Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller ("Controller"): The entity that has agreed to DataCrux's Terms of Service and uses DataCrux services to process personal data (referred to as "you" or "Customer").
• Data Processor ("Processor"): DataCrux Technologies Pvt. Ltd., a company incorporated in India, which processes personal data on behalf of the Controller (referred to as "DataCrux," "we," "our," or "us").

This DPA supplements and forms part of the agreement between the Controller and DataCrux for the provision of DataCrux services. It reflects the parties' commitment to comply with applicable data protection laws, including India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the EU General Data Protection Regulation ("GDPR").

2. Definitions

In this DPA, the following terms have the meanings set out below:

• Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"), as defined under the DPDP Act and GDPR.
• Processing: Any operation or set of operations performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• Sub-Processor: Any third party appointed by DataCrux to process personal data on behalf of the Controller.
• Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
• Data Principal: The individual to whom the personal data relates, as defined under the DPDP Act (equivalent to "Data Subject" under the GDPR).
• Applicable Data Protection Laws: All applicable laws and regulations relating to the processing of personal data, including the DPDP Act, GDPR, and any implementing or supplementary legislation.

3. Scope of Processing

DataCrux will process personal data only to the extent necessary to provide the services agreed upon with the Controller. The details of the processing are as follows:

• Purpose of Processing: To provide data discovery, consent management, and privacy compliance services as described in the applicable service agreement.
• Categories of Data Subjects: Employees, customers, website visitors, and other individuals whose data is processed through DataCrux services.
• Types of Personal Data: Contact information, identification data, usage data, consent records, and other personal data as specified in the service agreement.
• Duration of Processing: For the term of the service agreement between the Controller and DataCrux, unless a different retention period is required by law.

4. Data Processor Obligations

DataCrux, as Data Processor, shall:

• Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
• Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
• Assist the Controller in ensuring compliance with obligations relating to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• At the Controller's choice, delete or return all personal data upon termination of the service agreement, unless applicable law requires retention.
• Make available to the Controller all information necessary to demonstrate compliance with applicable data protection obligations.

5. Sub-Processors

DataCrux may engage Sub-Processors to assist in providing its services. We will:

• Maintain an up-to-date list of Sub-Processors and make it available to the Controller upon request.
• Inform the Controller of any intended changes to Sub-Processors, giving the Controller the opportunity to object to such changes within 30 days.
• Impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA.
• Remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

6. Data Subject Rights

DataCrux will assist the Controller in fulfilling its obligations to respond to Data Subject (or Data Principal) requests to exercise their rights under the DPDP Act and GDPR, including:

• Right of Access: The right to obtain confirmation of whether personal data is being processed and to access that data.
• Right to Correction: The right to have inaccurate or incomplete personal data corrected.
• Right to Erasure: The right to request deletion of personal data when it is no longer necessary for the purpose it was collected.
• Right to Withdraw Consent: The right to withdraw consent at any time where processing is based on consent.
• Right to Data Portability (GDPR): The right to receive personal data in a structured, commonly used, and machine-readable format.
• Right to Grievance Redressal (DPDP Act): The right to have grievances addressed by the Data Fiduciary in a timely manner.

DataCrux will promptly notify the Controller if it receives a request from a Data Subject directly and will not respond to such requests except on the Controller's documented instructions.

7. Security Measures

DataCrux implements and maintains appropriate technical and organisational security measures, including but not limited to:

• Encryption: Personal data is encrypted at rest and in transit using industry-standard encryption protocols.
• Access Controls: Role-based access controls with multi-factor authentication for all personnel accessing personal data.
• Network Security: Firewalls, intrusion detection and prevention systems, and regular vulnerability scanning.
• Monitoring: Continuous monitoring and logging of access to personal data and systems.
• Business Continuity: Regular backups, disaster recovery plans, and redundancy measures to ensure availability of personal data.
• Employee Training: Regular data protection and security awareness training for all employees who handle personal data.
• Incident Response: Documented incident response procedures to detect, contain, and remediate security incidents.

8. Data Breach Notification

In the event of a Data Breach involving personal data processed on behalf of the Controller, DataCrux will:

• Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, as required by the GDPR.
• Notify the Data Protection Board of India as required under the DPDP Act.
• Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant supervisory authority and affected Data Subjects.
• Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
• Document all Data Breaches, including the facts surrounding the breach, its effects, and the remedial actions taken.

9. Data Transfers

DataCrux shall not transfer personal data to a country or territory outside India or the European Economic Area ("EEA") unless:

• The transfer is to a country that has been deemed to provide an adequate level of data protection by the relevant authority.
• Appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or binding corporate rules.
• The transfer is permitted under the DPDP Act, including to countries or territories notified by the Central Government of India as permitted jurisdictions.
• The Controller has provided prior written consent to such transfer.

DataCrux will inform the Controller of any cross-border data transfers and the safeguards implemented to protect the personal data during such transfers.

10. Audit Rights

DataCrux will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection laws. The Controller or its appointed auditor may:

• Request and review DataCrux's data protection policies, procedures, and records.
• Conduct audits, including inspections, of DataCrux's processing activities, with reasonable prior notice and during normal business hours.
• Request evidence of compliance certifications, security assessments, and penetration test results.

DataCrux will cooperate with and assist the Controller in any such audits. If an audit reveals non-compliance with this DPA, DataCrux will promptly take all necessary steps to remedy the non-compliance at its own expense.

11. Term and Termination

This DPA shall remain in effect for the duration of the service agreement between the Controller and DataCrux. Upon termination or expiry of the service agreement:

• DataCrux will, at the Controller's election, return or securely delete all personal data processed on behalf of the Controller within 30 days of termination.
• DataCrux will provide certification of deletion upon the Controller's request.
• Any provisions of this DPA that by their nature should survive termination will continue to apply, including obligations relating to confidentiality, liability, and data breach notification.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the service agreement between the Controller and DataCrux, except that:

• Neither party limits its liability for breaches of its obligations under applicable data protection laws where such limitation is not permitted by law.
• DataCrux shall be liable for damage caused by processing only where it has not complied with obligations under the DPDP Act or GDPR specifically directed at processors, or where it has acted outside or contrary to lawful instructions of the Controller.
• Each party shall indemnify the other against all costs, claims, damages, or expenses incurred as a result of any breach of this DPA or applicable data protection laws by the indemnifying party.

For questions about this Data Processing Agreement, contact us at privacy@datacrux.ai.

DataCrux Technologies Pvt. Ltd.
India