This document was downloaded from ministryofsecurity.

co
 DATA PROCESSING AGREEMENT

This data processing agreement (”Agreement”), comprises of Annexes 1 and 2, and is an integral part of the
services agreement entered on [insert date] between Organisation(“Organisation”) and Vendor(“Company”)
(each individually a Party and collectively the “Parties”) and all further agreements and statements of work
executed under / under it (collectively, the “Main Agreement”). This Agreement is effective as of the date last
signed by the Parties below.

DEFINITIONS

The following terminology shall have the following meanings. Capitalized terms have not been defined herein
shall have the same meaning outlined in the Main Agreement.

a. “Affiliate” refers to an entity that controls and owns, is owned or controlled by, or is under common
control or ownership with a Party.

b. “Data Fiduciary” refers to the Party or Parties to this Agreement that establishes the purposes and
means of the Processing of Personal Data for purposes of the Agreement or the Main Agreement.

c. “Data Fiduciary Personal Data” refers to any Personal Data Processed by a Party under the Agreement
in its capacity as a Data Fiduciary.

d. “Data Protection Law(s)” refers to the entirety of all laws and regulations applicable to the Processing
of Organization Personal Data under the Agreement, which may include the India Digital Personal Data
Protection Act 2023.

e. “Data Subject” refers to an identified or identifiable natural person.

f. “Personal Data” refers to “personal information,” “personal data,” or equivalents as defined in

applicable Data Protection Laws. When applicable Data Protection Laws, are absent “Personal Data”
shall mean any information relating, directly or indirectly, to an identified or identifiable natural person.

g. “Process,” “Processes,” “Processing,” or “Processed” refers to any operation or set of operations that
is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as
collecting, recording, accessing, releasing, disclosing, making available, organizing, structuring, storing,
adapting or changing, consulting, retrieving, utilizing, disclosing by transmission, dissemination or
otherwise, combining or aligning, restricting, deleting or destructing.

h. “Processor” refers to a Party to this Agreement that processes Personal Data on behalf of Organization
or Organization Affiliates.

i. “Services” refers to the services provided or received by the Parties under the Main Agreement.

j. “Sub-processor” refers to a Processor engaged by a Processor, including a Company, to Process

Organization Personal Data.

k. “Organization Data Subject” refers to the Data Subject whose Organization Personal Data is, or will be,
Processed.

l. “Organization Personal Data” refers to Organization Data Subject Personal Data that is Processed by
Company for the purposes described in Annex 1 to this Agreement. For purposes of this Agreement,
Organization Personal Data does not include the name and contact information of those Organization
employees who are responsible for interacting with Company to perform under the Main Agreement,
and any Personal Data incidentally received by Company because of those communications and
interactions

1. GENERAL TERMS
1.1. General roles of Parties. The Parties acknowledge and consent that the Organization is Data
Fiduciary of the Organization Personal Data Processed in connection with the Main
Agreement, and that the Company is a Processor of such Personal Data, in which case the
Processor Terms outlined in Section 2 shall apply (in exclusion of the terms in Section 3).

1.2. Overview of Organisation Personal Data Processing. Company shall complete Annex 1, and
shall not Process Organization Personal Data other than as indicated in Annex 1 without
written permission of Organization received priorly. If the Company is designated as a
Processor in Section 1.1 above, the Parties acknowledge and agree that Annex 1 reflects the
Organization’s written instructions about the Processing of Organization Personal Data in
connection with the Agreement.

1.3. General requirements, limitations, and prohibitions. The company acknowledges and agrees
that:

1.3.1. The Organization's Personal Data is being provided to the Company solely for
purposes of performing its obligations under the Main Agreement, or as otherwise
specified or allowed by this Agreement or the Main Agreement.

1.3.2. It shall only Process Organization Personal Data for purposes of performing its
obligations under the Main Agreement, or as otherwise specified or allowed by this
Agreement or the Main Agreement and may not rent, sell, share, disclose, or
otherwise Process Organization Personal Data for any other purpose unless otherwise
agreed by the Parties in writing.

