Legal Document

Data Processing Agreement

Last updated: March 2026  ·  Effective date: March 1, 2026

Preamble

This Data Processing Agreement ("DPA") forms part of the Terms of Service and governs the processing of personal data by NeoNeev AI Private Limited ("NeoNeev AI", "Data Fiduciary", "we", "us") on behalf of institutional customers — including colleges, universities, and employer organisations ("Customer", "Data Controller").

This DPA also describes our obligations as a Data Fiduciary to all end-users (students, college staff, employer representatives) under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

For institutional customers: If you are an educational institution or employer using the NeoNeev AI platform under a subscription agreement, this DPA is automatically incorporated into your Master Service Agreement. No separate execution is required. A countersigned copy is available upon request by emailing legal@neoneev.ai.

1. Definitions

Terms used in this DPA shall have the meanings ascribed to them under the DPDP Act, 2023, and the following specific definitions:

"Personal Data": Any data about an individual who is identifiable by or in relation to such data, as defined in Section 2(t) of the DPDP Act, 2023.
"Data Fiduciary": NeoNeev AI Private Limited — the entity that determines the purpose and means of processing personal data.
"Data Principal": The individual to whom the personal data relates (students, college staff, employer contacts, etc.).
"Data Processor / Sub-Processor": A third-party entity engaged by NeoNeev AI to process personal data on its behalf for a specific purpose under a binding agreement.
"Processing": Any operation or set of operations performed on personal data, including collection, recording, storage, retrieval, use, disclosure, transmission, erasure, or destruction.
"Data Breach": Any unauthorised or accidental access, disclosure, alteration, destruction, or use of personal data that compromises its confidentiality, integrity, or availability.
"Services": The NeoNeev AI multi-portal platform and all associated features, AI systems, dashboards, data exports, and support services.

2. Scope and Nature of Processing

2.1 Subject Matter

NeoNeev AI processes personal data of students, college staff, and employer contacts to deliver the Platform's core services: AI-powered placement scoring, skill gap analysis, job-description matching, campus drive management, NAAC report generation, and enterprise analytics.

2.2 Categories of Data Subjects

  • Students enrolled at or recently graduated from partner institutions
  • Training and Placement Officers (TPOs) and college administrative staff
  • Employer-side contacts (HR managers, talent acquisition leads)
  • Platform administrators and support staff

2.3 Categories of Personal Data Processed

Data Category | Processing Purpose | Retention Period
Identity & Contact Data | Account creation, authentication, support | Duration of account + 30 days
Academic & Skill Data | AI placement score, skill gap analysis, job matching | Duration of account + 30 days
Institutional Data | College dashboard analytics, NAAC reports, employer matching | Duration of contract + 1 year
Usage & Behavioural Data | Platform improvement, AI model training (anonymised) | 2 years (anonymised)
Payment & Billing Data | Subscription management, invoicing | 7 years (statutory)
Communication Records | Support tickets, AI coach interactions, notifications | 3 years

3. Obligations of NeoNeev AI (Data Fiduciary)

As the Data Fiduciary, NeoNeev AI commits to the following obligations in accordance with the DPDP Act, 2023:

3.1 Lawful and Purpose-Limited Processing

NeoNeev AI shall process personal data only for the purposes described in this DPA, the Privacy Policy, and the consent notice presented to Data Principals. We shall not process personal data for any other purpose unless a new consent is obtained or a separate legal basis applies.

3.2 Data Minimisation

We collect only the minimum personal data necessary to deliver the requested feature or service. Requests for data beyond this minimum will be designed as optional inputs with clear explanations of the benefit.

3.3 Accuracy and Integrity

NeoNeev AI shall take reasonable steps to ensure that personal data held is accurate and, where necessary, kept up to date. Platform features allow Data Principals to update or correct their own data at any time through their account settings.

3.4 Security Safeguards

NeoNeev AI implements appropriate technical and organisational measures including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, regular penetration testing, and a documented incident response plan.

3.5 Breach Notification

In the event of a personal data breach, NeoNeev AI shall notify affected Data Principals and, where required by law, the Data Protection Board of India within the timelines prescribed under the DPDP Act. We will also notify affected institutional customers (Data Controllers) without undue delay.

3.6 Data Deletion

Upon account deletion, withdrawal of consent, or fulfilment of the processing purpose, NeoNeev AI shall delete personal data within 30 days, except where retention is required by law (e.g., financial records under the Companies Act, 2013).

4. Approved Sub-Processors

NeoNeev AI engages the following sub-processors under binding Data Processing Agreements that impose equivalent obligations to those in this DPA. All sub-processors are assessed for security and compliance before engagement.

Institutional customers will be notified at least 14 days in advance of any changes to this sub-processor list that materially affect data processing. The current list was last reviewed: March 2026.

