This Data Processing Agreement (“DPA”) is entered into by and between Zeacloud Services Private Limited (the "Processor"), a company incorporated under the laws of India with its registered office at D-147, Okhla Industrial Area, Phase-1, New Delhi 110020, India, and
The Customer (the "Controller" or "You"), the entity that has entered into the Principal Agreement (defined below) with the Processor for the provision of Services. This DPA forms an integral part of the Master Services Agreement, Terms of Service, or equivalent contract (the "Principal Agreement"), and it clarifies the Parties' obligations concerning the Processing of Personal Data. The effective date of this DPA shall be the effective date of the Principal Agreement.
This DPA governs the obligations of both the Controller and the Processor in relation to the Processing of Personal Data carried out by the Processor on behalf of the Controller in the course of providing the Services under the Principal Agreement. The Parties affirm that the Controller retains the status of Data Controller (or Data Fiduciary, as per the DPDP Act) as it determines the purpose and means of Processing, while the Processor acts strictly as the Data Processor (the DPDP Act uses the same term) and only processes Personal Data on the Controller's documented instructions.
This Agreement is subject to all Applicable Data Protection Laws, which include, without limitation, the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, and, where applicable to the Controller's operations or the data being processed, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and other relevant data protection legislation. All capitalized terms not explicitly defined herein shall bear the meaning ascribed to them under the Applicable Data Protection Laws, particularly terms like Personal Data (or Digital Personal Data), Data Principal (or Data Subject), and Processing.
The specific details regarding the subject matter, nature, purpose, and duration of the Processing, the types of Personal Data involved, and the categories of Data Principals are comprehensively documented in a separate Appendix or Schedule to this DPA (which should always be included, even if not drafted here, to meet legal standards). The duration of Processing shall be coterminous with the Principal Agreement, unless mandatory law dictates longer retention periods, as provided for in Clause 7.3.
The Controller warrants that it has the requisite legal basis (e.g., consent, legitimate interest, or compliance with law) to collect the Personal Data and to instruct the Processor to perform the agreed-upon Processing activities. The Controller shall ensure that its instructions to the Processor comply with all Applicable Data Protection Laws, including ensuring transparency and, where legally necessary, obtaining valid consent from the Data Principals for the Processing undertaken by the Processor. The Controller acknowledges that the Processor is solely acting upon the Controller's instructions concerning the data uploaded to the Services.
The Controller shall indemnify and hold harmless the Processor against all claims, liabilities, costs, and expenses (including reasonable attorney fees) arising from any third-party claim alleging that the Processor's processing of data according to the Controller's instructions infringes any Applicable Data Protection Law, except to the extent such claims arise from the Processor's gross negligence or willful misconduct in violating its specific obligations under this DPA.
The Processor shall Process Personal Data strictly in compliance with the documented instructions of the Controller, as set forth in the Principal Agreement and this DPA. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law. The Processor shall not be required to process Personal Data where the Controller's instructions are deemed unlawful.
The Processor shall ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be granted only on a strict need-to-know basis and shall be subject to robust access controls.
The Processor shall implement and maintain appropriate Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk, particularly concerning accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These TOMs shall include, at minimum, measures for pseudonymisation and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. Specific categories of TOMs are to be documented in a separate Annex to this DPA and may include controls aligned with standards like ISO 27001 or SOC 2.
The Controller grants the Processor a general authorization to engage other third parties as Sub-processors to assist in providing the Services (e.g., data centre operators, specialized network providers). The Processor shall maintain an updated list of all Sub-processors used for the Services, and this list shall be made reasonably available to the Controller.
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, providing the Controller with a reasonable opportunity to object to such changes on reasonable grounds related to data protection compliance. If the Controller objects, and the Processor cannot reasonably accommodate the objection, either Party may terminate the part of the Services affected by the change without penalty.
Where the Processor engages a Sub-processor, the Processor shall enter into a written agreement with that Sub-processor that imposes data protection obligations that are substantively the same as those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations regarding the Processing of Personal Data.
The Processor shall, where possible, assist the Controller by appropriate TOMs in fulfilling the Controller's obligation to respond to requests from Data Principals exercising their rights under Applicable Data Protection Law (e.g., right to access, right to correction, right to erasure). Given the nature of cloud infrastructure (IaaS) services, the Processor may simply forward the request to the Controller for handling, as the Controller is best positioned to verify the Data Principal's identity and determine the legality of the request.
The Processor shall provide reasonable assistance to the Controller with respect to the Controller's obligations to carry out Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, such as the Data Protection Board of India (DPBI), where such obligations relate to the Processing of Personal Data by the Processor under this DPA. The Processor shall be entitled to charge the Controller for the costs of providing such assistance.
a. The Data Processor shall notify the Data Controller of any actual or suspected Personal Data Breach (as defined by Applicable Data Protection Law) or any other Incident (as defined below) affecting the Controller's Personal Data without undue delay, and in no event later than forty-eight (48) hours after becoming aware of the event. This prompt notification is critical to allow the Data Controller to meet its legal obligations for reporting data breaches.
b. The Data Processor shall, at all times following the discovery of the Incident, cooperate fully with the Data Controller and follow the Data Controller's reasonable instructions to enable a thorough investigation, the formulation of a correct response, and the taking of suitable further steps, including the required notification to the DPBI (or other relevant supervisory authority) and communication to the Data Principals.