1.3.3. It understands and shall comply with all requirements under applicable Data
Protection Laws, and will provide the protections to Organization Personal Data as
are required by applicable Data Protection Laws.

1.3.4. It will notify the Organization if it determines that it can no longer meet its obligations
under applicable Data Protection Laws.

1.3.5. It will not combine the Organization's Personal Data with data from any other source,
company, organization, or entity, unless necessary to perform its obligations under
the Main Agreement. Company will not copy or reproduce Organization Personal
Data for its purposes or those of any Sub-processor or other third party.

1.3.6. Organization may take reasonable and appropriate steps to ensure that the Company
uses Organization Personal Data in a manner consistent with its obligations under
applicable Data Protection Laws, and may take reasonable and appropriate steps as
permitted under this Agreement and the Main Agreement to stop and remediate
unauthorized use of Organization Personal Data.

1.4. Data Security. The company will maintain appropriate measures to protect the integrity,
security, and confidentiality of all Organization Personal Data against any anticipated threats
or hazards, and/or unauthorized access to or use of such data, which measures shall include
at a minimum those outlined in Annex 2 to this Agreement.

1.5. Data Retention and Deletion

1.5.1. Provider shall maintain the Organization Personal Data for only as long as necessary
to perform its duties under the Main Agreement(s), unless otherwise a requirement
under applicable laws.

1.5.2. Upon termination or end of tenure of the Main Agreement(s) or earlier as requested
by Organization, Provider shall give back to Organization or destruct (at
Organization’s election) all Organization Personal Data in its possession, custody and
 control, except for such Personal Data as must be retained under law applicable
(which Provider shall destroy once it is no longer required under applicable law
directing it to retain). At the Organization’s request, the Provider shall provide the
Organization with a log that is written showcasing the evidence of the destruction
and any retention of Organization Personal Data.

1.6. Data Security Incidents

1.6.1. Notice to Organization. Company will inform` Organization within twenty-four (24)
hours of discovery of an actual or suspected unauthorized access to, or acquisition or
disclosure of, Organization Personal Data, or other actual or suspected violation of
security or confidentiality concerning Organization Personal Data in the possession or
control of Company, its representatives, and/or any Sub-processor of Company (a
“Data Security Incident”). Such notice shall be sent to the Organization persons or
team appointed to receive notices under the Main Agreement.

1.6.2. Third Party Notices. If a Data Security Incident requires notice to any regulator, Data
Subject, or another third party: (1) The Company shall help Organization in providing
such notifications if requested by the Organization; (2) Organization shall have sole
control over the content, timing, and method of distribution of any needed notice
unless otherwise required by law applicable; (3) Company may notify the affected
parties only upon Organization’s prior written approval and instructions unless
otherwise required by applicable law (in which case Company shall provide
Organization with a copy of such notice as soon as possible and in all events before
providing such notice to any regulator, Data Subject or another third party unless
otherwise required by law); and (4) Company shall reimburse Organization all
reasonable expenses incurred by Organization pertaining to notice concerning any
breach of security or confidentiality for which Company is wholly or partially
responsible.

1.6.3. Notice requirements. The notice to Organization required under Paragraph 1.6.1
shall include:

(i) a description of the Data Security Incident, including the location, date, and
time the Data Security Incident occurred and the location, date, and time
the Data Security Incident was discovered;

(ii) a description of the steps the Company has taken, or plans to take, to
investigate the Data Security Incident;

(iii) an overview of the impacted Organization Personal Data, including the types
of Organization Personal Data and whether the Organization Personal Data
was encrypted or redacted;

(iv) the number of impacted Organization Data Subjects and the city, state (if
applicable), and country of the Data Subjects; and

(v) the expected consequences of the Data Security Incident; and a description
of the steps Company has taken, or plans to take, to mitigate such
consequences.

