
Data Protection Addendum (DPA)

Last Updated : 14 Oct 2025

This Data Protection Addendum (“DPA”) is entered into between the Customer (as defined in the Terms of Service) (“Controller”) and Shopylyst (the “Processor”) (each a “Party” and collectively the “Parties”). This DPA supplements and forms part of the Terms of Service executed between the Parties (the “Agreement”).

1. DEFINITIONS

  1. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
  2. The following terms have the following meanings in this DPA:
    • Applicable Data Protection Laws: Indian laws and regulations governing the protection of personal data, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and any rules or regulations made under it, each as amended or replaced.
    • Personal Data: any information relating to a natural person who is or can be identified, directly or indirectly.
    • Processing / Process / Processed / Processes: any operation or set of operations performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).
    • Covered Data: Personal Data that is provided by or on behalf of Controller to Processor, or that Processor receives, records, or processes on behalf of Controller in connection with the Services.
    • Data Subject: the natural person to whom Personal Data relates.
    • Sub-processor: an entity appointed by or on behalf of Processor to process Covered Data under this DPA.
    • Security Incident: a confirmed or reasonably suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Covered Data.

2. INCORPORATION & PRIORITY

  1. This DPA is incorporated into and forms an integral part of the Agreement.
  2. In case of a conflict or inconsistency between this DPA and the Agreement regarding the Processing of Covered Data, the provisions of this DPA shall prevail to the extent necessary to comply with Applicable Data Protection Laws.
  3. Controller’s obligations under this DPA extend to its Affiliates (if any) that use the Services; Controller shall ensure that its Affiliates comply with this DPA.

3. ROLES OF THE PARTIES

  1. Controller is the data fiduciary (i.e., determines the purposes and means of processing Covered Data).
  2. Processor acts as a data processor and shall only process Covered Data on documented instructions from Controller, including as set out in the Agreement, and this DPA.
  3. Processor shall not process Covered Data for any purposes other than those expressly authorized by Controller, unless required to do so by law (in which case Processor must notify Controller unless prohibited by law).

4. DETAILS OF DATA PROCESSING

  1. The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Covered Data are set out in Schedule 1 of this DPA and in the Agreement.
  2. Processor shall:
    a. Process Covered Data only on Controller’s instructions (which may be via the Agreement, this DPA, or further written instructions).
    b. Not sell, share, or monetize Covered Data, nor use it for cross-context behavioral advertising.
    c. Limit access to Covered Data to personnel who need to know it, and ensure they are bound by confidentiality and data protection obligations.
    d. Not combine Covered Data with other personal data held by Processor (unless authorized in writing).
    e. Allow Controller to carry out reasonable oversight, audits, and verifications.

5. SUB-PROCESSORS

  1. Controller grants Processor general authorization to engage Sub-processors, subject to the clauses below.
  2. Processor shall ensure each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
  3. Processor will notify Controller of any intended changes to Sub-processors (adding or replacing). Controller may object in writing within [10-15] days. If an objection is raised, the Parties shall negotiate in good faith; if it is not resolved, Controller may terminate the affected part of the Services.

6. SECURITY

  1. Processor shall implement and maintain appropriate technical and organizational measures to safeguard Covered Data, taking into account the nature, scope, context, and purposes of processing, and risks to the rights and freedoms of Data Subjects.
  2. These measures include (but are not limited to):
    • Encryption in transit and at rest
    • Access controls, role-based permissions, and strong authentication
    • Regular security assessments, vulnerability scanning, and penetration testing
    • Logging, monitoring, and incident response procedures
    • Data minimization and pseudonymization where appropriate
  3. Processor shall document its security practices and, upon request, provide evidence to Controller of compliance.

7. DATA SUBJECT RIGHTS

  1. Controller is responsible for responding to requests from Data Subjects (e.g., for access, correction, erasure).
  2. If Processor receives a Data Subject’s request, it shall promptly forward it to Controller (unless legally prohibited).
  3. Processor shall assist Controller, to the extent reasonably possible, in fulfilling Data Subject rights, by appropriate technical and organizational measures.

8. SECURITY INCIDENTS & BREACH NOTIFICATION

  1. Processor shall notify Controller without undue delay after becoming aware of a Security Incident. Notification shall include:
    • Nature and extent of the incident
    • Categories and approximate number of Data Subjects and records involved
    • Likely consequences
    • Measures taken or proposed to mitigate or remediate
  2. Processor shall cooperate with Controller in investigation, mitigation, and regulatory reporting (if required under Applicable Data Protection Laws).
  3. Notification or cooperation does not, in itself, imply admission of liability.

9. RETENTION, RETURN, DELETION

  1. Upon termination or expiration of the Agreement, and at Controller’s choice, Processor shall either:
    a. Return all Covered Data to Controller, or
    b. Permanently delete all Covered Data (including from backups), unless retention is legally required.
  2. Processor shall certify to Controller that deletion or return has been completed.

10. AUDITS & COMPLIANCE

  1. Controller may, once per year, audit Processor’s compliance with this DPA (or engage an independent auditor), upon reasonable written notice and during normal business hours.
  2. The audit scope must be reasonable and relate to the Processor’s compliance with this DPA.
  3. Controller bears audit costs unless a material noncompliance is found, in which case Processor bears the costs.
  4. Processor shall make available records, documentation, and evidence of compliance (e.g., security policies, logs, audit reports) to Controller.

11. LIABILITY

Each Party’s liability for data protection claims under this DPA shall be subject to the limitation and indemnity provisions in the Agreement, except where law mandates otherwise (i.e., no waiver where law prohibits).

12. GOVERNING LAW & JURISDICTION

This DPA shall be governed by the laws of India. All disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of courts located in [Insert City, e.g., Jaipur / Delhi / Karnataka].

13. SURVIVAL

This DPA shall remain in force beyond termination or expiration of the Agreement to the extent necessary for Processor to fulfill its obligations (e.g., deletion, return, audit).

Schedule 1 – Details of Processing

Item | Details
Subject matter | Provision of Services by Processor to Controller under the Agreement
Duration | Duration of the Agreement (or as long as needed thereafter for legal, audit, or retention obligations)
Nature & purpose | Operation, maintenance, support, analytics, backups, service delivery in connection with the Agreement
Categories of Data Subjects | E.g., end users, customers, prospects, employees (as applicable)
Categories of Personal Data | Names, email addresses, contact information, billing data, usage metadata, form inputs, etc.
Special categories of data | None (unless expressly agreed)
Sub-processing | As per clause 5 and the notified Sub-processors list