Politique en matière de cookies

This Data Processing Agreement ("DPA") is entered into as of the date last signed below (the "Effective Date") and reflects the Parties' agreement with respect to the terms governing the processing of Personal Data under the Master Sales Agreement. This DPA is an addendum to the MSA and is effective upon its incorporation into the MSA. The term "MSA" means the Master Sales Agreement and any statements of work, purchase orders, or other agreements entered into thereunder between the Parties. The term of this DPA shall follow the term of the MSA. Terms not otherwise defined herein shall have the meaning as set forth in the MSA.

‍
Ramanathan Software Private Limited, a company incorporated under the Companies Act, 2013, having its registered office at IndiQube Ascent, 420, Mahakavi Vemana Rd, KHB Block Koramangala, Bengaluru, Karnataka 560034, India, hereinafter referred to as the "Data Processor"; and the Customer as further specified in the MSA, hereinafter referred to as the "Data Fiduciary". The Data Processor and Data Fiduciary are hereinafter referred to individually as "Party" or collectively as "Parties".

Whereas:

Background

• The Data Fiduciary and     Data Processor have entered into the MSA pursuant to which the Data     Processor provides various items and/or services to the Data Fiduciary and     may receive, maintain, or transmit Digital Personal Data on behalf of the     Data Fiduciary.
• The Parties are committed     to complying with the Digital Personal Data Protection Act, 2023, the     Information Technology Act, 2000, and their respective Rules and     regulations, including the information security and reporting requirements     thereunder (collectively, the "Applicable Data Protection     Laws").

Inconsideration of the promises contained in this DPA and the MSA and for other good and valuable consideration, the receipt and sufficiency of which is acknowledged, the Parties agree as follows:

1. Definitions

All capitalized terms used but not otherwise defined in this DPA shall have the same meaning as in the Applicable Data Protection Laws. For the purposes of this DPA:

• "Child" means an individual who has not completed the age of eighteen (18) years.
• "Consent Manager" means a person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review, and     withdraw consent through an accessible, transparent, and interoperable platform.
• "Data" means  a representation of information, facts, concepts, opinions, or  instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
• "Data Fiduciary" means any person  who alone or in conjunction with other persons determines the purpose and     means of processing of Personal Data.
• "Data Principal" means the  individual to whom the Personal Data relates, and where such individual     is: (i) a Child, includes the parents or lawful guardian of such Child; or (ii) a person with disability, includes the lawful guardian acting on     their behalf.
• "Data Processor" means any person who processes Personal Data on behalf of a Data Fiduciary.
• "Data Protection  Board" means the Data Protection Board  of India established under the DPDPA.
• "Digital Personal Data" means Personal Data in digital  form.
• "DPDPA" means     the Digital Personal Data Protection Act, 2023, as amended from time to     time, together with all rules, regulations, and guidelines made     thereunder.
• "Effective Date" has the meaning given to it in     the introduction of this DPA.
• "Personal Data" means     any data about an individual who is identifiable by or in relation to such     data.
• "Personal Data Breach" means any unauthorized processing of Personal Data, or accidental disclosure,     acquisition, sharing, use, alteration, destruction, or loss of access to Personal Data that compromises the confidentiality, integrity, or     availability of Personal Data.
• "Processing" means a wholly or partly automated operation or set of operations performed on  Digital Personal Data, and includes operations such as collection,     recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission,     dissemination, restriction, erasure, or destruction.
• "Pre-Approved  Sub-Processor List" means the list of  Sub-Processors set out in Schedule A to this DPA, as updated from time to     time in accordance with Section 6.
• "Sub-Processor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Fiduciary under this DPA.

