
Data Processing Schedule For Vendors

Version 1.0. Last updated on 10 June, 2025

This Data Processing Schedule (“Schedule”) forms an integral part of the Service Agreement (“Agreement”), including any relevant Statement of Work (“SOW”) agreed upon under such Agreement, entered between M2P Entity (as defined below) and any Vendor that processes Personal Data on behalf of the M2P Entity.

This Schedule shall be deemed to be in effect from the same date as the Agreement, or as otherwise agreed between the Parties mutually. In the event of any conflict or inconsistency between the terms of this Schedule and any other provision of the Agreement, the terms of this Schedule shall prevail solely with respect to the subject matter herein.

M2P Entity and Vendor are hereinafter individually referred to as “Party” and collectively as “Parties.”

To the extent the Vendor processes Personal Data on behalf of M2P Entity, the Parties agree to the following:

Definitions

Capitalized terms not otherwise defined herein shall have the meaning set forth in the Schedule or applicable Data Protection laws. The following terms shall have the corresponding meanings assigned to them below:

  1. “Child” is an individual who has not completed the age of eighteen years as per Indian laws.
  2. “Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purpose of this Schedule, any other term used in place of "Controller," shall essentially mean the same as a “Controller.”
  3. “Data Subject” means the individual to whom the Personal Data relates.
  4. “Processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. For the purpose of this Schedule, any other term used in place of "Processor" shall essentially mean the same as a “Processor.”
  5. “Data Protection Board of India” or “DPBI,” is a public authority set up by the Central Government of India to supervise compliance with the DPDPA within processing related to the territory of India.
  6. “Supervisory Authority” means an independent public authority that is established by a Member State.
  7. "Data Transfer" means a transfer of Personal Data from one party to the Data Processor, or between two establishments of the Data Processor, or with a Sub-Data Processor by the Data Processor.
  8. “DPDPA” means the Digital Personal Data Protection Act, 2023, which was enacted on 11th August 2023, an act of the Parliament of India to provide for the processing of digital Personal Data in a manner that recognizes both the right of individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes and for matters connected therewith or incidental thereto.
  9. “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
  11. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  12. "Services" means any Vendor product, service offering, or support service provided to the M2P Entity as described in the Agreement.
  13. “Third Party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
  14. “Other applicable Laws” means any law relating to data protection, privacy, and security applicable to a party in connection with the processing of Personal Data under the DPA, including but not limited to (each as amended or replaced from time to time) (a) EU Data Protection Laws, (b) Digital Personal Data Protection Act, 2023 (“DPDPA”), and any applicable laws worldwide relevant to the Vendor, M2P Entity, Data Processor, Data Fiduciary, or the Third Parties.
  15. “Cross-Border Transfer” means either:
    • processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
    • processing of personal data that takes place in the context of the activities of a single establishment of a controller or processor in the Union, but that substantially affects or is likely to substantially affect data subjects in more than one Member State.
  16. "M2P Entity" refers to any entity within the M2P Group that is receiving Services from the Vendor that involves processing Personal Data, regardless of the nature or duration of the service relationship.
  17. "M2P Group" refers to M2P Solutions Private Limited and its subsidiaries (including any subsidiaries that may be established in the future).
  18. “Model Clauses” means, as applicable:
    • the Standard Contractual Clauses for the transfer of personal data (Decision 2021/914/EU), as they may be amended or replaced from time to time, in respect of transfers from the European Economic Areas (“EEA”) to third countries;
    • the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses or the International Data Transfer Agreement, each as issued under Section 119A of the Data Protection Act 2018 in respect of transfers from the United Kingdom (“UK”) to countries that are not subject to an adequacy decision under the UK GDPR; and/or
    • the Standard Contractual Clauses for the transfer of personal data (Decision 2021/914/EU), as they may be amended or replaced from time to time and as specifically amended for use under the Swiss Federal Data Protection Act by the amendments announced by the Swiss Federal Data Protection and Information Commissioner on 27 August 2021, in respect of transfers from Switzerland to third countries.

