1. Data Processing Agreement (DPA)
This Data Processing Agreement (DPA) governs the processing of personal data between the Data Controller and Data Processor. The purpose of this agreement is to outline the scope, responsibilities, and obligations of both parties in relation to the processing, protection, and management of personal data that is collected, stored, and used within the operations of the platform. It serves as a binding document to ensure the protection of personal data in compliance with applicable privacy and data protection laws.
2. Data Controller
The Data Controller is the party that determines the purposes for which and the manner in which personal data is processed. The Controller has ultimate responsibility for ensuring that data is collected, stored, and used in a manner consistent with the applicable legal frameworks. The Data Controller must also ensure that personal data is processed lawfully, fairly, and transparently, providing appropriate notices to data subjects regarding their rights and how their data will be used. The Data Controller must oversee the implementation of necessary security measures to safeguard personal data.
3. Data Processor
The Data Processor is the party responsible for processing personal data on behalf of the Data Controller. The Data Processor must only process personal data according to the specific instructions provided by the Data Controller and in compliance with applicable data protection laws. The Data Processor’s role includes storing, handling, or transmitting data as necessary to fulfill the services or operations outlined in the agreement. The Data Processor is also obligated to take all necessary steps to ensure that personal data remains secure and is not used for unauthorized purposes.
4. Personal Data
Personal data refers to any information that relates to an identified or identifiable individual. This can include direct identifiers such as names, email addresses, and phone numbers, as well as indirect identifiers such as location data or unique identifiers like IP addresses. Personal data may also include sensitive information, such as payment details, financial information, or government-issued identification numbers. Both parties agree to handle and process personal data with the highest degree of care to protect individual privacy and to ensure compliance with all relevant data protection laws and regulations.
5. Processing Activities
Processing activities encompass a wide range of actions performed on personal data. These activities include the collection, storage, organization, structuring, alteration, retrieval, consultation, use, disclosure, and erasure of personal data. The Data Processor may perform these activities under the instructions of the Data Controller as part of providing services, fulfilling contractual obligations, or ensuring legal compliance. The processing activities must be performed in accordance with the principles of data protection, ensuring that data is handled securely, accurately, and appropriately for the specified purpose.
6. Data Security Measures
Both the Data Controller and Data Processor must implement and maintain robust technical and organizational measures to ensure the security and confidentiality of personal data. These measures should address risks such as unauthorized access, accidental loss, alteration, disclosure, or destruction of data. Measures may include encryption, firewalls, secure data storage, access controls, regular security audits, and employee training programs. Both parties must work together to regularly review and update security practices to adapt to emerging threats or vulnerabilities in the data processing environment.
7. Confidentiality
All individuals involved in the processing of personal data must maintain strict confidentiality regarding the data they access. This includes employees, contractors, or any third parties engaged in processing personal data. Confidentiality obligations apply even after the termination of employment or contractual agreements. Any unauthorized disclosure of personal data can lead to serious consequences, including legal penalties. Both the Data Controller and Data Processor must ensure that all relevant personnel are bound by confidentiality agreements and understand the importance of safeguarding personal data.
8. Data Subject Rights
Data subjects, or individuals whose personal data is being processed, have specific rights under data protection laws. These rights include the right to access personal data, correct inaccuracies, request deletion, object to processing, or request a restriction on the processing of their data. Data subjects may also have the right to data portability, which allows them to receive their data in a structured, commonly used format for transfer to another service provider. Both the Data Controller and Data Processor are responsible for facilitating these rights and ensuring that data subjects are able to exercise them effectively.
9. Data Breach Response
In the event of a data breach or unauthorized access to personal data, both parties must act swiftly to mitigate the damage and prevent further exposure. The Data Processor is obligated to notify the Data Controller without undue delay if it suspects or identifies a breach. A thorough investigation must be conducted, and appropriate remedial actions must be taken to address the breach, including notifying affected data subjects and regulators when required. Both parties must work together to implement corrective actions and review security practices to prevent future incidents.
10. Subprocessing
The Data Processor may engage sub-processors to assist in processing personal data, but only with the prior written consent of the Data Controller. The Data Processor must ensure that any sub-processor is bound by the same obligations as those set forth in this agreement. The Data Processor is responsible for the actions of any sub-processors and must ensure that they comply with the relevant data protection regulations. Additionally, the Data Controller must be informed of any sub-processor engagements in a timely manner to maintain transparency.
11. Compliance with Laws
Both the Data Controller and Data Processor must comply with all relevant data protection laws and regulations that govern the processing of personal data. This includes the protection of data privacy, adherence to fair processing principles, and the safeguarding of data subject rights. Both parties must remain informed about legal requirements in the jurisdictions where personal data is being processed and ensure that their practices align with the applicable standards.
12. Audit Rights
The Data Controller reserves the right to audit or review the Data Processor’s data processing activities to ensure compliance with the terms outlined in this agreement. The Data Processor must provide the necessary assistance to facilitate audits and provide evidence of compliance. Audits may include assessments of security measures, documentation, and operational practices related to personal data processing.
13. Data Deletion
Upon the termination of the contract or at the request of the Data Controller, the Data Processor must delete all personal data in its possession, unless retention is required by law. Data deletion must be carried out securely, ensuring that all personal data is erased in a manner that makes it irrecoverable. If the Data Controller requests the return of the data rather than deletion, this must be facilitated in a secure and efficient manner.
14. Data Retention
Personal data should only be retained for as long as necessary to fulfill the purpose for which it was collected or as required by law. Both parties must establish clear retention periods and ensure that personal data is securely deleted once it is no longer required. Regular reviews of data retention policies must be conducted to ensure compliance with applicable regulations and to minimize unnecessary retention.
15. Notification Obligations
Both the Data Controller and Data Processor have an obligation to notify each other of any changes, incidents, or events that may affect the security, confidentiality, or integrity of personal data. This includes potential security risks, breaches, legal obligations, or changes in business operations that may impact data processing activities. Both parties must communicate promptly and ensure that any necessary actions are taken to address the situation.
16. Liability
Each party’s liability in the event of non-compliance with this agreement or applicable data protection laws will be outlined in the agreement. The Data Processor is liable for any damages or losses resulting from its failure to adhere to the terms of this agreement or from processing personal data in an unlawful or unauthorized manner. The Data Controller may also be liable for failure to provide accurate data instructions or for failing to inform the Data Processor of relevant legal obligations.
17. Indemnification
The Data Processor agrees to indemnify the Data Controller for any claims, losses, damages, or legal actions that arise due to the Data Processor’s failure to comply with the provisions of this agreement. Similarly, the Data Controller may be required to indemnify the Data Processor in cases where the Data Controller’s actions lead to harm or violations of data protection laws. Both parties agree to cooperate fully in defending any claims.
18. Governing Law
This agreement shall be governed by and construed in accordance with Indian laws. Any disputes or legal matters arising from this agreement shall be subject to the jurisdiction of the appropriate courts within the agreed jurisdiction.
19. Amendments to the Agreement
Any changes or amendments to this agreement must be made in writing and mutually agreed upon by both the Data Controller and Data Processor. Both parties must acknowledge the changes before they take effect, and any such changes will be documented as part of this agreement to ensure transparency and compliance with data protection obligations.