Skip to content
ikanResidences
Inquire now

Data Processing Agreement

DPA

This Data Processing Agreement (DPA) forms part of the Master Services Agreement between ikan Talent Mobility Pvt. Ltd. (‘Processor’) and the corporate Client (‘Controller’). It governs the processing of personal data of Client travelers, employees, and contractors.

Last updated: 25 April 2026

1. Definitions

Terms used in this DPA have the meanings given to them under the EU General Data Protection Regulation (GDPR) and the Indian Digital Personal Data Protection Act, 2023 (DPDP Act), as applicable. ‘Personal data’, ‘processing’, ‘controller’, and ‘processor’ are interpreted accordingly.

2. Subject matter and duration

ikan acts as Processor and processes personal data on behalf of the Client (Controller) solely to deliver the corporate-housing services described in the underlying agreement. Processing continues for the term of the agreement and the legally required retention period thereafter.

3. Categories of data subjects and personal data

  • Data subjects: the Client’s relocating employees, accompanying family members, and procurement contacts.
  • Personal data: name, email, phone, employer, assignment city, check-in/out dates, government ID where required for hotel registration, dietary or accessibility requests where given voluntarily.

4. Controller obligations

The Client warrants it has a lawful basis to share personal data with ikan and that it has provided the data subjects with all required notices.

5. Processor obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure all personnel authorized to process the data are bound by written confidentiality.
  • Implement appropriate technical and organisational security measures (TLS in transit, AES-256 at rest, role-based access, audit logs).
  • Assist the Controller, taking into account the nature of processing, with data-subject rights requests, breach notifications, and DPIAs.
  • Make available all information necessary to demonstrate compliance and submit to audits as required.

6. Sub-processors

ikan engages the following sub-processors. Material changes are notified at least 14 days in advance, and the Controller may object on reasonable grounds.

  • Vercel Inc. — application hosting (US/EU).
  • Supabase Inc. — managed Postgres database (Singapore region for India workloads).
  • Resend — transactional email delivery.
  • Sentry — error monitoring; PII scrubbed before upload.
  • Property suppliers — only the data needed to confirm a single booking (name, dates, ID for hotel registration).

7. International transfers

Personal data of EEA/UK data subjects is transferred under the Standard Contractual Clauses (Module 2). DPDP-regulated personal data is processed within India unless the Government of India has notified the destination country.

8. Breach notification

ikan will notify the Controller without undue delay (and in any case within 48 hours) after becoming aware of a personal-data breach affecting Controller data, including the nature of the breach, likely consequences, and remediation steps taken.

9. Return or deletion

On termination, ikan returns or securely deletes all personal data within 90 days, except where retention is required by law (e.g. GST records, hotel registers).

10. Liability and governing law

Liability for breaches of this DPA is governed by the limitation of liability clause in the underlying Master Services Agreement. Disputes are subject to Indian law and the exclusive jurisdiction of the courts of Mumbai.

11. Contact

Data Protection Officer — privacy@ikan.co.in.
Postal: ikan Talent Mobility Pvt. Ltd., Mumbai, India.