Data Processing Agreement

This Data Processing Agreement (“DPA”) sets forth a legally binding agreement between Iconcept Contact Solution, hereinafter referred to as the “Data Processor,” and the entity accepting these terms, hereinafter referred to as the “Data Controller.” It governs the Processor’s collection, use, and handling of Personal Data in connection with the payment gateway services provided.

Roles of the Parties

The Data Controller determines the purposes and legal basis for processing Personal Data and remains responsible for ensuring compliance with all applicable data protection laws.

The Data Processor handles Personal Data exclusively based on the Controller’s documented instructions and solely for the purpose of providing payment gateway services.

Scope of Processing

The Data Processor shall handle Personal Data exclusively for the following purposes:

  • Initiation, authorization, and settlement of payment transactions
  • KYC (Know Your Customer) verification and fraud prevention
  • Customer authentication, including two-factor authentication (2FA)
  • Transaction reporting and reconciliation
  • Compliance with RBI, NPCI, and other applicable payment network regulations

Security Measures

The Data Processor shall implement appropriate technical and organizational measures, including:

  • Compliance with security standards for the storage, processing, and transmission of cardholder data
  • Encryption of data both in transit and at rest
  • Multi-factor authentication for system access
  • Secure key management practices
  • Regular vulnerability assessments and penetration testing

The Processor shall also ensure that all personnel maintain strict confidentiality and are trained in data security best practices.

Data Subject Rights

The Data Processor shall assist the Data Controller in addressing Data Subject requests in accordance with applicable laws, including the rights to:

  • Access their personal data
  • Rectify inaccurate or incomplete data
  • Request erasure of their data
  • Port their data to another service
  • Restrict or object to the processing of their data

Subprocessors

The Data Processor shall not engage any subprocessor without the prior written consent of the Data Controller. All approved subprocessors must enter into written agreements that impose data protection obligations equivalent to, or more stringent than, those outlined in this DPA.

Data Breach Notification

The Data Processor shall notify the Data Controller within 24 hours of becoming aware of any Personal Data Breach. The notification shall include:

  • The nature and details of the breach
  • Categories and approximate number of affected Data Subjects
  • Actions taken to contain and mitigate the breach
  • Measures planned to prevent similar breaches in the future

Audit & Compliance

The Data Controller may, with reasonable notice, audit the Data Processor’s compliance with this DPA. The Processor shall grant access to all relevant records, policies, and certifications, including security compliance reports.

Data Retention & Deletion

Personal Data shall be retained only for as long as necessary to facilitate payment processing and comply with legal obligations, including RBI-mandated retention periods. Upon termination of services, the Processor shall securely delete or return all Personal Data unless retention is legally required.

Legal & Regulatory Changes

The Processor shall promptly notify the Controller of any changes in law or regulation that may impact its ability to process Personal Data in accordance with this Agreement.

Liability & Indemnification

Each Party shall be responsible for any damages resulting from a breach of this Agreement. The Processor shall indemnify the Controller against fines, claims, or damages arising from non-compliance with data protection obligations.

Governing Law & Dispute Resolution

This Agreement shall be governed by the laws of India. Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of India.

Amendments

Any modifications to this Agreement must be made in writing and signed by both Parties.

Acknowledgment and Acceptance

By entering into this Agreement, both Parties acknowledge that they have read, understood, and agreed to the terms set forth in this Data Processing Agreement.