Data Processing Agreement (DPA)

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on Personal Data, including collection, storage, use, transfer, or deletion.

“Controller” means the entity that determines the purposes and means of processing Personal Data.

“Processor” means the entity that processes Personal Data on behalf of the Controller.

“Sub-Processor” means any third party engaged by the Processor to assist in providing services.

“Applicable Data Protection Law” means GDPR, Indian IT Act 2000 (as amended), and any other applicable data protection laws.

2. Subject Matter of Processing

The Processor shall process Personal Data as necessary to provide the Platform, including but not limited to:

• Lead management (contact details, interactions, reminders).
• User and employee management (HR, finance, training records).
• AI-driven insights, communications, and notifications.
• Technical logs, device identifiers, and analytics.

3. Roles and Responsibilities

The Controller determines the purpose and lawful basis of processing.

The Processor processes Personal Data only in accordance with documented instructions from the Controller.

Both parties shall comply with Applicable Data Protection Laws.

4. Processor Obligations

• Process Personal Data only for the agreed purposes.
• Implement appropriate technical and organizational measures to ensure data security.
• Ensure staff handling Personal Data are bound by confidentiality.
• Notify the Controller without undue delay in case of a data breach.
• Assist the Controller in responding to data subject rights (access, rectification, erasure, portability, restriction, objection).
• Delete or return Personal Data at the end of service provision unless retention is required by law.

5. Sub-Processing

The Controller authorizes the Processor to engage Sub-Processors (e.g., hosting providers, analytics tools, payment gateways).

A list of current Sub-Processors may be provided upon request.

The Processor ensures that Sub-Processors are bound by equivalent data protection obligations.

6. International Transfers

If Personal Data is transferred outside the Controller’s jurisdiction (e.g., EU to India), the Processor shall ensure appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions).

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights under Applicable Data Protection Laws, including but not limited to:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to object/restrict processing

8. Security Measures

• Encryption of data in transit and at rest.
• Role-based access control.
• Secure login and authentication mechanisms.
• Regular monitoring and logging of access.

9. Audit Rights

The Controller may audit the Processor’s compliance with this DPA once per year, with reasonable prior notice.

The Processor shall provide necessary cooperation and documentation.

10. Liability

Each party’s liability under this Agreement is subject to the limitations of liability in the main Terms & Conditions.

The Controller remains responsible for the lawfulness of processing and accuracy of Personal Data.

11. Term and Termination

This Agreement remains in effect as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination, the Processor shall return or securely delete all Personal Data, unless required to retain it by law.

12. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of India, with jurisdiction in Pune, Maharashtra.

13. Contact Information