
Data Processing Agreement

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Use and addresses compliance requirements under the Digital Personal Data Protection Act, 2023 of India ("DPDP Act") for processing Personal Data on behalf of the Data Fiduciary.

Under India's Digital Personal Data Protection Act, 2023 ("DPDP ACT").

1. Definitions

Unless otherwise defined in this DPA, terms used herein shall have the same meaning as assigned to them in the DPDP Act. The following definitions apply:

1.1 "Data Transfer" means the movement of Personal Data from the Data Fiduciary to the Data Processor, or between two establishments of the Data Processor, or with a Sub-Processor by the Data Processor.

1.2 "DPDP Act" means the Digital Personal Data Protection Act, 2023 as enacted by the Government of India.

1.3 "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

1.4 "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary.

1.5 "Sub-Processor" means any third party appointed by the Data Processor to assist in fulfilling its obligations under this DPA and who processes the Personal Data.

1.6 "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

2. Purpose of this Agreement

This DPA outlines the obligations of the Data Processor in relation to the processing of Personal Data and applies only to the extent of the Data Processor's processing obligations under the Agreement. In case of conflict, this DPA shall prevail over the Agreement to the extent of such conflict.

3. Categories of Personal Data

The Data Fiduciary authorizes the Data Processor to process Personal Data to the extent determined and instructed by the Data Fiduciary. The nature of the Personal Data is specified in Annex I to this DPA.

4. Purpose of Processing

The Data Processor shall process Personal Data solely for the purpose of delivering the Services in accordance with the Agreement.

5. Duration of Processing

The Data Processor shall process the Personal Data for the duration of the Agreement unless otherwise instructed in writing by the Data Fiduciary.

6. Data Fiduciary's Obligations

  1. The Data Fiduciary shall ensure that it has a lawful basis to provide Personal Data to the Data Processor and that any required notice or consent has been obtained from the Data Principals in accordance with the DPDP Act.
  2. The Data Fiduciary shall provide notice to all Data Principals in a clear and accessible manner as required under Section 5 of the DPDP Act.
  3. The Data Fiduciary shall communicate revocation of consent or request for erasure or correction to the Data Processor, where applicable.
  4. The Data Fiduciary shall inform the Data Processor in writing upon becoming aware of: complaints indicating a breach of the DPDP Act; requests from Data Principals for access, correction, or deletion of Personal Data; regulatory or legal notices relating to Personal Data processing.

7. Data Processor's Obligations

  1. The Data Processor shall act only on documented instructions of the Data Fiduciary, including email, regarding the processing of Personal Data.
  2. The Data Processor shall provide reasonable support to the Data Fiduciary in meeting obligations relating to Data Principal rights under the DPDP Act.
  3. The Data Processor shall notify the Data Fiduciary if it believes that an instruction infringes the DPDP Act.
  4. The Data Processor shall implement appropriate measures to ensure compliance with the DPDP Act including assisting with Data Protection Impact Assessments, where required.
  5. The Data Processor shall not share Personal Data with any third party without the consent of the Data Fiduciary, except as legally required.
  6. Where Personal Data is transferred outside India, the Data Processor shall ensure compliance with any applicable government-issued guidance or rules on cross-border data transfer.

8. Confidentiality and Data Security

  1. The Data Processor shall ensure that personnel processing Personal Data are under confidentiality obligations and are trained in data protection.
  2. The Data Processor shall implement appropriate technical and organizational measures to ensure security of the Personal Data as detailed in Annex II.

9. Audit Rights

  1. Upon reasonable notice, the Data Processor shall provide necessary information and cooperation to demonstrate compliance with the DPDP Act.
  2. The Data Fiduciary may, at its expense, conduct audits (or appoint third-party auditors) subject to reasonable scheduling and confidentiality agreements.

10. Sub-Processors

  1. The Data Fiduciary authorizes the use of Sub-Processors as listed in Annex III. Any new Sub-Processors must be notified to the Data Fiduciary at least 30 days in advance.
  2. The Data Processor remains liable for the acts and omissions of Sub-Processors.
  3. The Data Fiduciary has the right to object to the addition of any new Sub-Processor on reasonable grounds.

11. Personal Data Breach Notification

  1. The Data Processor shall notify the Data Fiduciary without undue delay upon becoming aware of a Personal Data Breach that is likely to cause harm to the Data Principal.
  2. The Data Processor shall support the Data Fiduciary in investigating the breach and notifying the Data Protection Board and/or affected Data Principals, as required.
  3. Notification does not imply fault or liability by the Data Processor.

12. Return and Deletion of Personal Data

  1. Upon termination of the Agreement, the Data Processor shall return or delete Personal Data as instructed by the Data Fiduciary.
  2. All Personal Data shall be securely deleted within 30 days unless legally required to be retained.

13. Technical and Organizational Measures

The Data Processor shall implement the technical and organizational measures described in Annex II to ensure the protection of Personal Data as per Section 8 of the DPDP Act.

Annex I: List of Data Principals and Personal Data

Data Principals: Users of the Services as designated by the Data Fiduciary.

Categories of Personal Data: Name, Address, Email, Phone, DOB, Gender, Image, Job Title, Language, etc.

Frequency of Transfer: Continuous

Nature and Purpose of Processing: For delivery of Services as per the Agreement.

Retention Period: As per retention periods defined under the Agreement.

Annex II: Technical and Organizational Measures

Technical and organizational measures for compliance with Section 8 of the DPDP Act, including:

  • Access control and privilege restriction
  • Data encryption in transit and at rest
  • Employee confidentiality agreements
  • Periodic security audits
  • Regular training and awareness sessions
  • Multi-factor authentication

Annex III: List of Sub-Processors

Sub-Processor Name | Description of Processing | Location
Amazon Web Services | Cloud hosting services | India or as per allowed cross-border transfer rules
Cashfree | Payment service | India or as per allowed cross-border transfer rules
Yanolja Cloud Solutions | Property management system | India or as per allowed cross-border transfer rules
Famepilot | Reviews submitted | India or as per allowed cross-border transfer rules
Mixpanel | Product analytics | US
Webengage | Communications | India or as per allowed cross-border transfer rules
QID | Identity verification | India or as per allowed cross-border transfer rules
Google Analytics | Product analytics | India or as per allowed cross-border transfer rules