Sample Work & Drafts

Representative excerpts from live engagements. Client names and commercially sensitive terms are redacted. All drafts reflect current applicable law.

Contract Drafting | High Complexity

Master SaaS Agreement

B2B agreement for an AI-driven marketing analytics platform. Governed the subscription model, data ownership, acceptable use, IP protection, and enterprise-grade liability framework for a Series A SaaS company onboarding mid-market clients.

Context: Drafted for a B2B SaaS vendor (the "Company") licensing an AI-powered marketing analytics platform to enterprise clients. The agreement governed a multi-tenant, subscription-based deployment with customer data ingestion, model training exclusions, and a tiered SLA.

1. Definitions (Selected)

"Customer Data" means all data, content, and information submitted by Customer or its Authorized Users to the Platform, or collected by the Platform on Customer's behalf, during the Subscription Term, excluding Aggregated Statistics and Usage Data.

"Aggregated Statistics" means data and information related to Customer's use of the Platform that is used by Company in an aggregated and anonymised manner, including to compile statistical and performance information related to the provision and operation of the Platform. For the avoidance of doubt, Aggregated Statistics do not include any Customer Data or data that identifies or is reasonably identifiable to Customer or any individual.

"Malicious Code" means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.

"Professional Services" means implementation, configuration, training, or other professional services provided by Company to Customer as described in an applicable Order Form, and governed by this Agreement unless a separate Statement of Work is executed.

2. Subscription License; Restrictions

2.1 Grant of License. Subject to the terms and conditions of this Agreement, including timely payment of all Fees, Company grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Platform during the Subscription Term, solely for Customer's internal business purposes and in accordance with the Documentation and applicable Order Form.

2.2 Restrictions. Customer shall not, and shall ensure that its Authorized Users do not: (a) license, sublicense, sell, resell, transfer, assign, distribute, or otherwise commercially exploit or make available to any third party the Platform or any Company Confidential Information; (b) modify or make derivative works based upon the Platform; (c) reverse engineer or access the Platform in order to build a competitive product or service; (d) use the Platform to store or transmit infringing, libellous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights; (e) use the Platform to send spam or otherwise duplicative or unsolicited messages; (f) use the Platform to store or transmit Malicious Code; (g) interfere with or disrupt the integrity or performance of the Platform or the data contained therein; or (h) attempt to gain unauthorised access to the Platform or its related systems or networks.

2.3 Model Training Exclusion. Notwithstanding any other provision of this Agreement, Company shall not use Customer Data to train, fine-tune, or improve any AI or machine learning model that is made available to third parties, without Customer's prior written consent. Company may use Customer Data to operate, maintain, and improve the Platform as used by Customer, and to generate Aggregated Statistics.

3. Intellectual Property

3.1 Company IP. As between the parties, Company exclusively owns all right, title, and interest in and to the Platform, Documentation, Aggregated Statistics, and all improvements, modifications, and derivative works thereof, including all associated intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth in this Agreement.

3.2 Customer Data. As between the parties, Customer exclusively owns all right, title, and interest in and to Customer Data. Customer grants Company a limited, non-exclusive, royalty-free licence to use, copy, store, transmit, and display Customer Data solely to the extent necessary to provide the Platform and Professional Services to Customer in accordance with this Agreement.

3.3 Feedback. If Customer or any Authorized User provides Company with any feedback or suggestions regarding the Platform ("Feedback"), Customer grants Company a perpetual, irrevocable, royalty-free licence to use such Feedback for any purpose without restriction or payment to Customer.

4. Limitation of Liability

4.1 Exclusion of Consequential Loss. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, LOSS OF USE, LOSS OF REVENUE, LOSS OF GOODWILL, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

4.2 Cap on Liability. EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE INCIDENT GIVING RISE TO THE CLAIM; OR (B) INR 10,00,000 (TEN LAKH RUPEES).

4.3 Exceptions. The limitations in Clauses 4.1 and 4.2 shall not apply to: (a) either party's indemnification obligations under Clause 8; (b) Customer's payment obligations; (c) either party's obligations of confidentiality; or (d) damages arising from a party's gross negligence, fraud, or wilful misconduct.

5. Service Level Agreement (Key Extract)

5.1 Uptime Commitment. Company shall use commercially reasonable efforts to ensure that the Platform is available 99.5% of the time in any given calendar month, excluding Scheduled Downtime and any downtime caused by factors outside Company's reasonable control, including Customer's acts or omissions, third-party service failures, or Force Majeure Events.

5.2 Service Credits. If Company fails to meet the Uptime Commitment in any calendar month, Customer shall be entitled to a service credit equal to: (a) 10% of the monthly Subscription Fee for availability between 99.0% and 99.5%; or (b) 25% of the monthly Subscription Fee for availability below 99.0%. Service credits are Customer's sole and exclusive remedy for Company's failure to meet the Uptime Commitment and shall not exceed the monthly Subscription Fee for the affected month.

Drafting Note: The model training carve-out in Clause 2.3 was specifically negotiated by the client following concerns raised after OpenAI's early ToS controversies. The liability cap was structured on a trailing-12-months basis rather than total contract value to give the vendor meaningful protection on multi-year deals, where early-period incidents would otherwise expose the full contract value.

Contract Drafting | High Complexity

Vendor Services Agreement

Full-form vendor agreement for a managed IT services engagement. Covered scope of work, deliverable acceptance, change control, IP assignment, audit rights, and termination mechanics including step-in rights for a mid-market IT services company.

Context: Drafted on behalf of the Client (buyer-side) engaging a technology vendor for a multi-phase digital transformation project. The agreement was structured around a Master Services Agreement with project-specific Statements of Work.

1. Deliverables and Acceptance

1.1 Delivery of Deliverables. Vendor shall deliver each Deliverable to Client by the date specified in the applicable Statement of Work. Each Deliverable shall conform to the specifications, standards, and acceptance criteria set out in the relevant SOW ("Acceptance Criteria").

1.2 Acceptance Testing. Upon receipt of each Deliverable, Client shall have fifteen (15) Business Days (the "Acceptance Period") to evaluate the Deliverable against the Acceptance Criteria. Client shall notify Vendor in writing within the Acceptance Period of either: (a) acceptance of the Deliverable; or (b) rejection of the Deliverable, specifying in reasonable detail the manner in which the Deliverable fails to meet the Acceptance Criteria. Silence at the end of the Acceptance Period shall not constitute deemed acceptance unless expressly stated in the SOW.

1.3 Remediation. If Client rejects a Deliverable, Vendor shall, at no additional charge, correct the identified deficiencies and resubmit the Deliverable within ten (10) Business Days of receipt of Client's rejection notice. If the resubmitted Deliverable continues to fail to meet the Acceptance Criteria, Client may, at its option: (a) grant Vendor an additional remediation period; (b) terminate the applicable SOW for material breach; or (c) accept the Deliverable with a mutually agreed fee reduction.

2. Change Control

2.1 Change Request Process. Either party may request changes to the scope of Services described in an SOW by submitting a written Change Request to the other party. A Change Request shall describe in reasonable detail the proposed change, the estimated impact on timelines, and the estimated cost impact.

2.2 Evaluation. Within ten (10) Business Days of receipt of a Change Request, Vendor shall provide Client with a written Change Order setting out: (a) a detailed description of the proposed change; (b) any adjustment to the fees; (c) any adjustment to the project timeline; and (d) any other material impact on the Services.

2.3 No Obligation. Neither party shall be obligated to proceed with a proposed change until a Change Order has been executed in writing by authorised representatives of both parties. Vendor shall not perform any work in excess of the scope of the applicable SOW without a signed Change Order.

3. Intellectual Property Assignment

3.1 Assignment of Project IP. All Deliverables, and all intellectual property rights therein, that are created, conceived, or developed by Vendor or its personnel specifically for Client under this Agreement ("Project IP") shall be deemed works made for hire to the fullest extent permitted by applicable law. To the extent that any Project IP does not qualify as a work made for hire, Vendor hereby irrevocably assigns to Client all right, title, and interest in and to the Project IP, including all patent, copyright, trade secret, and other intellectual property rights therein.

3.2 Vendor Background IP. Nothing in this Agreement shall be construed to assign to Client any of Vendor's pre-existing intellectual property, tools, methodologies, know-how, or software that Vendor uses in connection with performing the Services and that is not developed specifically for Client under this Agreement ("Vendor Background IP"). Vendor grants Client a non-exclusive, royalty-free, perpetual licence to use Vendor Background IP to the extent embedded in or necessary to use the Deliverables.

3.3 Open Source. Vendor shall not incorporate any open source software into any Deliverable without Client's prior written consent. Where consent is granted, Vendor shall disclose the applicable open source licence and confirm that such licence does not impose any obligations on Client's proprietary software.

4. Step-In Rights

4.1 Trigger. If Vendor: (a) fails to meet a material milestone specified in an SOW and such failure is not remedied within fifteen (15) Business Days of written notice from Client; (b) becomes insolvent or enters any insolvency proceeding; or (c) commits a material breach of this Agreement that is not capable of remedy, Client may exercise its step-in rights under this Clause.

4.2 Exercise of Step-In. Upon exercise of step-in rights, Client may: (a) take over the performance of the affected Services itself or engage a third party to do so; (b) require Vendor to provide reasonable access to all project documentation, materials, systems, and key personnel to facilitate the transition; and (c) deduct from any amounts owed to Vendor the reasonable additional costs incurred by Client as a result of the step-in.

Drafting Note: The deemed-acceptance exclusion in Clause 1.2 was a heavily negotiated point — vendors typically push for silence-equals-acceptance to protect project cash flow. The step-in right was included at the client's insistence following a prior engagement where a vendor went into voluntary liquidation mid-project, leaving the client stranded with no contractual recourse for asset handover.

Contract Drafting | Medium Complexity

Mutual Non-Disclosure Agreement

Bilateral NDA for a pre-deal technology partnership between an AI startup and a BFSI enterprise. Tightly scoped confidentiality obligations, residuals clause calibrated to client risk appetite, and compelled disclosure protocol aligned with SEBI listing obligations.

Context: Drafted for a mutual disclosure scenario during early-stage commercial negotiations between a fintech AI startup (Disclosing Party in the primary stream) and a listed NBFC exploring a technology licensing arrangement. The NDA was intended to survive the transaction process regardless of whether a deal was concluded.

1. Definition of Confidential Information

1.1 "Confidential Information" means any information disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party"), whether disclosed orally, in writing, electronically, or by any other means, that: (a) is designated as confidential at the time of disclosure; (b) should reasonably be understood to be confidential given the nature of the information and the circumstances of disclosure; or (c) is identified in Schedule 1 as confidential information of that party.

1.2 Exclusions. Confidential Information shall not include information that: (a) is or becomes publicly available through no act or omission of the Receiving Party; (b) was rightfully known to the Receiving Party prior to disclosure by the Disclosing Party without restriction; (c) is rightfully received by the Receiving Party from a third party without restriction on disclosure; (d) is independently developed by the Receiving Party without use of or reference to the Disclosing Party's Confidential Information, as evidenced by written records predating disclosure; or (e) is required to be disclosed by applicable law, court order, or regulatory requirement, subject to Clause 4.

2. Obligations of the Receiving Party

2.1 The Receiving Party shall: (a) hold the Confidential Information of the Disclosing Party in strict confidence using the same degree of care it uses to protect its own confidential information of a similar nature, but in no event less than reasonable care; (b) not disclose the Confidential Information to any person other than its Representatives who need to know the Confidential Information for the Purpose and who are bound by confidentiality obligations no less protective than those set out in this Agreement; (c) not use the Confidential Information for any purpose other than the Purpose; and (d) promptly notify the Disclosing Party in writing upon becoming aware of any actual or reasonably suspected unauthorised disclosure of or access to Confidential Information.

2.2 Liability for Representatives. The Receiving Party shall be liable for any breach of this Agreement by its Representatives as if such breach were a breach by the Receiving Party itself.

3. Residuals Clause

3.1 Notwithstanding the foregoing, a Representative of the Receiving Party who has had access to Confidential Information may use the Residual Knowledge (as defined below) that is retained in the unaided memory of such Representative, provided that such Representative was not deliberately attempting to memorise the Confidential Information for the purpose of subsequent use or disclosure. "Residual Knowledge" means information in non-tangible form that may be incidentally retained in the memory of a person who has had access to Confidential Information, not including any tangible reproductions thereof.

3.2 Limitation. The residuals exception in Clause 3.1 shall not permit: (a) use of Confidential Information that constitutes a trade secret to the extent such use would constitute misappropriation under applicable law; (b) disclosure of Confidential Information to third parties; or (c) any use of Confidential Information that infringes any intellectual property right of the Disclosing Party.

4. Compelled Disclosure

4.1 If the Receiving Party or any of its Representatives is required by applicable law, regulation (including SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015), court order, or the rules of any stock exchange to disclose any Confidential Information, the Receiving Party shall: (a) to the extent permitted by law, provide the Disclosing Party with prompt prior written notice of such requirement so that the Disclosing Party may seek an appropriate protective order or other remedy; (b) cooperate with the Disclosing Party, at the Disclosing Party's cost, in seeking such protective order; and (c) in any event, disclose only that portion of the Confidential Information which is legally required to be disclosed, and use reasonable efforts to ensure that the disclosed information is accorded confidential treatment.

5. Term and Return of Information

5.1 Term. This Agreement shall commence on the Effective Date and continue for a period of two (2) years (the "Term"), unless earlier terminated by either party upon thirty (30) days' written notice. The confidentiality obligations under this Agreement shall survive termination or expiry for a further period of three (3) years in respect of information that does not constitute a trade secret, and indefinitely in respect of information that constitutes a trade secret under applicable law.

5.2 Return or Destruction. Upon termination or expiry of this Agreement, or upon written request from the Disclosing Party, the Receiving Party shall promptly: (a) return to the Disclosing Party all tangible materials containing Confidential Information; or (b) at the Disclosing Party's election, destroy all such materials and confirm such destruction in writing. The Receiving Party may retain one archival copy of Confidential Information in encrypted form solely for the purposes of compliance with applicable law or regulatory requirements, subject to ongoing confidentiality obligations.

Drafting Note: The residuals clause was a specific ask from the startup's engineering team, who were concerned about knowledge bleed across joint working sessions. The SEBI-specific carve-out in the compelled disclosure clause was included because the NBFC counterparty was a listed entity with price-sensitive information obligations — a standard "applicable law" reference would not have been specific enough given their compliance team's requirements.

Privacy Framework | High Complexity

DPDPA Compliance Framework & Gap Assessment

End-to-end compliance framework for an Indian healthtech startup under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. Covered data inventory, consent architecture, rights fulfilment workflows, Significant Data Fiduciary analysis, and cross-border transfer assessment.

Context: Engagement for a Series B healthtech company operating a patient-facing telehealth platform and a B2B hospital SaaS product. The company processed sensitive personal data (health data) of patients across 12 Indian states, with limited cross-border data flows to a cloud infrastructure provider hosted in Singapore. Engagement commenced post-notification of DPDP Rules in November 2025.

1. Consent Architecture Assessment

Issue Identified: The client's existing privacy notice bundled consent for health data processing, marketing communications, and analytics into a single checkbox at patient onboarding. This structure is non-compliant with Section 6 of the DPDPA, which requires that consent be sought separately for each distinct purpose, in clear and plain language, and with a separate notice for each category of personal data.

Recommendation: Implement a granular, purpose-specific consent framework at onboarding and at the point of each new processing activity. Each consent request must: (a) be presented in a clear, plain-language notice before processing commences; (b) identify the specific personal data to be processed; (c) specify the purpose of processing; (d) identify any Data Processors to whom data will be disclosed; and (e) inform the Data Principal of their right to withdraw consent at any time, without affecting the lawfulness of prior processing.

Legitimate Use Consideration: Health data processed for the primary purpose of rendering medical care to the Data Principal who provides it may qualify as "legitimate use" under Section 7(d) of the DPDPA (emergencies) and Section 7(f) (employment/medical purposes), reducing the consent burden for core clinical workflows. However, secondary use for analytics, research, or product improvement requires independent consent.

2. Rights Fulfilment Workflow

Rights Framework under DPDPA: Data Principals have the following rights under Chapter III of the DPDPA: (a) Right to access information about personal data (Section 11); (b) Right to correction, completion, update, and erasure (Section 12); (c) Right to grievance redressal (Section 13); and (d) Right to nominate (Section 14).

Gap Identified: The client had no documented process for responding to data principal requests. The DPDPA does not prescribe a statutory response timeline (unlike GDPR's 30-day standard), but the DPDP Rules require that the Data Fiduciary establish a "readily accessible" grievance mechanism and respond within the period specified in the Rules (Rule 13 prescribes 48 hours for acknowledgment and 30 days for resolution of grievance under Section 13).

Recommended Workflow: Implement an in-app data rights portal with: (a) identity verification before processing any rights request; (b) automated acknowledgment within 48 hours; (c) internal escalation SLA of 21 days for technical fulfilment; (d) documented rejection protocol where requests are refused under Section 12 exceptions; and (e) audit log of all rights requests and actions taken.

3. Significant Data Fiduciary Analysis

Threshold Assessment: Under Section 10 of the DPDPA, the Central Government may notify certain Data Fiduciaries as "Significant Data Fiduciaries" (SDFs) based on criteria including: volume of personal data processed, sensitivity of data, risk to rights of Data Principals, potential impact on national security, and risk to electoral democracy. The DPDP Rules 2025 do not yet specify the SDF notification thresholds.

Current Position: The client processes sensitive personal data (health data) of approximately 280,000 patients. Based on current volumes and the pending SDF notification framework, the client is not immediately at SDF threshold risk, but should implement SDF-ready architecture given the sensitivity of health data and anticipated growth trajectory.

SDF-Ready Measures Recommended: (a) Appoint a Data Protection Officer (DPO) even before mandatory obligation arises; (b) Commission an annual Data Protection Impact Assessment for all high-risk processing operations; (c) Conduct algorithmic audits for any automated decision-making tools used in clinical triage; (d) Establish data localisation readiness for data categories likely to be designated as sensitive under future Rules.

4. Cross-Border Transfer Assessment

Current Flow: Patient personal data is processed on AWS infrastructure deployed in the ap-southeast-1 region (Singapore). The client's cloud hosting agreement with its AWS reseller did not contain DPDPA-compliant data processing terms as of the date of assessment.

Legal Position: Section 16 of the DPDPA permits transfer of personal data outside India except to countries notified as restricted by the Central Government. As of the date of this assessment, no restricted countries have been notified. Singapore is not a restricted jurisdiction. However, transfers remain subject to: (a) the contractual obligations on the Data Processor (AWS) under Section 8(2); (b) the requirement that the Data Processor process data only on documented instructions; and (c) any sector-specific localisation requirements under IRDAI, RBI, or DPIIT frameworks that apply to the client's business (none applied to this client).

Action Required: Execute a DPDPA-compliant Data Processing Agreement with the cloud reseller / AWS entity acting as Data Processor. The DPA must comply with Section 8 obligations and require the Processor to: (a) process data only on the Company's instructions; (b) implement adequate security safeguards; (c) notify the Company of any personal data breach without undue delay; (d) delete data upon termination; and (e) permit audits and inspections.

Drafting Note: The SDF analysis is necessarily preliminary given that the Central Government had not notified SDF thresholds as of November 2025 (DPDP Rules only set out the criteria framework). The cross-border transfer position will require reassessment once the Government publishes the list of restricted countries under Section 16(1). The consent architecture rebuild was the most commercially significant recommendation — it required a full re-engineering of the app's onboarding flow, which the client's engineering team estimated at 3–4 sprints.

Privacy Framework | High Complexity

GDPR-Compliant Data Processing Agreement

Controller-to-processor DPA for a SaaS vendor handling EU personal data on behalf of enterprise clients. Drafted to satisfy Article 28 GDPR requirements with comprehensive sub-processor regime, Annex II technical and organisational measures, and breach notification obligations.

Context: Drafted on behalf of a SaaS vendor (Processor) to be incorporated into its enterprise subscription agreements with EU-based clients (Controllers). The DPA was designed as a self-contained schedule to the Master Agreement and was required to comply with Article 28(3) GDPR and the EDPB's guidance on controller-processor relationships. The vendor was processing personal data of EU employees and end-users on behalf of its clients.

1. Article 28(3) Core Obligations

1.1 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

1.2 The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

1.3 The Processor shall implement the technical and organisational measures specified in Annex II of this Agreement in accordance with Article 32 of the GDPR.

1.4 The Processor shall not engage another processor (a "Sub-Processor") without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Controller the opportunity to object to such changes within fourteen (14) calendar days of notification.

1.5 The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR.

1.6 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

1.7 At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services relating to the processing, and shall delete existing copies unless Union or Member State law requires storage of the Personal Data.

1.8 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the audit procedures in Clause 6 of this Agreement.

2. Sub-Processor Regime

2.1 General Authorisation. The Controller hereby grants the Processor general written authorisation to engage Sub-Processors for the processing of Personal Data, subject to the conditions in this Clause 2. The current list of Sub-Processors is set out in Annex III of this Agreement.

2.2 Change Notification. The Processor shall notify the Controller of any intended addition or replacement of Sub-Processors by updating Annex III and providing written notice to the Controller at the email address specified in Annex I. The Controller may object to the addition or replacement of a Sub-Processor by providing written notice to the Processor within fourteen (14) calendar days of receiving notification, stating the reasonable grounds for the objection. If the Controller objects, the parties shall engage in good faith discussions to resolve the objection. If the parties are unable to resolve the objection within thirty (30) days, the Controller may terminate the affected services on thirty (30) days' written notice.

2.3 Downstream Obligations. The Processor shall impose on each Sub-Processor data protection obligations equivalent to those set out in this Agreement, by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of a Sub-Processor's obligations.

3. Personal Data Breach Notification

3.1 Obligation to Notify. The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. Such notification shall include: (a) a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of personal data records concerned; (b) the name and contact details of the Data Protection Officer or other point of contact where more information can be obtained; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach.

3.2 Staged Notification. Where it is not possible to provide all information simultaneously, such information may be provided in phases without undue further delay.

3.3 Cooperation. The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

4. Annex II: Technical and Organisational Measures (Extract)

The Processor has implemented the following technical and organisational security measures in accordance with Article 32 GDPR:

Encryption: All Personal Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Encryption keys are managed through a dedicated key management service with access controls limited to authorised personnel.

Access Controls: Access to systems processing Personal Data is governed by role-based access controls (RBAC). All access requires multi-factor authentication. Access rights are reviewed quarterly and revoked immediately upon termination of employment or change of role.

Data Minimisation and Retention: Personal Data is retained only for the duration of the service provision, unless longer retention is required by applicable law. Automated deletion routines are applied at the end of the applicable retention period.

Pseudonymisation: Where technically feasible and operationally appropriate, Personal Data is pseudonymised in analytics and reporting environments.

Incident Response: The Processor maintains a documented incident response plan reviewed annually. Security incidents are logged, triaged within 4 hours, and escalated to the Data Protection Officer within 8 hours of identification of a potential Personal Data Breach.

Vendor Assessment: All Sub-Processors are subject to a vendor security assessment prior to engagement and annual re-assessment thereafter. Sub-Processors processing Personal Data must maintain ISO 27001 certification or an equivalent recognised standard.

Drafting Note: The 24-hour breach notification standard (vs. GDPR's 72-hour window to supervisory authorities) was specifically negotiated by the Controller to give it adequate time to assess the breach and prepare its own regulatory notification. The sub-processor objection window of 14 days (vs. the typical 30 days used by hyperscalers) was accepted by the Processor in exchange for a narrowing of the Controller's termination right to only the "affected services" rather than the entire agreement.

Legal Policy High Complexity
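The deadlines in Clause 3.1 (Controller notified within 24 hours), Annex II (triage within 4 hours, DPO escalation within 8 hours) and the drafting note (the 72-hour regulator window the Controller must still meet) chain together, and a processor's incident tracker should be able to show whether each clock was met. The module below is an added illustration, not part of the drafted agreement or the client's tooling. It assumes the 4-hour triage clock runs from the moment the incident is logged and the 8-hour and 24-hour clocks from identification of the potential Personal Data Breach (the extract does not fix the start points identically), and the sample incident and notice are constructed.

```python
"""Added example: deadline tracker for the breach-notification and incident-response
clocks in Clause 3.1 and Annex II of the DPA extract. Not the agreement's own text;
clock-start points are assumptions and are marked below."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Limits stated in the extract.
TRIAGE_LIMIT = timedelta(hours=4)               # Annex II: triaged within 4 hours
DPO_ESCALATION_LIMIT = timedelta(hours=8)       # Annex II: escalated to DPO within 8 hours
CONTROLLER_NOTICE_LIMIT = timedelta(hours=24)   # Clause 3.1: Controller notified within 24 hours
SUPERVISORY_NOTICE_LIMIT = timedelta(hours=72)  # GDPR Art. 33 window cited in the drafting note (Controller's clock)

# Clause 3.1(a)-(d): the four elements a notification must eventually contain.
REQUIRED_NOTICE_ELEMENTS = ("nature", "contact", "consequences", "measures")

# Constructed reference time for the sample incident (not from the page).
SAMPLE_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Incident:
    logged: datetime      # entered in the incident log; assumed start of the 4 h triage clock
    identified: datetime  # identified as a potential breach; assumed start of the 8 h and 24 h clocks
    triaged: Optional[datetime] = None
    escalated_to_dpo: Optional[datetime] = None
    controller_notified: Optional[datetime] = None


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Absolute deadlines derived from the contract's relative limits."""
    return {
        "triage": inc.logged + TRIAGE_LIMIT,
        "dpo_escalation": inc.identified + DPO_ESCALATION_LIMIT,
        "controller_notice": inc.identified + CONTROLLER_NOTICE_LIMIT,
        "supervisory_notice": inc.identified + SUPERVISORY_NOTICE_LIMIT,
    }


def _status(done: Optional[datetime], due: datetime, now: datetime) -> str:
    """met/missed once the step is done; open/overdue while it is still pending."""
    if done is not None:
        return "met" if done <= due else "missed"
    return "open" if now <= due else "overdue"


def evaluate(inc: Incident, now: datetime) -> Dict[str, str]:
    """Status of each Processor-side step as of `now`."""
    due = deadlines(inc)
    return {
        "triage": _status(inc.triaged, due["triage"], now),
        "dpo_escalation": _status(inc.escalated_to_dpo, due["dpo_escalation"], now),
        "controller_notice": _status(inc.controller_notified, due["controller_notice"], now),
    }


def notice_gaps(notice: Dict[str, str]) -> List[str]:
    """Clause 3.1 elements still missing from a (possibly staged, Clause 3.2) notification."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k, "").strip()]


def controller_time_remaining(inc: Incident) -> Optional[timedelta]:
    """Share of the 72 h regulator window left to the Controller when the Processor's notice lands.
    This is the drafting note's rationale for 24 h: a timely notice leaves at least 48 h."""
    if inc.controller_notified is None:
        return None
    return deadlines(inc)["supervisory_notice"] - inc.controller_notified


def sample_incident() -> Incident:
    """Constructed incident: escalation to the DPO is late, everything else is on time."""
    return Incident(
        logged=SAMPLE_T0,
        identified=SAMPLE_T0 + timedelta(hours=1),
        triaged=SAMPLE_T0 + timedelta(hours=3),              # 3 h after logging: within 4 h
        escalated_to_dpo=SAMPLE_T0 + timedelta(hours=10),    # 9 h after identification: misses 8 h
        controller_notified=SAMPLE_T0 + timedelta(hours=20),  # 19 h after identification: within 24 h
    )


if __name__ == "__main__":
    inc = sample_incident()
    for step, state in evaluate(inc, SAMPLE_T0 + timedelta(hours=30)).items():
        print(f"{step:18s} {state}")
    print("controller time left for regulator notice:", controller_time_remaining(inc))
    staged = {"nature": "misdirected export of customer records", "contact": "dpo@example"}
    print("elements still owed under Clause 3.1:", notice_gaps(staged))
```

The sample shows the point the Annex and Clause 3.1 make separately: a notice can reach the Controller inside 24 hours and still leave the Processor in breach of its own 8-hour escalation commitment, and `notice_gaps` tracks which of the Clause 3.1(a)-(d) elements a phased notice under Clause 3.2 has yet to supply.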

Platform Terms of Service & Seller Agreement

Comprehensive Terms of Service and Seller Agreement for a multi-vendor B2C e-commerce marketplace. Structured to satisfy the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Consumer Protection (E-Commerce) Rules, 2020, with integrated grievance redressal and IP enforcement mechanisms.

Context: Drafted for a multi-vendor marketplace operating in the fashion and lifestyle segment, governed by Indian law. The platform operates as an intermediary under the IT Act, 2000. The ToS document served a dual function: governing the relationship with buyers (consumers) and establishing the contractual framework for onboarded sellers, including liability allocation, prohibited listings, and IP complaint procedures.

1. Intermediary Status and Liability

1.1 Role of the Platform. [Company] operates the Platform as a technology intermediary facilitating transactions between Buyers and Sellers. [Company] is not a party to any transaction between a Buyer and a Seller and does not buy or sell goods itself. All contracts of sale are directly between the Buyer and the relevant Seller.

1.2 Intermediary Safe Harbour. [Company] claims protection as an intermediary under Section 79 of the Information Technology Act, 2000, read with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. [Company] shall not be liable for any third-party information, data, or communication link made available or hosted on the Platform, provided that it complies with its obligations under the IT Rules, including: (a) publishing its terms of service, privacy policy, and user agreement; (b) informing users not to host, display, upload, modify, publish, transmit, update or share prohibited information; and (c) acting within the prescribed timelines upon receipt of actual knowledge of unlawful content.

1.3 Loss of Safe Harbour. [Company] acknowledges that it may lose intermediary protection under Section 79(3) of the IT Act if it, upon receiving actual knowledge or being notified by the appropriate government that any information or communication link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, fails to expeditiously remove or disable access to such material.

2. Seller Obligations (Key Provisions)

2.1 Accurate Listings. Sellers shall ensure that all product listings are accurate, complete, and not misleading. Product descriptions, images, pricing, and availability must accurately represent the product offered. Sellers shall comply with all applicable labelling requirements under the Legal Metrology (Packaged Commodities) Rules, 2011, and the Bureau of Indian Standards Act, 2016, as applicable to their product category.

2.2 Consumer Protection Compliance. Sellers acknowledge that transactions conducted through the Platform are subject to the Consumer Protection Act, 2019, and the Consumer Protection (E-Commerce) Rules, 2020. In particular, Sellers shall: (a) not engage in unfair trade practices or restrict consumer rights; (b) honour the return and refund policies displayed on the Platform; (c) provide accurate information regarding country of origin as required under E-Commerce Rules 2020, Rule 5(1)(f); and (d) not engage in flash sales that are deceptive or designed to circumvent consumer rights.

2.3 IP Representations. Sellers represent and warrant that: (a) they have all necessary rights, licences, and authorisations to list and sell the products offered; (b) the products do not infringe any third-party intellectual property rights, including trademarks, patents, designs, or copyrights; (c) the products are not counterfeit, deceptive, or substantially similar to a registered trademark without authorisation; and (d) any brand names or logos used in listings are used with the consent of the relevant brand owner. Breach of this Clause is grounds for immediate Seller suspension and removal of listings.

3. Intellectual Property Complaint Procedure

3.1 Notice of Infringement. If you believe that content on the Platform infringes your intellectual property rights, you may submit a written notice to the Grievance Officer at [email address] that includes: (a) your contact information; (b) identification of the intellectual property right claimed to be infringed; (c) identification of the infringing material and its location on the Platform; (d) a statement that you have a good faith belief that the use is not authorised by the rights owner, its agent, or law; and (e) a statement, made under penalty of applicable law, that the information in the notice is accurate and that you are the rights owner or authorised to act on behalf of the rights owner.

3.2 Takedown Timeline. Upon receipt of a valid IP complaint, [Company] shall: (a) acknowledge the complaint within twenty-four (24) hours; and (b) act upon the complaint by removing or disabling access to the infringing content within seventy-two (72) hours of acknowledgment, in accordance with Rule 3(2)(b) of the IT (Intermediary Guidelines) Rules, 2021.

3.3 Counter-Notice. A Seller whose listing has been removed pursuant to an IP complaint may submit a counter-notice to the Grievance Officer, providing: (a) identification of the removed material and its prior location; (b) a statement under penalty of perjury that the Seller has a good faith belief that the material was removed due to mistake or misidentification; and (c) the Seller's consent to the jurisdiction of the courts at [City]. Upon receipt of a valid counter-notice, [Company] may reinstate the content at its discretion, after providing notice to the complainant.

4. Limitation of Liability to Consumers

4.1 To the maximum extent permitted by applicable law, [Company]'s liability to any Buyer arising out of or related to the Platform or any transaction facilitated through the Platform shall be limited to the amount paid by the Buyer in the transaction giving rise to the claim.

4.2 Nothing in these Terms shall limit or exclude [Company]'s liability for: (a) death or personal injury caused by its negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be excluded or limited by applicable law, including rights under the Consumer Protection Act, 2019; or (d) [Company]'s liability as a direct seller where it acts in that capacity.

4.3 Buyers are advised that their primary remedy for defective products, non-delivery, or misrepresentation lies against the Seller. [Company] operates a Buyer Protection Programme (details at [link]) under which it may, at its discretion, provide remedies to Buyers where Sellers are unreachable or non-cooperative, up to the amount paid in the relevant transaction.

5. Governing Law and Dispute Resolution

5.1 Governing Law. These Terms shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law provisions.

5.2 Grievance Redressal. Any grievance or dispute arising out of or in connection with these Terms or the Platform shall first be submitted to the Grievance Officer of the Platform in accordance with the consumer grievance mechanism established under Rule 3(2)(c) of the IT (Intermediary Guidelines) Rules, 2021. The Grievance Officer shall acknowledge the grievance within twenty-four (24) hours and resolve it within fifteen (15) days of receipt.

5.3 Jurisdiction. Subject to the grievance process above, all disputes arising out of or in connection with these Terms that are not resolved through the grievance mechanism shall be subject to the exclusive jurisdiction of the courts at [City], India. Notwithstanding the foregoing, consumers retain the right to approach consumer forums under the Consumer Protection Act, 2019, including the National Consumer Disputes Redressal Commission, regardless of any forum selection clause.

Drafting Note: The explicit IT Act intermediary analysis in Clause 1 was included at the client's request following regulatory scrutiny in the e-commerce sector post-2021. The consumer protection carve-out in Clause 4.2 is mandatory and non-waivable — courts in India have consistently refused to enforce blanket liability exclusions against consumers under the Consumer Protection Act. The 72-hour takedown timeline in Clause 3.2 reflects the specific obligation in Rule 3(2)(b) of the IT Intermediary Rules for "other harmful content"; the Rule 3(2)(a) obligation for content relating to women's dignity (24-hour takedown) is addressed in a separate content policy schedule.