Data Processing Agreement

This Data Processing Agreement (“DPA”) sets out a legally binding understanding between JETFIN TECHNOLOGIES SOLUTION, referred to as the “Data Processor,” and the entity accepting these terms, referred to as the “Data Controller.” It defines how the Processor handles Personal Data in connection with the payment gateway services provided.

Roles and Responsibilities

Data Controller:

  • Determines the purposes and lawful basis for processing Personal Data.
  • Ensures compliance with applicable Data Protection Laws.

Data Processor:

  • Processes Personal Data strictly according to the Controller’s documented instructions.
  • Uses Personal Data solely to deliver payment gateway services.

Scope of Data Processing

The Processor will handle Personal Data only for the following purposes:

  • Initiating, authorizing, and settling payment transactions.
  • Conducting Know Your Customer (KYC) verifications and preventing fraud.
  • Authenticating customers, including via two-factor authentication (2FA).
  • Preparing transaction reports and performing reconciliation.

Security Protocols

The Processor commits to implementing appropriate technical and organizational measures, including:

  • Encryption of data both at rest and during transfer.
  • Multi-factor authentication for system access.
  • Strong key management procedures.
  • Regular penetration testing and vulnerability assessments.

Additionally, the Processor shall:

  • Ensure that personnel are bound by confidentiality obligations.
  • Provide staff training on data protection and security best practices.

Assistance with Data Subject Rights

The Processor will support the Controller in fulfilling Data Subject rights under applicable laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to restrict or object to processing

Subprocessors

  • The Processor shall not engage any Subprocessor without prior written approval from the Controller.
  • Any approved Subprocessor must enter into agreements ensuring data protection safeguards at least equivalent to those in this DPA.

Data Breach Notification

In the event of a Personal Data Breach, the Processor will notify the Controller within 24 hours of discovery, including:

  • Nature of the breach
  • Categories and approximate number of affected Data Subjects
  • Steps taken to contain and mitigate the breach
  • Measures planned to prevent recurrence

Audits and Compliance

  • The Controller may conduct audits with reasonable prior notice to verify adherence to this DPA.

Data Retention and Disposal

  • Personal Data will be retained only as long as necessary for payment processing and compliance with legal obligations, including RBI-mandated retention periods.
  • Upon service termination, the Processor will securely erase or return all Personal Data unless retention is required by law.

Regulatory and Legal Updates

The Processor must promptly inform the Controller of any legal or regulatory changes that may affect its ability to process Personal Data in compliance with this DPA.

Liability and Indemnification

  • Each Party is responsible for damages arising from its breach of this Agreement.
  • The Processor shall indemnify the Controller against penalties, claims, or losses resulting from non-compliance with data protection obligations.

Governing Law and Jurisdiction

  • This DPA is governed by the laws of India.
  • Any disputes shall fall under the exclusive jurisdiction of Indian courts.

Amendments

Any changes to this Agreement must be made in writing and signed by both Parties.

Confirmation

By entering into this DPA, both Parties acknowledge and accept all terms and conditions described herein.