1.7. Indemnification: Over and above to the terms outlined in the Main Agreement(s), the
Company agrees to fully indemnify, defend, and hold harmless the Organization, its directors,
officers, employees, and agents from and against any losses, damages, fees, and expenses
arising from any claims due to, arising out of, or relating in any way to Company’s loss,
alteration, or misuse of Organization Personal Data, or unauthorized access to or destruction
or disclosure of Organization Personal Data. Company shall defend against all third-party
 claims, suits and actions with counsel subject to Organization’s reasonable approval and shall
not enter into any settlement or compromise related thereto that contains an admission on
the part of or otherwise negatively impacts Organization in any manner without the prior
written consent of Organization.

2. PROCESSOR TERMS

2.1. Compliance with Organization instructions. Company shall only process Organization
Personal Data under the Organization’s written instructions, including as reflected in the Main
Agreement and this Agreement. If at any period the Company determines that it can no longer
process Organization Personal Data by the Organization’s written instructions and/or
applicable Data Protection Laws, the Company will notify the Organization and explain that
being no longer meets its processing obligations under this Agreement and/or applicable Data
Protection Laws. Upon such notice, the Organization shall have the right to take reasonable
and appropriate steps to stop and remediate the Company’s unauthorized processing of the
Organization's Personal Data.

2.2. Assistance to demonstrate compliance with laws. The company shall adequately assist the
Organization in demonstrating compliance with applicable Data Protection Laws, including by
responding promptly and adequately to inquiries from the Organization regarding such
compliance.

2.3. Information Security Risk Assessment. The company shall complete and pass an information
security risk assessment (“Risk Assessment”) conducted by the Organization’s Third-Party Risk
Management before the Effective Date. After the initial Risk Assessment, Company shall
complete Risk Assessments conducted by Organization’s Third-Party Risk Management
periodically (not more than once per year) or if any of the following occur: (i) Company begins
providing additional products or services to Organization that were not in scope during the
initial or latest assessment; (ii) the nature of or purposes for Processing Organization Personal
Data changes; (iii) Company begins transferring Organization Personal Data to a different third
country that was not in scope during the initial or latest assessment; (iv) Company makes a
material change to the Processing of Organization Personal Data that might impact the security
of that data or Company’s ability to comply with this Agreement; (v) an assessment is
reasonably necessary for Organization to comply with Data Protection Laws or other data
security compliance obligations; (vi) an assessment is reasonably necessary for Organization
to comply with a request, order, or settlement with a supervisory or other legal obligation; or
(vii) a Data Security Incident occurs.

2.3.1. Assessment Requirements. The company shall provide to the Organization all
information logically necessary to complete the Risk Assessment. Such information
may include but is not limited to, risk assessment questionnaires; information
security policies and procedures; data classification and handling policies and
procedures; data security compliance or audit reports that assess the effectiveness
of the Company’s information security program, system(s), internal controls, and
procedures relating to the Processing of Organization Personal Data against an
industry-accepted framework such as ISO, SSAE16, SOC, or NIST; and other
information requested by Organization to assess Company’s information security
program, controls, and Processing of Organization Personal Data. Copies of
Company’s policies, procedures, or other documents may be provided to the
Organization, or presented over a mutually agreed-upon screen-sharing application.

2.4. Organization Audits. In addition to the Risk Assessment in Section 2.3 and upon reasonable
advance written notice, the Organization may (not more than once per year) during normal
business hours and at its own expense, audit the Company’s facilities, networks, systems,
procedures, Processing and maintenance of Organization Personal Data, and compliance with
this Agreement. Notwithstanding the foregoing, the Organization shall be permitted to
exercise such audit right any time a Data Security Incident (as defined in Section 1.6.1 above)
 has occurred or when required to comply with Data Protection Laws, a request, order, or
settlement with a Data Protection Authority, or other legal obligation. Company shall
reasonably cooperate with such audit by providing access to knowledgeable personnel,
physical premises as applicable, documentation, infrastructure, and any application software
that Processes Organization Confidential Information and/or Organization Personal Data or
otherwise has access to Organization’s facilities, networks, systems, procedures. Organization
shall be responsible for its costs and expenses of such audit (or the fees and costs of the third
party performing the audit), unless such audit reveals, or is initiated because of, a material
breach of the Main Agreement including this Agreement, in which case Company will
reimburse Organization for such costs and expenses. The company will promptly address and
correct all deficiencies identified in any such audit.

