Terms of Service (B2B)

Utkrusht Skill Assessment Platform — For Recruiters and Organizations

Last Updated: February 3, 2026 Effective Date: February 3, 2026 Version: 1.0 (Audit-Ready)

Scope: This agreement governs the relationship between Utkrusht and business customers (recruiters, organizations, testmakers). A separate privacy notice applies to candidates taking assessments.

1. DEFINITIONS

In these Terms of Service ("Terms"), the following definitions apply:

Term	Definition
"Agreement"	These Terms of Service, including all annexes, schedules, and documents incorporated by reference.
"Assessment Data"	All data generated through or in connection with assessments conducted on the Platform, including candidate responses, scores, AI-generated analysis, timestamps, and behavioral patterns.
"Candidate"	An individual who participates in assessments administered through the Platform by a Customer.
"Candidate Personal Data"	Personal data relating to Candidates that is processed through the Platform, including identity data, contact information, assessment responses, proctoring recordings, and derived insights.
"Controller"	As defined in GDPR Article 4(7), the natural or legal person which determines the purposes and means of the processing of personal data.
"Customer"	The organization that has entered into this Agreement with Utkrusht to use the Platform for recruitment and assessment purposes.
"Customer Content"	Data, materials, and content uploaded to the Platform by Customer, including candidate information, custom questions, position descriptions, and organization branding.
"Data Processing Agreement" or "DPA"	The data processing agreement attached as Annex A, governing processing of personal data under GDPR.
"De-identified Data"	Assessment Data that has been processed to remove or obscure personal identifiers such that the data cannot reasonably be used to identify a specific individual.
"GDPR"	The General Data Protection Regulation (EU) 2016/679.
"Platform"	The Utkrusht skill assessment platform, including all web applications, APIs, AI systems, and related services provided by Utkrusht.
"Platform AI"	Utkrusht's proprietary artificial intelligence systems, including ranking algorithms, competency frameworks, response analysis models, and proctoring detection systems.
"Proctoring Data"	Video recordings, audio recordings, screen captures, transcripts, and behavioral analysis generated during proctored assessments.
"Processor"	As defined in GDPR Article 4(8), a natural or legal person which processes personal data on behalf of the Controller.
"Services"	The skill assessment, candidate management, and related services provided by Utkrusht through the Platform.
"Subscription"	Customer's selected service tier (LITE, STARTER, PLUS, PRO, or ENTERPRISE) and associated resource allocations.
"Utkrusht"	Utkrusht Learning Services Private Limited, a company incorporated under the laws of India.
"User"	Any individual authorized by Customer to access the Platform, including administrators, testmakers, and source partners.

2. SERVICE DESCRIPTION

2.1 Platform Capabilities

Utkrusht provides a comprehensive skill assessment platform that enables Customers to:

Create and manage job positions with defined competencies
Design and deliver assessments (aptitude tests, coding tasks, video responses)
Administer proctored examinations with AI-powered monitoring
Analyze candidate performance using artificial intelligence
Generate candidate rankings and recommendations
Manage candidate pipelines and recruitment workflows
Access analytics and reporting dashboards

2.2 Third-Party Service Integrations

The Platform integrates with the following third-party services to deliver the Services:

Service Provider	Location	Purpose
Amazon Web Services (S3)	Mumbai, India	Video and document storage
Supabase	Singapore	Database and authentication
OpenAI (via Portkey)	USA	AI-powered response analysis
AssemblyAI	USA	Audio/video transcription
Sarvam AI	India	Indic language transcription
MSG91	India	SMS notifications and OTP
WhatsApp/Meta	Ireland/USA	Candidate messaging
Dodo Payments	India	Payment processing
GitHub	USA	Task submission repositories
Google OAuth	USA	Authentication services

Customer acknowledges that use of the Platform involves processing of data by these third-party services, each governed by their respective terms and privacy policies.

2.3 Subscription Tiers

The Platform offers the following subscription tiers:

Tier	Description
LITE	Trial tier with date-based access period
STARTER	Entry-level tier for small organizations
PLUS	Mid-tier with expanded resources
PRO	Advanced tier with priority features
ENTERPRISE	Custom tier with unlimited resources and dedicated support

Resource allocations (assessments, tasks, candidates) are defined by tier and tracked through the Platform's credit system.

