Data Processing Agreement

1. "Applicable Law" shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restrictions (including any and all legislative and/or regulatory amendments), to which a Party to this DPA is subject and includes the Data Protection Regulations.
2. "Customer Data" means all data provided or made available by the Company to the Processor or otherwise Processed on behalf of the Company under the Service Agreement, including but not limited to [insert data type] and any derivatives thereof.
3. "Model Training" means developing, training, fine‑tuning, benchmarking, or otherwise improving an algorithm, model, or product using data or derivatives.
4. "Data Protection Regulations" the Personal Data protection legislation applicable in India, including the Digital Personal Data Protection Act, 2023 and rules thereunder (as and when it comes into force), the Information Technology Act, 2000 and rules thereunder, and the CERT‑In Directions.
5. "Data Principal" any identified or identifiable natural person to whom the Personal Data relates.
6. "Personal Data" means any data or information relating to an identified or identifiable natural person, including any identifiers, contact details, financial or transactional information, communications metadata, and online identifiers, to the extent Processed under this DPA.
7. "Personal Data Breach / Breach" any unauthorised Processing of Personal Data or accidental disclosure, acquisition, sharing, use, alteration, destruction, theft or loss of access to Personal Data, that compromises the confidentiality, integrity or availability of Personal Data.
8. "Personnel" means the employees, agents, consultants, representatives or contractors of the Company or Processor, as the context may clarify.
9. "Processing or Processed" in relation to Personal Data means a wholly or partly automated operation or set of operations performed on or with regard to Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, blocking, erasure or destruction. Processing includes the purposes and operations mentioned in Appendix A of this DPA.
10. "Services" shall have the meaning attributed to it under the Services Agreement.
11. "Sub-processor" any natural or legal person engaged by Processor to carry out, fully or partially, on its behalf the Processing of Personal Data as set out under this DPA.

1. The Processor shall Process Personal Data only on documented instructions from the Company and only to deliver the Services. The Processor shall not determine the purposes or means of Processing.
2. The Processor shall during the Term of this DPA and thereafter as required by this or any other agreement between the Parties, adhere to any and all written instructions of the Company provided in relation to Personal Data shared with the Processor by the Company and Processing thereof. Without prejudice to the foregoing, the Processor shall immediately inform the Company where it deems that an instruction given by Company is in violation of the Applicable Laws. Under no circumstance do the requirements of this Section per se limit or exclude Processor's liability as set out in the DPA.
3. The Parties hereby acknowledge, agree and confirm that the Company is not receiving any compensation for sharing or providing access to any Personal Data.

1. The Processor shall hold in strict confidence any and all Personal Data disclosed to or accessed by Processor in accordance with this DPA and shall segregate Customer Data logically from other customers' data.
2. Access of Personal Data shall be restricted to Personnel who need to know the data to perform the Services and who are bound by written confidentiality and data‑protection obligations no less protective than this DPA and are trained on privacy and security.
3. The Processor shall not copy, decompile, modify, reverse engineer, or create derivative works out of any of the Personal Data.
4. The Processor shall not, and shall ensure its Sub‑processors do not use Customer Data, or Personal Data to develop, train, fine‑tune, or improve any models, algorithms, features, or products, whether for the Processor or any third party, including through aggregation, anonymization, or de‑identification.
5. The Processor shall implement technical and organizational controls to prevent ingestion of Customer Data into any Model Training or analytics pipelines and shall maintain auditable evidence of such controls.
6. The Processor shall ensure that any approved Sub-Processor engaged in connection with the Services conducts a quarterly internal audit or, at a minimum, provides an annual written certification confirming that no Customer Data has been used, directly or indirectly, for any Model Training or analytics purposes. Such audit reports or certifications shall be retained by the Processor and made available to the Company upon request.
7. The Company confirms that it has the legal right to provide the Personal Data to the Processor for the purposes of availing the Services.
8. The Processor shall conduct its operations in a transparent and open manner. The Processor is obligated to ensure that the Processing of Personal Data is in strict compliance with Applicable Laws and the industry standards.

