
Data Handling Terms And Conditions

These terms were last updated on 14th March 2024.

1. Definitions And Interpretation:

In these Terms the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified.

"Appropriate Technical and Organisational Measures" shall be interpreted in accordance with applicable Data Protection Legislation;

“Authorized Persons” means authorized representatives, employees, agents, auditors and Sub-Processors of the Company who have a need to know or otherwise access Personal Data to enable the Company to perform obligations under the Agreement and Terms, and who are bound by confidentiality obligations sufficient to protect Personal Data in accordance with these Terms;

“Data Processing Addendum” (“DPA”) means the DPA detailing the personal data processing conducted by the Company for the Customer for the purposes of obligations to be provided by the Company to the Customer. This DPA shall be applicable only for Customers based in the EU region;

"Data Protection Legislation" means any and all data protection and privacy legislation in force from time to time in those parts of the world in which the parties operate and/or Process Personal Data (either directly or through a third party).

"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

"Data Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller by itself, jointly or through its Sub-Processors;

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Personal Data" means any information that identifies or could be used to identify a Data Subject. This includes information about the Data Subject (e.g. name, age, e-mail, address, identification number, financial account numbers, State/Member Union or Government issued ID cards, biometric or health data and other unique identifiers). It also includes online identifiers, location data or any other factors alone or in combination that relate to a specific Data Subject to be singled out or any information relating to a Data Subject obtained in relation to activities governed by the applicable Data Protection Legislation. Personal Data shall be deemed to be highly confidential information of the Data Controller;

"Process/Processing" means all operations and activities which involve Personal Data, including collecting, handling, updating, storing, deleting, sharing, accessing, using, transferring and deletion of Personal Data;

"Sub-Processors" shall mean any third party appointed by or on behalf of the Company to process Personal Data in connection with provisioning of SaaS Offering as envisaged under the Agreement; and

"Security Breach" means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data that the Data Processor Processes.

2. Standard of Care for Processing of Personal Data:

a. Company acknowledges and agrees that Customer is the Data Controller; Company may receive or have access to Personal Data and may process the Personal Data. While processing the Personal Data, the Company shall comply with the terms and conditions set forth in these Terms in its collection, receipt, transmission, handling, storage, disposal, use and disclosure of such Personal Data. Company shall be responsible for and remain liable to Customer for the actions and omissions of all its Authorized Persons, concerning the treatment of Personal Data as if they were the Company’s own actions and omissions.

b. The Company covenants to:

(i) keep and maintain all Personal Data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure;

(ii) use and disclose Personal Data solely and exclusively for the purposes for which the Personal Data, or access to it, is provided pursuant to the terms and conditions of these Terms, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Data for Company’s own purposes or for the benefit of anyone other than Customer, in each case, without Customer’s prior written consent;

(iii) not, directly or indirectly, disclose Personal Data to any person other than its Authorized Persons (“Unauthorized Third Party” including its affiliates), without express written consent from Customer, unless and to the extent required by Government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, Company shall (i) use best efforts to notify Customer before such disclosure or as soon thereafter as reasonably possible; (ii) be responsible for and remain liable to Customer for the actions and omissions of such Unauthorized Third Party concerning the treatment of such Personal Data as if they were Company’s own actions and omissions;

(iv) implement Appropriate Technical and Organisational Measures and in so far as is possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights.

c. Sub-Processors:

Company engages Sub-Processors to process Personal Data by or on behalf of Company in connection with provisioning of the SaaS Offering under the Agreement. The Sub-Processors are listed here, and such Sub-Processors are deemed approved. If the Company notifies the planned commissioning of a new Sub-Processor to the Customer and the Customer has not explicitly objected to the planned deployment of the Sub-Processor in writing within fifteen (15) Business Days upon receipt of such notification, then such Sub-Processor shall be deemed approved. Such notification shall be sent to the details provided by the Customer in this form.

d. Data Transfer Mechanism:

The Company processes and transfers the Data to the sub-processors listed above, and such transfers shall not be objected to by the Customer.

3. Information Security:

a. Company represents and warrants that its collection, access, use, storage, disposal and disclosure of Personal Data does and will comply with all applicable Data Protection Legislation, as well as all other applicable regulations and directives.

b. The Company shall implement appropriate Technical and Organisational Measures and administrative safeguards to protect Personal Data that are no less rigorous than accepted industry practices by obtaining certifications such as ISO 27001:2013, SOC 2 Type II and GDPR. The Company shall ensure that all such safeguards, including the manner in which Personal Data is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable Data Protection Legislations, as well as the terms and conditions of these Terms.

c. At a minimum, Company’s safeguards for the protection of Personal Data shall include: (i) role based access controls for Customer's Data access; (ii) using secure and renowned data centres, servers, back-up systems and computing equipment; (iii) implementing network, device, application, database, and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls; (vi) encrypting Personal Data transmitted over public networks; (viii) strictly segregating Personal Data from other information, so that Personal Data is not commingled with any other types of information; (I don't think this is done within the system or database); (ix) implementing appropriate personnel security and integrity procedures and practices; and (x) providing appropriate privacy and information security training to the relevant stakeholders.

d. During the term of each Authorized Person’s employment by Company, Company shall always cause such Authorized Persons to abide strictly by Company’s obligations similar to those under these Terms and the applicable Data Protection Legislations.

4. Security Breach Procedures:

a. Company shall notify Customer of a Security Breach as soon as practicable, but no later than forty-eight (48) hours after Company becomes aware of it; and

b. Immediately following Company’s notification to Customer of a Security Breach, the Company shall investigate the Security Breach and shall take reasonable steps to/use best efforts to immediately remedy any Security Breach and prevent any further Security Breach in accordance with applicable Data Protection Legislation, rights and standards.

c. Company agrees that it shall not inform any third party, unless required under applicable law, of any Security Breach without first obtaining Customer’s prior written consent.

d. Company agrees to fully cooperate with Customer in providing any information, under the orders of the court, or other formal action deemed necessary by Customer to protect its rights relating to the use, disclosure, protection and maintenance of Personal Data. In providing such information, Company shall not be deemed to be in breach of its obligation here.

e. Where the Company receives a request, Company shall (i) not directly respond to such request, (ii) forward the request to Customer and (iii) provide assistance according to further instructions from the Customer.

f. In the event of any Security Breach, Company shall promptly use its best efforts to prevent a recurrence of any such Security Breach.

5. Audits:

a. Upon Customer’s written request, Company shall provide Customer with the results of any audit by or on behalf of Company performed that assesses the effectiveness of Company’s information security program as relevant to the security and confidentiality of Personal Data shared under the Agreement.

b. The Company shall on request by the Customer fill out a security assessment or a questionnaire provided by Customer. Company shall manage identified gaps in the same way as other audit findings.

6. Destruction of Personal Data:

a. At any time during the term/expiry of the Agreement upon receiving a written request by Customer, Company shall delete the requested data within 30 (thirty) days of such request whether in written, electronic or other form or media, of Personal Data in its possession or the possession of such Authorized Persons, and certify in writing to Customer that such Personal Data has been deleted or disposed of securely.

b. Company shall comply with all directions provided by Customer with respect to the deletion or disposal of Personal Data.