3. ACCOUNT AND ACCESS

3.1 Registration Requirements

To use the Platform, Customer must:

(a) Provide accurate and complete registration information, including organization name, contact details, and billing information;

(b) Designate at least one administrator with authority to bind Customer to this Agreement;

(d) Promptly notify Utkrusht of any unauthorized access or security breach.

3.2 User Roles

Customer may designate Users with the following roles:

Role	Permissions
Administrator	Full platform access, user management, billing, settings
Testmaker	Position management, assessment creation, candidate management
Source Partner	Limited access to assigned candidate pools

Customer is responsible for all activities conducted through User accounts.

3.3 Authentication Methods

The Platform supports the following authentication methods:

Email and password authentication
Google OAuth single sign-on
Magic link authentication (email-based)
One-time password (OTP) verification

Customer agrees to use strong passwords and enable additional security measures where available.

3.4 Security Obligations

Customer shall:

(a) Implement appropriate access controls within its organization;

(b) Not share account credentials or authentication tokens;

(d) Report suspected security incidents to naman@utkrusht.ai within 24 hours.

4. CUSTOMER OBLIGATIONS

4.1 Lawful Basis for Processing

Prior to uploading any Candidate Personal Data to the Platform, Customer must:

(a) Establish a valid lawful basis for processing under applicable data protection law (including GDPR where applicable);

(b) Obtain any required consents from Candidates;

Customer represents and warrants that it has the legal authority to upload Candidate Personal Data and engage Utkrusht as a processor.

4.2 Candidate Notice Requirements

Customer must provide Candidates with clear notice before any assessment, including:

(a) Assessment Recording: That their responses (text, audio, video) will be recorded and stored;

(b) AI Analysis: That artificial intelligence will analyze their responses and generate scores, ratings, and insights;

(d) Cross-Organization Data Usage: That de-identified assessment data may be used by Utkrusht to improve its AI systems and generate benchmarks that inform candidate rankings across all organizations using the Platform;

(e) Data Retention: How long data will be retained and how Candidates can exercise their data rights.

4.3 Template Candidate Notice

Utkrusht provides the following template notice, which Customer may adapt for its purposes. Customer must include disclosures that are at minimum equivalent to this template:

Assessment Platform Notice

Your assessment will be conducted on the Utkrusht platform. By proceeding, you acknowledge and consent to the following:

Data Collection:

Your assessment responses (text, audio, and/or video) will be recorded

[If proctored] Your webcam, microphone, and screen activity will be recorded throughout the assessment

Your performance data will be analyzed using artificial intelligence

Data Usage:

Your assessment data will be shared with [Organization Name] for recruitment purposes

De-identified data from your assessment may be used by Utkrusht to improve its AI ranking systems

Your ranking may be informed by anonymized benchmarks from assessments conducted at other organizations

Your Rights:

You may request access to, correction of, or deletion of your personal data

You may opt out of cross-organization data usage by contacting naman@utkrusht.ai

For questions about how [Organization Name] uses your data, contact them directly

By clicking "Start Assessment," you confirm you have read and understood this notice.

4.4 Prohibited Uses

Customer shall not:

(a) Use the Platform to process data of individuals under 16 years of age;

(b) Upload sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data, sexual orientation) except where expressly permitted and legally compliant;

(d) Attempt to re-identify De-identified Data or circumvent technical safeguards;

(e) Share assessment content, questions, or answers outside the Platform in violation of Utkrusht's intellectual property rights;

(f) Use the Platform in any manner that violates applicable law or regulation.