For the purposes of this Article 6, an "Incident" shall mean any event with a material impact on the processing of Personal Data, including, but not limited to:
The initial notification and any subsequent updates made pursuant to this Article shall contain, at minimum, the following information to assist the Data Controller in fulfilling its reporting obligations under Applicable Data Protection Law:
The Data Processor shall implement written procedures to manage and respond to Incidents and shall maintain detailed records of all Incidents, including the facts relating to the Incident, its effects, and the remedial action taken. These records shall be made available to the Data Controller upon request.
The Data Processor shall make available to the Data Controller all necessary information to demonstrate compliance with the obligations laid down in this DPA. The Data Controller may conduct an audit of the Data Processor's compliance, provided that the Data Controller limits such audit to reviewing audit reports and security certifications (e.g., SOC 2, ISO 27001) provided by the Data Processor, which shall be made available upon reasonable request, subject to the Data Processor's confidentiality undertakings. Any on-site audit shall be conducted only under exceptional circumstances, upon reasonable advance written notice (e.g., 60 days), and at the Data Controller's expense, and shall not interfere unreasonably with the Data Processor's operations.
Notwithstanding any provision for return or deletion, the Data Processor may retain Personal Data only as strictly required to comply with mandatory statutory or regulatory retention requirements under laws to which the Data Processor is subject. In such cases, the Data Processor shall ensure the confidentiality of the retained Personal Data and Process it solely for the purpose of fulfilling that legal obligation, and shall inform the Controller of the legal basis for, and duration of, the required retention.
Upon the termination or expiry of the Principal Agreement or this DPA, the fulfillment of all agreed processing purposes, or at any time upon the Data Controller's written request, the Data Processor shall, at the sole written discretion of the Data Controller, either securely delete, destroy, or return all Personal Data and any existing copies thereof (including physical documents, backups, and residual electronic copies) to the Data Controller. The Data Processor shall certify in writing to the Data Controller that all such data has been completely deleted or returned within a time frame agreed upon by the Parties, and shall implement all necessary measures to prevent any further processing of the Personal Data.
The Data Processor is obligated to notify and enforce this destruction or return requirement upon all third-party sub-processors engaged in the processing of the Personal Data. The Data Processor must ensure that these sub-processors either destroy or return the Personal Data to the Data Controller, strictly following the Data Controller's explicit instruction. The Data Processor remains responsible for the final disposition of the data by all parties acting under its direction.
The Parties acknowledge that effective security is a dynamic and evolving requirement. The Data Processor shall, on an ongoing basis, evaluate and maintain the technical and organizational measures implemented under Section 4 to ensure their continued compliance with EU Data Protection Law.
Where material changes to the measures are required due to updated security requirements specified in EU Data Protection Law or by competent data protection authorities, the Parties shall negotiate in good faith the cost of implementing such changes.
Should an instruction from the Data Controller to the Data Processor to implement new or improved security measures necessitate an amendment to the underlying Service Agreement, the Parties agree to negotiate such an amendment in good faith.
The Data Processor shall, through the implementation of appropriate technical and organisational measures and to the extent feasible, provide comprehensive assistance to the Data Controller for the fulfilment of all its legal obligations under EU Data Protection Law. This assistance primarily includes enabling the Controller to respond effectively to requests from data subjects exercising their rights (such as access, rectification, or erasure), and aiding the Controller in maintaining compliance with the security obligations outlined in the DPA. Furthermore, taking into account the nature of the processing, the Data Processor must actively assist the Controller with other complex duties, including notifications regarding Personal Data Breaches to both a supervisory authority and the affected Data Subjects, the process of undertaking a Data Protection Impact Assessment (DPIA), and any necessary prior consultations with supervisory authorities.
To demonstrate compliance and uphold accountability, the Data Processor must make available to the Data Controller all relevant information required to evidence that the Processor is meeting its obligations under this Agreement. Critically, the Data Processor shall allow for and actively contribute to audits, including any inspections conducted by the Data Controller or an independent third-party auditor mandated by the Controller, to verify the security and compliance measures in place. This clause ensures that the Data Controller retains the necessary oversight and support to remain fully accountable for the entire processing operation.
This Data Processing Agreement shall become legally effective and commence on the same date as the underlying Service Agreement, thereby ensuring that all legal protections and obligations apply from the very first moment Personal Data is processed. The Data Processor is authorized to process Personal Data only until the date of expiration or termination of the Service Agreement, unless the Data Controller provides specific written instructions to the contrary, or until such data has been fully returned or destroyed in accordance with Article 9. This ensures that the processing is strictly tied to the contractual relationship and the defined purposes.
Crucially, the termination or expiration of this Data Processing Agreement will not, under any circumstances, discharge the Data Processor from its fundamental obligations regarding confidentiality and security, particularly those detailed in Article 3 (Confidentiality). These duties concerning the protection and non-disclosure of the Personal Data must legally survive the contractual relationship, ensuring the long-term integrity and secrecy of the data even after the services have concluded.
This DPA shall be governed by and construed in accordance with the laws of India, without regard to its conflict of laws principles. The Parties agree that any dispute or claim arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts located in Delhi, India.
In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail solely to the extent of such conflict or inconsistency concerning the Processing of Personal Data.
Should any provision of this DPA be determined to be invalid or unenforceable, the validity and enforceability of the remaining provisions of this DPA shall not be affected, and such invalid or unenforceable provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable.
© Copyright ZeaCloud Services Pvt. Ltd. 2024.