2.5. Requests or Demands from Governmental or Regulatory Bodies. Company shall inform
Organization as soon as possible if it receives a request or demand from a governmental or
regulatory body with authority over Company or Organization relating to Company’s
Processing of Organization Personal Data, and shall fully cooperate with Organization in
connection with any response to such request or demand.

2.6. Data Subject Rights. Company shall promptly notify Organization of any request by an
Organization Data Subject to exercise their rights under applicable Data Protection Laws, and
reasonably assist Organization to fulfill such request. Company shall not respond to such
requests, unless instructed by Organization to do so.

2.7. Data Handling Frameworks: If requested by Organization, Company shall further agree to
contractually comply with PCI DSS Standards, as well as similar and other frameworks, if and
to the extent such frameworks apply to Company’s processing of the Organization Personal
Data.

2.8. Sub-processors

2.8.1. Permitted Sub-processors. Organization and Company agree that Company may not
engage any Sub-processor to Process Organization Personal Data, other than those
identified in Annex 1 to this Agreement, unless with Organization’s prior written
approval as indicated in this paragraph. In the event Company seeks to engage a Sub-
processor not identified in Annex 1, Company shall notify Organization of its intent
to engage such Sub-processor, and the purposes for which it will process Organization
Personal Data, at least 30 days prior to any Processing of Organization Personal Data
by the Sub-processor. If Organization does not object to such engagement,
Organization will be deemed to have approved such engagement.

2.8.2. Sub-processor obligations. Company will not permit any Sub-processor to Process
Organization Personal Data, unless Company and the Sub-processor have entered
into an agreement that imposes obligations on the Sub-processor that are no less
restrictive and at least equally protective of Organization Personal Data than those
imposed on Company under this Agreement. Organization may request a copy of such
agreement between Company and any Sub-processor, and may withhold consent to
the use of such Sub-Processor if Company does not provide such agreement or such
agreement does not contain sufficient protection of Organization Personal Data.
Company may redact such agreement prior to sharing with Organization to the extent
necessary to protect its trade secrets or confidential information.

2.8.3. Sub-processor compliance with Data Protection Laws. Company is responsible for
ensuring the compliance of Sub-processors with applicable Data Protection Laws, and
with Company’s agreements with Sub-processors consistent with Section 2.8.2 of this
Agreement, as relates to Sub-processors’ Processing of Organization Personal Data.
 2.8.4. Liability. Company’s use of Sub-processors does not affect or limit Company’s liability
under this Agreement.

3. DATA FIDUCIARY TERMS

3.1. Roles of Parties. Each Party:

3.1.1. is an independent Data Fiduciary of Data Fiduciary Personal Data under the Data
Protection Laws, and will not process Data Fiduciary Personal Data as joint data
fiduciaries.

3.1.2. will individually establish the purposes and means of its Processing of Data Fiduciary
Personal Data.

3.1.3. is accountable for its compliance with applicable Data Protection Laws, including as
relates to notifying Data Subjects of its Processing of their Personal Data and how
they may exercise their rights, and obtaining any required consents.

3.1.4. will abide by with the obligations applicable to it under the Data Protection Laws
concerning the processing of Data Fiduciary Personal Data.

3.2. Restrictions. Section 3.1 does not affect any restrictions on either Party’s rights to use or
otherwise Process Data Fiduciary Personal Data under the Main Agreement.