5. DATA OWNERSHIP AND LICENSING

5.1 Customer Content Ownership

Customer retains all ownership rights in Customer Content uploaded to the Platform, including:

Candidate lists and contact information provided by Customer
Custom assessment questions created by Customer
Position descriptions and requirements
Organization branding and materials

5.2 Dual Role Structure

The parties acknowledge the following data protection roles:

(a) Utkrusht as Processor:

When processing Candidate Personal Data on Customer's documented instructions to deliver the Services, Utkrusht acts as a Processor and Customer acts as Controller. This processing is governed by the Data Processing Agreement in Annex A and includes:

Storing and displaying Candidate Personal Data
Delivering assessments to Candidates
Generating scores and reports for Customer
Transmitting data to Customer-authorized recipients

(b) Utkrusht as Independent Controller:

For the following purposes, Utkrusht acts as an independent Controller with its own lawful basis for processing:

Purpose	Legal Basis	Description
Platform AI Improvement	Legitimate Interest	Using De-identified Assessment Data to train and improve Platform AI, including ranking algorithms and competency frameworks
Cross-Organization Benchmarking	Legitimate Interest	Using De-identified Assessment Data to generate performance benchmarks that inform candidate rankings across all Customers
Aggregate Analytics	Legitimate Interest	Generating anonymized statistics about assessment performance, industry trends, and platform usage
Service Development	Legitimate Interest	Developing new features and services using insights derived from De-identified Data
Fraud Prevention	Legitimate Interest	Detecting and preventing cheating, identity fraud, and platform abuse
Security Monitoring	Legitimate Interest	Maintaining platform security and investigating incidents

For all legitimate interest processing, Utkrusht has conducted balancing tests and implemented appropriate safeguards as described in the Privacy Policy.

5.3 Assessment Data Rights

(a) Utkrusht Ownership:

Utkrusht owns and retains all intellectual property rights in:

Assessment questions created by Utkrusht (Question Bank)
Platform AI algorithms, models, and methodologies
Scoring rubrics and competency frameworks
AI-generated analysis, ratings, and insights
Aggregated and anonymized data derived from Assessment Data

(b) License Grant to Utkrusht:

Customer grants Utkrusht a non-exclusive, worldwide, royalty-free license to:

Process Assessment Data to deliver the Services
Use De-identified Assessment Data for the independent Controller purposes specified in Section 5.2(b)
Create derivative works from De-identified Assessment Data for platform improvement

This license survives termination of this Agreement with respect to De-identified Data existing as of termination.

5.4 Proctoring Data

Proctoring Data is subject to special handling:

(a) Proctoring Data is processed solely to verify assessment integrity;

(b) Proctoring Data is not used for cross-organization purposes, AI training, or benchmarking;

(d) Access to Proctoring Data is limited to Customer and authorized Utkrusht personnel investigating integrity concerns.

5.5 Cross-Organization Data Transparency

What Utkrusht uses across organizations:

De-identified assessment response patterns
Aggregated performance metrics
Statistical benchmarks and distributions

What Utkrusht never shares across organizations:

Candidate names, contact information, or identifiers
Specific assessment responses attributable to individuals
Proctoring recordings or transcripts
Customer-specific position details or requirements
Any data that could reasonably identify a specific Candidate

5.6 Data Export Rights

Customer may export Customer Content and Candidate Personal Data at any time through:

Platform export functionality (where available)
Written request to naman@utkrusht.ai

Utkrusht will provide exported data in a commonly used, machine-readable format (JSON or CSV) within thirty (30) days of verified request.

5.7 Aggregated and Anonymized Data

Utkrusht may create, use, and share aggregated and anonymized data that does not identify Customer, Candidates, or any individual. Such data is owned by Utkrusht and may be used for any lawful purpose, including:

Publishing industry reports and benchmarks
Marketing Utkrusht's services
Research and academic collaboration
Product development and improvement

6. INTELLECTUAL PROPERTY

6.1 Platform Intellectual Property

Utkrusht retains all rights, title, and interest in the Platform, including:

Software, source code, and documentation
User interface designs and workflows
Platform AI and machine learning models
Trade names, trademarks, and branding
Patents, copyrights, and trade secrets

Nothing in this Agreement transfers any intellectual property rights to Customer except the limited license to use the Platform during the Subscription term.

6.2 Question Bank

The Utkrusht Question Bank is proprietary and confidential. Customer may use Question Bank content only within the Platform for authorized assessments. Customer shall not:

Copy, reproduce, or distribute Question Bank content
Share questions with Candidates outside the assessment context
Attempt to extract or reverse-engineer questions
Use questions on any other platform or service

6.3 Custom Questions

Customer retains ownership of custom questions created by Customer on the Platform. By creating custom questions, Customer grants Utkrusht a non-exclusive license to:

Host and display the questions within the Platform
Include de-identified response patterns in aggregate analytics
Use question structure (not content) to improve Platform AI

Customer may delete custom questions at any time, subject to retention requirements for completed assessments.

