Data Processing Agreement
PLEASE READ THIS AGREEMENT CAREFULLY. THE PARTIES ACKNOWLEDGE THAT THEY HAVE READ, UNDERSTOOD, AND CONSENT TO BE BOUND BY THE TERMS OF THIS AGREEMENT. THE USE OF THE PLATFORM IS CONDITIONED UPON THE PARTIES’ ACCEPTANCE OF THIS AGREEMENT. IF THE PARTIES DO NOT AGREE WITH ANY PART OF THIS AGREEMENT, THEY MUST NOT USE OR ACCESS THE PLATFORM.
This Data Processing Agreement (“Agreement”) is made and entered into as of the date of electronic acceptance ("Effective Date"). This Agreement constitutes a binding agreement between the Client (“Data Controller”) and Ascorb Technologies Private Limited, having its registered address at 1st Floor, Smart Works, DSR Techno Cube, Kundalahalli Main Rd, Signal, Bengaluru, Karnataka 560037 (“Data Processor” or “Company”).
The Data Controller understands and acknowledges that this Agreement has to be read in conjunction with the Terms of Service and the Privacy Policy. It is designed to clarify and expand upon the roles, responsibilities, and obligations of both the Data Controller and the Data Processor concerning the processing of Personal Data. The DPA aims to ensure that all data processing activities are conducted in compliance with applicable Data Protection Laws and regulations, thus safeguarding the rights of individuals whose data is being processed.
The Data Controller also understands and agrees that in providing the Services, the Data Processor collects, uses, or otherwise processes Personal Data within the meaning of the Data Protection Laws (defined below) for which the Data Controller is responsible as provided under the said Data Protection Laws.
In the event of any conflicts or discrepancies between the provisions of this Agreement and the Terms of Service and/or the Privacy Policy, the provisions of this Agreement shall take precedence with respect to data protection matters.
Further, the Data Controller understands that all capitalised terms utilised in this Agreement that are not explicitly defined herein shall retain the meanings attributed to them in the Terms of Service and/or the Privacy Policy, as the case may be.
The Data Controller and Data Processor are hereinafter collectively referred to as “Parties” and individually as a “Party” where the context so requires.
PURPOSE
The purpose of this Agreement is to establish the data protection obligations of both Parties in connection with the processing of Personal Data collected through the Platform (defined in the Terms of Service). This Agreement outlines the framework within which the Data Controller's Personal Data will be processed, ensuring that such processing occurs solely on behalf of the Data Controller and in strict accordance with their instructions.
The Parties acknowledge their respective roles as defined by applicable Data Protection Laws, including but not limited to the GDPR. In compliance with Article 28(3) of the GDPR, this Agreement serves as a binding contract between the Data Controller and the Data Processor, ensuring that the Personal Data of individuals located within the European Union (EU), European Economic Area (EEA), Switzerland, and the United Kingdom (UK) is processed in a regulated manner.
Further, this Agreement delineates the roles and responsibilities of the Parties involved, including any Sub-Processors, in relation to the handling of Personal Data. The provisions herein create a clear understanding of each Party's rights, obligations, and liabilities concerning data processing activities, thereby reinforcing the commitment to safeguarding Personal Data and ensuring compliance with all relevant legal and regulatory requirements.
DEFINITIONS AND INTERPRETATION
Definitions:
In this Agreement, the following words, expressions, and abbreviations shall have the following meanings unless the context otherwise requires:
“Agreement” shall mean this Data Processing Agreement, including all Annexures annexed hereto.
“Data Controller” shall mean the Person who, alone or jointly with others, determines the purpose and means of Processing of Personal Data and shall include the meaning assigned to the term in the applicable Data Protection Laws.
“Data Processor” shall mean the person who processes Personal Data on behalf of the Controller and shall include equivalent terms in other Data Protection Laws, such as the CCPA-defined term “Service Provider,” as the context requires.
“Data Protection Laws” shall mean all applicable worldwide legislation relating to data protection and privacy that governs the processing of Personal Data by the Parties under this Agreement. This includes, but is not limited to, the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council (“EU GDPR”); the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”) (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102) (“CCPA”), the UK General Data Protection Regulation (UK GDPR), as adopted by the Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), the Privacy and Electronic Communications Directive 2002 (commonly known as the “e-Privacy Directive”), or any other relevant data protection legislation applicable to the respective Party in its role in processing Personal Data under this Agreement, including any amendments, replacements, or superseding legislation.
“Data Security Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the shared Personal Data. For the avoidance of doubt, a "Data Security Breach" does not include unsuccessful attempts or activities that do not result in a compromise to the security of Personal Data. This includes but is not limited to unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, and other similar network-related attacks on firewalls or systems that do not result in the unauthorised access, alteration, or disclosure of Personal Data.
“Data Subject” means the individual to whom Personal Data relates.
“Data Subject Request” shall mean an actual or purported request, notice, or complaint from, or on behalf of, a Data Subject under Data Protection Laws, including, but not limited to, requests under Articles 16, 17, or 18 of the GDPR, requests for data portability, objections to Processing, or requests not to be subject to automated decision-making.
