1. Definitions
In this DPA, the following terms have the meanings given:
- "Customer": the individual or business that has agreed to Omako's Terms of Service and uses the Service.
- "Customer Personal Data": personal data that the Customer provides to, or which is collected by, Omako in connection with the Service and which relates to the Customer's end clients or other third parties.
- "Data Fiduciary": as defined in the Digital Personal Data Protection Act, 2023 (DPDP Act); in this context, the Customer.
- "Data Processor": Shwez Studio LLP, trading as Omako, processing Customer Personal Data on the Customer's behalf.
- "DPDP Act": India's Digital Personal Data Protection Act, 2023, and any regulations made thereunder.
- "Processing": any operation performed on personal data, including collection, storage, use, disclosure, deletion, or erasure.
2. Scope and nature of processing
| Attribute | Detail |
|---|---|
| Subject matter | Providing the Omako freelance workspace service |
| Duration | For the term of the Customer's subscription, plus up to 90 days post-termination |
| Nature | Storage, retrieval, display, and AI-assisted analysis of project data |
| Purpose | To enable the Customer to manage proposals, timelines, approvals, invoices, and client communications |
| Types of personal data | Client names, email addresses, company names, project feedback, approval decisions, payment amounts |
| Categories of data principals | The Customer's end clients and counterparties |
3. Customer obligations
As the Data Fiduciary, the Customer is responsible for:
- Having a lawful basis under the DPDP Act for processing and sharing Customer Personal Data with Omako.
- Providing appropriate privacy notices to their end clients informing them that their data is processed through Omako.
- Ensuring accuracy of Customer Personal Data uploaded to the Service.
- Responding to data principal rights requests (access, correction, erasure) within the timeframes required by law. Omako will assist with this under Section 6.
- Not instructing Omako to process Customer Personal Data in a way that violates applicable law.
4. Omako's obligations as processor
Omako undertakes to:
- Process Customer Personal Data only on the documented instructions of the Customer (as set out in the Terms of Service and this DPA), unless required to do so by law.
- Ensure that personnel with access to Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational security measures as described in our Security page.
- Not engage sub-processors for the processing of Customer Personal Data without following the process in Section 5.
- Assist the Customer with data principal rights requests to the extent technically feasible.
- On termination of the Service, delete or return Customer Personal Data within 90 days, at the Customer's election, subject to legal retention requirements.
5. Sub-processors
The Customer provides general written authorisation for Omako to engage the following categories of sub-processors. Omako will notify the Customer of intended changes (additions or replacements) with at least 14 days' notice, during which the Customer may object in writing.
| Sub-processor | Location | Processing activity |
|---|---|---|
| Amazon Web Services, Inc. | India (ap-south-1) | Cloud infrastructure, database hosting, object storage |
| Anthropic, PBC | USA (inference only; no data stored) | AI inference for Omi (per-request context only) |
| Postmark (Wildbit LLC) | USA | Transactional email delivery (notifications, magic links) |
| Cloudflare, Inc. | Global edge (traffic only) | CDN, DDoS protection, TLS termination |
Omako has entered into written data processing agreements with each sub-processor that impose obligations no less protective than those in this DPA. Omako remains fully liable to the Customer for the performance of sub-processors.
6. Data principal rights
Where a data principal (your end client) exercises a right under the DPDP Act in relation to Customer Personal Data held by Omako on your behalf, Omako will:
- Notify you within 5 business days if the request is received directly by Omako.
- Provide you with self-service tools in the dashboard to export, correct, or delete Customer Personal Data for a specific client.
- Assist with technically complex requests on a best-efforts basis within 20 business days of the Customer's written request.
7. Security measures
Omako implements the technical and organisational measures described in our Security page, which include encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, audit logging, and regular security reviews. These measures are reviewed and updated at least annually.
Upon written request, Omako will provide a summary of the current security measures applicable to Customer Personal Data processing.
8. Personal data breaches
In the event of a personal data breach affecting Customer Personal Data, Omako will:
- Notify the Customer without undue delay and, in any event, within 72 hours of becoming aware of the breach.
- Provide, to the extent available: the nature of the breach, categories and approximate number of data principals affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Customer to mitigate the effects of the breach and to comply with any notification obligations the Customer has to the Data Protection Board of India or affected data principals.
Omako shall not make public statements about a breach affecting Customer Personal Data without the Customer's prior written consent, except where required by law.
9. Data transfers
Customer Personal Data is stored and processed within India (AWS ap-south-1) as a primary matter. Transfers to sub-processors outside India (Anthropic for AI inference, Postmark for email delivery, Cloudflare for traffic routing) are governed by contractual safeguards equivalent to Standard Contractual Clauses. Anthropic receives only per-request context and does not persist data beyond inference.
10. Audits
Omako will, upon at least 30 days' written notice and no more than once per calendar year, make available information reasonably necessary to demonstrate compliance with this DPA. Omako may satisfy audit requests by providing relevant third-party audit reports (e.g. SOC 2, once available) or completing written questionnaires in lieu of on-site audits.
11. Duration and deletion
This DPA remains in effect for as long as Omako processes Customer Personal Data under the Terms of Service. On expiry or termination of the Terms of Service, Omako will, within 90 days, either delete or return all Customer Personal Data at the Customer's election, and certify deletion in writing. Deletion may be delayed for data subject to legal retention obligations (e.g. GST records), which will be deleted as soon as retention obligations permit.
12. Governing law
This DPA is governed by the laws of India, including the DPDP Act, 2023. Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.
Questions about this document? Write to us at privacy@omako.app and a real person will respond.