6.4 AI Training Rights

Customer acknowledges and agrees that Utkrusht may use De-identified Assessment Data to train and improve Platform AI systems. This includes:

Improving response analysis accuracy
Enhancing ranking algorithm performance
Developing new competency frameworks
Refining proctoring detection models

Training occurs only on De-identified Data that cannot reasonably be used to identify specific Candidates.

6.5 Feedback

Any feedback, suggestions, or ideas provided by Customer or Users regarding the Platform ("Feedback") is assigned to Utkrusht. Customer waives any rights to Feedback and agrees that Utkrusht may use Feedback for any purpose without compensation.

7. PAYMENT TERMS

7.1 Subscription Fees

Customer agrees to pay the subscription fees associated with the selected tier. Fees are:

(a) Invoiced in advance (monthly or annually, as selected);

(b) Due within fifteen (15) days of invoice date;

7.2 Credit System

The Platform uses a credit-based resource pool system:

Resource Type	Description
Assessments	Number of candidate assessments that can be administered
Tasks	Number of coding/practical tasks that can be assigned
Candidates	Number of unique candidates that can be managed

Credits are tracked in Customer's resource pool with:

Subscription credits: Allocated based on tier
Add-on credits: Purchased separately

Consumption priority: Subscription credits are consumed before add-on credits when subscription is active.

7.3 Immutable Ledger

All credit transactions are recorded in an immutable ledger for audit purposes. This includes:

Credit allocations and expirations
Credit consumption events
Add-on purchases
Refunds and adjustments

Customer may request ledger exports for reconciliation.

7.4 Add-on Purchases

Customer may purchase additional credits at any time through the Platform. Add-on credits:

Do not expire until used
Remain available regardless of subscription status
Are non-refundable once purchased

7.5 Refund Policy

(a) Subscription Refunds: Subscriptions may be cancelled at any time, but no pro-rata refunds are provided for unused portions of prepaid periods.

(b) Add-on Refunds: Add-on credits are non-refundable.

(c) Service Failures: If the Platform is unavailable for more than forty-eight (48) consecutive hours due to Utkrusht's fault, Customer may request a pro-rata credit for the affected period.

7.6 Taxes

Fees are exclusive of taxes. Customer is responsible for all applicable taxes, including GST, VAT, or similar taxes, unless Customer provides valid exemption documentation.

8. LIMITATION OF LIABILITY

8.1 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY:

Indirect, incidental, special, or consequential damages
Loss of profits, revenue, or business opportunities
Loss of data (except as required by the DPA)
Loss of goodwill or reputation
Cost of substitute services

This exclusion applies regardless of the theory of liability (contract, tort, strict liability, or otherwise) and even if the party was advised of the possibility of such damages.

8.2 Liability Cap

UTKRUSHT'S TOTAL CUMULATIVE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF:

(a) The total fees paid by Customer to Utkrusht in the twelve (12) months preceding the claim; or

(b) Ten thousand Indian Rupees (₹10,000).

8.3 Carve-outs

The limitations in Sections 8.1 and 8.2 shall not apply to:

(a) Either party's indemnification obligations under Section 9;

(b) Breach of confidentiality obligations;

(d) Customer's payment obligations;

(e) Infringement of intellectual property rights.

8.4 Third-Party Service Disclaimer

Utkrusht is not liable for failures, errors, or unavailability of third-party services integrated with the Platform. Customer acknowledges that:

Third-party services may experience outages
Data processing by third parties is subject to their terms
Utkrusht will use reasonable efforts to select reliable providers

8.5 AI Output Disclaimer

CUSTOMER ACKNOWLEDGES THAT:

(a) Platform AI provides recommendations and analysis, not definitive assessments;

(b) AI-generated scores and rankings should inform, not replace, human judgment;

(d) Customer is responsible for final hiring and recruitment decisions;

(e) Utkrusht does not guarantee that AI recommendations will result in successful hires.

