Data Processing Agreement

This Data Processing Agreement (“DPA”) forms a binding arrangement between (Website Name), hereinafter referred to as the “Data Processor,” and the entity agreeing to these terms, hereinafter referred to as the “Data Controller.” It governs how the Processor manages Personal Data in relation to the payment gateway services offered.

Roles of the Parties

  • The Controller defines the purpose and legal grounds for Processing Personal Data and remains fully accountable for adhering to all Applicable Data Protection Laws.
  • The Processor handles Personal Data strictly in accordance with documented instructions provided by the Controller and solely for the purpose of delivering payment gateway services.

Scope of Processing

The Processor is authorized to process Personal Data exclusively for the following activities:

  • Payment initiation, authorization, and settlement of transactions
  • KYC (Know Your Customer) checks and fraud detection
  • Customer identity verification, including two-factor authentication
  • Transaction reporting, reconciliation, and monitoring
  • Compliance with RBI, NPCI, and other applicable payment regulations

Security Measures

The Processor shall implement and maintain suitable technical and organizational safeguards, including but not limited to:

  • Full PCI DSS compliance for cardholder data processing, storage, and transmission
  • Strong encryption protocols for data both at rest and in transit
  • Multi-factor authentication controls for system access
  • Secure key management frameworks
  • Regular penetration testing and vulnerability assessments

Additionally, the Processor shall ensure staff members maintain confidentiality and receive training on data security protocols.

Data Subject Rights

The Processor shall support the Controller in addressing Data Subject rights as mandated by Applicable Laws, which include:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to portability
  • Right to restrict or object to processing

Subprocessors

  • The Processor may not appoint any Subprocessor without the prior written approval of the Controller.
  • All authorized Subprocessors must sign written agreements imposing obligations that are as protective as those stated within this DPA.

Data Breach Notification

  • If the Processor becomes aware of a Personal Data Breach, it shall notify the Controller within 24 hours.
  • The notification shall include details on:
      • The nature and scope of the breach
      • Categories and approximate number of Data Subjects impacted
      • Remedial steps undertaken to contain and resolve the incident
      • Preventive measures planned to reduce future risks

Audit & Compliance

The Controller may, upon providing reasonable notice, conduct audits to assess the Processor’s adherence to this Agreement. The Processor shall grant access to relevant policies, documents, and certifications.

Data Retention & Deletion

Personal Data shall be retained only for as long as required to process payments and satisfy legal obligations (including RBI-prescribed retention timelines).

When services are terminated, the Processor shall either return or permanently erase all Personal Data unless retention is mandated by law.

Legal & Regulatory Changes

The Processor shall promptly notify the Controller if any changes in law or regulations impact its ability to comply with the obligations stated in this Agreement.

Liability & Indemnification

Each Party shall bear responsibility for damages resulting from breaches of this Agreement. The Processor shall indemnify the Controller against penalties, claims, or losses caused by failures to comply with data protection duties.

Governing Law & Dispute Resolution

This Agreement shall be governed by the laws of India. Any disputes arising under this Agreement shall fall within the exclusive jurisdiction of courts located in India.

Amendments

Any modification to this Agreement shall only be valid if documented in writing and signed by both Parties.

Acknowledgment and Acceptance

By agreeing to this document, both Parties confirm their understanding of and consent to the obligations outlined in this Data Processing Agreement.