Data Processing Agreement (DPA)
This DPA outlines the terms and responsibilities involved in processing personal data through our services.
It forms part of the broader contractual relationship between the parties involved.
The agreement ensures that data processing is secure, lawful, and aligned with relevant regulations.
Both parties commit to protecting personal data in accordance with this agreement.
Data Controller
- The Data Controller determines the purposes and means of processing personal data.
- They are responsible for ensuring that data processing activities have a valid legal basis.
- The Controller must provide clear instructions to the Processor for lawful data handling.
Data Processor
- The Processor acts on behalf of the Controller to carry out specific data-related operations.
- All processing activities are limited to those expressly defined in this agreement.
- The Processor is prohibited from using the data for personal or unauthorized purposes.
Personal Data
- Personal data refers to any information that can directly or indirectly identify an individual.
- This may include contact details, transactional data, or behavioral identifiers.
- Such data is handled strictly in line with applicable legal and contractual obligations.
Processing Activities
- Processing includes operations such as collection, recording, storage, retrieval, and deletion of data.
- All activities are conducted solely for providing services defined in the principal agreement.
- Any change in scope requires prior written approval from the Controller.
Data Security Measures
- Appropriate technical and organizational safeguards are implemented to prevent data misuse or loss.
- These measures are regularly updated to address evolving risks and vulnerabilities.
- Access to personal data is strictly controlled and limited to authorized personnel.
Confidentiality
- All parties agree to maintain the confidentiality of personal data processed under this agreement.
- Employees and subcontractors involved in processing are bound by confidentiality obligations.
- Data shall not be disclosed to unauthorized third parties under any circumstances.
Data Subject Rights
- Data subjects retain rights such as access, rectification, restriction, and deletion of their data.
- The Processor shall assist the Controller in responding to such requests in a timely manner.
- Requests must be handled within the timelines prescribed by applicable laws.
Data Breach Response
- In the event of a data breach, the Processor must notify the Controller without undue delay.
- The notification shall include details of the breach, potential impact, and mitigation steps taken.
- Both parties shall cooperate in handling breach investigations and any legal reporting requirements.
Subprocessing
- The Processor may engage subprocessors only with the Controller’s prior written approval.
- Subprocessors must be bound by the same data protection obligations outlined in this agreement.
- The Processor remains fully liable for the actions of approved subprocessors.
Compliance with Laws
- Both Controller and Processor commit to processing personal data in accordance with applicable data protection laws.
- The agreement shall be interpreted in a manner consistent with such laws and any official guidelines.
- Legal obligations take precedence over conflicting contract terms.
Audit Rights
- The Controller reserves the right to audit the Processor’s compliance with this DPA.
- Audits may be conducted directly or via an appointed independent auditor.
- The Processor shall provide all necessary access and documentation required for the audit.
Data Deletion
- Upon termination of the agreement or at the Controller’s request, the Processor must delete or return all personal data.
- Any copies must also be securely erased unless retention is legally required.
- Confirmation of data deletion must be provided in writing.
Data Retention
- Personal data shall only be retained for as long as necessary to fulfill the defined purposes.
- Extended retention requires a legal basis or explicit instructions from the Controller.
- Retention periods must be documented and followed strictly.
Notification Obligations
- The Processor must inform the Controller of any changes that may impact data protection.
- These include policy changes, security incidents, or the involvement of subprocessors.
- Timely notification ensures proactive risk mitigation.
Liability
- Each party is liable for breaches of this agreement resulting from their own actions or omissions.
- The Processor is accountable for data mishandling or failure to implement agreed safeguards.
- Liability does not extend to force majeure events or acts beyond reasonable control.
Indemnification
- The Processor shall indemnify the Controller against claims arising from unlawful processing or data breaches caused by its negligence.
- This includes legal fees, penalties, or damages incurred due to non-compliance.
- Indemnity obligations survive the termination of the agreement.
Governing Law
- This agreement shall be governed by and interpreted in accordance with Indian laws.
- All disputes shall be subject to the exclusive jurisdiction of Indian courts.
Amendments to the Agreement
- Any changes to this agreement must be made in writing and signed by both parties.
- Updates may be required due to regulatory changes, service modifications, or mutual business needs.
- Continued processing after amendment implies acceptance of the revised terms.
