Data Processing Addendum

For institutions and organisations using ElevateU under an Institution licence.

Effective 20 June 2026 · Last updated 20 June 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between MarshallRidge Consulting Private Limited ("ElevateU", "we", "us") and an institution or organisation (the "Customer") that subscribes to ElevateU on behalf of its students or staff. It governs our processing of personal data on the Customer's behalf and applies in addition to our Terms of Service and Privacy Policy.

2. Definitions

Terms such as "personal data", "processing" and "Data Principal" have the meanings given in the Digital Personal Data Protection Act, 2023 ("DPDP Act").

  • Controller / Data Fiduciary means the entity that determines the purpose and means of processing personal data.
  • Processor means an entity that processes personal data on behalf of a Controller.
  • Data Principal means the individual to whom the personal data relates (for example, a student of the Customer).
  • Sub-processor means a third party engaged by the Processor to process personal data.

3. Roles of the Parties

For personal data processed under this DPA, the Customer acts as the Controller / Data Fiduciary and MarshallRidge Consulting Private Limited acts as the Processor. The Customer is responsible for establishing a lawful basis (including obtaining any required consent from Data Principals) for the processing it instructs us to carry out.

4. Subject-Matter, Duration, Nature and Purpose

The subject-matter of processing is the personal data of the Customer's Data Principals (such as students), including account, profile, assessment and activity data. The nature and purpose of processing is the provision of the ElevateU Service — including assessments, reports, AI guidance and analytics — for the duration of the Customer's subscription and any wind-down period thereafter.

5. Processor Obligations

We will:

  • process personal data only on the Customer's documented instructions, including as set out in the agreement and this DPA;
  • process personal data only for the purposes of providing the Service, and not for our own unrelated purposes;
  • comply with applicable data-protection law, including the DPDP Act; and
  • promptly inform the Customer if, in our opinion, an instruction infringes applicable law.

6. Confidentiality

We will treat all personal data as confidential and ensure that personnel authorised to process personal data are bound by appropriate obligations of confidentiality and are made aware of the confidential nature of the data.

7. Security Measures

We will implement and maintain reasonable technical and organisational security measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, consistent with the SPDI Rules, 2011 and the DPDP Act.

8. Sub-Processors

The Customer authorises us to engage sub-processors to provide the Service. Our current sub-processors include:

  • Cloudflare — hosting and infrastructure (Cloudflare Workers);
  • Google — AI model processing via the Google Gemini API.

We will impose data-protection obligations on each sub-processor that are substantially equivalent to those in this DPA, and we will give the Customer reasonable advance notice of any intended addition or replacement of a sub-processor so that the Customer may object on reasonable grounds.

9. Assistance with Data-Principal Requests

Taking into account the nature of the processing, we will provide the Customer with reasonable assistance to respond to requests from Data Principals exercising their rights under the DPDP Act (such as access, correction, completion and erasure), to the extent the Customer cannot fulfil such requests itself through the Service.

10. Personal-Data Breach Notification

We will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal-data breach affecting the Customer's personal data, and will provide information reasonably available to us to help the Customer meet its own notification obligations.

11. Audits

On reasonable prior written notice, and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, no more than once per year except where required by a regulator or following a breach.

12. International Transfers

Where the provision of the Service involves transfer of personal data outside India (for example, through our sub-processors), we will carry out such transfers in accordance with applicable law, including any restrictions notified under the DPDP Act.

13. Deletion or Return on Termination

On termination or expiry of the agreement, we will, at the Customer's choice, delete or return the personal data processed on the Customer's behalf, and delete existing copies, unless retention is required by applicable law.

14. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the agreement between the parties.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of India. Subject to applicable law, the courts at Mumbai, Maharashtra, India will have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

16. How to Execute this DPA

Institutions wishing to enter into this DPA, or to request a countersigned copy, should contact our legal team at contact@marshallridgeconsulting.in.

Contact