to whom the Personal Data relates, as defined under Section 2(j) of the DPDP Act, 2023. In the context of this DPA, the Data Principals are the employees of the Client.
  • Data Fiduciary means any person who, alone or in conjunction with other persons, determines the purpose and means of processing Personal Data, as defined under Section 2(i) of the DPDP Act, 2023.
  • Data Processor means any person who processes Personal Data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDP Act, 2023.

3. Purpose of processing

ManaSmurti processes Employee Data solely for the purpose of providing the ManaSmurti companion service to employees enrolled by the Client under a ManaSmurti for Teams subscription. This includes:

  • Creating and managing employee accounts on the platform.
  • Processing employee messages and generating companion responses during conversation sessions.
  • Generating anonymised, aggregate wellbeing signals for the Client's HR dashboard.
  • Providing guided wellness exercises and reflective practices to enrolled employees.
  • Routing safety-sensitive situations to curated helpline resources.
  • Sending transactional communications to employees (account invitations, policy updates, cancellation notices).

ManaSmurti shall not process Employee Data for any purpose other than those listed above without the prior written consent of the Client.

4. Categories of data processed

The following categories of Employee Data are collected and processed by ManaSmurti in the course of providing the service:

  • Identity data: Employee name (encrypted at rest using AES-256-GCM) and corporate email address (encrypted at rest).
  • Organisational data: Department and job role, as provided by the Client at the time of invitation.
  • Conversation content: All messages sent by the employee and all responses generated by ManaSmurti. Encrypted at rest using AES-256-GCM. Never accessible to the Client under any circumstance.
  • Usage metadata: Session timestamps, conversation counts, features used, and subscription activity. Used for service operation and rate limiting.
  • Feedback signals: Thumbs reactions, questionnaire ratings, and guide ratings. Anonymised before any aggregation visible to the Client.
  • Aggregate cohort signals: Derived wellbeing pulse, participation rate, and completion rate, calculated only for groups of five or more employees. These are the only data points visible to the Client's HR team.

Employee Data is processed on the following lawful bases under the DPDP Act, 2023 and the Information Technology Act, 2000:

  • Consent: Each employee provides informed, affirmative consent at first login through the employee bill of rights acknowledgement screen. Consent is timestamped and version-stamped.
  • Contractual necessity: Processing is necessary to perform the services contracted by the Client under the ManaSmurti for Teams agreement.
  • Legal obligation: Processing required to comply with applicable Indian law, including responding to lawful requests from competent authorities.

6. HR visibility contract

The load-bearing guarantee

The Client's HR team shall have access only to aggregate cohort signals. No individual employee data of any kind is visible to the Client through the ManaSmurti platform.

The following restrictions are enforced at the database query layer and cannot be overridden by any user interface or API request:

  • Minimum cohort size: Aggregate signals are calculated and displayed only for groups of five (5) or more employees. Cohorts smaller than five display "not enough data yet" and no numerical value.
  • K-anonymity: K-anonymity is enforced at the database query layer with k=5. No query from the HR dashboard can return a result set that could be narrowed to fewer than five individuals.
  • No individual conversations: The Client shall never have access to any individual employee's conversation content, message text, or conversation titles.
  • No individual usage status: The Client shall never see whether a specific employee has logged in, how often they have used the service, or when they last used it.
  • No individual activation status: The Client shall never see whether a specific employee has accepted the invitation and created an account.
  • No individual feedback: The Client shall never see any individual feedback, ratings, or written comments submitted by an employee.
  • Audit log: Every query run by the Client's HR team against the dashboard is written to an immutable audit log. Employees may request a frequency summary of queries against their cohort.

7. Subprocessors

ManaSmurti engages the following subprocessors in the course of providing the service. Each subprocessor is contractually bound to maintain confidentiality and process data only for the purposes specified.

