ZYBERIC

Data Processing Agreement

1. Data Processing Agreement (DPA)

This agreement outlines the terms under which personal data is processed on behalf of the user. It ensures that all processing activities align with applicable data protection standards. The agreement defines the roles, responsibilities, and obligations of involved parties. Both the controller and processor must comply with the terms set forth here. This DPA forms part of the overarching service relationship.

2. Data Controller

The data controller determines the purpose and method of processing user data. They are responsible for ensuring the lawful collection and use of information. Controllers must inform users about data usage and uphold transparency. The controller is accountable for data subject rights and consent management. All instructions to the processor must be documented and lawful.

3. Data Processor

The processor acts on documented instructions provided by the controller. It must handle personal data only for defined purposes within agreed limitations. The processor cannot use the data for its own benefit. Security measures must be maintained during all processing activities. The processor remains obligated to assist with compliance and user rights.

4. Personal Data

Personal data refers to any information related to an identifiable individual. This includes contact details, identifiers, and user-specific interactions. Such data must be handled with care and processed with legal justification. Only relevant and necessary information is collected for operational purposes. Personal data should never be shared without authorization.

5. Processing Activities

Processing includes data collection, storage, access, transmission, and deletion. Each activity must align with the purpose agreed upon by both parties. Unauthorised processing is strictly prohibited. The processor must log all data-related operations as required. All processing activities must uphold privacy and security principles.

6. Data Security Measures

Appropriate technical and organisational measures must be taken to protect data. These may include encryption, access control, and regular system audits. Security procedures are continuously monitored and updated for reliability. The processor must promptly notify the controller of any vulnerabilities. Both parties must ensure systems remain secure and protected.

7. Confidentiality

All personnel involved in processing must maintain data confidentiality. Access to data is limited to those with legitimate responsibilities. Any breach of confidentiality is treated as a serious violation. Agreements and internal policies reinforce the need for discretion. Confidentiality survives the termination of the agreement.

8. Data Subject Rights

The processor must assist the controller in fulfilling user rights. These include access, correction, deletion, and data portability. Data subjects must be informed of how their data is used. Requests from individuals must be handled within designated timelines. Transparency is central to respecting individual rights.

9. Data Breach Response

In case of a data breach, the processor must inform the controller without undue delay. A detailed report must include the scope, impact, and corrective actions taken. The controller is responsible for notifying affected individuals where required. Response procedures are tested and reviewed regularly. Every incident must be thoroughly documented.

10. Subprocessing

Subprocessors may be engaged only with prior approval from the controller. They must comply with the same obligations as the main processor. Written agreements are required with all subprocessors. The primary processor remains liable for the actions of its subprocessors. Subprocessing arrangements must be transparent and accountable.

11. Compliance with Laws

Both parties must comply with applicable data protection regulations. This includes obligations related to data handling, storage, and transfer. The agreement may be updated to reflect changes in legal requirements. Any breach of law may result in enforcement actions. Compliance is a shared responsibility.

12. Audit Rights

The controller reserves the right to audit data processing practices. Audits ensure adherence to agreed terms and applicable standards. Reasonable notice must be given before conducting inspections. Processors must provide necessary access and documentation. Audit outcomes may lead to updates or corrective actions.

13. Data Deletion

Upon request or termination, all personal data must be securely deleted. The processor must confirm the deletion in writing. Backup systems must also be addressed during this process. Data must not be retained beyond the necessary period. Exceptions must be documented and justified.

14. Data Retention

Data is retained only for as long as needed for operational or legal purposes. Retention periods must be clearly defined and reviewed periodically. After expiry, data must be securely destroyed. Controllers and processors must maintain proper retention logs. Retention must not exceed the intended duration.

15. Notification Obligations

Each party must notify the other of any legal inquiries, breaches, or incidents affecting data. Timely communication supports collaborative response and mitigation. Notification must include relevant details for swift action. Channels of communication should remain open and reliable. Obligations apply throughout the duration of this agreement.

16. Liability

Each party is liable for their respective actions under the agreement. Liability extends to any misuse, breach, or negligence in handling data. Compensation may apply in case of damages. Limitations and exclusions are clearly defined in the agreement. Shared accountability ensures responsible data processing.

17. Indemnification

The processor agrees to indemnify the controller against claims arising from data mishandling. Indemnification covers legal costs, penalties, and damages. This clause reinforces the importance of compliance and care. Conditions for indemnity are specified in detail. It provides assurance and accountability for both parties.

18. Governing Law

This agreement is governed by the laws of India. All disputes shall be subject to the jurisdiction of appropriate courts. Legal interpretations will follow the rules of that region. The governing law clause ensures clarity and consistency. It applies to the full scope of the agreement.

19. Amendments to the Agreement

This agreement may be modified with mutual consent to reflect changes in services or regulations. Amendments must be documented and signed by both parties. Users will be informed of significant updates. Previous versions may be retained for recordkeeping. All changes become effective upon formal confirmation.
