This Data Processing Agreement (“DPA”) sets out the binding terms between Zepayra as the “Data Processor” and the accepting entity as the “Data Controller”. It explains how the Processor manages Personal Data connected to payment solution related operations.
Roles of the Parties
The Data Controller is responsible for:
- Deciding the purpose for handling Personal Data
- Establishing the lawful basis for handling
- Ensuring full adherence to all Applicable Data Protection Laws
The Data Processor shall:
- Handle Personal Data based only on documented directions from the Controller
- Use Personal Data solely for activities linked to payment solution services
Scope Of Processing
The Processor may handle Personal Data for:
- Payment initiation, authorization, and settlement
- KYC checks and fraud risk reduction
- Customer authentication including 2FA
- Transaction summaries, records, and reconciliation
- Compliance with RBI, NPCI, and payment network requirements
Security Measures
The Processor shall adopt strict technical and organizational safeguards, including:
- Encryption of Personal Data during movement and storage
- Multi factor authentication for system access
- Secure key handling procedures
- Regular vulnerability checks and penetration assessments
The Processor shall also ensure:
- Personnel maintain confidentiality
- Staff receive training on data protection and security practices
Data Subject Rights
The Processor shall support the Controller in responding to:
- Access requests
- Correction requests
- Removal requests
- Data portability requests
- Requests to place limitations or objections on handling
Subprocessors
The Processor shall:
- Seek written approval from the Controller before involving any Subprocessor
- Ensure all approved Subprocessors follow written obligations equal to what is required under this DPA
Data Breach Notification
If a Personal Data Breach occurs, the Processor shall notify the Controller within twenty four hours. The notice shall include:
- Nature of the incident
- Categories and estimated count of affected individuals
- Actions taken to contain and reduce harm
- Future corrective measures
Audit and Compliance
The Controller may request an audit with reasonable notice. The Processor shall provide access to:
- Policies and internal procedures
- Relevant documentation
Data Retention and Deletion
The Processor shall follow these requirements:
- Retain Personal Data only for payment processing needs and legal timelines such as RBI mandated periods
- Delete or return Personal Data securely at the end of service unless law requires continued retention
Legal and Regulatory Changes
The Processor shall inform the Controller if a regulatory or legal change affects the Processor’s ability to meet the commitments in this DPA.
Liability and Indemnification
- Each party is responsible for harm caused by its own breach
- The Processor shall indemnify the Controller for claims, penalties, or losses that arise due to the Processor’s failure to meet data protection obligations
Governing Law and Dispute Resolution
- This DPA is governed by the laws of India
- Any dispute shall be handled exclusively by courts located in India
Amendments
- Any amendment to this DPA must appear in written form and be signed by both parties
Acknowledgment and Acceptance
By entering this Agreement, both parties confirm their understanding and acceptance of all terms within this Data Processing Agreement.