Subprocessor | Purpose | Jurisdiction
Amazon Web Services (AWS) | Cloud infrastructure, database hosting, email delivery (SES) | India (Mumbai, ap-south-1)
OpenAI | Conversation processing (primary companion engine) | United States
Anthropic | Conversation processing (failover companion engine) | United States
Zoho | Email delivery (transactional emails) | India

Cross-border data transfers to subprocessors in the United States are carried out in accordance with the provisions of the DPDP Act, 2023 and any notifications issued by the Central Government. Appropriate contractual safeguards are in place to ensure data protection standards equivalent to those required under Indian law. ManaSmurti does not transfer data to any country restricted by the Central Government under the DPDP Act.

ManaSmurti will provide the Client with at least 30 days' advance written notice before engaging any new subprocessor. The Client may object to the engagement of a new subprocessor within that notice period.

8. Security measures

ManaSmurti implements the following security measures in accordance with Section 8 of the Information Technology Act, 2000 and the SPDI Rules, 2011:

  • Encryption at rest: All conversation content, employee names, email addresses, API keys, and sensitive personal data are encrypted using AES-256-GCM before being written to the database.
  • Encryption in transit: All data transmitted between users and the ManaSmurti platform is encrypted using TLS 1.3. No plain-text HTTP endpoints are available.
  • Session security: Authentication sessions use iron-session with httpOnly, secure, and sameSite:strict cookie attributes.
  • Rate limiting: Database-backed IP rate limiting on all authentication endpoints to prevent brute-force attacks.
  • API key storage: All third-party API keys and credentials are encrypted using AES-256-GCM and stored in the database. No credentials are stored in configuration files or environment variables.
  • Password hashing: Passwords are hashed using bcrypt with a work factor of 12 and are never stored in plain text.
  • Access control: Production system access is restricted to authorised personnel using SSH key-based authentication. Database access is restricted by IP allowlisting and encrypted connections.

9. Data retention

  • Active subscription: Employee Data is retained for the duration of the Client's active ManaSmurti for Teams subscription.
  • 90-day grace period: Upon cancellation or expiry of the subscription, Employee Data is retained for ninety (90) days. During this period, employees retain full access to the service and may export their data.
  • Deletion: At the end of the 90-day grace period, all Employee Data (including conversations, profile information, flagged content logs, and behavioural data) is permanently and irreversibly deleted from ManaSmurti's systems.
  • Anonymised signals: Anonymised, aggregate signals that cannot be linked to any individual may be retained beyond deletion under the DPDP Act's anonymisation carve-out. This data cannot be traced back to any individual user.

10. Transparency commitment

A binding promise

ManaSmurti will never voluntarily provide the Client with access to any individual employee's conversations, messages, usage patterns, or activation status, under any circumstance, including at the Client's direct request.

If ManaSmurti is legally compelled to disclose specific data about an individual employee (for example, under a court order or lawful request from a competent authority under the Information Technology Act, 2000 or the Code of Criminal Procedure, 1973), the request will be processed through ManaSmurti's own legal process. It will not be routed through the Client. ManaSmurti will disclose the circumstance in its transparency report to the extent permitted by law.

11. Employee rights under the DPDP Act, 2023

Each employee enrolled in ManaSmurti for Teams is a Data Principal under the DPDP Act, 2023. ManaSmurti facilitates the exercise of the following rights directly by the employee, without requiring the involvement or approval of the Client:

  • Right to access: The right to obtain a summary of personal data held by ManaSmurti and the processing activities related to it.
  • Right to correction: The right to request correction of inaccurate or incomplete personal data.
  • Right to erasure: The right to request permanent deletion of personal data. ManaSmurti will honour erasure requests unless legally required to retain the data.
  • Right to data portability: The right to request a copy of personal data in a structured, commonly used, and machine-readable format.
  • Right to withdraw consent: The right to withdraw consent to data processing at any time by contacting ManaSmurti's Grievance Officer. Withdrawal of consent will result in account closure and deletion of the employee's data.
  • Right to grievance redressal: The right to file a complaint directly with ManaSmurti's Grievance Officer at grievance@manasmurti.com, and if unsatisfied, to approach the Data Protection Board of India.

These rights are exercised by the employee directly with ManaSmurti. The Client does not mediate, approve, or receive notice of any rights request made by an employee, unless the employee independently chooses to inform the Client.

