Introduction

This Data Processing Agreement (“DPA”) sets forth a legally binding arrangement between (Website Name), hereinafter referred to as the “Data Processor,” and the entity agreeing to these terms, hereinafter referred to as the “Data Controller.” It governs the Processor’s handling of Personal Data in connection with the payment gateway services provided.

Roles of the Parties

• The Controller defines the purposes and establishes the legal basis for Processing Personal Data and remains fully responsible for ensuring compliance with all applicable data protection laws.
• The Processor processes Personal Data strictly in accordance with the documented instructions of the Controller and solely for the purpose of delivering payment gateway services.

Scope of Processing

The Processor shall process Personal Data only for the following purposes:

• Initiating, authorizing, and settling payment transactions
• Conducting KYC (Know Your Customer) checks and preventing fraud
• Customer authentication, including two-factor authentication (2FA)
• Transaction reporting and reconciliation
• Ensuring compliance with RBI, NPCI, and relevant payment network requirements

Security Measures

The Processor shall implement appropriate technical and organizational safeguards, including but not limited to:

• PCI DSS compliance for storing, processing, and transmitting cardholder data
• Encryption of data both in transit and at rest
• Multi-factor authentication for access to systems
• Secure key management protocols
• Regular vulnerability testing and penetration assessments

The Processor shall also ensure that its personnel observe strict confidentiality and receive adequate training in data security best practices.

Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests in accordance with applicable laws, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to restrict or object to Processing

Subprocessors

• The Processor shall not appoint or engage any Subprocessor without obtaining prior written approval from the Controller.
• Any authorized Subprocessors must be bound by written contracts imposing data protection obligations that are no less protective than those contained in this DPA.

Data Breach Notification

The Processor shall notify the Controller within 24 hours of becoming aware of any Personal Data Breach. Such notification shall include:

• The nature of the breach
• The categories and approximate number of affected Data Subjects
• Steps taken to contain and mitigate the breach
• Measures planned to prevent recurrence in the future

Audit & Compliance

The Controller may, with reasonable prior notice, conduct an audit of the Processor’s compliance with this DPA. The Processor shall grant access to relevant documents, policies, and certifications, including PCI DSS compliance reports.

Data Retention & Deletion

Personal Data shall be retained only for as long as necessary to complete payment processing and meet legal or regulatory obligations (e.g., RBI-mandated retention periods). Upon termination of services, the Processor shall either securely delete or return all Personal Data, unless continued retention is legally required.

Legal & Regulatory Changes

The Processor shall promptly notify the Controller if any change in law or regulation affects its ability to process Personal Data in accordance with this Agreement.

Liability & Indemnification

Each Party shall be liable for damages resulting from its own breach of this Agreement. The Processor shall indemnify and hold the Controller harmless against any fines, claims, or damages arising from the Processor’s non-compliance with applicable data protection obligations.

Governing Law & Dispute Resolution

This Agreement shall be governed by and interpreted in accordance with the laws of India. Any disputes arising under or in connection with this Agreement shall fall under the exclusive jurisdiction of the courts located in India.

Amendments

Any modification or amendment to this Agreement must be made in writing and duly signed by both Parties.

Acknowledgment and Acceptance

By entering into this Agreement, both Parties confirm their understanding of and agreement to the terms outlined in this Data Processing Agreement.