Legal
The terms under which nextdooh processes personal data on your behalf as your processor — sub-processors, transfers, security, breach handling and audit. Part of our Terms of Service.
Effective: 7 June 2026 · Last updated: 7 June 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("you", the "Controller") and KRYIL INFOTECH PRIVATE LIMITED ("Kryil", the "Processor") for use of the nextdooh platform (the "Service"). It applies where Kryil processes personal data on your behalf — principally the media and audience-free content you manage, and any end-user data you choose to put into the Service.
For your own operator-account data (the people who log in to manage screens), Kryil is the controller and the processing is governed by our Privacy Policy (/privacy). For data you upload or configure as a customer, you are the controller and Kryil is the processor under this DPA.
Subject-matter & duration: processing for the term of your subscription plus any legally required retention period. Nature & purpose: hosting, storing, transmitting, scheduling and displaying your content across your registered devices, generating proof-of-play and operational reports, and providing support. Types of personal data: any personal data contained in content you upload or in fields you complete. Categories of data subjects: those you choose to include in your content or configuration. We do not require, and the player apps do not collect, audience biometric or device-identifier data.
Kryil will: (a) process personal data only on your documented instructions, including this DPA and your use of the Service, unless required by law; (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement the security measures in Section 6; (d) assist you, taking into account the nature of processing, with data-subject requests and with your own security, breach-notification and impact-assessment obligations; and (e) make available the information needed to demonstrate compliance.
You authorise Kryil to engage the sub-processors below to deliver the Service. Each is bound by data-protection terms no less protective than this DPA. We will give notice of any intended change so you may object on reasonable data-protection grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Hosting — compute, PostgreSQL database, Blob Storage for media; application + audit logs | India |
| Zoho Corporation (ZeptoMail) | Transactional email delivery | India (api.zeptomail.in) |
| Cashfree Payments | Subscription payment processing (card / UPI / net-banking) | India |
| Microsoft Azure Content Safety | Automated moderation of uploaded media | Microsoft region |
The Service is hosted primarily in India and Indian operators' data is processed within India. Where personal data is transferred to a country without an adequacy decision (for example, to serve EU/UK customers), the transfer is made under the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum, a copy of which is available on request to [email protected].
Kryil maintains technical and organisational measures appropriate to the risk, including: HTTPS/TLS in transit with HSTS; bcrypt password hashing with per-row salts; SHA-256 hashing of API keys and device tokens (full keys shown once, revocable); encryption of stored third-party secrets; HMAC-signed proof-of-play; short-lived signed URLs for media; rate-limiting and account lockout; role-based admin access with email-code MFA on sensitive actions; security headers; and tamper-evident audit logging.
Taking into account the nature of the processing, Kryil will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data-subject rights (access, correction, erasure, portability, objection). The Service provides self-service data export and account erasure that you and your authorised users can use directly.
Kryil will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting personal data processed on your behalf, and will provide the information reasonably needed for you to meet your own notification obligations. We maintain a documented incident-response process covering detection, containment, communication and post-mortem.
Kryil will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits, and conducted so as not to compromise the security or privacy of other customers.
On termination of the Service, Kryil will, at your choice, delete or return the personal data processed on your behalf and delete existing copies, unless retention is required by law (for example, billing records under Indian tax law). Account erasure anonymises operator-account data and deletes associated devices, media and tickets.
Requests under this DPA: [email protected]. KRYIL INFOTECH PRIVATE LIMITED, Workflow Ranka Junction, 3rd Floor, 224, KR Puram, Bengaluru – 560016, Karnataka, India.