This Data Processing Agreement (“DPA”) establishes a legally binding arrangement between Praket Consultancy, hereinafter referred to as the “Data Processor,” and the entity accepting these terms, hereinafter referred to as the “Data Controller.” It sets out the manner in which the Processor manages Personal Data in relation to the payment solutions services provided.
Roles and Responsibilities
Controller
- Determines the purposes and legal basis for Processing Personal Data.
- Ensures compliance with all relevant Data Protection Laws.
Processor
- Processes Personal Data strictly on the Controller’s documented instructions.
- Handles Personal Data solely for delivering payment solutions services.
Scope of Processing Activities
The Processor shall handle Personal Data exclusively for the following purposes:
- Payment transaction initiation, authorization, and settlement.
- Know Your Customer (KYC) checks and fraud prevention.
- Customer authentication, including two-factor authentication (2FA).
- Transaction reporting and reconciliation.
- Compliance with RBI, NPCI, and applicable payment network regulations.
Security Measures
The Processor commits to implementing appropriate technical and organizational measures, including but not limited to:
- Compliance with industry-recognized security standards for processing, storing, and transmitting cardholder data.
- Encryption of information both at rest and during transmission.
- Multi-factor authentication for system access.
- Robust key management procedures.
- Regular penetration testing and vulnerability assessments.
Additionally, the Processor shall ensure:
- Personnel confidentiality obligations are upheld.
- Staff members receive training on data protection and security best practices.
Assistance with Data Subject Rights
The Processor will support the Controller in fulfilling Data Subject rights as required by applicable laws, including:
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to data portability.
- Right to restrict or object to Processing.
Use of Subprocessors
- The Processor shall not appoint any Subprocessor without prior written consent from the Controller.
- Any approved Subprocessor must sign agreements ensuring data protection safeguards no weaker than those set forth in this DPA.
Notification of Data Breaches
If a Personal Data Breach occurs, the Processor will notify the Controller within 24 hours of discovery. The notice will include:
- The nature of the breach.
- The categories and approximate number of Data Subjects affected.
- Steps taken to contain and reduce the impact of the breach.
- Measures planned to avoid future incidents.
Audits and Compliance
- The Controller has the right to conduct audits with reasonable prior notice to confirm compliance with this DPA.
- The Processor will provide access to relevant records, policies, and certifications.
Data Retention and Disposal
- Personal Data will be retained only as long as required to fulfill payment processing and legal obligations (including RBI-mandated timelines).
- Upon service termination, the Processor will either securely erase or return all Personal Data unless continued retention is legally required.
Regulatory and Legal Adjustments
The Processor must immediately inform the Controller if any legal or regulatory changes affect its ability to process Personal Data in line with this DPA.
Liability and Indemnification
- Each Party is responsible for damages caused by its breach of this Agreement.
- The Processor shall indemnify the Controller against penalties, claims, or losses resulting from non-compliance with data protection duties.
Governing Law and Jurisdiction
This DPA shall be governed by the laws of India. Any disputes will fall under the exclusive jurisdiction of the courts of India.
Amendments
Any modifications to this Agreement must be in writing and signed by both Parties.
Confirmation
By entering into this DPA, both Parties acknowledge and accept the terms and conditions contained herein.