“Documented Instructions” shall refer to any written directives provided by the Data Controller to the Data Processor that outline the specific parameters, purposes, and conditions under which the Data Processor is authorised to process Personal Data. Such instructions will be consistent with the obligations set forth in the Terms of Service, this Agreement, Privacy Policy, and applicable laws, including Data Protection Laws. Documented Instructions may include, but are not limited to, guidelines on data usage, retention, deletion, and any other relevant processing requirements.
“EEA” means the European Economic Area.
“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Personal Data” includes equivalent terms in other Data Protection Laws, such as the CCPA-defined term “Personal Information,” as the context requires.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. The terms “Processes” and “Processed” will be construed accordingly.
“Sensitive Personal Data” shall have the meaning assigned to it under the applicable Data Protection Laws and shall include, but not be limited to: (i) passwords and financial data (excluding the truncated last four digits of credit/debit card numbers); (ii) health-related information; (iii) official identifiers, such as biometric data, Aadhaar numbers, Social Security numbers, driver’s licence, and passports; (iv) educational background, academic qualification, and performance data, particularly in relation to users' interactions with educational services provided by the Company; (v) account credentials, including usernames and passwords; and/or (vi) any additional categories of data identified as 'sensitive personal data' or 'special categories of data' under relevant Data Protection Laws, as applicable to this Agreement.
“Special Categories of Data” shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined by Article 9 of GDPR.
“Standard Contractual Clauses” or “SCCs” refers to the standard contractual clauses set forth by the European Commission for data transfers between Data Controllers and Data Processors, as specified in Decision 2010/87/EU, as may be amended, superseded or replaced from time to time. Further, the SCCs are hereby integrated into this Agreement by way of reference and are elaborated upon in Annexure I, attached to this Agreement.
“Sub-Processor(s)” means any processor engaged by the Data Processor or its Affiliates to assist in fulfilling the Company’s obligations with respect to the provision of the Services.
“Technical and Organisational Measures” shall refer to the measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, particularly during transmission over networks, and against all unlawful forms of processing.
The terms "Commission", "Member State", and "Supervisory Authority" shall have the same meaning as in the applicable Data Protection Laws, whether such terms are capitalised therein or not.
Interpretation:
Headings and bold typeface are only for convenience and shall be ignored for the purpose of interpretation.
Other terms may be defined elsewhere in the text of this Agreement and, unless otherwise indicated, shall have such meaning throughout this Agreement.
References to this Agreement shall be deemed to include any amendments or modifications to this Agreement, as the case may be.
Unless the context of this Agreement otherwise requires:
the terms “hereof”, “herein”, “hereby”, “hereto” and derivative or similar words refer to this entire Agreement or specified Clauses of this Agreement, as the case may be;
references to a particular section, clause, paragraph, sub-paragraph or schedule, exhibit or annexure shall be a reference to that section, clause, paragraph, sub-paragraph or schedule, exhibit or annexure in or to this Agreement;
reference to any legislation or law or to any provision thereof shall include references to any such law as it may, after the date hereof, from time to time, be amended, supplemented or re-enacted, and any reference to a statutory provision shall include any subordinate legislation made from time to time under that provision;
references in the singular shall include references in the plural and vice versa. References to one gender shall include references to other genders; and
references to the word “include” shall be construed without limitation.
PROCESSING OF THE PERSONAL DATA
Agreement to Process:
The Data Processor hereby agrees to process Personal Data solely in accordance with applicable Data Protection Laws and the terms set forth in this Agreement. The processing activities will occur exclusively for the purposes outlined in Clause 5 of the Privacy Policy and the purpose outlined herein.
Duration of Processing:
The rights, benefits, and obligations of this Agreement shall commence on the Effective Date of this Agreement and shall be in force for the Term (defined below) unless otherwise agreed to in writing.
Upon termination of the processing activities or at the request of the Data Controller, the Data Processor shall, at the Data Controller's discretion, either return or securely delete all Personal Data processed under this Agreement. This shall be conducted in compliance with applicable Data Protection Laws and the relevant terms specified in Clause 7 of the Privacy Policy, which outlines the duration for retaining Personal Information, conditions for data deletion, and any exceptions for legitimate business interests or legal obligations.
Categories of Personal Data:
The types of Personal Data processed include, but are not limited to, full name, contact information (company, email, phone, physical address), professional life data, and any other information. For detailed information on the types of Personal Data collected, refer to Clause 3 of the Privacy Policy.
Categories of Data Subject:
The categories of Data Subjects include, but are not limited to:
Client's Selected Individuals: Individuals selected by the Client and included within Client Data at the Client’s sole discretion.
Website Users: Users of the Client’s website, including individuals who interact with the site for various purposes.
Service Recipients: Individuals whose information is collected and processed by the Client while providing services to those individuals.
Special Categories of Personal Data:
The Personal Data being transferred does not pertain to any special categories of data as defined by the GDPR. The Client acknowledges that the Platform is not designed for the processing of such data and agrees not to provide, nor permit the provision of, any special categories of data for processing under this Agreement. Consequently, the Data Processor will not engage in the processing of any Special Categories of Data.