9. INDEMNIFICATION

9.1 Utkrusht Indemnification

Utkrusht shall defend, indemnify, and hold harmless Customer from claims, damages, and costs (including reasonable attorneys' fees) arising from:

(a) Claims that the Platform infringes a third party's intellectual property rights;

(b) Utkrusht's gross negligence or willful misconduct;

Exclusions: Utkrusht has no obligation for claims arising from:

Customer's use of the Platform in violation of this Agreement
Modifications made by Customer
Combination with third-party products not provided by Utkrusht
Customer Content

9.2 Customer Indemnification

Customer shall defend, indemnify, and hold harmless Utkrusht from claims, damages, and costs (including reasonable attorneys' fees) arising from:

(a) Customer's failure to obtain required consents or provide required notices;

(b) Customer's violation of data protection laws;

(d) Customer Content that infringes third-party rights;

(e) Customer's use of the Platform in violation of this Agreement.

9.3 Indemnification Procedures

The indemnified party shall:

(a) Promptly notify the indemnifying party of any claim;

(b) Provide reasonable cooperation in the defense;

The indemnifying party shall not settle any claim in a manner that imposes liability on the indemnified party without prior written consent.

10. TERM AND TERMINATION

10.1 Term

This Agreement commences on the date Customer accepts these Terms and continues until terminated as provided herein.

10.2 Subscription Renewal

Subscriptions automatically renew for successive periods equal to the initial subscription period unless:

(a) Customer cancels at least seven (7) days before renewal; or

(b) Either party provides written notice of non-renewal.

10.3 Termination for Convenience

Either party may terminate this Agreement:

(a) At the end of any subscription period with seven (7) days' notice; or

(b) Immediately if the other party materially breaches and fails to cure within thirty (30) days of notice.

10.4 Termination for Cause

Either party may terminate immediately upon written notice if the other party:

(a) Becomes insolvent or files for bankruptcy;

(b) Makes an assignment for benefit of creditors;

(d) Engages in illegal activity using the Platform.

10.5 Effect of Termination

Upon termination:

(a) Customer's access to the Platform terminates;

(b) Customer must cease using Utkrusht's intellectual property;

(d) Each party must return or destroy the other's confidential information.

10.6 Data Export Period

For thirty (30) days following termination, Customer may request export of Customer Content and Candidate Personal Data. Utkrusht will provide data in a commonly used format within thirty (30) days of verified request.

10.7 Post-Termination Data Handling

After the thirty (30) day export period:

(a) Utkrusht will delete Customer Content and Candidate Personal Data from active systems;

(b) Backup copies will be deleted according to standard backup rotation (maximum ninety (90) days);

(d) Data required for legal compliance (e.g., payment records) will be retained as required.

10.8 Survival

The following sections survive termination: 5 (Data Ownership), 6 (Intellectual Property), 8 (Limitation of Liability), 9 (Indemnification), 11 (Compliance), 12 (General Provisions), and Annex A (DPA, to the extent required).

11. COMPLIANCE OBLIGATIONS

11.1 Data Processing Agreement

The Data Processing Agreement attached as Annex A is incorporated by reference and governs all processing of personal data under GDPR.

11.2 Sub-processor Authorization

Customer provides general authorization for Utkrusht to engage sub-processors listed in Section 2.2 and the Privacy Policy. Utkrusht will:

(a) Maintain an up-to-date list of sub-processors in the Privacy Policy;

(b) Notify Customer of new sub-processors at least fourteen (14) days before engagement;

(d) Remain liable for sub-processor compliance.

Customer may object to new sub-processors by providing written notice within fourteen (14) days. If the objection cannot be resolved, Customer may terminate affected Services without penalty.

11.3 Security Measures

Utkrusht implements and maintains appropriate technical and organizational security measures, including:

Technical Measures:

TLS 1.3 encryption for data in transit
AES-256 encryption for data at rest
Multi-factor authentication for administrative access
Regular security vulnerability scanning
Automated backup with encryption

Organizational Measures:

Role-based access control
Personnel security training
Vendor security assessment
Incident response procedures
Regular security audits

11.4 Incident Response

Utkrusht will notify Customer of any personal data breach within seventy-two (72) hours of becoming aware, including:

(a) Description of the breach;

(b) Categories and approximate number of affected data subjects;

(d) Measures taken or proposed to address the breach.

