Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service agreement ("Agreement") between:
YugantarX (hereinafter referred to as "Processor" or "YugantarX"), a company registered in India, with its registered office at [Address]; and
The Client (hereinafter referred to as "Controller"), as defined in the Agreement.
This DPA reflects the parties' agreement with respect to the processing of Personal Data by YugantarX on behalf of the Client in connection with the services provided by YugantarX under the Agreement.
This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Information Technology Act, 2000, and the Personal Data Protection Bill of India (when enacted).
2. Definitions
In this DPA, the following terms shall have the meanings set out below:
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Data Subject" means the identified or identifiable person to whom the Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which Processes Personal Data on behalf of the Controller.
"Sub-processor" means any Processor engaged by YugantarX to process Personal Data on behalf of the Client.
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the GDPR, the Information Technology Act, 2000, and the Personal Data Protection Bill of India (when enacted).
3. Scope and Purpose of Processing
This DPA applies to the Processing of Personal Data by YugantarX on behalf of the Client in the course of providing the services as described in the Agreement.
The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data processed and categories of Data Subjects, are specified in Appendix 1 to this DPA.
YugantarX shall Process Personal Data only for the purpose of providing the services as specified in the Agreement and in accordance with the Client's documented instructions, unless required to do otherwise by applicable law.
4. Processor Obligations
YugantarX shall:
- Process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law; in such a case, YugantarX shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 of this DPA;
- Respect the conditions for engaging Sub-processors as set out in Section 6 of this DPA;
- Assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to YugantarX;
- At the choice of the Client, delete or return all the Personal Data to the Client after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data;
- Make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
5. Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, YugantarX shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others:
- The pseudonymization and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
Detailed security measures implemented by YugantarX are described in Appendix 2 to this DPA.
6. Sub-processors
The Client hereby provides general authorization for YugantarX to engage Sub-processors to Process Personal Data. YugantarX shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Client the opportunity to object to such changes.
YugantarX shall ensure that any Sub-processor it engages to provide services on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such Sub-processor terms substantially no less protective of Personal Data than those imposed on YugantarX in this DPA ("Relevant Terms"). YugantarX shall procure the Sub-processor's compliance with the Relevant Terms and shall be directly liable to the Client for any breach by a Sub-processor of any of the Relevant Terms.
A list of currently approved Sub-processors is available in Appendix 3 to this DPA. YugantarX will update this list if and when any Sub-processors are added or replaced, providing the Client with a mechanism to obtain notice of that update.
7. International Data Transfers
YugantarX shall not transfer Personal Data outside of India or the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws.
Such measures may include:
- Transferring to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission or relevant authorities;
- Implementing appropriate safeguards such as standard contractual clauses approved by the European Commission or relevant authorities;
- Implementing binding corporate rules.
YugantarX shall provide the Client with details of the transfer mechanism used for any specific transfer upon request.
8. Data Breach Notification
YugantarX shall notify the Client without undue delay after becoming aware of a Personal Data breach and shall provide the Client with sufficient information to allow the Client to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws.
Such notification shall as a minimum:
- Describe the nature of the Personal Data breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
- Communicate the name and contact details of YugantarX's data protection officer or other relevant contact from whom more information may be obtained;
- Describe the likely consequences of the Personal Data breach; and
- Describe the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9. Audits and Inspections
YugantarX shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
The Client shall give YugantarX reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavors to avoid causing any damage or disruption to YugantarX's premises, equipment, personnel, and business while its personnel are on those premises in the course of such an audit or inspection.
YugantarX shall provide reasonable cooperation to the Client in connection with any such audit or inspection, including by making available to the Client, upon request, relevant records, logs, files, data reporting, and other materials required to demonstrate YugantarX's compliance with this DPA.
10. Term and Termination
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination of the Agreement.
Upon termination of this DPA, YugantarX shall, at the choice of the Client, delete or return all Personal Data to the Client and delete existing copies unless applicable law requires storage of the Personal Data.
Obligations relating to confidentiality, liability, and dispute resolution shall survive the termination of this DPA.
11. Liability and Indemnity
Each party shall be liable for and shall indemnify the other party against all claims, actions, liabilities, losses, damages, and expenses incurred by the indemnified party which arise directly or indirectly out of or in connection with a breach of this DPA by the indemnifying party.
The liability of each party under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
Nothing in this DPA shall limit the liability of either party for:
- Death or personal injury resulting from its negligence or that of its employees or agents;
- Fraud or fraudulent misrepresentation;
- Any other matter which cannot be excluded or limited under applicable law.
12. Miscellaneous
12.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of India, without regard to its conflicts of law principles.
12.2 Dispute Resolution
Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set out in the Agreement.
12.3 Severability
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability shall remain in full force and effect.