Compliance with Laws:
Both Parties agree to comply with all applicable laws, regulations, and standards concerning the processing of Personal Data, including but not limited to Data Protection Laws. In the event that either Party becomes aware of, or has reasonable grounds to believe that any Documented Instruction issued by the User may violate or infringe upon any Data Protection Law, that Party shall promptly notify the other Party of such concern.
The Company will ensure that all its employees, authorised representatives, and any Sub-Processors engaged in the processing of Personal Data are bound by confidentiality obligations concerning Personal Data. These obligations shall remain in effect unless the disclosure of Personal Data is mandated by law or the information in question is already publicly available.
The Parties acknowledge that compliance with applicable laws is a shared responsibility and that Documented Instructions must be consistent with applicable laws, including Data Protection Laws, and shall not require either Party to act in a manner that would cause non-compliance.
SUB-PROCESSORS
Appointment and Authorisation:
The Data Controller provides general authorisation to the Data Processor to engage Sub-Processors in the processing of Personal Data on behalf of the Data Controller without requiring the Data Controller’s prior consent for each individual engagement. The Data Processor hereby agrees to provide the Data Controller with the updated list of all Sub-Processors engaged by the Data Processor upon request. Requests can be sent to legal@edmingle.com.
Changes to Sub-Processors and Right to Object:
Before engaging any new Sub-Processor or replacing an existing one, the Data Processor shall inform the Data Controller in writing, providing at least 30 days' notice. The Data Controller may raise any reasonable objection in writing within this 30-day period.
If the Data Controller objects to the addition or replacement of a Sub-Processor based on legitimate grounds related to data protection, the Parties will discuss the objection in good faith in an effort to resolve the issue.
If the objection cannot be resolved within 30 days, the Data Processor reserves the right to proceed with the new Sub-Processor. In such cases, the Data Controller has the right to terminate this Agreement without penalty upon providing written notice to the Data Processor.
Sub-Processors’ Obligations:
The Data Processor will ensure that each Sub-Processor is bound by written contracts that impose data protection obligations equivalent to those required of the Data Processor under this Agreement and applicable Data Protection Laws. These agreements will ensure that Sub-Processors implement appropriate Technical and Organisational Measures to protect Personal Data and meet the requirements of the Data Protection Laws.
Confidentiality:
The Data Processor hereby ensures that all Sub-Processors are subject to legally binding confidentiality obligations in relation to the Personal Data they process, except where disclosure is required by law. The Data Processor will obtain appropriate confidentiality agreements from each Sub-Processor before allowing them to access any Personal Data.
Data Transfers by Sub-Processors:
The Data Processor will ensure that no Sub-Processor transfers or accesses Personal Data outside the jurisdictions agreed upon by the Data Controller without prior written consent from the Data Controller. In the event that such a transfer is approved, the Data Processor will ensure that appropriate safeguards, such as Standard Contractual Clauses or other applicable legal mechanisms, are in place to protect the data.
Responsibility for Sub-Processor Actions:
The Data Processor will remain responsible for any acts or omissions of its Sub-Processors that cause it to breach any of its obligations under this Agreement. The Data Processor shall oversee the compliance of its Sub-Processors with the applicable data protection requirements and will be liable for any failure by Sub-Processors to meet their obligations.
OBLIGATIONS OF DATA CONTROLLER
The Data Controller shall be solely responsible for complying with all applicable Data Protection Laws, including but not limited to ensuring that the collection, processing, and sharing of Personal Data is lawful, transparent, and based on a valid legal basis as required by such laws.
The Data Controller acknowledges and agrees that it is responsible for the accuracy, quality, and legality of the Personal Data it provides to the Data Processor. The Data Controller guarantees that it has the lawful right to process such data and to transfer it to the Data Processor for processing in accordance with this Agreement.
It is the responsibility of the Data Controller to ensure that all necessary consents, authorisations, and notices have been obtained from Data Subjects before providing their Personal Data to the Data Processor for processing. This includes ensuring compliance with transparency requirements and informing Data Subjects of the purposes for which their Personal Data is being collected and processed.
The Data Controller will provide clear, lawful, and Documented Instructions to the Data Processor regarding the processing of Personal Data in accordance with applicable Data Protection Laws, including Article 28(3)(a) of GDPR. The Data Controller warrants that its Documented Instructions will not cause the Data Processor to violate any applicable Data Protection Laws. If the Data Controller becomes aware that its instructions infringe or may potentially infringe Data Protection Laws, it will notify the Data Processor without undue delay.
The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for processing as part of the Services, including, when relevant, one or more lawful bases as set forth in Data Protection Laws. The Data Controller is responsible for ensuring that all necessary privacy notices are provided to Data Subjects and that all required consents are obtained unless another legal basis under the Data Protection Law applies. The Data Controller is also responsible for maintaining records of such consents. If consent is revoked by a Data Subject, the Data Controller will promptly notify the Data Processor, and the Data Processor will follow the Data Controller’s instructions with respect to the processing of that Personal Data.
The Data Controller is solely responsible for ensuring that it has the right to transfer or provide access to Personal Data to the Data Processor. This includes verifying that such transfers are lawful under applicable Data Protection Laws, especially where data is being transferred across international borders.
The Data Controller shall notify the Data Processor of any changes to the nature of the Personal Data being processed, including any updates or changes to the lawful basis of processing or the categories of data subjects involved. These notifications must be provided in a timely manner to ensure that the Data Processor’s processing activities remain compliant with applicable laws.