Customer is responsible for any legally required notifications to data protection authorities and affected individuals.

11.5 SOC2 Compliance

Utkrusht maintains security practices aligned with SOC2 Trust Services Criteria. Upon request:

(a) STARTER, PLUS, PRO tiers: Annual security questionnaire and summary documentation;

(b) ENTERPRISE tier: SOC2 Type II report (under NDA) and audit rights as specified in the DPA.

11.6 Audit Rights

Customer's audit rights are as follows:

(a) All tiers: Annual written security questionnaire;

(b) ENTERPRISE tier: On-site audit with thirty (30) days' notice, no more than once per year, at Customer's expense;

Utkrusht will cooperate with reasonable audit requests that do not disrupt operations or compromise other customers' data.

12. GENERAL PROVISIONS

12.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles.

12.2 Jurisdiction

The courts of Bangalore, Karnataka, India shall have exclusive jurisdiction over any disputes arising under this Agreement.

EU Data Protection Disputes: Notwithstanding the foregoing, disputes arising solely under GDPR or EU data protection law may be brought before the competent courts of the European Union member state where the affected data subject resides.

12.3 Dispute Resolution

Before initiating litigation, the parties agree to:

(a) Attempt good faith negotiation for thirty (30) days;

(b) If unsuccessful, submit to non-binding mediation;

12.4 Amendment

Utkrusht may amend these Terms by:

(a) Posting updated Terms on the Platform;

(b) Notifying Customer via email at least thirty (30) days before changes take effect;

Continued use of the Platform after the effective date constitutes acceptance of amended Terms.

12.5 Assignment

(a) Customer may not assign this Agreement without Utkrusht's prior written consent;

(b) Utkrusht may assign this Agreement to an affiliate or in connection with a merger, acquisition, or sale of assets;

12.6 Force Majeure

Neither party shall be liable for delays or failures caused by circumstances beyond reasonable control, including natural disasters, war, terrorism, government actions, pandemics, or infrastructure failures. The affected party must provide prompt notice and use reasonable efforts to mitigate.

12.7 Severability

If any provision is held unenforceable, the remaining provisions continue in effect. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its intent.

12.8 Entire Agreement

This Agreement, including all annexes and documents incorporated by reference, constitutes the entire agreement between the parties regarding its subject matter. It supersedes all prior agreements, understandings, and representations.

12.9 Waiver

Failure to enforce any provision does not waive the right to enforce it later. Waivers must be in writing and signed by the waiving party.

12.10 Notices

Notices must be in writing and delivered to:

To Utkrusht:

Email: naman@utkrusht.ai
India Office: A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 | Phone: +91-9023239479
US Office: 572 Amboy Dr, San Jose, CA, United States of America - 95136 | Phone: +1-919-793-6081

To Customer:

Email address on file in the Platform
Address provided during registration

12.11 Independent Contractors

The parties are independent contractors. Nothing in this Agreement creates an employment, agency, partnership, or joint venture relationship.

12.12 Third-Party Beneficiaries

This Agreement does not create third-party beneficiary rights, except that Candidates may enforce data protection rights as provided in the DPA and Privacy Policy.

ANNEX A: DATA PROCESSING AGREEMENT

A.1 Scope and Roles

This Data Processing Agreement ("DPA") governs the processing of personal data by Utkrusht (Processor) on behalf of Customer (Controller) in connection with the Services.

This DPA is incorporated into and forms part of the Terms of Service.

A.2 Processing Details

Element	Description
Subject Matter	Processing of Candidate Personal Data to deliver skill assessment services
Duration	Term of the Agreement plus retention periods specified herein
Nature of Processing	Collection, storage, analysis, display, transmission, deletion
Purpose	Administering assessments, generating scores, providing reports, enabling recruitment workflows
Categories of Data Subjects	Candidates, Users (recruiters, administrators)
Types of Personal Data	Identity (name, email, phone), professional (resume, skills), assessment (responses, scores), proctoring (video, audio, transcripts)

A.3 Controller Obligations

Controller shall:

(a) Ensure it has a valid lawful basis for processing;

(b) Provide required notices to data subjects;

(d) Provide documented instructions to Processor;

(e) Respond to data subject requests within legally required timeframes.