Interpretation

In this Schedule, any reference to the "M2P Entity" shall be interpreted to mean one or more specific members of the M2P Group that have entered into the Agreement with the relevant Vendors.

For the purposes of this Schedule, any defined term herein shall supersede any conflicting definition of the same term in the Agreement, to the extent applicable to this Schedule.

Purpose of Processing

The Vendor shall process Personal Data on behalf of and as instructed by M2P Entity for the specific purpose of delivering the agreed-upon services under the Agreement and applicable Statement of Work. Such Processing shall be undertaken only to the extent necessary to fulfill M2P Entity’s business objectives and in compliance with the obligations imposed on M2P Entity under applicable data protection laws. The Vendor shall not Process the Personal Data for any other purpose, including its own purposes, without the prior written authorization of M2P Entity.

Duration of Processing

The Vendor shall process Personal Data for the duration specified in the Agreement unless otherwise agreed in writing by the M2P Entity.

Vendor Obligations

Vendors shall comply with all the requirements of applicable Data Protection Laws. This Schedule is in addition to, and does not relieve, remove, or replace, the party’s obligations under the Data Protection Laws.

The Vendor shall follow written and documented instructions received, including by email, from the M2P Entity, its affiliate, agents, or personnel, with respect to the Processing of Personal Data (each, an “Instruction”).

The Processing described in this Schedule, and the related documentation shall be considered as an instruction from the M2P Entity.

Upon M2P Entity’s request, the Vendor shall provide reasonable assistance to the M2P Entity in relation to the Processing of Personal Data, including support in fulfilling M2P Entity’s obligations under applicable data protection laws and any requirements imposed by competent regulatory authorities in connection with such Processing.

Data Secrecy and Accuracy

To Process the Personal Data, the Vendor shall assign personnel who are:

  1. informed of the confidential nature of the Personal Data,
  2. performing the Services in accordance with the Agreement.

The Vendor shall regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice and shall ensure that all Personal Data is kept strictly confidential. Further, the Vendor shall maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of the Personal Data.

The Vendor shall ensure completeness, accuracy, and consistency of all the Personal Data processed by the Vendor as part of the performance of the services, as specified under the Agreement.

Audit Rights

The Vendor shall maintain records of its security standards. Upon the Data Processor’s request, the Vendor shall provide copies of all relevant data privacy compliance certifications, audit report summaries, and/or other documentation that may be required by the M2P Entity to verify the Vendor's compliance with this Schedule. The Vendor shall further provide written responses to all requests for information made by the M2P Entity, including responses to information security and audit questionnaires, that the M2P Entity at its discretion considers necessary to confirm the Vendor's compliance with this Schedule.

If required under applicable laws, and to the extent required under Applicable Laws, the Vendor shall provide to the M2P Entity or its customers, its internal and external auditors, inspectors and regulators like RBI, NPCI, FIU, etc., that the M2P Entity or its customers may designate in writing, from time to time (each, an “Auditor”) with prior notice, access to such records and other pertinent information, pertaining and relevant to the Vendor's obligations, representations, and performance of obligations under the Agreement and compliance towards the applicable regulations and statutes while performing its obligations under the Schedule. All associated costs of such audit will be borne by the respective entity requested for such audit or dictated by applicable law.

Vendor shall provide reasonable support to the Auditor in providing access to documents, records of transactions, and other necessary information given to, stored, or processed by Vendor, including but not limited to providing access to relevant records and personnel. The Vendor shall reasonably cooperate and assist the Auditor in performing its obligations under applicable laws.

Frequency: The M2P Entity or its customers may conduct audits annually or as deemed necessary based on reasonable cause and required under applicable law.

Audit Results: Following the completion of each audit, Vendor shall promptly receive a written report detailing the findings and recommendations for any necessary corrective actions. The Vendor shall co-operate in good faith with the respective M2P Entity or its customers to correct any practices that are found to be deficient because of any such audit within a reasonable time after receipt of the report from the respective M2P Entity or its customers. The Vendor shall agree to comply with any identified issues and implement the recommended corrective actions within a reasonable time frame as agreed upon by both parties.

