This Master Data Processing Agreement (“Agreement”) is entered into on this _____ day of _______, 20__ (“Effective Date”)
BETWEEN:
[DATA FIDUCIARY NAME], a company incorporated under the Companies Act, 2013, having its registered office at [Address], represented by its authorized signatory (hereinafter referred to as “Data Fiduciary” or “Controller”, which expression shall, unless repugnant to the context or meaning thereof, include its successors and permitted assigns) of the FIRST PART;
AND
[DATA PROCESSOR NAME], a company incorporated under the Companies Act, 2013, having its registered office at [Address], represented by its authorized signatory (hereinafter referred to as “Data Processor” or “Processor”, which expression shall, unless repugnant to the context or meaning thereof, include its successors and permitted assigns) of the SECOND PART.
The Data Fiduciary and Data Processor shall individually be referred to as “Party” and collectively as “Parties”.
RECITALS
WHEREAS:
A. The Data Fiduciary is engaged in the business of investment management and financial services, operating as a fintech platform providing investment advisory, portfolio management, and related financial services to its customers in India;
B. The Data Fiduciary is registered with the Securities and Exchange Board of India (SEBI) as [Investment Advisor/Portfolio Manager/Other relevant registration] bearing Registration No. [_______];
C. The Data Processor provides [describe services – e.g., technology services, data analytics, customer support, payment processing] to support the Data Fiduciary’s operations;
D. In connection with the services provided under the Principal Services Agreement dated [______] (“Principal Agreement”), the Data Processor processes personal data on behalf of the Data Fiduciary;
E. The Parties wish to ensure compliance with the Digital Personal Data Protection Act, 2023 (“DPDPA”), Information Technology Act, 2000, SEBI regulations, RBI guidelines, and other applicable data protection laws;
NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth, the Parties hereby agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this Agreement, unless the context otherwise requires, the following terms shall have the meanings set forth below:
(a) “Applicable Laws” means all applicable laws, regulations, guidelines, and circulars that govern the processing of personal data and the conduct of financial services in India, including but not limited to the Digital Personal Data Protection Act, 2023 and rules thereunder, Information Technology Act, 2000 and rules thereunder, SEBI (Investment Advisers) Regulations, 2013, SEBI (Portfolio Managers) Regulations, 2020, RBI Master Directions on Digital Payment Security Controls, Prevention of Money Laundering Act, 2002, and any other applicable financial sector regulations as may be amended from time to time;
(b) “Consent” means the free, specific, informed, unconditional, and unambiguous consent given by a Data Principal through clear affirmative action as specified under Section 6 of DPDPA, which signifies agreement to the processing of personal data for specified purposes and includes consent obtained through registered Consent Managers where applicable;
(c) “Data Breach” or “Personal Data Breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data, including but not limited to cyber incidents, system intrusions, unauthorized access by employees or third parties, and physical security breaches;
(d) “Data Principal” means the individual to whom the personal data relates, including but not limited to investors, potential investors, customers of the Data Fiduciary, nominees, authorized representatives, beneficial owners, and related parties whose information is collected for KYC purposes;
(e) “Financial Data” means personal data relating to an individual’s financial information including but not limited to bank account details, demat account information, investment portfolio details, transaction history, income and tax information, credit scores, financial history, investment preferences, risk profiles, and any other financial information processed in connection with the Services;
(f) “KYC Data” means Know Your Customer information required under applicable laws including but not limited to PAN details, Aadhaar information (where permitted by law), identity proofs, address proofs, photographs, signatures, and other documentation required for customer identification and verification under SEBI regulations and Prevention of Money Laundering Act;
(g) “Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of DPDPA;
(h) “Processing” means any wholly or partly automated operation or set of operations performed on digital personal data, including operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction, as defined under Section 2(x) of DPDPA;
(i) “Sensitive Personal Data” means personal data classified as sensitive under Applicable Laws, including passwords, financial information (such as bank account, card and other payment instrument details) and biometric information as enumerated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and any other data so classified under sectoral regulations from time to time, all of which require enhanced protection measures. DPDPA itself does not define a separate category of sensitive personal data; this definition therefore draws on the rules under the Information Technology Act, 2000;
(j) “Services” means the services provided by the Data Processor as specified in Schedule A attached hereto;
(k) “Sub-processor” means any person or entity engaged by the Data Processor to process personal data on behalf of the Data Fiduciary, subject to the prior approval and contractual requirements set forth in this Agreement;
1.2 Interpretation
In this Agreement: (a) references to statutes, regulations, or guidelines include all amendments, modifications, and re-enactments thereof; (b) headings are for convenience only and shall not affect interpretation; (c) schedules and annexures form an integral part of this Agreement; (d) words importing the singular include the plural and vice versa; (e) references to “including” mean “including without limitation”.
2. SCOPE AND NATURE OF PROCESSING
2.1 Authorization and Scope of Processing
The Data Processor is hereby authorized to process personal data solely for the purposes and to the extent necessary for providing the Services under the Principal Agreement. Such processing shall be limited to: (a) the specific purposes detailed in Schedule A; (b) documented instructions provided by the Data Fiduciary in writing or through agreed electronic means; (c) requirements necessary to comply with Applicable Laws, provided the Data Processor informs the Data Fiduciary of such legal requirements before processing unless prohibited by law; (d) the minimum extent necessary for effective delivery of the Services.
2.2 Nature and Categories of Processing Activities
The processing activities authorized under this Agreement encompass the following operations: collection and validation of KYC documentation in accordance with SEBI and RBI guidelines; processing of investment transactions and customer instructions including order placement, modification, and cancellation; maintenance of comprehensive investment records and portfolio data with real-time updates; generation of account statements, regulatory reports, and compliance documentation; provision of customer support and query resolution through authorized channels; conducting risk profiling and suitability assessments as per SEBI requirements; performing data analytics solely for service improvement and regulatory compliance purposes as specifically authorized; and such other activities as may be specified in Schedule A and approved in writing by the Data Fiduciary.
2.3 Categories of Data Principals
The personal data processed under this Agreement relates to the following categories of individuals: retail investors including resident Indians and NRIs; High Net Worth Individuals (HNIs) and Ultra HNIs; potential customers and leads generated through marketing activities; authorized representatives, nominees, and power of attorney holders; beneficial owners and ultimate beneficial owners for KYC purposes; related parties and connected persons as required under regulatory requirements; employees and representatives of corporate clients; and such other categories as may be specified in Schedule A.
2.4 Types and Categories of Personal Data
The Data Processor shall process the following categories of personal data: Identity Data comprising name, date of birth, gender, photograph, signature, and other identification details; Contact Data including residential address, office address, email addresses, phone numbers, and communication preferences; KYC Data encompassing PAN, Aadhaar (where permitted by law), passport details, voter ID, driving license, and other government-issued identification; Financial Data as comprehensively defined in Section 1.1(e); Transaction Data covering investment transactions, payment details, portfolio holdings, and transaction history; Technical Data including IP addresses, login credentials, device information, browser details, and access logs; Risk Profile Data comprising investment objectives, risk tolerance, income levels, net worth, and investment experience; Communication Data including customer service interactions, complaints, feedback, and recorded calls; and any other categories specifically listed in Schedule A.
3. DATA PROCESSOR OBLIGATIONS
3.1 General Processing Obligations
The Data Processor undertakes to process personal data strictly in accordance with the documented instructions from the Data Fiduciary, maintaining complete records of all such instructions and processing activities. The Data Processor shall immediately inform the Data Fiduciary if, in its professional opinion, any instruction infringes Applicable Laws, providing detailed reasoning and alternative approaches where possible. Processing shall be limited to what is necessary, adequate, relevant, and not excessive in relation to the specified purposes. The Data Processor explicitly agrees not to process personal data for its own commercial purposes, for profiling beyond authorized purposes, for sale or disclosure to third parties except as instructed, or for any purpose not explicitly authorized by the Data Fiduciary. The Data Processor shall maintain comprehensive and accurate records of all processing activities in a format that enables audit and review, including processing logs, access records, modification history, and consent records.
3.2 Confidentiality and Personnel Obligations
The Data Processor shall treat all personal data as strictly confidential and shall ensure that all personnel authorized to process personal data are subject to appropriate confidentiality obligations through employment contracts, non-disclosure agreements, or statutory obligations that survive termination of their engagement. The Data Processor shall implement a comprehensive training program ensuring all personnel receive initial and annual refresher training on data protection, information security, and regulatory compliance. Access to personal data shall be restricted based on the principle of least privilege, with role-based access controls, regular access reviews conducted quarterly, immediate revocation upon role change or termination, and documented access matrices. The Data Processor shall maintain a current list of personnel with access to Financial Data and KYC Data, providing updates to the Data Fiduciary within 48 hours of any changes.
3.3 Security Obligations and Measures
The Data Processor shall implement and maintain comprehensive security measures appropriate to the risk and sensitivity of Financial Data, including technical measures such as encryption of Financial Data in transit using TLS 1.2 or higher (with TLS 1.0, TLS 1.1 and SSL disabled) and at rest using AES-256 in an authenticated mode, with encryption keys stored and managed separately from the encrypted data; implementation of multi-factor authentication for all system access with additional authentication for privileged operations; deployment of intrusion detection and prevention systems with 24×7 monitoring; regular security assessments including quarterly vulnerability assessments and annual penetration testing by CERT-In empanelled auditors; and implementation of Security Information and Event Management (SIEM) solutions with real-time alerting. The Data Processor shall comply with internationally recognized standards including ISO/IEC 27001 certification (current edition, presently ISO/IEC 27001:2022) maintained through annual surveillance audits and timely recertification; PCI DSS standards where payment card data is processed; RBI guidelines on the cyber security framework for the financial sector; and SEBI circulars on the cyber security and cyber resilience framework.
3.4 Financial Sector Specific Obligations
Recognizing the sensitive nature of financial services data, the Data Processor shall implement additional sector-specific controls including segregation of client assets data from proprietary data with logical and physical separation; implementation of Chinese walls where required to prevent conflicts of interest; maintenance of complete data integrity for financial transactions with audit trails that cannot be modified or deleted; compliance with SEBI’s Business Continuity Plan (BCP) and Disaster Recovery (DR) requirements with RPO not exceeding 1 hour and RTO not exceeding 4 hours for critical systems; ensuring real-time reconciliation capabilities for financial data with daily reconciliation reports; implementation of maker-checker controls for all critical financial operations with segregation of duties; and maintenance of immutable audit logs for a minimum period of 8 years as per SEBI requirements.
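Clause 3.4 requires audit trails that cannot be modified or deleted, but does not say how either Party can check that property. The following is an added illustration, not part of the Agreement and not code from either Party's systems: a hash-chained audit log in which every entry commits to its predecessor, plus a checkpoint of the log head kept under a key held by the Data Fiduciary (the auditor). The chain alone detects in-place edits, reordering and deletion in the middle of the log; the checkpoint additionally detects truncation of the tail, which a bare hash chain cannot see. The event fields, the maker-checker sample events and the fiduciary-held key are constructed assumptions for illustration.

```python
"""Tamper-evident (hash-chained) audit trail with auditor-held checkpoints.

Added example. Entry layout, event fields and the key-holding arrangement are
assumptions made for illustration, not a specification from the Agreement.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value committed to by the first entry


def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{seq}\n{payload}".encode()).hexdigest()


class HashChainedLog:
    """Append-only log where each entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, record: dict) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> Tuple[int, str]:
        """(entry count, hash of last entry): what the auditor checkpoints."""
        return len(self.entries), (self.entries[-1]["hash"] if self.entries else GENESIS)


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return the seq of the first entry that fails verification, or None if intact.

    Catches edits, reordering and gaps. It cannot catch removal of the tail,
    because a shorter prefix of a valid chain is itself a valid chain.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if e["hash"] != _entry_hash(prev, i, e["record"]):
            return i
        prev = e["hash"]
    return None


def checkpoint(log: HashChainedLog, fiduciary_key: bytes) -> dict:
    """MAC the log head under a key the Data Processor does not hold (assumption)."""
    count, head_hash = log.head()
    tag = hmac.new(fiduciary_key, f"{count}:{head_hash}".encode(), "sha256").hexdigest()
    return {"count": count, "head": head_hash, "tag": tag}


def verify_checkpoint(entries: List[dict], cp: dict, fiduciary_key: bytes) -> bool:
    """True iff the chain is intact and still contains the checkpointed prefix."""
    expected = hmac.new(fiduciary_key, f"{cp['count']}:{cp['head']}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cp["tag"]):
        return False  # the checkpoint record itself was altered
    if verify_chain(entries) is not None:
        return False  # chain broken somewhere
    if cp["count"] == 0:
        return True
    if len(entries) < cp["count"]:
        return False  # tail truncated below the checkpointed length
    return entries[cp["count"] - 1]["hash"] == cp["head"]


# Constructed sample events for a maker-checker flow; not real data.
SAMPLE_EVENTS = [
    {"actor": "maker:u1042", "action": "order.create", "order": "ORD-1", "amount": 250000},
    {"actor": "checker:u2007", "action": "order.approve", "order": "ORD-1"},
    {"actor": "system", "action": "order.execute", "order": "ORD-1"},
]


def demo() -> Tuple[bool, Optional[int], Optional[int], bool]:
    """Build the log, checkpoint it, then simulate an edit and a truncation."""
    log = HashChainedLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    key = b"fiduciary-held-key"  # assumption: held by the auditor, not the processor
    cp = checkpoint(log, key)
    intact = verify_checkpoint(log.entries, cp, key)
    # An insider rewrites the approved amount in place: chain check flags entry 0.
    tampered = json.loads(json.dumps(log.entries))
    tampered[0]["record"]["amount"] = 25000
    edit_at = verify_chain(tampered)
    # The last entry is deleted: chain check passes, checkpoint check fails.
    truncated = log.entries[:-1]
    return intact, edit_at, verify_chain(truncated), verify_checkpoint(truncated, cp, key)


if __name__ == "__main__":
    print(demo())
```

In a live deployment the checkpoint would be taken by the Data Fiduciary (or a write-once store it controls) at the cadence agreed for reconciliation, so that the Data Processor can prove the trail is unchanged without the Fiduciary having to retain a full copy of it.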
4. DATA BREACH MANAGEMENT
4.1 Breach Detection and Initial Notification
The Data Processor shall implement comprehensive breach detection mechanisms including continuous monitoring, anomaly detection, and regular security audits. Upon becoming aware of any actual or suspected personal data breach, the Data Processor shall notify the Data Fiduciary immediately and in no event later than 24 hours through multiple channels: immediate phone notification to the designated emergency contact, followed by email notification to the security team, and formal written notification through the designated portal or communication channel. The initial notification shall include, to the extent known: nature and category of the breach, time and date of occurrence and detection, categories and approximate number of Data Principals affected, categories and approximate volume of personal data affected, immediate steps taken to contain the breach, and contact details of the Data Processor’s incident response team.
4.2 Detailed Breach Response and Investigation
Within 48 hours of the initial notification, the Data Processor shall provide a comprehensive incident report containing: detailed description of the breach including root cause analysis where available; complete timeline of events leading to and following the breach; assessment of likely consequences and potential adverse effects on Data Principals; measures taken or proposed to address the breach and mitigate its possible adverse effects; recommendations for preventing similar breaches; evidence preservation status and forensic analysis findings if available; and any other information required for regulatory notifications. The Data Processor shall immediately implement containment measures, preserve all evidence for investigation and potential legal proceedings, cooperate fully with the Data Fiduciary’s investigation and any regulatory inquiries, and implement all reasonable instructions from the Data Fiduciary for breach mitigation.
4.3 Regulatory Notification Assistance
The Data Processor shall assist the Data Fiduciary in meeting regulatory notification obligations to: the Data Protection Board of India as per DPDPA requirements; SEBI within timeframes specified in applicable circulars; CERT-In within 6 hours of noticing specified cyber incidents, as required by the CERT-In directions of April 2022; RBI for payment-related breaches as per applicable guidelines; and affected Data Principals as required under Applicable Laws. The Data Processor shall not independently notify any Data Principal, regulator, media, or third party about the breach without prior written consent from the Data Fiduciary, except where legally required, in which case the Data Processor shall inform the Data Fiduciary before making such notification unless prohibited by law.
5. DATA PRINCIPAL RIGHTS
5.1 Assistance with Data Principal Rights
The Data Processor shall implement appropriate technical and organizational measures to assist the Data Fiduciary in responding to Data Principal requests for exercising their rights under DPDPA. For the Right to Access (Section 11 DPDPA), the Data Processor shall provide the requested personal data in a commonly used electronic format within 5 business days, include complete transaction history for the requested period, identify all systems where the Data Principal’s data is stored, and provide details of any third parties with whom data has been shared under instruction. For the Right to Correction and Erasure (Section 12 DPDPA), the Data Processor shall implement data corrections within 2 business days of receiving instructions, execute erasure requests where legally permissible and not conflicting with retention obligations, update all connected systems, ensure that corrections or erasures are applied to backups either directly or upon any restoration from backup (so that restored data never reintroduces corrected or erased records), and maintain logs of all correction and erasure activities.
5.2 Consent Management and Withdrawal
The Data Processor shall maintain comprehensive records of consent including date and time of consent, specific purposes for which consent was obtained, mechanism through which consent was obtained, and any conditions or limitations attached to the consent. Upon receiving notice of consent withdrawal, the Data Processor shall cease processing for the relevant purpose within 24 hours, update all systems to reflect the withdrawal, ensure sub-processors are informed and comply with the withdrawal, and retain only such data as required for legal compliance or legitimate purposes. The Data Processor shall support integration with Consent Managers registered with the Data Protection Board of India and facilitate granular consent management allowing Data Principals to provide or withdraw consent for specific purposes independently.
5.3 Grievance Redressal Support
The Data Processor shall support the Data Fiduciary’s grievance redressal mechanism by: providing necessary information and documentation within 3 business days of request; assisting in investigation of complaints related to processing activities; implementing corrective measures as directed by the Data Fiduciary; maintaining detailed logs of all grievances and their resolution; and providing regular reports on grievance patterns and systemic issues identified.
6. SUB-PROCESSING
6.1 Authorization and Approval Process
The Data Processor may engage Sub-processors only with the prior written authorization of the Data Fiduciary. The current list of approved Sub-processors is provided in Schedule C. For any new Sub-processor or replacement of existing Sub-processor, the Data Processor shall provide at least 30 days advance written notice to the Data Fiduciary, including: name and location of the proposed Sub-processor; description of services to be provided; categories of personal data to be processed; security measures and certifications of the Sub-processor; and due diligence report covering technical, financial, and compliance aspects. The Data Fiduciary shall have 15 days to review and may object on reasonable grounds including inadequate security measures, regulatory concerns, reputational risks, or geographical restrictions.
6.2 Sub-processor Contractual Requirements
The Data Processor shall execute comprehensive written agreements with all Sub-processors that impose data protection obligations no less stringent than those contained in this Agreement, including: same level of security measures and confidentiality obligations; requirement to process only on documented instructions from the Data Processor; prohibition on further sub-processing without explicit approval; audit rights for both Data Processor and Data Fiduciary; breach notification obligations with same timelines; assistance with Data Principal rights and regulatory compliance; and return or deletion obligations upon termination. The Data Processor shall ensure Sub-processors maintain all required regulatory registrations and certifications relevant to their processing activities.
6.3 Ongoing Management and Liability
The Data Processor shall conduct initial and annual due diligence on all Sub-processors covering security, compliance, and financial stability. Regular monitoring shall include quarterly review of Sub-processor performance, annual security audits or obtaining third-party audit reports, immediate investigation of any concerns or incidents, and maintenance of complete records of Sub-processor activities. The Data Processor remains fully liable for any acts or omissions of Sub-processors and shall indemnify the Data Fiduciary for any losses arising from Sub-processor failures. Failure to comply with sub-processing requirements shall constitute a material breach entitling the Data Fiduciary to immediate termination.
7. CROSS-BORDER DATA TRANSFERS
7.1 General Transfer Restrictions
Personal data shall not be transferred outside India except as permitted under Section 16 of DPDPA (which permits transfer to any country or territory other than those restricted by notification of the Central Government) and other Applicable Laws. Financial data subject to data localization requirements under SEBI and RBI regulations shall be stored and processed exclusively within India with no exceptions. The Data Processor shall maintain accurate records of data storage locations and ensure no unauthorized cross-border transfers occur through technical controls, policy enforcement, and regular audits.
7.2 Permitted Transfer Mechanisms
For any transfers approved in writing by the Data Fiduciary and permitted under law, the Data Processor shall: execute appropriate transfer agreements (DPDPA does not prescribe a transfer instrument; contractual clauses modelled on Standard Contractual Clauses or Binding Corporate Rules may be used); conduct and document transfer impact assessments evaluating risks and safeguards; implement supplementary measures where base mechanisms are insufficient; maintain detailed transfer logs as specified in Schedule D; ensure receiving entities provide equivalent levels of protection; and obtain explicit consent where required from Data Principals for transfers.
7.3 Transfer Records and Monitoring
The Data Processor shall maintain comprehensive records for each cross-border transfer including: date, time, and purpose of transfer; categories and volume of personal data transferred; identity and location of receiving entity; legal basis and mechanism for transfer; safeguards and supplementary measures applied; and any relevant approvals or authorizations. These records shall be provided to the Data Fiduciary quarterly and upon request, and shall be retained for the longer of 8 years or as required by Applicable Laws.
8. AUDIT AND COMPLIANCE
8.1 Audit Rights and Procedures
The Data Fiduciary shall have comprehensive rights to verify the Data Processor’s compliance through: direct audits conducted by the Data Fiduciary’s internal audit team; third-party audits by qualified independent auditors; review of certifications and attestation reports; on-site inspections of processing facilities; and review of policies, procedures, and documentation. Audits may be conducted annually as per agreed schedule, upon reasonable suspicion of non-compliance, following any security incident, or as required by regulators. The Data Processor shall provide reasonable notice period of 14 days for scheduled audits (waived for cause), access to all relevant systems, records, and personnel, suitable facilities for conducting the audit, and full cooperation including responding to queries and implementing recommendations.
8.2 Compliance Certifications and Reports
The Data Processor shall maintain and provide: annual ISO 27001 certification from accredited certifying bodies; SOC 2 Type II reports covering security, availability, and confidentiality; vulnerability assessment and penetration testing reports conducted quarterly and annually respectively; regulatory compliance certificates as applicable; and quarterly compliance attestations signed by authorized representatives confirming adherence to this Agreement. Additional certifications may be required based on evolving regulatory requirements or industry standards.
8.3 Regulatory Cooperation
The Data Processor shall fully cooperate with regulatory inspections and inquiries from: Data Protection Board of India; SEBI inspection teams and auditors; RBI supervisory reviews; CERT-IN investigations; and any other authorized regulatory bodies. Such cooperation includes providing requested documentation within specified timelines, facilitating interviews with relevant personnel, providing access to systems and facilities as required, implementing regulatory directives and recommendations, and maintaining confidentiality regarding regulatory proceedings as required.
9. DATA RETENTION AND DELETION
9.1 Retention Periods and Requirements
The Data Processor shall retain personal data only for the duration necessary to provide the Services and meet legal obligations. Specific retention periods include: KYC records for 10 years from the end of the business relationship (which exceeds the five-year minimum prescribed under Section 12 of the Prevention of Money Laundering Act, 2002 and the rules thereunder); transaction records for 8 years as per SEBI regulations; audit logs and system logs for 8 years; communication records for 3 years or as specified by regulations; and other records as specified in Schedule A or required by Applicable Laws. The Data Processor shall implement automated retention policies where feasible and conduct annual reviews of retained data to ensure compliance with retention requirements.
9.2 Data Return and Deletion Procedures
Upon termination of this Agreement or upon specific instruction from the Data Fiduciary, the Data Processor shall: return all personal data in the format specified by the Data Fiduciary (structured, commonly used, and machine-readable) within 30 days; provide complete data export including all metadata and associated information; delete all copies including backups, archives, and cached data within 60 days (where backup media cannot be selectively purged, by destroying the corresponding encryption keys or by expiry of the backup rotation within that period); ensure complete deletion from all systems including development and test environments; obtain confirmation from all Sub-processors of data deletion; and provide written certification signed by an authorized officer confirming complete deletion. Data required to be retained by law shall be segregated, access-restricted, and used only for legal compliance purposes.
9.3 Exceptions to Deletion
The Data Processor may retain personal data beyond specified periods only where: required by Applicable Laws with clear legal basis; necessary for establishment, exercise, or defense of legal claims; subject to legal hold or preservation obligations; or specifically instructed by the Data Fiduciary in writing. Such retained data shall be subject to continued security and confidentiality obligations, restricted access on need-to-know basis, and deletion immediately upon expiry of the legal requirement.
10. LIABILITY AND INDEMNIFICATION
10.1 Limitation of Liability
Each Party’s aggregate liability arising out of or in connection with this Agreement shall not exceed the higher of: (a) the total fees paid or payable under the Principal Agreement in the 12 months preceding the incident giving rise to liability; or (b) INR [Amount] (Rupees [Amount in words]). This limitation shall not apply to: breaches of confidentiality obligations; data breaches caused by gross negligence or willful misconduct; regulatory penalties and fines arising from the Data Processor’s non-compliance; indemnification obligations set forth below; claims arising from violation of intellectual property rights; or liability that cannot be limited under Applicable Laws.
10.2 Comprehensive Indemnification
The Data Processor shall indemnify, defend, and hold harmless the Data Fiduciary, its officers, directors, employees, and agents from and against all claims, losses, damages, penalties, costs, and expenses (including reasonable legal fees on an actual basis) arising from or related to: any breach of this Agreement by the Data Processor or its Sub-processors; unauthorized processing or disclosure of personal data; failure to implement or maintain required security measures; non-compliance with Applicable Laws including penalties imposed by the Data Protection Board of India under the Schedule to DPDPA, fines levied by SEBI for data protection violations, penalties from RBI for breach of payment data security, and sanctions from other regulatory bodies; claims by Data Principals for violation of their rights; breach notification and remediation costs including forensic investigation, credit monitoring services, public relations, and legal counsel; and any acts or omissions of Sub-processors engaged by the Data Processor.
10.3 Insurance Requirements
The Data Processor shall obtain and maintain throughout the term of this Agreement: Cyber Liability Insurance with minimum coverage of INR [Amount] per incident and INR [Amount] in aggregate, covering data breach response costs, regulatory fines where insurable, business interruption losses, and third-party claims; Professional Indemnity Insurance with minimum coverage of INR [Amount]; General Liability Insurance as per industry standards; and any additional insurance required under Applicable Laws. Insurance policies shall name the Data Fiduciary as additional insured where applicable, include waiver of subrogation rights against the Data Fiduciary, and be placed with insurers rated A- or better by recognized rating agencies. The Data Processor shall provide certificates of insurance upon request and 30 days notice of any material changes or cancellation.
11. TERM AND TERMINATION
11.1 Term and Duration
This Agreement shall commence on the Effective Date and continue for the duration of the Principal Agreement unless terminated earlier in accordance with this Section. The Agreement shall automatically renew with the Principal Agreement unless either Party provides 90 days written notice of non-renewal. Notwithstanding termination, provisions relating to confidentiality, liability, indemnification, and any other provisions intended to survive shall remain in effect.
11.2 Termination Rights and Grounds
Either Party may terminate this Agreement immediately upon written notice if: the other Party commits a material breach and fails to cure within 15 days of written notice (or immediately for breaches incapable of cure); the other Party suffers a data breach affecting Financial Data or KYC Data; the other Party loses required regulatory licenses or authorizations; the other Party becomes insolvent, files for bankruptcy, or undergoes similar proceedings; termination is required by regulatory order or change in law; or the Principal Agreement is terminated for any reason. The Data Fiduciary additionally may terminate if the Data Processor fails to meet security or audit requirements, engages unauthorized Sub-processors, or transfers data in violation of this Agreement.
11.3 Effects and Consequences of Termination
Upon termination, the Data Processor shall: immediately cease all processing except as required for legal compliance; execute data return and deletion as per Section 9.2; provide all necessary assistance for orderly transition of services including knowledge transfer, documentation handover, and transition support for up to 90 days; maintain confidentiality obligations in perpetuity; cooperate with any ongoing investigations or legal proceedings; and settle all outstanding obligations including penalties or indemnities. The Data Fiduciary shall pay for services rendered until termination date and reasonable transition assistance costs.
12. GOVERNANCE AND COMMUNICATION
12.1 Data Protection Officers and Key Contacts
Each Party shall designate a Data Protection Officer or equivalent contact person responsible for data protection matters. The designated contacts are:
Data Fiduciary DPO: Name: [Name], Designation: [Designation], Email: [Email], Phone: [Phone], Alternate Contact: [Details]
Data Processor DPO: Name: [Name], Designation: [Designation], Email: [Email], Phone: [Phone], Alternate Contact: [Details]
Any changes to designated contacts shall be notified in writing within 48 hours. These contacts shall serve as primary points for all data protection matters, regulatory liaisons, and incident response coordination.
12.2 Governance Committee and Review Mechanisms
The Parties shall establish a Data Protection Governance Committee that meets quarterly or more frequently as needed. The Committee shall: review compliance status and audit findings; assess and address security incidents and near-misses; evaluate new risks and update risk assessments; review and approve new processing activities or significant changes; monitor regulatory developments and ensure ongoing compliance; plan and oversee improvement initiatives; and resolve escalated issues and disputes. Minutes of meetings shall be maintained and action items tracked to completion.
12.3 Communication Protocols
All formal communications under this Agreement shall follow established protocols: routine communications through designated email addresses; urgent matters through specified escalation chains; security incidents through dedicated 24×7 hotlines; and regulatory matters through legal/compliance channels. Response times shall be: immediate for security incidents, within 24 hours for urgent matters, within 3 business days for routine queries, and as specified by regulators for regulatory matters.
13. MISCELLANEOUS PROVISIONS
13.1 Governing Law and Dispute Resolution
This Agreement shall be governed by and construed in accordance with the laws of India without regard to conflict of law principles. Any dispute arising out of or in connection with this Agreement shall first be attempted to be resolved through good faith negotiations between senior management within 30 days. If unresolved, disputes shall be subject to the exclusive jurisdiction of courts in [City], India. Nothing herein shall prevent either Party from seeking injunctive or other equitable relief for breaches of confidentiality or security obligations.
13.2 Amendment and Modification
This Agreement may only be amended or modified through a written instrument signed by duly authorized representatives of both Parties. Amendments required due to changes in Applicable Laws shall be negotiated in good faith and implemented within reasonable timelines. Email confirmations from authorized representatives may be accepted for operational changes not affecting material terms.
13.3 Severability and Waiver
If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The Parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves the original commercial intent. No waiver of any provision shall be effective unless in writing, and no waiver shall constitute a continuing waiver or waiver of any other provision.
13.4 Force Majeure
Neither Party shall be liable for failure or delay in performance due to circumstances beyond reasonable control including natural disasters, war, terrorism, pandemic, or government actions. This exception shall not apply to payment obligations or data protection obligations that can be fulfilled despite force majeure events. The affected Party shall promptly notify the other Party and use best efforts to minimize impact and resume performance.
13.5 Notices
All notices under this Agreement shall be in writing and delivered to the addresses specified in Schedule E through: registered mail or courier with proof of delivery; email with read receipt to designated addresses; or an electronic portal as agreed between the Parties. Notices shall be deemed received upon actual receipt or 3 business days after sending, whichever is earlier.
13.6 Order of Precedence
In case of conflict between documents, the following order of precedence shall apply: (1) Mandatory provisions of Applicable Laws; (2) This Data Processing Agreement; (3) Schedules to this Agreement; (4) Principal Agreement; (5) Any other agreements between the Parties.
13.7 No Third-Party Beneficiaries
This Agreement is for the sole benefit of the Parties and their permitted successors and assigns. Nothing herein shall create or be construed to create any third-party beneficiary rights, except that Data Principals shall have such rights as mandated under DPDPA and other Applicable Laws.
13.8 Entire Agreement
This Agreement, including all Schedules, constitutes the entire agreement between the Parties regarding the processing of personal data and supersedes all prior agreements, understandings, and communications on this subject matter.
EXECUTION
IN WITNESS WHEREOF, the Parties have executed this Agreement through their duly authorized representatives on the date first written above.
For and on behalf of DATA FIDUCIARY:
Name:
Designation:
Date:
Place:
For and on behalf of DATA PROCESSOR:
Name:
Designation:
Date:
Place:
Witness 1:
Name:
Address:
Signature:
Witness 2:
Name:
Address:
Signature:
SCHEDULE A: DESCRIPTION OF PROCESSING
A.1 Subject Matter and Duration of Processing
- Subject Matter: Processing of personal data for investment management and financial services
- Duration: Coterminous with Principal Agreement plus retention periods
- Nature: [Automated/Manual/Hybrid] processing
- Frequency: [Real-time/Batch/Periodic]
A.2 Specific Purposes of Processing
- Customer onboarding including KYC verification and risk profiling
- Investment transaction processing and order management
- Portfolio management, valuation, and reporting
- Regulatory compliance including reporting to SEBI, exchanges, and depositories
- Customer service including query resolution and complaint handling
- Risk management, fraud prevention, and surveillance
- Payment processing and settlement
- Marketing and communication (only with explicit consent)
- Data analytics for service improvement and regulatory compliance
- [Other specific purposes]
A.3 Categories of Personal Data Processed
- Identity Information: Full name, date of birth, gender, father’s/spouse’s name, photograph, signature, specimen signatures
- Government Identifiers: PAN, Aadhaar (where permitted), passport number, voter ID, driving license
- Contact Details: Residential address, office address, correspondence address, email IDs, mobile numbers, landline numbers
- Financial Information: Bank account details, demat account details, trading account information, income details, net worth, tax status
- Investment Data: Portfolio holdings, transaction history, order details, corporate actions, dividend details
- Risk Information: Risk profile, investment objectives, investment experience, suitability assessments
- Technical Data: IP addresses, device IDs, login history, session information, browser details
- Communication Records: Emails, chat transcripts, call recordings, complaints, feedback
A.4 Special Categories of Personal Data
- Financial information requiring enhanced protection
- Biometric data (if applicable)
- Government identifiers
- Password and authentication credentials
A.5 Data Subjects
- Individual investors (resident and NRI)
- HNI and UHNI clients
- Authorized representatives and POA holders
- Nominees and beneficiaries
- Prospective clients
- Corporate client representatives
A.6 Processing Operations
- Collection through digital and physical channels
- Verification and validation
- Storage in encrypted databases
- Analysis and profiling for regulatory compliance
- Transmission to regulatory authorities and market infrastructure institutions
- Generation of reports and statements
- Archival and backup operations
- Deletion and anonymization
A.7 Processing Locations
- Primary Data Center: [Location]
- Disaster Recovery Site: [Location]
- Backup Storage: [Location]
- Cloud Infrastructure (if applicable): [Provider and Region]
SCHEDULE B: TECHNICAL AND ORGANIZATIONAL MEASURES
B.1 Technical Security Measures
1. Access Control Systems
- Multi-factor authentication (MFA) mandatory for all system access
- Biometric authentication for data center access
- Role-based access control (RBAC) with principle of least privilege
- Privileged access management (PAM) solution for administrative access
- Session timeout after 15 minutes of inactivity
- Account lockout after 3 failed login attempts
- Quarterly access reviews and immediate revocation upon termination
2. Data Encryption Standards
- Data at rest: AES-256 encryption for databases and file systems
- Data in transit: TLS 1.2 minimum (TLS 1.3 preferred) for all communications
- Database field-level encryption for sensitive financial data
- Encryption key management using Hardware Security Modules (HSM)
- Annual encryption key rotation
- Secure key storage with split knowledge and dual control
3. Network Security Architecture
- Network segmentation with DMZ for internet-facing systems
- Next-generation firewalls with deep packet inspection
- Intrusion Detection and Prevention Systems (IDS/IPS)
- DDoS protection and mitigation
- Virtual Private Network (VPN) for remote access
- Network access control (NAC) for device authentication
- Regular firewall rule reviews and cleanup
4. Application Security Controls
- Secure coding practices following OWASP guidelines
- Static Application Security Testing (SAST) in development
- Dynamic Application Security Testing (DAST) before production
- Web Application Firewall (WAF) for public-facing applications
- API security with rate limiting and authentication
- Regular security code reviews
- Input validation and output encoding
5. Endpoint Protection
- Enterprise antivirus/anti-malware with real-time scanning
- Endpoint Detection and Response (EDR) solution
- Host-based firewall and intrusion prevention
- Full disk encryption for laptops and workstations
- Mobile Device Management (MDM) for mobile devices
- USB port restrictions and removable media controls
- Automated patch management with monthly cycles
6. Security Monitoring and Logging
- Security Information and Event Management (SIEM) with 24×7 monitoring
- Security Operations Center (SOC) with defined runbooks
- Centralized logging with tamper protection
- Log retention for 8 years per regulatory requirements
- Real-time alerting for security events
- Correlation rules for detecting complex attack patterns
- Regular log reviews and analysis
B.2 Organizational Security Measures
1. Personnel Security
- Background verification including criminal, employment, and education checks
- Signed confidentiality and non-disclosure agreements
- Security awareness training during onboarding
- Annual refresher training on data protection and cyber security
- Specialized training for roles handling financial data
- Clean desk policy enforcement
- Visitor management with escorts in secure areas
2. Physical Security Controls
- Data center with Tier III or higher certification
- Biometric access controls with mantrap entry
- 24×7 CCTV surveillance with 90-day retention
- Security guards and access logs
- Environmental controls (temperature, humidity, fire suppression)
- Redundant power supply with UPS and generators
- Secure disposal of media using DoD 5220.22-M standard
3. Incident Response Framework
- Documented incident response plan with defined roles
- Incident response team with 24×7 availability
- Incident classification and escalation matrix
- Forensic investigation capabilities
- Communication protocols for stakeholder notification
- Post-incident review and lessons learned process
- Regular incident response drills (quarterly)
4. Business Continuity and Disaster Recovery
- Business Continuity Plan (BCP) aligned with ISO 22301
- Disaster Recovery Plan with defined RPO and RTO
- Primary DC to DR site replication (synchronous/asynchronous)
- Regular DR drills (minimum bi-annually)
- Alternate work arrangements for personnel
- Crisis management team and communication plan
- Third-party dependencies mapping and alternatives
5. Vendor and Third-Party Management
- Vendor risk assessment before onboarding
- Security questionnaires and due diligence
- Contractual security requirements
- Right to audit clauses
- Performance monitoring and SLA tracking
- Annual vendor security reviews
- Vendor inventory and criticality classification
6. Compliance and Governance
- Information Security Management System (ISMS) per ISO 27001
- Privacy by Design and Default principles
- Regular compliance assessments
- Internal audit program (annual)
- External audits and certifications
- Policy and procedure framework with annual reviews
- Risk assessment and treatment plans
B.3 Additional Financial Sector Controls
1. Fraud Prevention and Detection
- Real-time transaction monitoring
- Anomaly detection using behavioral analytics
- Fraud detection rules and scenarios
- Customer verification for high-value transactions
- Suspicious transaction reporting mechanisms
- Anti-money laundering (AML) controls
2. Data Integrity Controls
- Maker-checker for critical operations
- Transaction authorization matrix
- Reconciliation controls with exception handling
- Data validation and integrity checks
- Audit trail integrity with hash chains
- Version control for critical data changes
3. Regulatory Compliance Systems
- Automated regulatory reporting
- Compliance monitoring dashboards
- Regulatory change management process
- Documentation management system
- Evidence collection and retention
- Regulatory liaison protocols
SCHEDULE C: APPROVED SUB-PROCESSORS
| Sub-processor Name | Services Provided | Location | Data Categories | Security Certifications | Approval Date |
|---|---|---|---|---|---|
| [Cloud Provider Name] | Cloud Infrastructure | India (Mumbai, Chennai) | All categories | ISO 27001, SOC 2, PCI DSS | [Date] |
| [SMS Gateway Provider] | SMS Notifications | India | Contact data, transaction alerts | ISO 27001 | [Date] |
| [Email Service Provider] | Email Communications | India | Contact data, statements | ISO 27001, SOC 2 | [Date] |
| [Document Management] | KYC Document Storage | India | KYC documents, identity data | ISO 27001 | [Date] |
| [Call Center] | Customer Support | India | Contact data, service requests | ISO 27001, PCI DSS | [Date] |
| [Analytics Provider] | Data Analytics | India | Anonymized transaction data | ISO 27001 | [Date] |
Sub-processor Change Management Process:
- 30-day advance notification for new sub-processors
- Detailed due diligence report provided
- 15-day objection period for Data Fiduciary
- Quarterly review of sub-processor performance
- Annual security assessment updates
- Immediate notification of sub-processor incidents
SCHEDULE D: DATA TRANSFER MECHANISMS
D.1 Cross-Border Transfer Restrictions
Prohibited Transfers (Absolute Restriction):
- Customer financial data
- KYC documentation
- Transaction records
- Investment portfolios
- Payment information
- Any data classified as “Critical” under RBI/SEBI guidelines
Potentially Permitted Transfers (With Approval):
- Anonymized analytical data
- Public information
- Marketing materials (non-personal)
- Technical logs (sanitized)
D.2 Approved Transfer Destinations
Currently, no countries are approved for transfer of personal data. Any future approvals will require:
- Adequacy assessment
- Written approval from Data Fiduciary
- Regulatory no-objection where required
- Additional safeguards implementation
D.3 Transfer Safeguards (If Applicable)
- Standard Contractual Clauses (SCCs) adapted for Indian law
- Binding Corporate Rules (BCRs) where applicable
- Explicit consent from Data Principals
- Encryption during transfer
- Access controls at destination
- Audit rights over foreign processing
D.4 Transfer Documentation Requirements
For any approved transfer, maintain records of:
- Date and time of transfer
- Volume and categories of data
- Purpose and legal basis
- Receiving entity details
- Security measures applied
- Approval documentation
- Data Principal consent (where applicable)
- Return/deletion confirmation
D.5 Data Localization Compliance
Strict compliance with:
- RBI data localization requirements for payment data
- SEBI requirements for securities market data
- IRDAI requirements (if insurance products involved)
- Any sector-specific localization mandates
SCHEDULE E: CONTACT INFORMATION
E.1 Data Fiduciary Contacts
Primary Business Contact:
- Name: [Name]
- Designation: [Designation]
- Email: [email@domain.com]
- Phone: [+91-XX-XXXXXXXX]
- Address: [Complete Address]
Data Protection Officer:
- Name: [Name]
- Email: dpo@[domain.com]
- Phone: [+91-XX-XXXXXXXX]
- Escalation: [Senior Management Contact]
Security Incident Response Team:
- 24×7 Hotline: [+91-XX-XXXXXXXX]
- Email: security@[domain.com]
- Escalation Matrix: [Provide Details]
Legal and Compliance:
- Name: [Name]
- Email: legal@[domain.com]
- Phone: [+91-XX-XXXXXXXX]
Audit and Risk:
- Name: [Name]
- Email: audit@[domain.com]
- Phone: [+91-XX-XXXXXXXX]
E.2 Data Processor Contacts
Primary Business Contact:
- Name: [Name]
- Designation: [Designation]
- Email: [email@domain.com]
- Phone: [+91-XX-XXXXXXXX]
- Address: [Complete Address]
Data Protection Officer:
- Name: [Name]
- Email: dpo@[domain.com]
- Phone: [+91-XX-XXXXXXXX]
- Escalation: [Senior Management Contact]
Security Incident Response Team:
- 24×7 Hotline: [+91-XX-XXXXXXXX]
- Email: security@[domain.com]
- Escalation Matrix: [Provide Details]
Legal and Compliance:
- Name: [Name]
- Email: legal@[domain.com]
- Phone: [+91-XX-XXXXXXXX]
Technical Support:
- Name: [Name]
- Email: support@[domain.com]
- Phone: [+91-XX-XXXXXXXX]
- Escalation: [Technical Manager]
E.3 Regulatory Contacts
SEBI Compliance Officer:
- Name: [Name]
- Email: [email@domain.com]
- Phone: [+91-XX-XXXXXXXX]
CERT-IN Coordinator:
- Name: [Name]
- Email: [email@domain.com]
- Phone: [+91-XX-XXXXXXXX]
E.4 Communication Protocols
Routine Communications:
- Email to designated addresses
- Response time: 3 business days
Urgent Matters:
- Phone call followed by email
- Response time: Within 24 hours
Security Incidents:
- Immediate phone notification to hotline
- Follow-up email within 1 hour
- Detailed report within 24-48 hours
Regulatory Matters:
- Through legal/compliance channels
- Response time: As per regulatory requirements
Service Issues:
- Through designated support channels
- Response time: As per SLA in Principal Agreement
E.5 Notice Addresses
For Data Fiduciary:
- Address: [Complete postal address]
- Attention: [Designation]
- With copy to: Legal Department
For Data Processor:
- Address: [Complete postal address]
- Attention: [Designation]
- With copy to: Legal Department
Electronic Service: Notices may also be served electronically to the designated email addresses with read receipt, provided hard copies are sent for material notices such as termination, breach notifications, or legal proceedings.
[END OF AGREEMENT]
APPENDIX: DOCUMENT CONTROL
| Version | Date | Changes | Approved By |
|---|---|---|---|
| 1.0 | [Date] | Initial Agreement | [Names] |
Next Review Date: [Annual review date]
Document Owner: [Legal/Compliance Department]
Classification: Confidential