4. MISCELLANEOUS

4.1. Termination and Survival. This Agreement and all provisions herein shall survive so long as,
and to the extent that, Company processes or retains Organization Personal Data.

4.2. Counterparts. This Agreement may be executed in any number of counterparts and any Party
(including any duly authorized representative of a Party) may enter into this Agreement by
executing a counterpart.

4.3. Non-compliance: The Company shall swiftly inform the Organization if it is unable to comply
with this Agreement. If the Company cannot comply within a reasonable period, or the
Company is in substantial or consistent breach of this Agreement or its obligations under this
Agreement, the Organization shall be entitled to terminate the Agreement and the Main
Agreement insofar as it concerns the processing of Organization Personal Data.

4.4. Ineffective clause. If individual provisions of this Agreement are or become ineffective, the
effectiveness of the remaining provisions shall not be impacted. The Parties shall replace the
ineffective clause with a legally allowed clause, which will accomplish the intended commercial
intention as closely as possible.

4.5. Conflicts. In case of contradictions between this Agreement and the provisions of the Main
Agreement, the provisions of this Agreement shall hold true.

Annex 1 - Organizational/Administrative, Physical and Technical Measures

1. Organizational/Administrative Security Measures: The company has implemented, and will maintain
and update as suitable throughout its Processing of the Organization's Personal Data:

1.1. A written and comprehensive information security program in compliance with applicable data
protection laws.

1.2. A data loss prevention program that reflects reasonable policies or procedures designed to
detect, prevent, and mitigate the risk of data security breaches or identify theft, which shall
 include at a minimum:

1.2.1. appropriate policies and technological controls designed to prevent loss of

Organization Personal Data; and

1.2.2. a disaster recovery/business continuity plan that addresses ongoing access,

maintenance, and storage of Organization Personal Data as well as security needs for
backup sites and alternate communication networks.

1.3. Policies and procedures to limit access to Organization Personal Data to those who require
such access to perform their roles and responsibilities in connection with the Main Agreement,
including regular updates to such access based on changes to the Company’s personnel,
policies, or procedures.

1.4. Procedures to verify all access rights through effective authentication methods.

1.5. A government agency data access policy that refuses government access to data, except where
such access is required by law, or where there is sufficient risk of serious harm to individuals.

1.6. Policies and procedures for assessing legal basis for, and responding to, government agency
requests for data.

1.7. Specific coaching of personnel accountable for managing government agency requests for
access to data, which may include requirements under applicable Data Protection Laws.

1.8. Processes to document and record government agency requests for data, the response
provided, and the government authorities involved.

1.9. Procedures to notify the Organization about any request or requirement for government
agency access to data, unless legally prohibited.

2. Physical Security Measures

2.1. The company has implemented, and will maintain and update as appropriate throughout its
Processing of Organization Personal Data, appropriate physical security measures for any
facility used to Process Organization Personal Data and continually monitor any changes to the
physical infrastructure, business, and known threats.
3. Technical Security Measures: The company shall throughout its Processing of the Organization's
Personal Data:
3.1. perform vulnerability scanning and assessments on applications and infrastructure used to
Process Organization Personal Data.
3.2. secure its computer networks using multiple layers of access controls to protect against
unauthorized access.
3.3. restrict access through protocols such as, but not limited to, management go aheads, sturdy
controls, logging, and monitoring access events and audits resulting subsequently.
3.4. identify computer systems and applications that command security event monitoring and
logging, and appropriately maintain and analyze log files.
3.5. use up-to-date, industry standard, commercial virus/malware scanning software that
successfully finds out malicious code on all of its systems that Process Organization Personal
Data.
3.6. encrypt Organization Personal Data which are in transit.
3.7. encrypt Organization Personal Data at rest and solely manage and secure all encryption keys
(i.e. no other third party shall have access to these encryption keys, including Sub-processors).
Signed for and on behalf of:

Organisation Company

Signature:___________________________ Signature:___________________________

Name:____________________________ Name:_____________________________

Title:________________________________ Title:________________________________