Mechanism of Data Transfers

Prior to any transfer of Personal Data outside the European Economic Area (EEA), the United Kingdom (UK), or any other jurisdiction with equivalent Data Transfer restrictions under applicable Data Protection Laws or local legislation of the relevant jurisdiction, the Vendor shall ensure that such transfers comply with the relevant laws. The Vendor shall notify the M2P Entity in writing prior to the transfer, providing details of the transfer, including the destination country and the applicable data transfer mechanism.

In the absence of an adequacy decision under applicable Data Protection Laws, the Vendor shall implement appropriate safeguards, including but not limited to:

  • Execution of the European Commission’s Standard Contractual Clauses (“SCCs”) or
  • the UK International Data Transfer Addendum, as applicable; and/or
  • Implementation of any required supplementary measures to ensure a level of protection essentially equivalent to that guaranteed within the EEA/UK or applicable local legislation of the relevant jurisdiction.

The Vendor shall also ensure that any onward transfers of Personal Data to its Third-Parties or Affiliates located in third countries are subject to appropriate transfer mechanisms, including the incorporation of SCCs or other legally recognized mechanisms, and shall maintain documentation of such safeguards, which shall be made available to the M2P Entity upon request.

Engaging with Third Parties

Vendor may engage Third Parties if:

  1. the M2P Entity has provided its specific written authorization to do so;
  2. Prior to engaging any Third Party, the Vendor shall notify the M2P Entity in writing, specifying the purpose of the engagement and providing relevant details of the Third Party and appointment shall happen only after approval from the M2P Entity. The Vendor shall provide any information reasonably requested by the M2P Entity in connection with the engagement of such Third Parties.
  3. the M2P Entity shall be given an opportunity to approve or object to the appointment of such Third Parties, in accordance with Clause on Notification which is set out below.
  4. Vendors shall enter into a written contract with the Third Parties that imposes the same data protection obligations on them as the ones imposed on the Vendors by this Schedule (in particular, about requiring appropriate technical and organizational data security measures), and, upon written request, provide the M2P Entity with copies of such contracts and any subsequent amendments;
  5. The Vendor remains responsible for all Personal Data it entrusts to the Third Parties and all actions of such Third Parties.

Notification: Before engaging any third party for any services within the scope of the Agreement, the Vendor shall notify M2P Entity in writing, detailing the engagement purpose and providing relevant information about the third party. The M2P Entity reserves the right to object to such an appointment within 15 (fifteen) days. Provided however, if M2P Entity does not communicate the objection, then such appointment of Third Party shall be deemed to be approved by M2P Entity.

Agreed list of Third Parties: Vendor has not engaged any other entity for the Services except those mentioned in the list of Third Parties that the Vendor has shared with the M2P Entity under the Agreement.

Performance: Vendor is responsible for its Third Party’s compliance with the obligations outlined in this Schedule.

Compatible obligations: When engaging any Third Party, the Vendor shall ensure via a written contract that the Third Party may only access and use personal data to deliver the services the Vendor has retained them to provide and is prohibited from using Personal Data for any other purpose. The Vendor shall oversee the Third Party to ensure that these contractual obligations are met.

Damages: Vendor shall be liable for any losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, claims or expenses of whatsoever kind, including reasonable attorneys’ fees, arising out of or resulting from any third party claims against the M2P Entity or its customers due to breach of confidentiality of Personal Data, illegal or unlawful processing of personal data or non-compliance with the technical and organizational measures and information security of Third Parties as provided under the Agreement and this Schedule.

Personal Data Breach Notification

If the Vendor becomes aware of a Personal Data Breach (Breach Incident) leading to any unauthorized processing of Personal Data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to Personal Data, that compromises the confidentiality, integrity, or availability of Personal Data; the Vendor shall maintain defined procedures and must without undue delay and no later than one (1) hour notify the M2P Entity of such Data Breach.