1. The Processor shall not appoint any Sub‑processor without prior intimation to the Company. The Company pre‑approves only those Sub‑processors listed in Appendix B.
2. Where the Processor, with the written consent of Company, subcontracts any of the Processing operations to a third-party Sub-processor, the Processor shall enter into a written agreement with each such Sub-processor that imposes obligations on the Sub-processor that are identical to those imposed on Processor under this DPA. Where the Sub-processor fails to fulfil these obligations, the Processor shall remain fully liable to Company for the performance of that Sub-processor's obligations. It is hereby clarified that all obligations of the Processor in relation to its Personnel as set out hereunder, shall also apply mutatis mutandis to the involvement of any Sub-processors.
3. The Processor shall disclose all storage and Processing locations and shall not transfer Personal Data outside India without the Company's prior written consent.
4. In relation to any and all actions or omissions of the Processor's Personnel and/or Sub-processors resulting in non-compliance or breach (direct or indirect) of this DPA and/or Applicable Law, such breach / non-compliance shall be deemed to be committed by the Processor and the Processor shall completely and effectively indemnify the Company and/or Data Principal for all such breaches / non-compliance.

1. The Processor will keep detailed, accurate, and up‑to‑date records regarding Processing activities performed on behalf of the Company, including categories of Personal Data, Processing purposes, data flows, Sub‑processor registry with locations, access controls, and security measures ("Records").
2. Upon written request by the Company, the Processor shall share all such Records with the Company promptly and within the timeline prescribed by the Company in its request.
3. Notwithstanding anything contained hereunder, upon any request being made in writing by the Company, the Processor shall carry out such changes to the Records, and shall ensure that the Sub-processors also carry out such changes, as may be required by the Company and/or Data Principal for ensuring correction, completeness and accuracy of Personal Data.

1. The Processor shall not retain any Personal Data (or any documents or records containing Personal Data, electronic or otherwise) for any period longer than the Term of this DPA or as is necessary for the Purpose, or upon a written request by the Company, whichever is earlier.
2. On expiry or early termination of this DPA, or the fulfilment of the Purpose, or on written request of the Company, the Processor shall immediately cease to use any Personal Data and shall within a maximum period of 15 (fifteen) days from expiry / termination or written request, as the case may be, return or destroy all such Personal Data and delete all electronic records of such Personal Data from their computers / servers / data storage devices / backup devices (as the case may be). The Processor shall ensure compliance with this Section by its Sub-processors as well and will be required to provide a certificate confirming compliance with all the obligations under this Section. Notwithstanding anything to the contrary hereunder, in case of a regulatory requirement, the Company may require the return of all Personal Data, in which case the Processor shall promptly but not later than any timelines provided under such regulatory requirement, return all such data to the Company. If required by the Company, the Processor shall provide a certificate confirming compliance with the destruction obligation under this section.
3. Only such Personal Data may be retained by the Processor which it is legally required to retain for compliance with any Applicable Law ("Legal Purpose") and the Processor's obligation of confidentiality and security towards this information as set out under this DPA and Service Agreement and Applicable Law shall continue in perpetuity. No other use is permitted and the data shall be deleted immediately after the Legal Purpose ends.

Personal Data shall be stored and Processed only in India. The Processor shall not transfer Personal Data outside India without the Company's prior written consent and subject to contractual safeguards and a written undertaking that the data will be protected at a standard comparable to this DPA and Applicable Law.

1. The Processor shall assist the Company by appropriate technical and organisational measures, for the fulfilment of the Company's obligation to respond to any data protection related requests including any requests for exercising Data Principal's rights or answering any potential requests from supervisory authorities. The Processor shall provide the Company with access to the Company's Personal Data that the Processor has in its possession or control related to the Services, as soon as practicable upon the Company's written request. The Processor shall acknowledge such request within one (1) day of receipt and shall provide full resolution, response, or necessary support within twenty-one (21) days from the date of such request or earlier if required by the Company. If required, the Processor shall also reasonably assist the Company in carrying out data protection impact assessments related to the Personal Data in relation to the Services.
2. The Processor shall ensure compliance with the Cert-In Directions and all applicable requirements prescribed thereunder, including maintenance of necessary infrastructure, connection with prescribed servers, maintenance of logs within India etc.
3. The Processor shall promptly inform the Company if the Processor cannot ensure compliance with Applicable Law for whatever reason of its inability to comply, in which case the Company reserves the right to immediately and automatically suspend any Processing and/or terminate this DPA.
4. The Processor shall not combine the personal data that the Processor receives from the Company with data of another business.