12.4 Amendments
This DPA may not be amended or modified except by a written agreement signed by both parties.
12.5 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and negotiations, both written and oral, between the parties with respect to the subject matter of this DPA.
Signatures
For and on behalf of the Controller:
For and on behalf of the Processor:
Note on Appendices
The following appendices form an integral part of this DPA:
- Appendix 1: Details of Processing
- Appendix 2: Technical and Organizational Security Measures
- Appendix 3: List of Approved Sub-processors
These appendices are available in your client portal under Legal Documents or can be provided upon request.
Appendix 1: Details of Processing
Subject Matter of Processing
The processing of Personal Data by YugantarX for the purpose of providing digital transformation and technology services to the Client as described in the Agreement.
Duration of Processing
YugantarX will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Nature and Purpose of Processing
YugantarX will process Personal Data as necessary to perform the services pursuant to the Agreement, as further specified in the applicable service documentation, and as further instructed by the Client in its use of the services.
Types of Personal Data
The Personal Data processed by YugantarX may include, but is not limited to, the following:
- Personal details (e.g., name, email address, phone number, job title, employer)
- Login credentials
- Device information (e.g., IP address, browser type, operating system)
- Usage data (e.g., logs, analytics)
- Client's customer data (as applicable to the services provided)
- Other Personal Data as specified in the Agreement
Categories of Data Subjects
The Personal Data processed by YugantarX may concern the following categories of Data Subjects:
- Client's employees, contractors, and other staff
- Client's authorized users of the services
- Client's customers, prospects, and business partners
- Other individuals whose Personal Data is processed in connection with the services
Appendix 2: Technical and Organizational Security Measures
YugantarX has implemented and will maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:
1. Physical Security Measures
- Access control systems for office premises
- 24/7 surveillance of data centers
- Fire prevention systems
- Uninterruptible power supply
- Climate control systems
2. IT Systems Security
- Network firewalls and intrusion detection/prevention systems
- Anti-virus and anti-malware protection
- Encryption of data at rest and in transit (using industry-standard encryption protocols and algorithms)
- Regular vulnerability scanning and penetration testing
- Secure software development lifecycle processes
- Regular security patches and updates
3. Access Control Measures
- Multi-factor authentication for system access
- Role-based access controls
- Unique user IDs and strong password policies
- Regular review of access rights
- Automatic locking of inactive sessions
- Secure remote access procedures
4. Data Protection Measures
- Data backup and disaster recovery procedures
- Data minimization and pseudonymization where appropriate
- Secure disposal of data and equipment
- Data leakage prevention systems
5. Organizational Measures
- Appointment of a Data Protection Officer
- Regular security awareness training for employees
- Confidentiality obligations in employment contracts
- Information security policies and procedures
- Regular compliance audits
- Incident response and management procedures
6. Monitoring and Logging
- Comprehensive logging of access and actions in systems processing Personal Data
- Regular review of logs and alerts
- Real-time monitoring of systems for unusual activity
- Security information and event management (SIEM) system
Appendix 3: List of Approved Sub-processors
As of the date of this DPA, YugantarX uses the following Sub-processors for the processing of Personal Data. This list will be updated if and when any Sub-processors are added or replaced.
Sub-processor | Purpose | Location | Transfer Mechanism |
---|---|---|---|
Amazon Web Services, Inc. | Cloud infrastructure provider | Global (Primary: Mumbai, India) | Standard Contractual Clauses |
Microsoft Corporation | Azure cloud services | Global (Primary: Central India) | Standard Contractual Clauses |
Snowflake Inc. | Data warehouse service | Global (Primary: Mumbai, India) | Standard Contractual Clauses |
Zendesk, Inc. | Customer support platform | Global | Standard Contractual Clauses |
Atlassian Pty Ltd | Project management tools | Global | Standard Contractual Clauses |
Procedure for Adding or Replacing Sub-processors
YugantarX shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors by:
- Updating the list of Sub-processors on the Client Portal;
- Sending an email notification to the Client's designated contact person at least 30 days before the new Sub-processor processes any Personal Data;
- Providing the Client with information about the new Sub-processor, including its identity, location, and the Processing activities it will undertake.
If the Client objects to a new Sub-processor, the Client must notify YugantarX in writing within 14 days of receiving the notification. Upon receipt of such objection, YugantarX will use reasonable efforts to make available to the Client a change in the services or recommend a commercially reasonable change to the Client's configuration or use of the services to avoid processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Client. If YugantarX is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, the Client may terminate the applicable services which cannot be provided by YugantarX without the use of the objected-to Sub-processor by providing written notice to YugantarX. YugantarX will refund the Client any prepaid fees covering the remainder of the term following the effective date of termination with respect to such terminated services.