2. Data Processor's Permitted Uses, Disclosures and Obligations

a. Processing only on Instructions

The Data Processor shall not use or disclose Personal Data other than as permitted or required by this DPA, as instructed in writing by the Data Fiduciary, or as required by Applicable Data Protection Laws. The Data Processor shall promptly inform the Data Fiduciary if, in its reasonable opinion, any instruction from the Data Fiduciary infringes any Applicable Data Protection Law.

b. Continuation of Processing

The Data Processor may continue to process Personal Data until the Data Fiduciary issues written instructions to the Data Processor to cease such processing. Upon receipt of such written instructions, the Data Processor shall cease processing and restrict further use of the relevant Personal Data in accordance with Section 5(g) of this DPA.

c. Security Safeguards

The Data Processor agrees to use appropriate administrative, physical, and technical safeguards and comply, where applicable, with the Security Standards for Protection of Digital Personal Data under Applicable Data Protection Laws. The Data Processor agrees to ensure that any Sub-Processors that create, receive, maintain, or transmit Personal Data shall use safeguards and security standards no less stringent than those used by the Data Processor.

d. Breach Notification

In the event of an actual Personal Data Breach, the Data Processor shall report to the Data Fiduciary in writing within five (5) business days of becoming aware of such Breach. The notification shall include:

‍
• a description of the nature of the Personal Data Breach;
• the categories and approximate number of Data Principals affected;
• the categories and approximate volume of Personal Data records affected;
• the likely consequences of the Breach; and
• the measures taken or proposed to address the Breach.

For the avoidance of doubt, security incidents that do not constitute a Personal Data Breach — including unsuccessful attempts at unauthorized access, use, modification, or destruction of information, or unsuccessful interference with system operations — shall not trigger reporting obligations under this clause.

e. Accounting of Disclosures

The Data Processor will maintain and, upon request by the Data Fiduciary, provide the Data Fiduciary with information necessary for the Data Fiduciary to provide a Data Principal with an accounting of disclosures of their Personal Data.

f. Confidentiality of Personnel

The Data Processor shall ensure that all personnel authorized to process Personal Data under this DPA are subject to binding confidentiality obligations and are aware of and comply with the Data Processor's obligations hereunder.

3. Consent

• The consent given by the     Data Principal shall be free, specific, informed, unconditional and     unambiguous with a clear affirmative action, and shall signify an     agreement to the processing of Personal Data for a specified purpose.
• Where consent given by     the Data Principal is the basis of the processing of Personal Data, such     Data Principal shall have the right to withdraw its consent at any time.     The Data Fiduciary shall be responsible for managing and acting upon     consent withdrawal in accordance with the DPDPA, and shall promptly issue     written instructions to the Data Processor to cease processing upon any     such withdrawal.
• Upon receipt of written     instructions from the Data Fiduciary pursuant to Section 3(b) above, the     Data Processor shall cease processing the relevant Personal Data and     restrict further use, subject to Section 5(g) of this DPA.

4. Certain Legitimate Uses

Personal Data of a Data Principal may be processed for any of the following uses without consent, namely:

• for the specified purpose     for which the Data Principal has voluntarily provided Personal Data to the     Data Fiduciary, and in respect of which they have not indicated     non-consent;
• for compliance with any     judgment or decree or order issued under any law for the time being in     force in India, or any judgment or order relating to claims of a     contractual or civil nature under any law in force outside India;
• for responding to a     medical emergency involving a threat to the life or immediate threat to     the health of the Data Principal or any other individual;
• for taking measures to     provide medical treatment or health services to any individual during an     epidemic, outbreak of disease, or any other threat to public health; or
• for taking measures to     ensure safety of, or provide assistance or services to, any individual     during any disaster or breakdown of public order.

5. General Obligations of Data Fiduciary

a. Compliance Responsibility

The Data Fiduciary shall carry out the duties and be responsible for complying with Applicable Data Protection Laws in respect of any processing undertaken by it or on its behalf by the Data Processor.

b. Valid Contract

The Data Fiduciary may engage the Data Processor to process Personal Data on its behalf only under a valid contract. This DPA constitutes such valid contract for the purposes of Applicable Data Protection Laws.

c. Notification of Rights Invocation

The Data Fiduciary will notify the Data Processor in writing if the Data Principal invokes the right to correction, completion, updating, or erasure of Personal Data, so that the Data Processor may take appropriate action in accordance with the Data Fiduciary's written instructions.

