DPA - MyVyay

DATA PROTECTION ADDENDUM

This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between the Customer (as defined in the Agreement) and Botmatic Solutions Pvt Ltd (the “Processor”), under which the Processor provides the Controller with software and services (the “Services”). The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties.”

The Parties enter into this DPA to comply with the requirements of the EU General Data Protection Regulation (GDPR) (as defined below) regarding the Processor’s processing of Personal Data (as defined under the EU GDPR) as part of its obligations under the Agreement.

This DPA applies to the Processor’s processing of Personal Data provided by the Controller as part of the Processor’s obligations under the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1.     Definitions

Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

1.1 “Data Transfer” means a transfer of Personal Data from the Controller to the Processor, between two establishments of the Processor, or with a Sub-processor engaged by the Processor.

1.2 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.3 “Standard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1, pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries that do not ensure an adequate level of data protection.

1.4 “Controller” means the natural or legal person, public authority, agency, or other body that alone or jointly determines the purposes and means of processing Personal Data.

1.5 “Processor” means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.

1.6 “Sub-processor” means any processor or subcontractor appointed by the Processor to provide all or parts of the Services and process Personal Data provided by the Controller.

2.     Purpose of this Agreement

This DPA sets forth the obligations of the Processor in relation to the processing of Personal Data and shall be limited to the Processor’s obligations under the Agreement. In case of a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

3.     Categories of Personal Data and Data Subjects

The Controller authorizes the Processor to process Personal Data to the extent determined and regulated by the Controller. The categories of Personal Data and data subjects are specified in Annex I to Schedule 1 of this DPA.

4.     Purpose of Processing

The processing of Personal Data by the Processor shall be limited to providing the Services to the Controller and/or its clients pursuant to the Agreement.

5.     Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement unless otherwise agreed in writing by the Controller.

6.     Data Controller’s Obligations

6.1 Legal Basis for Processing: The Controller warrants that it has all necessary rights to provide Personal Data to the Processor for processing in connection with the agreed Services. Where required by applicable data privacy laws, the Controller shall ensure that:

It provides Personal Data to the Processor based on a lawful basis for processing.

It obtains any necessary Data Subject consents for processing, where applicable.

It maintains records of such consents and informs the Processor if a Data Subject revokes consent.

6.2 Privacy Notice: The Controller shall provide all individuals from whom it collects Personal Data with a relevant privacy notice in compliance with applicable data privacy laws.

6.3 Data Deletion: The Controller shall have the right to request the Processor to delete or return Personal Data when required unless the Processor is legally required to retain such data.

6.4 Notification of Data Privacy Matters: The Controller shall promptly notify the Processor in writing upon becoming aware of:

6.4.1 Any complaint or allegation indicating a violation of data privacy laws regarding Personal Data;

6.4.2 Any request from individuals seeking access, correction, or deletion of their Personal Data;

6.4.3 Any inquiry or complaint from individuals regarding the collection, processing, use, or transfer of their Personal Data;

6.4.4 Any regulatory request, search warrant, or other legal, administrative, or governmental process seeking Personal Data.

7. Data Processor’s Obligations

7.1. The Processor shall follow written and documented instructions received, including via email, from the Controller, its affiliates, agents, or personnel concerning the Processing of Personal Data (each, an “Instruction”).

7.2. The Processing described in the Agreement and related documentation shall be considered an Instruction from the Controller.

7.3. At the Controller’s request, the Processor shall provide reasonable assistance to the Controller in responding to or complying with requests from Data Subjects exercising their rights or regulatory authorities regarding the Processing of Personal Data.

7.4. The Processor shall obtain necessary consents and provide appropriate notices to Data Subjects in accordance with Data Protection Laws to enable the lawful sharing and use of Personal Data as contemplated by this Agreement.

7.5. When Personal Data is transferred outside the Processor’s jurisdiction, the transferor shall ensure that the recipient is contractually obligated to uphold data protection standards equivalent to or exceeding those imposed under this Addendum and applicable Data Protection Laws.

7.6. The Processor shall inform the Controller if, in its opinion, a Processing Instruction infringes applicable legislation or regulations.

7.7. Taking into account the nature of Processing and the information available, the Processor shall assist the Controller in conducting necessary Data Protection Impact Assessments (DPIAs) as required under GDPR.

8. Data Secrecy

8.1 The Processor shall ensure that personnel engaged in Processing Personal Data:

8.1.1. Are informed of its confidential nature.

8.1.2. Perform Processing in compliance with this Agreement.

8.2. The Processor shall regularly train personnel with access to Personal Data on data security and privacy best practices.

8.3. The Processor shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data as mutually agreed upon in writing.

9. Audit Rights

9.1. Upon reasonable request, the Processor shall provide the Controller with information necessary to demonstrate compliance with its obligations under GDPR and other applicable laws concerning Processing of Personal Data.

9.2. The Controller may conduct an audit (itself or through a representative) at the Processor’s site upon at least fifteen (15) days’ prior written notice. The Processor shall provide reasonable cooperation and assistance.

9.3. The Controller shall bear the costs of such an audit.

10. Data Transfer Mechanism

10.1. Any transfer of Personal Data outside the European Economic Area (EEA) for Processing by the Processor shall comply with the terms outlined in Schedule 1 of this DPA.

10.2. Where applicable, the Processor shall execute Standard Contractual Clauses or equivalent safeguards as required by GDPR for data transfers outside the EEA.

11. Sub-processors

11.1. The Controller acknowledges and agrees that the Processor may engage third-party Sub-processors, provided they implement appropriate technical and organizational measures to protect Personal Data.

