
GDPR & Data Protection.

This page is the EU-client-facing companion to our Privacy Policy. It describes our roles under the GDPR, our Data Processing Agreement, our subprocessor list, the safeguards for international transfers, and how to raise a data subject request.

Last updated 18 May 2026

On this page

  1. Our roles — controller or processor
  2. Data Processing Agreement
  3. Subprocessors
  4. Transfer mechanisms
  5. Data subject requests
  6. Breach notification
  7. DPO contact
  8. Supervisory authorities

Our roles — controller or processor

Under GDPR Articles 4(7) and 4(8), our role depends on the data:

| Activity | Our role | Why |
|---|---|---|
| Website enquiries, marketing, sales | Controller | We determine the means and purposes of processing. |
| Our own employees, contractors, vendors | Controller | Internal HR & operations. |
| Client data processed under an SOW | Processor | You decide the means and purposes; we process on your documented instructions. |
| Anonymous/aggregate analytics across engagements | Controller | For our own service improvement; never re-identifiable. |

When we are a processor, the DPA governs the relationship and Article 28 obligations apply.

Data Processing Agreement

We offer a standard GDPR-compliant DPA (Article 28) that we counter-sign at engagement start for any client whose work involves processing personal data of EU residents. The DPA covers:

  • Subject matter, duration, nature and purpose of processing.
  • Categories of data subjects and personal data.
  • Instructions, confidentiality, security measures.
  • Subprocessor authorisation (general written authorisation with prior notification of changes).
  • Assistance with DSRs, DPIAs and breach notification.
  • Deletion or return of data on termination.
  • Audit and inspection rights.
  • EU Standard Contractual Clauses (2021/914) annexed for India-bound transfers.

Request a DPA. Email info@larissainfotech.com with your legal entity name, address, and the engagement reference. We countersign within 5 business days.

Subprocessors

We use a small, carefully chosen set of subprocessors. The list below reflects subprocessors that may handle personal data of EU residents in connection with our services.

| Category | Purpose | Region | Safeguard |
|---|---|---|---|
| Cloud hosting | Application, database & backup storage | EU / India | SCCs |
| CDN | Asset delivery, DDoS protection | Global edge | SCCs |
| Transactional email | Replies, invoices, system notifications | EU / US | SCCs |
| Business email | Inbox, docs, calendar | EU / US | SCCs |
| Accounting | Statutory accounts & GST returns | India | India adequacy pending |
| Internal documentation | Engagement wikis & runbooks | US / India | SCCs |

Named vendor list. The specific vendor we use in each category is disclosed under the Data Processing Agreement at engagement start. Email info@larissainfotech.com to request the current named list before signing.

Notifications. When we add or change a subprocessor that may process personal data of EU residents, we notify active clients by email at least 30 days before the change takes effect. You may object on reasonable data-protection grounds; we will either replace the subprocessor or release the affected portion of the engagement.

Transfer mechanisms

The European Commission has not (as of this date) issued an adequacy decision for India. We rely on EU Standard Contractual Clauses (Module 2 & Module 3, Decision 2021/914) as the transfer mechanism for personal data leaving the EU/EEA.

Supplementary measures

  • Encryption. TLS 1.2+ in transit; AES-256 at rest for production storage and backups.
  • Pseudonymisation. Production identifiers are not used in development or staging environments.
  • Access control. Role-based access with MFA. Audit logging on production.
  • Contractual. Confidentiality clauses with all personnel and subprocessors.
  • Government access transparency. We publish (or will publish on request) the volume and nature of any government access requests received.

Data subject requests

Where we are the controller (e.g. for website enquiries), data subjects can exercise their rights directly with us. Where we are the processor (e.g. for client data), please direct your request to the controller — the client — in the first instance. We will assist them in fulfilling the request as required by Article 28.

How we handle requests

  1. Verification. We confirm identity before acting on the request.
  2. Acknowledgement. Within 5 business days of receipt.
  3. Response. Within 30 calendar days, extendable by 60 days for complex cases (with notice).
  4. Cost. Free, unless the request is manifestly unfounded or excessive.

To submit a DSR, email info@larissainfotech.com.

Breach notification

Our commitment. When acting as a processor, we will notify the controller of any personal data breach without undue delay and within 72 hours of becoming aware of it, as required by Article 33(2). Our notification will include the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.

When we are the controller, we will notify the competent supervisory authority within 72 hours where notification is required by Article 33(1), and affected data subjects without undue delay where required by Article 34.

DPO contact

We have appointed an internal Privacy Officer responsible for GDPR compliance. We are not currently required to appoint a Data Protection Officer under Article 37, but the same officer fulfills equivalent functions and is your point of contact.

Privacy Officer
Larissa InfoTech Pvt. Ltd.
Attn: Privacy Officer
302, Techno Park, Andheri East, Mumbai – 400069, Maharashtra, India
Email: info@larissainfotech.com
Phone: +91 97697 61782

Supervisory authorities

If we cannot resolve a concern to your satisfaction, you have the right to lodge a complaint with your local supervisory authority. Some examples:

  • France — CNIL (cnil.fr).
  • Germany — BfDI or the relevant Land authority (bfdi.bund.de).
  • Ireland — DPC (dataprotection.ie).
  • Netherlands — Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
  • Spain — AEPD (aepd.es).
  • United Kingdom — ICO (ico.org.uk).

Need a DPA, the subprocessor list, or a security questionnaire?

We answer compliance questions from a real engineer, not a copy-paste form. Most requests turn around the same day.