The Data Controller agrees to indemnify and hold harmless the Data Processor from any and all claims, damages, or legal actions that arise from the Data Controller’s failure to comply with its obligations under this Agreement or applicable Data Protection Laws. This includes any liabilities related to inaccurate or unlawful processing of Personal Data, or failure to obtain necessary consents or provide required notices.
OBLIGATIONS OF DATA PROCESSOR
The Data Processor will only process Personal Data for the purposes described in Clause 5 of the Privacy Policy and this Agreement or as otherwise agreed within the scope of the Data Controller’s lawful instructions, except where and to the extent required by applicable law. The Data Processor is not responsible for compliance with any Data Protection Laws applicable to the Data Controller or its industry that are not generally applicable to the Data Processor.
The Data Processor will process Personal Data only based on the Documented Instructions of the Data Controller and solely to the extent required for the provision of the Services. If the Data Processor reasonably believes that a specific processing activity outside the Data Controller’s instructions is necessary to comply with a legal obligation, the Data Processor will inform the Data Controller of that legal obligation prior to the processing of the Personal Data.
The Data Processor will never process Personal Data in a manner inconsistent with the Data Controller’s Documented Instructions. If the Data Processor believes that an instruction infringes any applicable Data Protection Law, it will promptly notify the Data Controller. However, such notification will not impose a duty on the Data Processor to monitor or interpret the laws applicable to the Data Controller, nor will it constitute legal advice.
The Data Processor will implement and maintain appropriate Technical and Organisational Measures to protect Personal Data against unauthorised or unlawful processing, and against accidental loss, destruction, or damage, as outlined in Clause 8 and Clause 11 of this Agreement. The Data Processor may modify or update its security measures at its discretion, provided such modifications do not result in a material degradation of protection for Personal Data.
Subject to Clause 11 of this Agreement, the Data Processor will notify the Data Controller without undue delay after becoming aware of any Personal Data breach in compliance with Article 33 of the GDPR.
Upon request, the Data Processor will assist the Data Controller in fulfilling its obligation to notify the competent Supervisory Authorities and affected Data Subjects of any Personal Data breach, as required by Article 33 and Article 34 of the GDPR.
In compliance with the CCPA and CPRA, the Data Processor will assist the Data Controller in meeting its notification obligations to affected consumers and the California Attorney General in the event of a breach, in accordance with Section 1798.150 of the CCPA which grants individuals the right to take action for certain breaches of personal information. The Data Processor will also comply with any other applicable notification requirements under state or federal laws.
INTERNATIONAL DATA TRANSFER
Data Hosting:
The Data Controller understands and agrees that the Personal Data will be hosted in the United States (the "Hosting Location"). By using the Company’s Services, the Data Controller acknowledges that Personal Data may be transferred to and stored in the United States, which may not provide the same level of data protection as jurisdictions in the European Economic Area (EEA), the United Kingdom, or Switzerland. The Data Processor will ensure that all transfers of Personal Data comply with applicable Data Protection Laws, including the GDPR, CCPA, and CPRA.
Data Collection:
The Company may receive Personal Data from various jurisdictions worldwide, including, but not limited to, the EEA, UK, India, and other regions. The Data Controller is responsible for ensuring that any Personal Data provided to the Company complies with applicable data protection laws in the jurisdiction where it originates.
Legal Mechanism for Data Transfers:
In cases where Personal Data is transferred from jurisdictions that are not recognised as having adequate data protection standards, the Data Processor and the Data Controller agree to the following mechanisms to ensure legal compliance:
Standard Contractual Clauses (SCCs): If the Data Controller is located in a country outside of India, the Data Controller acknowledges and agrees that Personal Data may be transferred to India and the USA. In limited instances, the Data Processor's Sub-Processors for cloud storage and related services may also transfer Personal Data to other jurisdictions that lack an adequate decision from the European Commission. To facilitate such transfers, both Parties hereby enter into the Standard Contractual Clauses (SCCs) attached hereto as Annexure 1, which are incorporated by reference herein. The Parties agree to work together during the Term of this Agreement to ensure that they, or any relevant Sub-Processor, have a legally approved mechanism in place for such data transfers, including documenting the appropriateness of this mechanism in accordance with applicable Data Protection Laws.
Data Privacy Framework: The Data Processor participates in and certifies compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (together, the “DPF”). The Data Processor will (i) provide at least the same level of privacy protection to Personal Data as required by the DPF principles; (ii) notify the Data Controller if the Data Processor determines it can no longer meet its obligations to provide the same level of protection as required by the DPF principles; and (iii) upon notice, take reasonable and appropriate steps to remediate unauthorised processing of Personal Data.
Where Personal Data is transferred from the EEA, Switzerland, or the United Kingdom to a territory not recognised as providing an adequate level of protection by relevant authorities, the Data Processor agrees to process that Personal Data in compliance with the provisions set out in Annexure 1, which forms an integral part of this Agreement.
SECURITY OF PERSONAL DATA
Subject to Clause 8 of the Privacy Policy, the Data Processor will uphold the security of the Personal Data.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying risks to the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate Technical and Organisational Measures to protect Personal Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure, or access, in line with Article 32 of the GDPR, which sets the standard for the security of processing.