d.Data Accuracy

Where Personal Data processed is used to make a decision affecting the Data Principal or is disclosed to another Data Fiduciary, the completeness, accuracy, and consistency of such data will be ensured by the Data Fiduciary.

e.Technical and Organizational Measures

The Data Fiduciary shall implement appropriate technical and organizational measures by taking reasonable security safeguards to prevent Personal Data Breaches.

f. Board Notification

In the event of a Personal Data Breach, the Data Fiduciary shall give the Data Protection Board and each affected Data Principal intimation of such breach in the form and manner as may be prescribed under Applicable Data Protection Laws.

g.Restriction on Processing

Upon issuing written instructions to the Data Processor to cease processing of Personal Data (whether due to withdrawal of consent, fulfillment of the specified purpose, or otherwise), the Data Processor shall restrict further active processing of the relevant Personal Data. The Parties acknowledge that complete erasure of Personal Data — including from backup systems, archived records, or infrastructure logs — may not be technically feasible. Where erasure is not technically feasible, the Data Processor shall:

• extend the protections of this DPA to such retained Personal Data;
• restrict any further active processing of such data to only those purposes that make erasure     infeasible; and
• maintain such protections  for as long as the data is retained.

This obligation shall survive termination of this DPA.

h.Retention Instructions

The Data Fiduciary shall ensure that Personal Data is not retained by the Data Processor beyond the period necessary for the specified purpose or as required by applicable law, and shall issue timely written instructions for restriction or return of Personal Data where retention is no longer required.

i.Cross-Border Transfer and Remote Access

Where Personal Data is stored outside of India or where the Data Processor or any Sub-Processor accesses Personal Data remotely from a location outside of India, the following conditions shall apply:

• The Data Processor shall  notify the Data Fiduciary in writing prior to any transfer of Personal     Data outside India or any remote access to Personal Data from outside     India, specifying the country of storage or access, the nature of the     data, and the purpose of such transfer or access;
• All cross-border  transfers of Personal Data shall be carried out in accordance with the     provisions of the DPDPA and any rules or regulations prescribed     thereunder, including any conditions or restrictions on cross-border data     flows as notified by the Government of India from time to time;
• The Data Processor shall  ensure that any country to which Personal Data is transferred, or from  which it is remotely accessed, provides a level of data protection that is at least equivalent to that required under Applicable Data Protection  Laws;
• Where remote access to     Personal Data is provided to personnel located outside India, the Data  Processor shall implement appropriate technical and organizational     measures to secure such remote access, including but not limited to  encrypted connections, access controls, and audit logging; and
• The Data Processor shall  maintain a record of all cross-border transfers and remote access instances and shall make such records available to the Data Fiduciary upon  written request.

6. Sub-Processors

a. Pre-Approved Sub-Processor List

The Data Fiduciary hereby grants general authorization to the Data Processor to engage the Sub-Processors listed in Schedule A to this DPA as of the Effective Date. The Data Processor shall not engage any Sub-Processor not on Schedule A without the prior written consent of the Data Fiduciary.

b. Updates to Schedule A

The Data Processor shall notify the Data Fiduciary in writing of any intended addition to or removal from Schedule A at least fifteen (15) business days prior to such change taking effect. The Data Fiduciary may object to any such addition in writing within such notice period. If the Parties are unable to resolve a reasonable objection within a further fifteen (15) business days, either Party may terminate the relevant services on thirty (30) days' written notice without liability.

c. Flow-Down Obligations

Where the Data Processor engages a Sub-Processor, it shall impose data protection obligations on the Sub-Processor no less stringent than those imposed on the Data Processor under this DPA, by way of a written agreement. The Data Processor shall remain fully liable to the Data Fiduciary for the performance of any Sub-Processor's obligations under this DPA.

d. Maintained List

The Data Processor shall maintain Schedule A and, upon written request, provide the Data Fiduciary with the then-current version.

7. Processing of Personal Data of Children

• The processing of  Personal Data of Children must be done in a manner that is verifiably safe. The Data Fiduciary shall obtain verifiable consent of the parent or  lawful guardian of such Child prior to any processing, as required by  Applicable Data Protection Laws.
• Neither Party shall  conduct tracking or behavioral monitoring of Children, or direct targeted advertising toward Children, in connection with the services provided  under this DPA.