11.2. The Processor shall notify the Controller at least thirty (30) calendar days in advance of any intended changes to its Sub-processors listed in Annex III of Schedule 

11.3. The Controller may object to a new Sub-processor if its Processing activities pose a risk of non-compliance with GDPR. The Parties shall cooperate in good faith to address any concerns.

11.4. The Processor remains liable for its Sub-processors’ compliance with data protection obligations.

12. Personal Data Breach Notification

12.1. The Processor shall implement defined procedures for handling Personal Data Breaches (as defined under GDPR) and, without undue delay, notify the Controller of any breach that is likely to result in a risk to the rights and freedoms of Data Subjects.

12.2. The Processor shall provide reasonable assistance to the Controller in fulfilling breach notification obligations to Supervisory Authorities and affected Data Subjects.

12.3. Notification of a breach by the Processor does not constitute an admission of liability or fault.

13. Return and Deletion of Personal Data

13.1. Within thirty (30) days of termination of the Agreement or cessation of Processing, the Processor shall return all Personal Data to the Controller or delete it, as instructed by the Controller.

13.2. The Processor shall ensure the deletion of Personal Data, including all copies, unless applicable laws require its retention.

14. Technical and Organizational Measures

14.1. The Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage.

14.2. These measures shall ensure a level of security appropriate to: (a) The potential harm from unauthorized Processing or accidental loss, (b) The nature of the Personal Data, and (c) Industry standards, as specified in Annex II of Schedule 1.


SCHEDULE 1

ANNEX I

LIST OF PARTIES

Data Exporter(s):

Name: Customer (as specified in the relevant Order Form)

Address: As specified in the relevant Order Form

Contact Person’s Name, Position, and Contact Details: As specified in the relevant Order Form

Activities Relevant to the Data Transferred Under These Clauses: Recipient of the services provided by Botmatic Solution Pvt Ltd in accordance with the Agreement.

Signature and Date: As set forth in the Agreement.

Role (Controller/Processor): Controller

Data Importer(s):

Name: Botmatic Solution Pvt Ltd

Address: 715 Global Business Hub, Kharadi, Pune

Contact Person’s Name: Shubhankar Narwade

Position: DPO

Contact Details: +91 9356821374 

Email: shubhankar@myvyay.com

Activities Relevant to the Data Transferred Under These Clauses: Provision of services to the Customer in accordance with the Agreement.

Signature and Date: As set forth in the Agreement.

Role (Controller/Processor): Processor


1.     DESCRIPTION OF TRANSFER

Categories of Data Subjects Whose Personal Data is Transferred:

Customer’s authorized users of the services.

Categories of Personal Data Transferred:

Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related Person, Related URL, User ID, Username.

Sensitive Data Transferred (If Applicable) and Applied Restrictions or Safeguards:

No sensitive data is collected.

Frequency of the Transfer:

Continuous basis

Nature of the Processing:

Continuous basis

Purpose(s) of the Data Transfer and Further Processing:

To facilitate the performance of the services as described in the Agreement and accompanying order forms.

Retention Period for Personal Data or Criteria Used to Determine the Retention Period:

As specified in the Agreement, Addendum, and accompanying order forms.

Transfers to (Sub-) Processors:

The subject matter, nature, and duration of processing are specified in the Agreement, Addendum, and accompanying order forms.

2.     COMPETENT SUPERVISORY AUTHORITY

The data exporter is established in an EEA country.

The competent supervisory authority is determined by applying Clause 13 of the EU SCCs.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE DATA SECURITY

Security Measures Implemented by Botmatic Solution Pvt Ltd

Security Management System:

Organization: Qualified security personnel oversee the Information Security Program.

Policies: Security policies are reviewed and updated annually.

Assessments: Independent third-party risk assessments are conducted annually.

Risk Treatment: Includes penetration testing, vulnerability management, and patch management.

Vendor Management: A structured vendor management program is maintained.

Incident Management: Security incidents are reviewed, including root cause analysis and corrective actions.

Standards: Compliance with ISO/IEC 27001:2022 standard.

Personnel Security:

Employees adhere to confidentiality guidelines and undergo background checks.

Employees sign confidentiality agreements and receive security training.

Personnel handling customer data receive role-specific training and certifications.

Access Controls:

Access Management: Formal processes ensure proper authorization of personnel.

Infrastructure Security: Security policies and training are enforced for personnel.

Authentication: Multi-Factor Authentication (MFA) or Single Sign-On (SSO) is required.

Data Access Policies: Designed to protect against unauthorized access using principles of least privilege and need-to-know.

Data Center and Network Security:

Hosting: Botmatic Solution Pvt Ltd uses AWS as its data center provider.

Resiliency: Multi-Availability Zones enabled; backup restoration testing conducted regularly.

Server Security: Servers are hardened and undergo code review.

Disaster Recovery: Data replication and disaster recovery programs are tested regularly.

Logging: Security logs are enabled for auditing and attack detection.

Vulnerability Management: Regular vulnerability scans and prompt patching.

Network and Transmission Security:

Data Transmission: Uses standard internet protocols.

External Protection: AWS Security Group functions as a virtual firewall.

Incident Response: Maintains policies for security incident management.

Encryption: HTTPS (SSL/TLS) encryption is available for data in transit.

Data Storage, Isolation, Authentication, and Destruction:

Data is stored in a multi-tenant AWS environment with logical isolation for different customers.

A central authentication system ensures uniform security.

Secure disposal procedures are implemented for customer data.


ANNEX III

LIST OF SUB-PROCESSORS

The data controller has authorized the use of the following sub-processors:

Name of Sub-Processor: Amazon Web Services (AWS)

Description of Processing: Hosting the production environment

Location: Global