The Vendor shall promptly investigate the Breach Incident and provide the M2P Entity with sufficient information to determine whether the incident involves any Personal Data pertaining to the M2P Entity.

The Vendor shall take reasonable steps to mitigate the effects and minimize any damage resulting from the Data Breach Incident.

The Vendor shall not inform any third party of the Breach Incident without first obtaining the M2P Entity’s prior written consent, except when required to do so by law. The Vendor agrees that the M2P Entity has the sole right to determine:

  1. Whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
  2. Furthermore, the Vendor shall, in the event of a Personal Data Breach:
    • cover all reasonable expenses associated with the performance of its obligations above unless the matter arose from the M2P Entity’s specific instructions;
    • restore Personal Data at its own expense; and
    • reimburse M2P Entity for all expenses incurred in responding to a Breach Incident, to the extent such incident was caused by the Vendor, including but not limited to the costs of notification and any remedial actions.

Data Principal Rights

The Vendor shall promptly notify the M2P Entity upon becoming aware of any of the following:

  • Receipt of a request from a Data Subject to access their Personal Data;
  • Receipt of a request from a Data Subject for the correction or erasure of their Personal Data;
  • Receipt of any complaint or communication relating to either Party’s obligations under applicable Data Protection Legislation;
  • Receipt of a request to nominate a representative under applicable Data Protection law;
  • Receipt of any other request from a Data Subject in relation to the exercise of their rights under other applicable Data Protection laws.

The Vendor shall, upon request, provide reasonable assistance to the M2P Entity in responding to Data Subject requests, in accordance with the requirements of applicable Data Protection Laws.

The Vendor shall be liable to Data Subjects for any financial or non-financial loss suffered as a direct result of the Vendor’s error, negligence, omission, or failure to comply with its obligations under this Agreement, where such failure results in a violation of the Data Subject’s rights or privacy.

Return and Deletion of Personal Data

Where the retention of Personal Data has not been addressed in the Agreement, the Vendor, based on written instructions from relevant M2P Entity, shall delete, destroy, or return all Personal Data to such M2P Entity and destroy or return any existing copies within thirty (30) days from the termination of the Agreement or when relevant M2P Entity specifically requests the Vendor to do so in writing; or the Vendor has otherwise fulfilled all purposes agreed in the context of the Services related to the processing activities where the M2P Entity does not require Vendor to do any further processing. Unless specifically outlined under the Agreement, the Vendor shall not retain Personal Data beyond the term of the Agreement, unless the Vendor is permitted or required by any applicable law to retain such Personal Data.

Certificate of destruction: The Vendor shall, upon the M2P Entity’s request, provide a certificate confirming the destruction of Personal Data. Where the deletion or return of the Personal Data is impossible for any reason, or where backups and/or archived copies have been made of the Personal Data, the Vendor shall retain such Personal Data in compliance with applicable Data Protection Laws.

Third Parties: Upon termination of this Schedule, the Vendor shall promptly inform all engaged Third Parties involved in the Processing of Personal Data and ensure that, at the M2P Entity’s discretion, they either destroy the Personal Data, providing evidence of such destruction, or return the Personal Data to the M2P Entity.

Technical and Organizational Measures

The Vendor shall implement appropriate technical, physical, organizational, and security measures to ensure the security, confidentiality, integrity, availability, and resilience of the systems and services used for processing Personal Data within the scope of the Agreement and this Schedule. Such measures shall protect Personal Data against unauthorized or unlawful access, alteration, deletion, loss, damage, or inaccessibility.

The Vendor shall maintain documented continuity and contingency plans to ensure effective management of significant security incidents. Such documentation shall be made available to the M2P Entity upon request.

The Vendor shall ensure that its personnel receive adequate training to uphold the security and protection of Personal Data processed on behalf of the M2P Entity. Upon request, the Vendor shall provide the M2P Entity with relevant information regarding such training.