Amazon Web Services India (AWS)

India (ap-south-1 — Mumbai)

Service: Cloud infrastructure, data storage, compute

Safeguards: AWS Data Processing Addendum (GDPR-SCCs equivalent); ISO 27001 certified

Razorpay Software Private Limited

India

Service: Payment gateway and subscription billing

Safeguards: PCI-DSS Level 1 certified; RBI-regulated payment aggregator

Google LLC (Analytics)

India / USA

Service: Aggregated usage analytics (anonymised data only)

Safeguards: Google Analytics Processor Terms; data anonymisation enabled before transmission

Google LLC (OAuth / Workspace)

India / USA

Service: Single Sign-On (Google OAuth) and business email

Safeguards: Google Workspace DPA; OAuth 2.0 protocol; no user data stored by Google beyond authentication

Anthropic (Claude API)

USA

Service: AI Career Coach, JD analysis, recommendation engine

Safeguards: Anthropic API Terms of Service (zero-data-retention agreement); all prompts anonymised before transmission

SMTP / Email Delivery Provider

India

Service: Transactional and notification email delivery

Safeguards: Binding DPA in place; TLS-secured email transmission

5. Assistance with Data Principal Rights

NeoNeev AI shall assist institutional customers (where they act as Data Controllers for their own users) in fulfilling Data Principal rights requests under the DPDP Act within the following timelines:

Right | Description | Response Timeline
Right to Access | Summary of personal data held and how it is processed | Within 30 days
Right to Correction | Correcting inaccurate or incomplete personal data | Within 30 days
Right to Erasure | Deletion of personal data upon verified request | Within 30 days
Right to Withdraw Consent | Ceasing processing based on consent | Within 30 days
Right to Grievance | Formal response via Grievance Officer | Within 30 days
Right to Nominate | Registering a nominee for rights exercise | Acknowledged within 10 days

To submit a rights request, contact us at privacy@neoneev.ai or use the account settings panel on the Platform.

6. Audit Rights

NeoNeev AI shall, upon written request and with 30 days' notice, make available to institutional customers all information reasonably necessary to demonstrate compliance with this DPA and the DPDP Act, including:

  • Security certifications and audit reports (e.g., SOC 2 Type II, ISO 27001 where applicable)
  • Summary data processing records for the customer's user base
  • Sub-processor list and their DPA summaries
  • Evidence of employee data protection training
  • Incident response logs relevant to the customer's data (redacted)

On-site or third-party audits may be requested with appropriate notice and at the Customer's expense. Audits may not disrupt Platform operations and shall be conducted during normal business hours under a mutually agreed confidentiality arrangement. Audit requests should be directed to legal@neoneev.ai.

7. Cross-Border Data Transfers

In accordance with the DPDP Act, 2023, NeoNeev AI stores all primary personal data on servers located within India (AWS ap-south-1, Mumbai region). Transfers of personal data outside India are undertaken only in the following limited circumstances:

AI API Calls (Anonymised)

When the AI Career Coach processes a query, anonymised, non-personally-identifiable prompt data may be transmitted to Anthropic's API. Our agreement with Anthropic includes a zero-data-retention clause — no prompt data is stored or used to train their models.

Analytics (Anonymised)

Google Analytics 4 receives anonymised usage data (no PII) to support aggregated platform analytics. IP anonymisation is enabled. Personal data is never included in analytics transmissions.

NeoNeev AI shall comply with all government notifications regarding permissible cross-border data transfers issued under Section 16 of the DPDP Act, 2023, and will update this section accordingly.

8. Liability and Indemnification

Each party shall be responsible for ensuring that its own processing of personal data complies with applicable law. NeoNeev AI's liability for breaches of this DPA is subject to the limitations set out in the Master Service Agreement or Terms of Service.

  • NeoNeev AI shall indemnify the Customer against direct losses arising from NeoNeev AI's breach of this DPA, up to the amount paid by the Customer in the preceding 12 months.
  • NeoNeev AI shall not be liable for losses arising from the Customer's own failure to provide accurate, complete, or lawfully collected data to the Platform.
  • Each party shall take reasonable steps to mitigate losses upon becoming aware of any event that may give rise to a claim under this DPA.

9. Term, Termination and Data Return

This DPA remains in effect for the duration of the subscription agreement between NeoNeev AI and the institutional customer. Upon termination or expiry:

1. Data Export: The Customer may export all student placement data via the Platform's CSV export feature up to 30 days after the contract end date.

2. Data Deletion: NeoNeev AI shall securely delete all Customer-associated personal data within 60 days of contract termination, unless retention is required by law.

3. Deletion Certificate: Upon request, NeoNeev AI will issue a written confirmation that data deletion has been completed within the agreed timelines.

4. Anonymised Aggregates: Aggregated, fully anonymised statistical data (e.g., industry-level placement trends) that cannot be attributed to any individual or institution may be retained for ongoing platform improvement.

10. Governing Law and Dispute Resolution

This DPA shall be governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Information Technology (Amendment) Act, 2008.

All disputes arising out of or in connection with this DPA shall first be attempted to be resolved through good-faith negotiations. If unresolved within 30 days, disputes shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996, with New Delhi as the seat of arbitration.

Nothing in this clause shall prevent a Data Principal from approaching the Data Protection Board of India as established under the DPDP Act, 2023, for redressal of grievances.

Contact for DPA Inquiries

For questions about this DPA, to request a countersigned copy, or to raise a data protection concern, contact:

Legal & Compliance: legal@neoneev.ai
Data Privacy: privacy@neoneev.ai
Registered Office: NeoNeev AI Private Limited, New Delhi, India — 110001
CIN: U85300DL2026PTC000001

For personal data grievances, please refer to our Grievance Redressal page.