8. Audit Rights

The Data Fiduciary shall have the right, upon reasonable prior written notice of not less than thirty (30) calendar days and no more than once per calendar year (except where a Personal Data Breach has occurred), to assess the Data Processor's processing activities and security measures under this DPA. Such assessment shall be conducted in the following order of preference:

• Documentary Review (Primary): The Data Processor shall, in  the first instance, respond to audit requests by providing relevant third-party audit reports, certifications (such as ISO 27001, SOC 2, or equivalent), security questionnaires, or other documented evidence of compliance. The Data Fiduciary agrees to accept such documentation as  sufficient evidence of compliance unless it has reasonable grounds to believe that such documentation does not adequately address the specific  concerns raised;
• On-Site Audit (Secondary): Where the Data  Fiduciary reasonably determines that the documentary review does not adequately address its concerns, the Data Fiduciary may request an on-site audit of the Data Processor's processing activities and security measures.  Such on-site audit shall be conducted during normal business hours in a manner that minimizes disruption to the Data Processor's operations, and  subject to appropriate confidentiality undertakings; and
• Costs: The costs of any audit or assessment shall be borne by the Data Fiduciary,  unless the audit reveals a material breach of this DPA by the Data     Processor, in which case such costs shall be borne by the Data Processor.

9. General Permissions of Data Processor

a. Performance of Services

Except as otherwise limited in this DPA, the Data Processor may use or disclose Personal Data to perform functions, activities, or services for, or on behalf of, the Data Fiduciary as specified in the MSA, provided that such use or disclosure is permitted under Applicable Data Protection Laws and is consistent with the written instructions of the Data Fiduciary.

b. Management and Administration

Except as otherwise limited in this DPA, the Data Processor may use Personal Data for the proper management and administration of the Data Processor or to carry out its legal responsibilities, to the extent permitted by Applicable Data Protection Laws and consistent with the instructions of the Data Fiduciary.

c. Disclosure to Third Parties

Except as otherwise limited in this DPA, the Data Processor may disclose Personal Data to a third party for the proper management and administration of the Data Processor or to fulfill any legal responsibilities, provided that:

• the disclosure is  required by law; or
• the Data Processor has received from the third party reasonable written assurances that: (1) the information will remain confidential and will be used or further disclosed  only as required by law or for the purpose for which it was disclosed; and (2) the third party will notify the Data Processor of any instances in  which the confidentiality of the information has been breached.

d. De-identification and Aggregation

The Data Processor may, as instructed by or on behalf of the Data Fiduciary, use Personal Data to create de-identified or anonymized data in accordance with Applicable Data Protection Laws. The Data Processor may use such de-identified data for data aggregation services related to the operations of the Data Fiduciary.

e. Limitation of Data Processor Liability

The Data Processor shall not be liable for any damages, losses, or compensation where the Data Principal or Data Fiduciary:

• fails to comply with the   provisions of Applicable Data Protection Laws;
• impersonates another    person while providing Personal Data;
• suppresses any material     information while providing Personal Data, proof of identity, or proof of     address;
• registers a false or     frivolous grievance or complaint; or
• furnishes information     that cannot be verified as correct and true while exercising any right     under Applicable Data Protection Laws.

10. Term, Termination and Effect of Termination

a. Term

The term of this DPA shall commence as of the Effective Date and shall terminate when the MSA and all agreements entered into thereunder have terminated.

b. Termination for Breach

Upon either Party's knowledge of a material breach of this DPA by the other Party, or its agents or Sub-Processors, the non-breaching Party may:

• terminate the MSA     immediately if it determines that there is a continuing and unmitigable  risk to the confidentiality, integrity, or availability of Personal Data;     or
• provide written notice of     the breach to the breaching Party and allow not less than thirty (30)    calendar days to cure the breach, and terminate the MSA if the breach is     not cured within such period.

c. Effect of Termination

Upon termination of this DPA or the MSA for any reason, the Data Processor shall, at the Data Fiduciary's written election, either return or restrict further active processing of all Personal Data in its possession. Where return or complete erasure is not technically feasible (including Personal Data retained in backup systems, archived records, or infrastructure logs), the Data Processor shall extend the protections of this DPA to such retained Personal Data, limit further use and disclosure to purposes that make return or erasure infeasible, and maintain such protections for as long as such Personal Data is retained. The cost of returning Personal Data shall be borne by the Data Fiduciary. This Section shall survive termination of this DPA.