A.4 Processor Obligations

Processor shall:

(a) Process personal data only on Controller's documented instructions;

(b) Ensure personnel are bound by confidentiality;

(d) Engage sub-processors only with authorization and equivalent obligations;

(e) Assist Controller with data subject requests;

(f) Assist Controller with DPIAs and prior consultations;

(g) Delete or return personal data upon termination;

(h) Provide information necessary for compliance audits.

A.5 Security Measures

Processor implements the security measures described in Section 11.3 of the Terms of Service, including:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Access controls and authentication
Regular security testing
Incident response procedures
Personnel training

A.6 Sub-processing

(a) Controller provides general authorization for sub-processors listed in Section 2.2 of the Terms and the Privacy Policy;

(b) Processor will notify Controller of new sub-processors at least fourteen (14) days before engagement;

(d) Processor ensures sub-processors are bound by equivalent data protection obligations;

(e) Processor remains liable for sub-processor compliance.

A.7 Data Subject Requests

(a) Processor will promptly forward any data subject requests to Controller;

(b) Processor will assist Controller in responding to requests within ten (10) business days;

(d) Processor will not respond directly to data subjects except to redirect them to Controller.

A.8 Personal Data Breach

(a) Processor will notify Controller of any personal data breach within forty-eight (48) hours of becoming aware;

(b) Notification will include: description, categories affected, likely consequences, mitigation measures;

(d) Controller is responsible for notifications to authorities and data subjects.

A.9 Data Protection Impact Assessments

Upon request, Processor will provide reasonable assistance with Data Protection Impact Assessments (DPIAs), including:

Information about processing operations
Security measure documentation
Assessment of necessity and proportionality

A.10 Audit Rights

(a) Processor will make available information necessary to demonstrate compliance;

(b) Processor will allow audits conducted by Controller or an independent auditor;

(d) Audits must not unreasonably disrupt operations or access other customers' data;

(e) Audit costs are borne by Controller.

A.11 International Data Transfers

(a) Processor may transfer personal data to countries listed in Section 2.2 of the Terms;

(b) For transfers to countries without adequacy decisions, Processor relies on Standard Contractual Clauses (SCCs);

(d) Transfer impact assessments are available upon request.

A.12 Return and Deletion

(a) Upon termination, Controller may request data export within thirty (30) days;

(b) After the export period, Processor will delete personal data from active systems;

(d) Processor may retain data required for legal compliance;

(e) De-identified data may be retained per Section 5.2(b) of the Terms.

A.13 Liability

Processor's liability under this DPA is subject to the limitations in Section 8 of the Terms of Service, except as prohibited by applicable law.

BY USING THE PLATFORM, CUSTOMER ACKNOWLEDGES HAVING READ, UNDERSTOOD, AND AGREED TO THESE TERMS OF SERVICE.

VERSION ROADMAP

V1.0 (Current — Audit-Ready)

This version is designed to be immediately publishable and compliant with GDPR and SOC2 requirements. All commitments in this document are achievable through manual processes where automation does not yet exist.

V1.0 Capabilities:

Manual data subject request handling (30-day response)
Manual data export upon verified request
Manual incident response and breach notification
Static sub-processor list maintained in documentation
Terms acceptance tracked via timestamp

V2.0 (Target — Enhanced Automation)

Future version with enhanced automation and self-service capabilities:

Enhancement	Description	Target
Self-service data export	In-app data download for customers	Q2 2026
Automated DSR workflow	Ticketing system for data subject requests	Q2 2026
Sub-processor portal	Real-time sub-processor list with change notifications	Q3 2026
Automated retention	Policy-based data deletion automation	Q3 2026
Privacy preference center	Customer-facing privacy controls	Q4 2026

Utkrusht Learning Services Private Limited India: A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 USA: 572 Amboy Dr, San Jose, CA 95136 Email: naman@utkrusht.ai

Document Version: 1.0 (Audit-Ready) Last Updated: February 3, 2026