This Data Processing Agreement (the "DPA") is entered into between you (the "Customer" or "Data Fiduciary") and illusionart AI Private Limited (the "Data Processor," "Saaya," "we"). It is incorporated by reference into the Terms of Service (the "Agreement") and applies whenever we process Personal Data on the Customer's behalf in connection with the Service.
The DPA is designed to satisfy the obligations of a Data Processor under the Digital Personal Data Protection Act, 2023 (the "DPDP Act"), the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (together, the "IT Rules"), the CERT-In Directions, April 2022, and any other Indian law applicable to the Processing performed under this DPA (together, the "Indian Data Protection Laws"). Capitalised terms not defined here have the meanings given in the Agreement or in the Indian Data Protection Laws.
Saaya is an Indian startup, accountable to the Government of India and its regulators. The DPA is governed by Indian law and reflects only what Indian law requires.
Plain English: when your AI agents process your end users' personal data through Saaya, this is the contract that says how we handle that data on your behalf, under Indian law.
1. Acceptance
The Customer accepts this DPA by accepting the Agreement, by using the Service, or by signing a counter-signed copy on request. If you require a counter-signed DPA, write to info@illusionart.ai with the subject "[DPA request]" and we will arrange one. The unsigned DPA on this page is binding from the effective date of the Agreement.
2. Definitions
- Indian Data Protection Laws — the DPDP Act, the IT Act and IT Rules, the CERT-In Directions, April 2022, and any other Indian law, rules, or notifications applicable to the Processing performed under this DPA.
- Personal Data — data about an individual who is identifiable by or in relation to such data, as defined in the DPDP Act, that the Customer submits to or has Processed by the Service.
- Sensitive Personal Data or Information ("SPDI") — has the meaning given in the IT Rules, 2011.
- Data Principal — the natural person to whom Personal Data relates, as defined in the DPDP Act.
- Data Fiduciary, Data Processor, Significant Data Fiduciary, Personal Data Breach — have the meanings given in the DPDP Act.
- Processing — any operation or set of operations performed on Personal Data, whether automated or not, as understood under the DPDP Act.
- Sub-processor — a third party Saaya engages to process Personal Data on the Customer's behalf in connection with the Service.
3. Subject matter and duration
The subject matter of the Processing is the provision of the Saaya Service. The DPA takes effect on the effective date of the Agreement and continues for as long as we Process Personal Data on the Customer's behalf, plus any post-termination period required to return or delete Personal Data.
4. Nature, purpose, and details of Processing
| Field | Description |
|---|---|
| Subject matter | Provision of the Saaya real-time multimodal AI agent platform. |
| Duration | Term of the Agreement plus return/deletion period. |
| Nature and purpose | Running real-time voice, video, and chat agents; transcription; retrieval over knowledge bases; generating model outputs; observing sessions; supporting the Customer. |
| Categories of Data Principals | The Customer's personnel; the Customer's end users that interact with agents (callers, leads, customers, students, patients, depending on the use case); any individuals referenced in Customer Content. |
| Categories of Personal Data | Identifiers (name, email, phone, account ID); authentication data; audio/video/chat content of agent sessions; transcripts and structured event data; knowledge-base content; operational telemetry; and any other Personal Data the Customer chooses to submit through configuration. |
| SPDI / sensitive categories | The Customer determines what flows through the Service. Voice and video recordings may include biometric information; agents in healthcare, financial, or social-services contexts may surface health or financial information classified as SPDI under the IT Rules, 2011. The Customer is responsible for the heightened consent and security obligations that apply to SPDI under Indian law. |
5. Roles
The Customer is the Data Fiduciary (or, where it Processes Personal Data on behalf of a third party, a Data Processor). Saaya is the Data Processor (or Sub-processor, as applicable) and Processes Personal Data only on documented instructions from the Customer, which are reflected in the Agreement, this DPA, the configuration of the Service, and the Customer's actions in the dashboard.
6. Customer instructions
We will Process Personal Data only as instructed by the Customer through the Agreement, this DPA, the Service's features and configuration, and any written instructions the Customer sends to info@illusionart.ai — except where Indian law requires otherwise. We will inform the Customer if we believe an instruction infringes the Indian Data Protection Laws (unless Indian law prohibits us from doing so).
7. Confidentiality
We ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations and have received training on data-protection requirements proportionate to their role.
8. Security
We implement and maintain reasonable security practices and procedures, in line with the IT Rules, 2011 and the security obligations of a Data Processor under the DPDP Act, to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. The current measures are described at /security and summarised in Annex 2 of this DPA. We may update them from time to time provided the level of protection is not reduced.
9. Sub-processors
The Customer grants Saaya general written authorisation to engage Sub-processors to provide the Service. The current list is at /legal/subprocessors, reproduced as Annex 3 for reference.
Before engaging a new Sub-processor that Processes Personal Data, we will notify the Customer at least 30 days in advance through the dashboard or by email. The Customer may object on reasonable data-protection grounds within that window. If we cannot make a reasonable accommodation, the Customer may terminate the affected portion of the Service for that reason without penalty.
We impose data-protection obligations on Sub-processors that are no less protective than those in this DPA, and we remain liable to the Customer for the acts and omissions of our Sub-processors to the same extent as for our own under this DPA.
10. Data Principal requests
We will, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures so that the Customer can fulfil requests from Data Principals to exercise their rights under the DPDP Act (access summary, correction, completion, update, erasure, grievance redressal, nomination, and consent withdrawal).
If a Data Principal contacts us directly with a request relating to the Customer's Personal Data, we will not respond ourselves except as required by Indian law and will, where appropriate, refer the Data Principal to the Customer. We will inform the Customer of the request without undue delay.
11. Personal Data breach
We will notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data, and in every case in time for the Customer to meet its own notification obligations to the Data Protection Board of India and to affected Data Principals under the DPDP Act and the rules issued under it.
Where the CERT-In Directions, April 2022 require us to report a cyber incident to CERT-In, we will do so within six hours of noticing the incident or being brought to notice of it, as the directions prescribe, and will keep the Customer informed of the report and any follow-up.
The notification to the Customer will include, to the extent then known to us:
- the nature of the breach, including the categories and approximate number of Data Principals and records concerned;
- the likely consequences of the breach;
- the measures we have taken or propose to take to address the breach and to mitigate its possible adverse effects;
- contact details of the person handling the response.
We will provide updates as additional information becomes available and will cooperate with the Customer's reasonable investigation and notification obligations.
12. Audits
We will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may request an audit no more than once in any twelve-month period, or more often following a material incident or where an Indian regulator requires it, by writing to info@illusionart.ai with the subject "[Audit request]".
The parties will agree on a reasonable scope, timing, and method of audit, conducted at the Customer's expense and under appropriate confidentiality undertakings, designed to minimise disruption to the Service and to protect other customers' data. Where available, we may satisfy audit requests by providing recent third-party audit reports, penetration-test summaries, or attestations under NDA.
13. Cross-border processing
Saaya operates from India. To deliver the Service, we engage Sub-processors that may store or process Personal Data outside India (for example, US-based AI model providers when the Customer selects them for an agent). Section 16 of the DPDP Act permits transfers of Personal Data to any country, except those notified by the Central Government as restricted. We comply with that notified list as it is published and updated.
Where any Indian law (including sector-specific localisation rules issued by the Reserve Bank of India, IRDAI, or other regulators) imposes a data-localisation or residency requirement that applies to the Customer or to its Personal Data, the Customer is responsible for selecting sub-processor and configuration options that meet the requirement. We will support the Customer's residency choices to the extent the Service allows, including by routing to in-India providers where available (see /legal/subprocessors).
The technical and organisational measures described in Annex 2 function as supplementary measures protecting Personal Data wherever it is Processed.
14. Return and deletion
On termination or expiration of the Agreement, the Customer may export Customer Data through the dashboard for 30 days. After that window, we delete or return remaining Personal Data within a reasonable period, except where applicable Indian law requires longer retention. Backups containing Personal Data are deleted in line with our backup-rotation schedule of up to 30 days, after which the data is overwritten.
If the Customer requests, we will provide written confirmation of deletion.
15. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. The DPA is not intended to expand either party's liability beyond what the Agreement and applicable Indian law provide.
16. Governing law & jurisdiction
This DPA is governed by, and shall be construed in accordance with, the laws of India. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India, save for the optional arbitration mechanism described in the Agreement.
17. Precedence
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. Where Indian law provides for a particular form of consent, notice, or processing record, that form prevails over any contrary provision in this DPA.
18. Changes
We may update this DPA from time to time. Material changes will be communicated through the dashboard or by email at least 15 days before they take effect. Continued use of the Service after the effective date of the change constitutes acceptance.
19. Contact
For DPA enquiries, audit requests, breach notifications, or to request the current Sub-processor list under NDA, write to info@illusionart.ai. Useful subject prefixes: "[DPA request]," "[Audit request]," "[Breach notification]."
Annex 1 — Description of Processing
Refer to Section 4 above. The fields in that section satisfy the description-of-Processing requirement under the DPDP Act and the IT Rules.
Annex 2 — Technical and organisational measures
Saaya's measures, in summary:
- Encryption. TLS 1.2+ for all customer-facing and inter-service traffic. Managed-storage encryption at rest for the Postgres, MongoDB, Redis, and Qdrant data stores and for object storage. DTLS-SRTP for real-time media.
- Authentication. Email + password for customers, hashed with a modern password-hashing algorithm. Optional 2FA. Multi-factor authentication required for internal team access to production. JWT-based session tokens with short access TTL and rotating refresh tokens.
- Authorisation. Two-level role-based access control (system roles + workspace roles), 23 fine-grained permissions, request-context scoping by X-Organization-Id. Least-privilege for internal access; just-in-time grants for incidents, all logged.
- Audit logging. Sensitive actions written to an append-only log keyed by user, organisation, action, and timestamp.
- Monitoring & incident response. Sentry for application errors; Loki + Grafana for latency and availability; on-call rotation; documented IR process; CERT-In 6-hour reporting where applicable; DPDP breach notifications to the Data Protection Board of India and to Data Principals as the rules under the Act require.
- Segregation. Multi-tenant architecture with strict org-level isolation enforced at the application layer.
- Backups. Recurring backups of production data stores; 30-day rolling retention; restoration exercised periodically.
- Vulnerability management. Dependency tracking and patching; static analysis in CI; mandatory PR review; secrets in a managed secret store (never in source control or logs); third-party penetration test on the 2026 roadmap.
- Personnel. Confidentiality obligations on personnel; least-privilege access to production; periodic access reviews.
The full description, with current state and roadmap, is at /security.
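Illustration, added for readers of this Annex and not Saaya's own code: how the authorisation and audit-logging bullets above fit together on a single request path. The tenant is resolved from X-Organization-Id, a workspace role is looked up for that organisation only (so a role in one organisation grants nothing in another, whatever the caller puts in the header), system roles are checked first, and every decision, allowed or denied, is appended to a hash-chained log in which a removed or edited record is detectable. The role names, permission strings, and record layout are assumptions made for the example.

```python
"""Tenant-scoped authorisation with an append-only, hash-chained audit log.

Illustrative only: the role tables, permission strings and audit record
shape below are assumptions for this example, not Saaya's implementation.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed role tables. System roles apply platform-wide (e.g. internal
# support); workspace roles are granted per organisation.
SYSTEM_ROLES = {
    "platform_admin": {"*"},
    "support": {"session.read", "audit.read"},
}
WORKSPACE_ROLES = {
    "owner": {"agent.read", "agent.write", "session.read", "session.delete"},
    "editor": {"agent.read", "agent.write", "session.read"},
    "viewer": {"agent.read", "session.read"},
}


class PermissionDenied(Exception):
    pass


@dataclass
class Principal:
    user_id: str
    system_role: Optional[str] = None
    workspace_roles: Dict[str, str] = field(default_factory=dict)  # org_id -> role


class AuditLog:
    """Append-only log. Each entry stores the SHA-256 of the previous entry,
    so deleting, reordering or editing a record makes verify() return False."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user_id: str, org_id: Optional[str], action: str, outcome: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"user": user_id, "org": org_id, "action": action,
                "outcome": outcome, "ts": time.time(), "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(principal: Principal, headers: dict, permission: str, log: AuditLog) -> str:
    """Resolve the tenant from X-Organization-Id and check `permission`.
    Returns the org id on success; raises PermissionDenied otherwise.
    Every decision, allowed or denied, is written to the audit log."""
    org_id = headers.get("X-Organization-Id")
    if not org_id:
        log.append(principal.user_id, None, permission, "denied:no-org")
        raise PermissionDenied("missing X-Organization-Id")

    sys_perms = SYSTEM_ROLES.get(principal.system_role or "", set())
    if "*" in sys_perms or permission in sys_perms:
        allowed = True
    else:
        # The workspace role is looked up for *this* org only: a role held in
        # org A grants nothing in org B even if the caller names B in the header.
        role = principal.workspace_roles.get(org_id)
        allowed = permission in WORKSPACE_ROLES.get(role or "", set())

    log.append(principal.user_id, org_id, permission, "allowed" if allowed else "denied")
    if not allowed:
        raise PermissionDenied(f"{principal.user_id} lacks {permission} in {org_id}")
    return org_id


if __name__ == "__main__":
    # Constructed sample: alice is a viewer in org_a only; bob is internal support.
    log = AuditLog()
    alice = Principal("alice", workspace_roles={"org_a": "viewer"})
    bob = Principal("bob", system_role="support")
    print(authorize(alice, {"X-Organization-Id": "org_a"}, "session.read", log))
    for hdrs, perm in ({"X-Organization-Id": "org_b"}, "session.read"), ({}, "session.read"):
        try:
            authorize(alice, hdrs, perm, log)
        except PermissionDenied as exc:
            print("denied:", exc)
    print(authorize(bob, {"X-Organization-Id": "org_b"}, "session.read", log))
    print("log intact:", log.verify())
```

The denied-access records matter as much as the allowed ones: a burst of cross-organisation denials for one user is the signal a reviewer of the audit log would want to see.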
Annex 3 — Sub-processors
The current list of Sub-processors is maintained at /legal/subprocessors. At the effective date of this DPA, the categories include:
- AI model providers — OpenAI, Anthropic, Google, Sarvam, ElevenLabs, Deepgram, Cartesia.
- Real-time media — LiveKit.
- Telephony & messaging — Twilio, Meta (WhatsApp Business).
- Avatar providers — Anam, Simli, Tavus, AvatarIO, AvatarTalk, LiveAvatar, TruGen (where customers enable them).
- Hosting & CDN — managed cloud infrastructure provider; Vercel for the dashboard and marketing-site CDN.
- Observability & monitoring — Sentry; OpenTelemetry-compatible vendors as configured.
- Payments — Razorpay (primary, INR collections) and Stripe (international cards), as configured.
- Email — transactional email provider as configured.
Refer to the live list at /legal/subprocessors for the canonical, dated record.
Version history
- v1.0 · Initial publication.