Each Party shall ensure that any individual acting under its authority who has access to Personal Data does not process such data in violation of Data Protection Laws or this Agreement. Each Party is responsible for ensuring that its personnel protect the security, privacy, and confidentiality of Personal Data in accordance with the requirements of this Agreement and applicable Data Protection Laws.
Upon request, the Data Processor, in compliance with Article 28(3)(h) of the GDPR, shall demonstrate the security measures it has taken and shall allow the Data Controller to audit and test such measures, provided that the Data Controller gives reasonable notice and reimburses the Data Processor for any costs incurred.
To ensure proper accountability and compliance with Article 30 of the GDPR, the Data Processor shall make available to the Data Controller any necessary documentation to demonstrate adherence to the legal obligations related to processing activities, ensuring that the Data Controller can maintain accurate records of processing activities.
The Data Processor shall conduct regular security assessments to verify the effectiveness of security measures and compliance with this Agreement, providing relevant reports to the Data Controller upon request, aligning with Article 32(1)(d) of the GDPR.
DATA PROTECTION IMPACT ASSESSMENT
The Data Processor shall, where necessary and upon request, assist the Data Controller in conducting Data Protection Impact Assessments (“DPIA”) in relation to processing activities carried out by the Data Processor. This includes providing relevant input, documentation, and technical information necessary for the Data Controller to fulfil its DPIA obligations under Article 35 of the GDPR and other applicable Data Protection Laws. The Data Processor will work collaboratively with the Data Controller to assess any potential risks to the rights and freedoms of Data Subjects, ensuring that appropriate measures are in place to mitigate such risks.
Where a DPIA indicates that the processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, the Data Processor, in compliance with Article 36 of the GDPR, shall support the Data Controller in the necessary consultations with the relevant Supervisory Authorities. The Data Processor will also implement additional Technical and Organisational Measures as identified during the DPIA to mitigate risks, if applicable.
DATA SUBJECT REQUESTS
The Data Processor shall assist the Data Controller, to the extent possible and in compliance with applicable Data Protection Laws, in responding to requests from Data Subjects to exercise their rights. These rights, as outlined in Clause 13 of the Privacy Policy, include, but are not limited to, rights to access, rectification, erasure, restriction of processing, data portability, and objection under the GDPR, as well as equivalent rights provided under other applicable Data Protection Laws.
Upon receiving a Data Subject request directly related to the Personal Data processed on behalf of the Data Controller, the Data Processor shall (i) promptly inform the Data Controller without undue delay, unless prohibited by law, and (ii) provide the Data Controller with all necessary cooperation, information, and assistance to enable the Data Controller to respond to the request in compliance with the relevant Data Protection Laws.
Further, the Platform provides the Data Controller with technical capabilities, such as modifying, deleting, or restricting access to Personal Data. These features help the Data Controller fulfil its obligations under Data Protection Laws when responding to Data Subject requests.
If the Data Controller is unable to address a Data Subject request directly via the provided Platform controls, the Data Processor shall provide reasonable assistance. Such assistance may include retrieving, correcting, or deleting Personal Data as required. In this case, the Data Controller shall reimburse the Data Processor for any reasonable costs incurred in providing such assistance, particularly where Technical and Organisational Measures are needed.
In the event of a legal demand for the disclosure of Personal Data, such as a subpoena, court order, or search warrant, the Data Processor will attempt to redirect the requesting party to the Data Controller unless legally obligated to respond directly. The Data Processor shall notify the Data Controller of any such demand unless prohibited by law, allowing the Data Controller to respond appropriately.
DATA SECURITY BREACH
In the event that the Data Processor becomes aware of a Personal Data breach that materially impacts the processing of Personal Data covered by this Agreement, the Data Processor shall promptly notify the Data Controller without undue delay. This notification will include all relevant details, such as the nature of the breach, the categories and approximate number of Data Subjects affected, and any potential consequences of the breach.
The Data Processor, in accordance with Article 33 of the GDPR, shall notify the Data Controller without undue delay upon becoming aware of any Personal Data breach affecting Personal Data. Notifications shall be sent via email to the registered email address of the Data Controller, and wherever feasible, within 72 hours of becoming aware of the breach.
The Data Processor shall take all necessary steps to contain and resolve the breach, working in collaboration with the Data Controller to investigate the cause, prevent further incidents, and reduce the impact in accordance with Clause 9 of the Privacy Policy. The Data Processor will provide regular updates to the Data Controller throughout the incident response process.
If a breach involves a Sub-Processor, the Data Processor shall ensure that the Sub-Processor promptly notifies the Data Processor of the breach, and the Data Processor will then relay the relevant information to the Data Controller. The Data Processor will take all appropriate steps to manage and coordinate the response with the Sub-Processor and provide the Data Controller with full details.
The Data Processor will only be liable for breaches that result from its failure to comply with the security obligations outlined in this Agreement. The Data Processor will not be responsible for breaches caused by the Data Controller’s failure to implement required security measures or actions beyond the Data Processor’s reasonable control.
