Data Processing Agreement
This Data Processing Agreement (the “Agreement”) is entered into between:
- Customer with agreement having its principal place of business at Customer’s address as per the Agreement and
- Mindscape Computing Pvt Ltd, having its principal place of business at #20, 14th ‘A’ Main, HAL 2nd Stage, Indiranagar, Bengaluru Karnataka 560008.
WHEREAS:
- The Controller acts as the data controller.
- The Processor agrees to process personal data on behalf of the Controller in accordance with this Agreement.
NOW, THEREFORE, the parties agree as follows:
1. DEFINITIONS
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Mindscape Computing (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Customer Personal Data” means any Personal Data provided by or made available by Customer to Mindscape Computing or collected by Mindscape Computing on behalf of Customer which is Processed by Mindscape Computing to perform the Services;
- “Controller to Processor SCCs” means (i) the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission, the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto;
- “Data Protection Laws” means any local, state, or national law regarding the processing of Personal Data applicable to Mindscape Computing in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law;
- “EU Area” means the European Union, European Economic Area, United Kingdom, and Switzerland;
- “EU Area Law” means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 (“EU GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons; (ii) the Data Protection Act 1998 of the United Kingdom and the EU GDPR as saved into United Kingdom Law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); (iv) any other law relating to the data protection, security, or privacy of individuals that applies in the EU Area; or (v) any successor or amendments thereto (including, without limitation, implementation of the EU GDPR by Member States into their national law);
- “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Mindscape Computing;
- “Services” means the services to be supplied by Mindscape Computing to Customer or Customer’s Affiliates pursuant to the Agreement; and
- “Third Country” means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.
2. PROCESSING OF PERSONAL DATA
2.1 The Processor will process personal data on behalf of the Controller in accordance with the terms of this Agreement.
2.2 The subject matter, duration, nature, and purpose of the processing, as well as the type of personal data and categories of data subjects, are detailed in Annex 1 of this Agreement.
2.3 The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization.
3. OBLIGATIONS OF THE PROCESSOR
3.1 The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymization and encryption of personal data;
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
4. SUB-PROCESSING
4.1 The Processor shall not engage another processor without the prior specific or general written authorization of the Controller.
4.2 Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that other processor.
5. DATA SUBJECT RIGHTS
5.1 The Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligations to respond to requests for exercising the data subject’s rights.
6. PERSONAL DATA BREACH
6.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
6.2 The Processor shall assist the Controller in complying with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
7. DATA PROTECTION IMPACT ASSESSMENTS
7.1 The Processor shall provide assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, where necessary.
8. DELETION OR RETURN OF PERSONAL DATA
8.1 At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the personal data.
9. AUDIT AND INSPECTION
9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
10. INTERNATIONAL DATA TRANSFERS
10.1 The Processor shall not transfer personal data from India to a country outside the European Economic Area (EEA) unless it ensures appropriate safeguards as required by the GDPR.
11. TERM AND TERMINATION
11.1 This Agreement shall commence on the date set forth above and continue for as long as the Processor processes personal data on behalf of the Controller.
12. GOVERNING LAW
12.1 This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law.
Annex 1: Description of Processing
- Subject Matter: Retail Information
- Duration: Period as required by Controller
- Nature and Purpose of Processing: For Processing retail business.
- Type of Personal Data: Customer Name, Customer Mobile No, Customer Shipping address.
- Categories of Data Subjects: [List the data subjects]
| Name: | Customer (as defined in the Agreement) |
| Address: | As per the address given in the contract |
| Contact person’s name, position and contact details: | As set forth in the relevant Order Form. |
| Activities relevant to the data transferred under these Clauses: | Recipient of the Services provided by Mindscape in accordance with the Agreement. |
| Signature and date: | Signature and date are set out in the Agreement. |
| Role (controller/processor): | Processor |
Data Importer
| Name: | Mindscape Computing Pvt Ltd |
| Address: | #20, 14th A Main, Indiranagar, HAL 2nd Stage, Bangalore |
| Contact person’s name, position and contact details: | Manoj Nair, CISO, +91 97416 77033, manoj.nair@olabi.in |
| Activities relevant to the data transferred under these Clauses: | Provision of the Services to the Customer in accordance with the Agreement. |
| Signature and date: | Signature and date are set out in the Agreement. |
| Role (controller/processor): | Processor |
2. Competent Supervisory Authority
| Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs) | As determined by application of Clause 13 of the EU SCCs. |
3. Processing Information
| Categories of data subjects whose personal data is transferred | There are no Personal Data Transfers |
| Sensitive personal data transferred | None |
| Frequency of the transfer | None |
| Purpose of the data transfer and further processing | The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms. |
For processing involving California consumers, please select the Business Purpose(s) for Processing Personal Data:
- ☐ N/A
- ☐ Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards
- ☒ Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes
- ☒ Debugging to identify and repair errors that impair existing intended functionality.
- ☐ Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business
- ☒ Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- ☐ Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- ☒ Undertaking internal research for technological development and demonstration.
- ☒ Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
- ☒ To retain and employ another service provider or contractor as a subcontractor where the subcontractor meets the requirements for a service provider or contractor under CCPA.
- ☒ To build or improve the quality of the services it is providing to the business even if this Business Purpose is not specified in the written contract required by CCPA provided that Service Provider does not use the Customer Personal Data to perform Services on behalf of another person.
- ☒ To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, even if this Business Purpose is not specified in the written contract.
List of Sub Processors
The Controller has authorised the use of the following sub-processors:
| Name of the Processor | Description of Processing | Location of Other Processor |
| Amazon Web Services | Hosting the Production Environment | India Center |
Contact Us
For any questions or concerns regarding our Data Processing Agreement, you may contact us using the following details:
Manoj Nair, CISO & DPO
+91 97416 77033
manoj.nair@olabi.in