11. Other Provisions

a. Amendment

This DPA may be modified only in writing, executed by both Parties. The Parties shall take such action as is necessary to amend this DPA from time to time as required for compliance with Applicable Data Protection Laws.

b. Waiver

The waiver by either Party of a breach or violation of any provision of this DPA shall not be construed as a continuing waiver or a waiver of any subsequent breach of the same or any other provision of this DPA.

c. No Other Beneficiaries

Nothing in this DPA shall confer upon any person other than the Parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.

d.Indemnification

Each Party (the "Indemnifying Party") agrees to defend, indemnify, and hold harmless the other Party, its officers, agents, and employees from and against all claims, liabilities, demands, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from or caused by the acts or omissions of the Indemnifying Party, its officers, employees, agents, or Sub-Processors in respect of the processing or disclosure of Personal Data under this DPA. For clarity, the Data Processor shall not be liable for any claims arising from the Data Fiduciary's own configuration decisions, written instructions provided to the Data Processor, or the Data Fiduciary's failure to comply with Applicable Data Protection Laws.

e.Limitation of Liability

Each Party's aggregate liability to the other Party under or in connection with this DPA shall not exceed the total fees paid or payable by the Data Fiduciary to the Data Processor under the MSA in the twelve (12) months preceding the event giving rise to the claim. This limitation shall not apply to liability arising from: (i) willful misconduct or gross negligence; or (ii) breach of confidentiality obligations.

f.Notice

Except as otherwise provided in this DPA, notices and reports given under this DPA shall be in writing and sent to the Data Processor at: Ramanathan Software Private Limited, IndiQube Ascent, 420, Mahakavi Vemana Rd, KHB Block Koramangala, Bengaluru, Karnataka 560034, India (Attention: Data Protection Officer; dpo@ramsoft.com), and to the Data Fiduciary at the address shown on the signature page. Such notices shall be deemed delivered: (i) when personally delivered; (ii) on the third business day after deposit by registered post, properly addressed and postage pre-paid; or (iii) on the next business day when sent by recognized overnight courier.

g.Effect on MSA

Except as specifically required to implement the purposes of this DPA, or to the extent inconsistent with this DPA, all other terms of the MSA shall remain in force and effect. In the event of any conflict between this DPA and the MSA with respect to the processing of Personal Data, this DPA shall prevail.

h.Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of India. The Parties irrevocably submit to the exclusive jurisdiction of the courts at Bengaluru, Karnataka, India for the resolution of any disputes arising out of or in connection with this DPA.

i.Severability

If any provision of this DPA is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the Parties shall negotiate in good faith a replacement provision that achieves the original intent as closely as possible.

j.Entire Agreement

This DPA, together with the MSA and Schedule A, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior agreements, representations, and understandings of the Parties relating to the same subject matter.

InWitness Whereof

The Parties have executed this Data Processing Agreement as of the Effective Date.

DATA FIDUCIARY

‍

CompanyName

Signature

PrintName

Title

Address

EffectiveDate

Dateof Signature

‍

DATA PROCESSOR

Ramanathan Software Private Limited

Signature

PrintName

Title

AddressIndiQube Ascent, 420, Mahakavi VemanaRd,
KHB Block Koramangala, Bengaluru 560034

EffectiveDate

Dateof Signature

Schedule A — Pre-Approved Sub-Processor List

EffectiveDate of Schedule: __________________________________

The following Sub-Processors are pre-approved by the Data Fiduciary for the processing of Personal Data under this DPA as of the Effective Date. This Schedule shall be updated by the Data Processor in accordance with Section 6(b) of this DPA.

‍