COMPLIANCE WITH CCPA
To the extent that any Personal Data is subject to the CCPA, the Parties acknowledge that the Data Processor will act solely as a service provider with respect to such Personal Data.
The Data Processor shall not retain, use, or disclose any Personal Data subject to the CCPA for any purpose other than performing the Services or otherwise specified in any other agreement with the Data Controller. The Data Processor also agrees not to retain, use, or disclose Personal Data outside the direct business relationship between the Data Controller and their Authorised Users and End Users (both defined in the Terms of Service) and between the Data Controller and the Data Processor.
The Data Controller confirms that any Personal Data subject to the CCPA was not sold to the Data Processor and agrees not to "sell" personal information as defined under the CCPA.
The Data Processor shall assist the Data Controller in fulfilling any obligations to respond to Data Subject requests under the CCPA. The Data Controller shall also enable the Data Processor to fulfil its obligations in responding to Data Subject requests, if any, in compliance with the CCPA within the mandated time limits.
Should the Data Processor determine that it can no longer comply with its obligations as a service provider under the CCPA, the Data Processor will promptly notify the Data Controller.
Both Parties hereby certify their understanding of the restrictions set forth in this clause and commit to compliance. Acceptance of this Data Processing Agreement shall be deemed as acceptance by both Parties of the obligations under the CCPA, requiring no further physical or digital execution.
PERSONAL DATA DELETION AND RETURN
Upon termination or expiration of this Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data processed on behalf of the Data Controller, including copies thereof, unless retention of the Personal Data is for the purpose outlined in Clause 7 of the Privacy Policy.
The Data Processor shall provide written confirmation to the Data Controller regarding the deletion or return of Personal Data in accordance with Article 28(3)(g) of the GDPR.
If the Data Processor is required to retain certain Personal Data for compliance with any applicable laws or regulations or otherwise for the reasons outlined in Clause 7 of the Privacy Policy, the Data Processor shall inform the Data Controller of such requirement and shall ensure that such Personal Data is maintained in accordance with the applicable Data Protection Laws and regulations, including but not limited to Article 5(1)(e) of the GDPR regarding data minimisation and storage limitation.
LIMITATION OF LIABILITY
To the fullest extent permitted by applicable Data Protection Laws, the Data Processor's liability arising out of or related to this Agreement shall be limited to the maximum extent permitted in the Terms of Service.
For the avoidance of doubt, all liability limitations outlined in the Terms of Service are incorporated herein by reference and shall apply equally to any claims under this Agreement.
TERM AND TERMINATION
This Agreement shall become effective as of the Effective Date and shall remain in force for as long as the Client utilises the Platform and maintains an active account in accordance with the Terms of Service (the “Term”).
The Parties acknowledge that either Party may terminate this Agreement in accordance with the provisions set forth in Clause 19 of the Terms of Service, including any termination rights specified therein.
Upon termination of this Agreement, the obligations of the Parties regarding the handling of Personal Data as detailed in this Agreement shall survive until all Personal Data has been deleted or returned in accordance with Clause 13 of this Agreement and applicable Data Protection Laws.
GOVERNING LAW AND DISPUTE RESOLUTION
This Data Processing Agreement (DPA) shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law principles.
Any disputes arising out of or in connection with this Agreement shall be subject to the dispute resolution procedures outlined in Clause 23 of the Terms of Service.
MISCELLANEOUS
Supersession of Previous Agreements: Unless otherwise agreed to between the Parties, this Agreement replaces any existing data processing agreement that the Parties may have previously entered into regarding the Services provided by the Company.
Notices: All notices or communications required or permitted under this Agreement shall be in writing and delivered personally, sent via email to the designated addresses provided by the Parties, or sent by registered or certified mail. Notices shall be deemed given upon receipt.
Severability: If any provision of this Agreement is determined to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.
Force Majeure: Neither Party shall be liable for any loss or delay resulting from a force majeure event, including but not limited to acts of God, natural disasters, terrorism, labour stoppages, or military actions.
Counterparts: This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Electronic signatures shall be considered valid.
ANNEXURE I - STANDARD CONTRACTUAL CLAUSES (SCCs)
PARTIES
The Parties to these SCCs are:
Data Exporter: The Client (defined in the Terms of Service) who transfers the Personal Data of their Authorised Users and End Users to the Data Importer. The “Data Exporter” is the entity responsible for collecting, controlling, and transferring the data.
Data Importer: The Company receives and processes the Personal Data on behalf of the Client for the provision of services. The Company, acting through its Platform, serves as the Data Importer in this Agreement. The “Data Importer” means the processor who agrees to receive Personal Data from the Data Exporter for processing on their behalf after the transfer, in accordance with their instructions and the terms of these Clauses, and who is not subject to a third country’s system that ensures adequate protection as defined under Article 45 of GDPR.
PURPOSE AND SCOPE
The purpose of these Standard Contractual Clauses is to ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and the free movement of such data ("GDPR"). These SCCs govern the transfer of Personal Data to a third country that does not ensure an adequate level of data protection as determined by GDPR.
EFFECT AND INVARIABILITY OF THESE CLAUSES
These Standard Contractual Clauses establish adequate safeguards that include enforceable rights for Data Subjects and effective legal remedies in accordance with Article 46(1) and Article 46(2)(c) of GDPR. They are designed for data transfers from Data Controllers to Data Processors and ensure compliance with Article 28(7). Any modifications to these SCCs must not alter their core principles or contradict their intent.