12. Cancellation handling

When the Client's ManaSmurti for Teams subscription is cancelled or expires, the following process applies:

  • Same day: The Client's HR dashboard access is disabled. The Client can no longer run any query against employee data.
  • Same day: Each employee receives an email and an in-app notice informing them that the corporate subscription has ended, when their account will be deleted, and how to export their conversation history before then.
  • 90-day grace period: Employees retain full access to the service. They may finish conversations in progress, export their data, and register a separate personal account with a personal email address if they wish to continue using ManaSmurti independently.
  • Day 90: All corporate accounts and all personal data linked to them are permanently deleted. Anonymised signals that cannot be traced back to any individual may be retained per Section 9.
  • No data return to the Client: At no point before, during, or after cancellation will any Employee Data be returned to, shared with, or made accessible to the Client. Not a summary, not a count, not a name, not a snapshot. The data belongs to the employee.

13. Breach notification

In the event of a personal data breach affecting Employee Data, ManaSmurti will:

  • Notify the Data Protection Board of India as required under the DPDP Act, 2023, within the prescribed timeframe.
  • Notify the Client (as Data Controller) within seventy-two (72) hours of becoming aware of the breach.
  • Notify affected employees by email within seventy-two (72) hours of becoming aware of the breach.
  • Provide details of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

14. Prohibition on re-identification

The Client shall not attempt to re-identify any individual employee from the anonymised aggregate cohort signals provided through the HR dashboard. This includes, but is not limited to:

  • Cross-referencing cohort signals with attendance records, leave data, or performance reviews to infer which employee contributed to a signal.
  • Requesting signals for artificially narrow cohorts (for example, a "team" of exactly five people where the identity of each member is already known to the Client).
  • Using any external data source to correlate with ManaSmurti cohort signals.

Any attempt at re-identification is a material breach of this DPA and may result in immediate termination under Section 16.

15. Prohibition on retaliation

The Client shall not use any signal, data, or information obtained from the ManaSmurti for Teams service (including aggregate cohort signals, participation rates, or the mere fact that an employee has or has not used the service) for any adverse employment action. Adverse employment action includes, but is not limited to:

  • Termination, demotion, or transfer.
  • Negative performance reviews or reduced compensation.
  • Exclusion from projects, promotions, or opportunities.
  • Creating a hostile work environment based on perceived mental health status.

This prohibition applies regardless of whether the Client obtained the information through the HR dashboard, through inference, or through any other means.

This clause is consistent with the protections available under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 ("POSH Act"), which prohibits retaliation against complainants. ManaSmurti extends the same anti-retaliation principle to all wellness service usage.

16. Termination for breach

ManaSmurti may immediately terminate this DPA and the underlying ManaSmurti for Teams service agreement if the Client breaches any of the following provisions:

  • The prohibition on re-identification (Section 14).
  • The prohibition on retaliation (Section 15).
  • Any attempt to access, intercept, or obtain individual employee data through means outside the ManaSmurti platform.

Upon termination for breach, the cancellation handling process in Section 12 applies. Employee accounts are preserved for the 90-day grace period. No refund is issued for the remaining subscription term.

17. Governing law and jurisdiction

This DPA is governed by and construed in accordance with the laws of the Republic of India, including:

  • The Digital Personal Data Protection Act, 2023.
  • The Information Technology Act, 2000 and the rules made thereunder, including the SPDI Rules, 2011.
  • The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013, to the extent relevant to the anti-retaliation provisions.

Any disputes arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the competent courts in Bangalore (Bengaluru), Karnataka, India.

18. Amendment

ManaSmurti may amend this DPA from time to time to reflect changes in the service, applicable law, or security practices. When material changes are made, ManaSmurti will provide the Client with at least thirty (30) days' written notice before the changes take effect.

Continued use of ManaSmurti for Teams after the changes take effect constitutes acceptance of the amended DPA. If the Client does not agree with the changes, the Client may terminate the subscription before the changes take effect.

19. Contact

For questions about this DPA or the data processing practices described in it, please contact:

Grievance Officer: Rakesh Krishnan

Email: grievance@manasmurti.com

Location: Bangalore, Karnataka, India

For general privacy, terms, and compliance documentation, see: