Data Processing Agreement (DPA)

  • This DPA outlines the terms and responsibilities involved in processing personal data through our services.
  • It forms part of the broader contractual relationship between the parties involved.
  • The agreement ensures that data processing is secure, lawful, and aligned with relevant regulations.
  • Both parties commit to protecting personal data in accordance with this agreement.

Data Controller

  • The Data Controller determines the purposes and means of processing personal data.
  • They are responsible for ensuring that data processing activities have a valid legal basis.
  • The Controller must provide clear instructions to the Processor for lawful data handling.

Data Processor

  • The Processor acts on behalf of the Controller to carry out specific data-related operations.
  • All processing activities are limited to those expressly defined in this agreement.
  • The Processor is prohibited from using the data for personal or unauthorized purposes.

Personal Data

  • Personal data refers to any information that can directly or indirectly identify an individual.
  • This may include contact details, transactional data, or behavioral identifiers.
  • Such data is handled strictly in line with applicable legal and contractual obligations.

Processing Activities

  • Processing includes operations such as collection, recording, storage, retrieval, and deletion of data.
  • All activities are conducted solely for providing services defined in the principal agreement.
  • Any change in scope requires prior written approval from the Controller.

Data Security Measures

  • Appropriate technical and organizational safeguards are implemented to prevent data misuse or loss.
  • These measures are regularly updated to address evolving risks and vulnerabilities.
  • Access to personal data is strictly controlled and limited to authorized personnel.

Confidentiality

  • All parties agree to maintain the confidentiality of personal data processed under this agreement.
  • Employees and subcontractors involved in processing are bound by confidentiality obligations.
  • Data shall not be disclosed to unauthorized third parties under any circumstances.

Data Subject Rights

  • Data subjects retain rights such as access, rectification, restriction, and deletion of their data.
  • The Processor shall assist the Controller in responding to such requests in a timely manner.
  • Requests must be handled within the timelines prescribed by applicable laws.

Data Breach Response

  • In the event of a data breach, the Processor must notify the Controller without undue delay.
  • The notification shall include details of the breach, potential impact, and mitigation steps taken.
  • Both parties shall cooperate in handling breach investigations and any legal reporting requirements.

Subprocessing

  • The Processor may engage subprocessors only with the Controller’s prior written approval.
  • Subprocessors must be bound by the same data protection obligations outlined in this agreement.
  • The Processor remains fully liable for actions of approved subprocessors.

Compliance with Laws

  • Both Controller and Processor commit to processing personal data in accordance with applicable data protection laws.
  • The agreement shall be interpreted in a manner consistent with such laws and any official guidelines.
  • Legal obligations take precedence over conflicting contract terms.

Audit Rights

  • The Controller reserves the right to audit the Processor’s compliance with this DPA.
  • Audits may be conducted directly or via an appointed independent auditor.
  • The Processor shall provide all necessary access and documentation required for the audit.

Data Deletion

  • Upon termination of the agreement or at the Controller’s request, the Processor must delete or return all personal data.
  • Any copies must also be securely erased unless retention is legally required.
  • Confirmation of data deletion must be provided in writing.

Data Retention

  • Personal data shall only be retained for as long as necessary to fulfill the defined purposes.
  • Extended retention requires legal basis or explicit instructions from the Controller.
  • Retention periods must be documented and followed strictly.

Notification Obligations

  • The Processor must inform the Controller of any changes that may impact data protection.
  • These include policy changes, security incidents, or subprocessors’ involvement.
  • Timely notification ensures proactive risk mitigation.

Liability

  • Each party is liable for breaches of this agreement resulting from their own actions or omissions.
  • The Processor is accountable for data mishandling or failure to implement agreed safeguards.
  • Liability does not extend to force majeure events or acts beyond reasonable control.

Indemnification

  • The Processor shall indemnify the Controller against claims arising from unlawful processing or data breaches caused by its negligence.
  • This includes legal fees, penalties, or damages incurred due to non-compliance.
  • Indemnity obligations survive the termination of the agreement.

Governing Law

  • This agreement shall be governed by and interpreted in accordance with Indian laws.
  • All disputes shall be subject to the exclusive jurisdiction of Indian courts.

Amendments to the Agreement

  • Any changes to this agreement must be made in writing and signed by both parties.
  • Updates may be required due to regulatory changes, service modifications, or mutual business needs.
  • Continued processing after amendment implies acceptance of the revised terms.