1. The Processor shall develop, maintain, implement, and adhere to a comprehensive written information security program that complies with industry standards, is commensurate to the nature of Personal Data Processed by it and the nature of Processing carried out by it as well as requirements under Applicable Laws.
2. The Processor shall use technical and organizational measures to ensure the security and confidentiality of the Personal Data (including encryption) in order to prevent, among other things:
3. accidental, unauthorized or unlawful destruction, alteration, modification or loss of the Personal Data;
4. accidental, unauthorized or unlawful disclosure or access to the Personal Data;
5. unlawful forms of Processing;
6. The security measures taken shall be in compliance with Data Protection Regulations, shall be in accordance with reasonable industry standards and shall be adapted to the risks presented by the processing and the nature of the Personal Data to be Processed. For the avoidance of any doubt, "technical and organizational measures" shall also include arrangements for regularly testing, analyzing, and assessing the effectiveness of the technical and organizational measures implemented by the Processor.
7. If the Processing by Processor or its Personnel involves the transmission of the Personal Data over a network, the Processor shall implement appropriate measures designed to protect the Personal Data against the specific risks associated with such transmission, including the encryption of Personal Data.
8. The Processor shall implement reasonable restrictions regarding physical and electronic access to Personal Data, including but not limited to physical access controls, secure user authentication protocols, secure access control methods, firewall protection, anti-virus and malware protection, and use of encryption where appropriate or required by Applicable Laws.
9. The Processor shall review all its systems and processes from time to time to ensure compliance with the requirements prescribed as part of this DPA.
10. The Processor shall ensure Sub‑processors implement security measures no less protective than those required in this DPA.

1. The Processor shall notify the Company without undue delay and in no event later than 2 (two) hours after becoming aware of a Breach involving Personal Data. If any regulatory /government notification or law requires a notice for Breach within a shorter period of time, the Processor will also notify the Company within such shorter time period.
2. Upon request, the Processor shall provide a written incident report including a description of the Breach, categories and volume of data affected, root‑cause analysis, remedial actions, and status updates until closure. Where legally required, the Parties shall coordinate notifications to authorities and Data Principals.
3. The Processor agrees to take action immediately, at its own expense, to investigate the Breach and to identify, prevent and mitigate the effects of any such Breach, and to carry out any recovery or other action necessary to remedy the Breach. The Processor shall pay for or reimburse the Company for all costs, losses and expenses relating to any Security Breach of the Personal Data collected or Processed by the Processor on behalf of the Company.
4. The foregoing obligations of the Processor in relation to Personal Data Breach are without prejudice to its obligations to report cyber incidents to CERT-In as per the CERT-In Directions and all ancillary and incidental obligations thereunder.

1. The Company and its authorized representatives shall have the right to audit, and to examine all Services related data records (in whatever form they may be kept, whether written, electronic, or other) relating to or pertaining to this Agreement kept by or under the supervision of the Processor, as and when the need reasonably arises. The Processor undertakes to allow the conduct of such audits of its documents, and / or systems by the Company or any third-party auditor instructed by the Company for this purpose, at the cost of the Company. The Processor agrees to reasonably co-operate to such audits, in particular by answering to any questionnaire provided by the Company or said third party auditor.
2. If an audit identifies non‑compliance, the Processor shall remediate within timelines notified by the Company and bear the Company's audit costs where non‑compliance is found.
3. Notwithstanding the foregoing, in cases where breach by the Processor is considered as substantial, the Company shall have the right to immediately terminate the engagement with the Processor, without any outstanding obligations on the part of the Company.
4. The Processor shall deal promptly and appropriately with any inquiries from the Company relating to the Processing of Personal Data and all queries shall be responded to within 1 day from the receipt of query.

1. Each Party hereby represents and warrants to the other Party that it is duly organized and has authority to enter into and perform this DPA and that its performance will comply with Applicable Law.
2. The Processor further represents that it has implemented and will maintain controls sufficient to comply with this DPA.