These Standard Contractual Clauses do not diminish the obligations that the Data Exporter must fulfil under Regulation (EU) 2016/679.
INTERPRETATION
Where these Clauses reference terms defined in Regulation (EU) 2016/679, such terms shall carry the same meaning as defined in that Regulation.
These Clauses shall be interpreted in accordance with the principles and provisions of Regulation (EU) 2016/679, ensuring compliance with applicable data protection laws. For the purposes of these SCCs, ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established.
The interpretation of these Clauses shall not conflict with the rights and obligations established under Regulation (EU) 2016/679, and any potential inconsistencies shall be resolved in favour of upholding the Regulation.
DESCRIPTION OF TRANSFER
The details regarding the transfer of Personal Data, including any applicable Special Categories of Personal Data, are outlined in Clause 3 of this Agreement. Clause 3 of this Agreement specifies the types of data being transferred and the purposes for which such data is processed.
OBLIGATIONS OF THE PARTIES
Both Parties (defined in Clause 1 of this Annexure) agree to comply with all applicable data protection laws and regulations, including but not limited to Regulation (EU) 2016/679 (GDPR), ensuring that the processing of personal data is lawful, fair, and transparent.
The Data Exporter shall:
ensure that the processing, including the transfer of Personal Data, has been and will continue to be conducted in accordance with the relevant provisions of applicable data protection laws, including GDPR and any other applicable national laws. The Data Exporter shall notify any relevant authorities as required under Articles 33 and 34 of the GDPR.
instruct the Data Importer to process the Personal Data solely on its behalf and according to Documented Instructions, which may be updated throughout the duration of the processing services, in accordance with Article 28(3)(a) of the GDPR.
verify that the Data Importer provides sufficient guarantees concerning the Technical and Organisational Measures implemented to protect Personal Data, as outlined in Article 32 of the GDPR.
ensure that if the transfer involves Special Categories of Data (as defined under Article 9 of the GDPR), Data Subjects have been informed or will be informed before or promptly after the transfer that their data could be transmitted to a third country without adequate protection under Article 46 of the GDPR.
facilitate the exercise of Data Subjects' rights by making available a copy of this Agreement upon request, excluding any proprietary information, and providing summaries of security measures and Sub-Processors.
The Data Importer shall:
process Personal Data only on the Documented Instructions of the Data Exporter and for the specific purposes outlined in this Agreement and Privacy Policy, unless otherwise required by law.
implement appropriate Technical and Organisational Measures to ensure the security of Personal Data, protecting it against unauthorised access, destruction, loss, or alteration, as required by Article 32 of the GDPR.
notify the Data Exporter without undue delay upon becoming aware of any Data Security Breach and cooperate with the Data Exporter to mitigate its effects, as stipulated in Article 33 of the GDPR.
maintain accurate records of processing activities carried out on behalf of the Data Exporter and allow for audits to demonstrate compliance with these obligations in accordance with Article 30 of the GDPR.
delete or return all Personal Data processed on behalf of the Data Exporter upon termination of Services and certify the completion of such actions, unless the retention of such data is required in accordance with Clause 7 of the Privacy Policy.
ensure that any Sub-Processors engaged comply with the same level of data protection as required under this clause and that their processing activities are governed by a written agreement that reflects these obligations, in line with Article 28(4) of the GDPR.
OBLIGATIONS OF THE DATA IMPORTER IN CASE OF ACCESS BY PUBLIC AUTHORITIES
The Data Importer shall promptly inform the Data Exporter and, where feasible, the affected data subjects (with assistance from the Data Exporter if necessary) if it:
receives a legally binding request from a public authority, including judicial entities, for the disclosure of Personal Data transferred under these Clauses. This notification must include details about the requested Personal Data, the authority making the request, the legal basis for the request, and the response provided; or
becomes aware of any direct access to Personal Data transferred under these Clauses by public authorities in accordance with the laws of the destination country. This notification must include all relevant information available to the Data Importer.
In instances where the laws of the destination country prohibit the Data Importer from notifying the Data Exporter and/or the Data Subjects, the Data Importer agrees to exert its best efforts to obtain a waiver of such prohibition to communicate as much information as possible as soon as feasible. The Data Importer shall document these efforts to demonstrate compliance upon request from the Data Exporter.
Where permissible under the laws of the destination country, the Data Importer shall provide the Data Exporter with regular updates throughout the duration of the contract, supplying relevant information about requests received (including the number of requests, the type of data requested, the requesting authority, whether any requests have been contested, and the outcomes of such challenges).
The Data Importer agrees to retain the information as specified in sub-clauses 7.1 to 7.4 for the duration of the contract and make it available to the competent Supervisory Authority upon request.
SUB-PROCESSING
The Data Importer shall adhere to the sub-processing obligations set forth in the main Data Processing Agreement, specifically in Clause 4 (Sub-Processors). The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the SCCs without the prior written consent of the Data Exporter.
THIRD-PARTY BENEFICIARIES
The Data Subject has the right to enforce specific obligations directly against the Data Exporter, including:
The Data Subject’s rights outlined in Clause 13 of the Privacy Policy.
