(HRMS + Payroll + CLMS + Contract Labour Compliance)
Groniva Corporation Private Limited
Effective Date: 01-10-2025
Version: 1.0
Jurisdiction: Pune, Maharashtra
A. Purpose & Scope
A.1 This Data Processing Addendum (“DPA”) forms an integral part of the Terms of Use and governs Groniva’s processing of Customer Data on behalf of employers, contractors, or other subscribing organisations (“Customer”).
A.2 This DPA applies to:
- HRMS data
- Payroll data
- Contract labour workforce details
- Worker KYC & onboarding
- Attendance & muster records
- Compliance registers & filing-related data
B. Roles Under Law
B.1 Under DPDP principles:
| Entity |
Role |
| Customer (Employer / Principal Employer) |
Data Fiduciary / Controller |
| Contractor / Sub-Contractor |
Co-Processor / Executor |
| Groniva |
Data Processor / SaaS Enabler |
B.2 Under Labour Law (CLRA / ISMW / BOCW):
| Function |
Responsibility |
| Regulatory accountability |
Principal Employer / Contractor |
| Digital facilitation |
Groniva |
| Workforce deployment legality |
Contractor |
| Compliance records |
Customer/Contractor |
B.3 Groniva does NOT become:
- Employer of record
- Labour law principal employer
- Wage-liable entity
C. Instructions & Limitation Of Use
C.1 Groniva processes Customer Data only:
- On documented instructions
- For service delivery
- For compliance facilitation
- For legitimate security reasons
C.2 Groniva does not determine:
- Purpose of processing
- Category of workforce to be deployed
- Statutory thresholds
- CLRA licensing validity
D. Data Security Controls
D.1 Groniva maintains:
- Transport encryption (TLS)
- Controlled access (RBAC)
- Audit logs
- Limited admin access
- Masking of identity data wherever feasible
- Segregated tenant data architecture
D.2 Infrastructure safeguards include:
- Cloud redundancy
- Managed backups
- Vulnerability assessments
- Hardening of access nodes
- IAM & credential hygiene
E. Sub-processors
E.1 Groniva may engage verified sub-processors (cloud/infra/SMS gateways/backup providers).
E.2 All sub-processors:
- Are under contract
- Cannot use data for their own purposes
- Follow equivalent protection
E.3 On written request, Customer can obtain current list.
F. Worker Data (Clra / Payroll Specific)
F.1 Worker personal data is ingested for:
- Deployment mapping
- Muster/attendance
- Payroll/wage computation
- Register maintenance
- Compliance inspection readiness
F.2 Responsibility for accuracy:
| Category |
Accountable Party |
| Worker identity |
Contractor/Employer |
| Statutory eligibility |
Contractor |
| Pay/wages correctness |
Employer/Contractor |
| Digital enablement |
Groniva |
G. Data Location & Cross-border
G.1 Default storage:
India
G.2 Cross-border transfer
only:
- On explicit Customer instruction, OR
- If infra redundancy requires it (with equivalent protections)
H. Breach Notification
H.1 In the event of a security breach:
- Groniva will notify Customer without undue delay
- Provide details and mitigation plan
- Support Customer for regulatory obligations
H.2 Customer is responsible for:
- External disclosure to regulators/workers (if mandated)
- Statutory reporting obligations
I. Data Retention & Deletion
I.1 Data is retained for subscription period + lawful retention.
I.2 Upon termination:
Customer may request:
- Return of data
or
- Deletion (after statutory hold)
I.3 CLRA/Payroll retention may override deletion timelines.
J. Audit & Inspection Rights
J.1 Customer may:
- Request summary of security controls
- Review updated compliance artefacts
- Conduct an audit (virtual/desk-based) with notice
J.2 Frequency:
One per year, unless breach or legal mandate.
K. Indemnity
Each party indemnifies the other for:
- Its own data misuse
- Breach of this DPA
- Violation of applicable data protection obligations
L. Limitation Of Liability
As per Terms of Use — capped at fees paid in last 12 months — excluding gross negligence or wilful misconduct.
M. Precedence
If this DPA conflicts with Terms:
DPA prevails, but only for data protection matters.
View More Industry