1. This Agreement shall be deemed to have come into effect on and from the date of execution of the Service Agreement and shall be valid, legal, and binding during the entire term of the Service Agreement ("Term") and shall be co-terminus with the Service Agreement.
2. This Agreement will terminate automatically in case of termination of the Service Agreement regardless of the reason for such termination.
3. Notwithstanding the foregoing, the Company will have a right to terminate the DPA:
4. at any time by giving 30 days' prior notice, in case of termination for convenience; and
5. immediately, in case of any material breach of this DPA by the Processor, where such breach is not remedial immediately or may result in direct or indirect breach of Applicable Laws by the Company.
6. In case of termination by the Company, the Company shall have no outstanding obligations towards the Processor and the Processor shall comply with its obligations under this DPA.
7. In the event the provision of Processing the Personal Data by the Processor becomes unlawful under any law, the Processor shall inform Company within reasonable time period of obtaining knowledge about the same and the DPA shall stand terminated.

1. The Processor agrees to indemnify, defend, and hold harmless the Company and its customers, officers, employees, Personnel, Data Principals and agents from and against all direct and indirect claims, demands, actions, liabilities, costs, interest, damages, and expenses of any nature whatsoever (including all legal and other costs, charges, and expenses) incurred or suffered by the Company or its customers, officers, employees, Personnel, data principals and agents, arising out of any (i) any breach of or non-compliance of this DPA by the Processor (or its Personnel or Sub-processor), including its obligations and the representations and warranties, (ii) any breach of Applicable Laws by the Processor (or its Personnel or Sub-processor) that results in Company being in breach of the Applicable Laws; and/or (iii) any and third-party claims arising from or in relation to Processing by Processor (or its Personnel or Sub-processors). The Processor shall make payment for any claim under this Section within a period of 30 (thirty) days from the date of the claim by the Company.
2. The rights, powers, privileges, and remedies provided in this indemnity clause are cumulative and not exclusive of any rights, powers, privileges, or remedies provided by law.
3. Third Party Claims: In the event of any third-party claim being raised against the Company, the Company may call upon the Processor to assume defence of the claim, and the Processor shall promptly, take appropriate actions to dispute, resist, appeal, compromise, defend, remedy or mitigate the third party claim, at its sole cost and expense. The Processor shall not enter into any settlement, consent order, or entry into judgement, without prior written consent of the Company.
4. The Processor agrees that any breach of this DPA or any unauthorized disclosure or access to Personal Data or Personal Data Breach, may cause the Company irreparable harm which cannot be fully compensated by monetary damages. Accordingly, in addition to any other remedies the Company may have at law or in equity, the Company shall be entitled to seek immediate injunction and other equitable relief to prevent any further or continuing breach of obligations.
5. The Parties hereby agree that in no event shall the Company bear any liability towards the Processor or its Personnel or Sub-processors.

1. Entire Agreement: The Service Agreement, along with the DPA and all annexures, appendices constitute the entire and final and exclusive statement of the agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous discussions, communications, negotiations and agreements, written or oral, with respect to the subject matter hereof.
2. Amendments: No amendment is effective unless in writing and signed by both Parties.
3. Survival: The obligations of the Parties under this Agreement that by their nature would continue beyond the termination, expiration or other conclusion of this Agreement and shall survive such termination, expiration or conclusion.
4. Governing Law: This Agreement shall be governed by and construed in accordance with the laws of India.
5. Dispute Resolution: In case of any dispute or difference either in interpretation or otherwise, of any terms of these Terms between the parties hereto, the parties shall attempt to resolve the same through discussion. In case the parties fail to arrive at an amiable solution through discussion, the same shall be referred to Arbitration at the request of either Party in writing, in accordance with the provisions of Arbitration and Conciliation Act, 1996, as amended from time to time. The arbitration shall be conducted by a sole Arbitrator to be mutually appointed between the Parties and decision of the arbitrator shall be final and binding on the parties hereto. The seat and venue of arbitration shall be Madurai, Tamil Nadu, India. The rights and remedies provided in these Terms are cumulative and are in addition to and not in substitution for any other rights and remedies available at law or in equity.
6. Incorporation of the General Terms from the Service Agreement: All General Terms incorporated in the Service Agreement shall be incorporated by reference to this DPA and shall apply mutatis mutandis to this DPA, unless specifically incorporated in this DPA or agreed otherwise. In the event of any conflict between the terms of the Service Agreement and this DPA, the terms of this DPA shall prevail to the extent it is related to any data or Personal Data.