The right to ensure their personal data is processed lawfully and with appropriate safeguards.
The right to be informed of any data breaches that affect their Personal Data.
The right to seek compensation for damages caused by breaches of these obligations.
If the Data Exporter ceases to exist, becomes insolvent, or is otherwise unable to fulfil its obligations, the Data Subject may enforce the same rights directly against the Data Importer. These rights include:
Ensuring Personal Data is processed securely and lawfully by the Data Importer.
The right to be notified in case of data breaches.
The ability to request access or correction of their data, and seek compensation for any damages caused by improper handling of their data.
If both the Data Exporter and the Data Importer are unable to meet their obligations (due to insolvency or ceasing to exist), the Data Subject can enforce their rights directly against the Sub-Processor. These rights are limited to the Sub-Processor’s specific processing operations and include:
Ensuring that Personal Data is processed according to agreed-upon safeguards.
The right to seek redress for any damages caused by a breach of data protection obligations by the Sub-Processor.
The Data Subject has the right to be represented by an authorised association or body in asserting their rights under this Agreement, provided this is allowed by applicable law and the Data Subject expressly consents.
If a successor entity assumes the legal obligations of either the Data Exporter or the Data Importer, the Data Subject can enforce its rights against that successor. The successor entity will be responsible for ensuring compliance with data protection obligations and for any damages resulting from a breach.
LIABILITY
Each Party shall be liable for any damages it causes to the other Party as a result of any breach of the obligations set forth in this Agreement. The Data Importer shall be liable to Data Subjects for any material or non-material damages caused by the Data Importer or its Sub-Processors as a result of breaches of their obligations under this Agreement.
In situations where a Data Subject is unable to pursue a claim against the Data Exporter due to its factual disappearance, legal cessation, or insolvency, the Data Importer agrees that the Data Subject may file a claim against the Data Importer as if it were the Data Exporter. This obligation remains unless a successor entity has assumed the full legal obligations of the Data Exporter, in which case the Data Subject can assert its rights against that successor.
The Data Importer may not use any breach by its Sub-Processors as a defence to limit its own liabilities. If a Data Subject cannot bring a claim against either the Data Exporter or the Data Importer due to the disappearance, legal cessation, or insolvency of both, the Sub-Processor agrees that the Data Subject may pursue a claim against the Sub-Processor concerning its own processing operations. The liability of the Sub-Processor will be limited to its own processing activities under this Agreement.
Where multiple parties share responsibility for damages incurred by a Data Subject due to breaches of this Agreement, those parties shall be jointly and severally liable. The Data Subject retains the right to initiate legal action against any of the liable parties. If one party is held accountable for damages under this clause, that party shall have the right to seek compensation from the other parties for their proportional share of the liability.
DISPUTE RESOLUTION AND JURISDICTION
The Data Importer agrees that should the Data Subject assert third-party beneficiary rights or seek compensation for damages under these SCCs, it will honour the Data Subject’s decision to either:
refer the matter to the dispute resolution process set forth in Clause 23 of the Terms of Service, ensuring an impartial and structured mechanism for addressing the claim; or
submit the dispute to the competent courts in the jurisdiction where the Data Exporter is established.
The Parties acknowledge that the Data Subject's choice of either method will not restrict or affect its right to seek remedies under national or international laws, whether substantive or procedural.
COOPERATION WITH SUPERVISORY AUTHORITIES
The Data Exporter agrees to provide a copy of this Agreement to any relevant Supervisory Authority upon request or if required under the applicable data protection laws.
Both parties acknowledge that Supervisory Authorities have the right to audit the Data Importer, as well as any engaged Sub-Processors. Such audits will follow the same scope and conditions as would apply to audits of the Data Exporter under relevant data protection regulations.
The Data Importer agrees to promptly inform the Data Exporter if any legal framework applicable to it or any of its Sub-Processors restricts or prevents the performance of such audits. In such an event, the Data Exporter will have the right to take any necessary actions to ensure compliance with applicable data protection laws, including suspension of the processing or termination of this Agreement.
GOVERNING LAW
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
MODIFICATION
The Parties agree that the core obligations outlined in this Agreement shall not be altered or modified, ensuring the protection of data remains in compliance with applicable laws. However, the Parties may introduce additional provisions or clauses related to business or operational matters, provided that such additions do not conflict with or undermine the data protection commitments made in this Agreement.
DATA EXPORTER’S RIGHTS UPON SERVICE TERMINATION
Upon termination of the data-processing services, the Parties agree that the Data Importer and any Sub-Processors shall, at the Data Exporter's discretion, either:
Return all Personal Data transferred along with any copies to the Data Exporter; or
Permanently delete all Personal Data transferred and provide the Data Exporter with a certification confirming the completion of this deletion.
Should applicable legislation prevent the Data Importer from returning or destroying some or all of the Personal Data, the Data Importer shall ensure the confidentiality of such Personal Data and refrain from any further processing of it.
Additionally, the Data Importer and Sub-Processors agree to submit to an audit of their data-processing facilities to verify compliance with these obligations upon request from the Data Exporter or the relevant Supervisory Authority.