Logo
Sign Up

Data Processing Agreement

This Data Processing Agreement ("DPA") serves as a binding contractual framework between ARV Software Solutions, hereinafter referred to as the "Data Processor," and the entity agreeing to these terms, hereinafter referred to as the "Data Controller." It outlines the responsibilities of the Processor in relation to handling Personal Data in connection with the provision of payment Solutions services.

Roles and Responsibilities of the Parties
The Controller is solely responsible for defining the purposes and legal grounds for Processing Personal Data and ensuring compliance with all Applicable Data Protection Laws.

The Processor, on the other hand, shall handle Personal Data exclusively on documented directives received from the Controller, and strictly for delivering payment Solutions services as agreed.

Scope of Processing
The Processor will carry out Processing activities of Personal Data only for the following specific functions:

  • Initiation, authorization, and settlement of payment transactions
  • Execution of KYC (Know Your Customer) procedures and fraud prevention mechanisms
  • Customer authentication, including two-factor authentication (2FA)
  • Preparation of transaction reporting and reconciliation processes

Security Controls
The Processor commits to adopting and maintaining suitable technical and organizational safeguards, including but not limited to:

  • Encryption of Personal Data during transmission and storage
  • Multi-factor authentication to access systems securely
  • Proper key management protocols
  • Routine vulnerability testing and penetration testing

Additionally, the Processor will ensure that its staff members are bound by confidentiality obligations and are trained in industry-standard data protection and security practices.

Data Subject Rights
The Processor shall support the Controller in meeting obligations to Data Subjects under applicable laws, including but not limited to the following rights:

  • Right of access
  • Right of rectification
  • Right of erasure
  • Right to portability of data
  • Right to restrict or object to Processing

Subprocessing
The Processor shall not engage any Subprocessor without prior written approval from the Controller.
In cases where a Subprocessor is authorized, such entities must be bound through written agreements enforcing data protection duties equivalent to those described in this DPA.

Data Breach Notification
In the event of a Personal Data Breach, the Processor shall notify the Controller within 24 hours of becoming aware of such an incident. The notice must clearly state:

  • The nature and scope of the breach
  • Categories and estimated number of impacted Data Subjects
  • Remedial steps undertaken to contain and mitigate the impact
  • Preventive measures to avoid recurrence of similar breaches

Audit and Compliance Rights
The Controller reserves the right, with reasonable prior notice, to conduct audits of the Processor’s adherence to this DPA.

Data Storage, Retention, and Deletion
Personal Data shall be stored only for the duration necessary to complete payment processing and to satisfy legal obligations, including RBI-mandated retention timelines.
Once services terminate, the Processor shall either return all Personal Data to the Controller or permanently delete it, unless retention is legally required.

Regulatory and Legal Developments
The Processor shall immediately notify the Controller if any change in regulation or legal framework affects its ability to process Personal Data under this Agreement in compliance with applicable laws.

Liability and Indemnification
Each Party accepts responsibility for losses or damages caused due to its own breach of this Agreement. The Processor agrees to indemnify and hold the Controller harmless against any penalties, claims, or losses stemming from failure to adhere to its data protection obligations.

Governing Law and Resolution of Disputes
This DPA shall be governed by the laws of India. Any dispute that arises under or in connection with this Agreement shall fall within the exclusive jurisdiction of the courts located in India.

Amendments
Any modification or amendment to this Agreement must be executed in writing and duly signed by both the Processor and the Controller.

Acknowledgment and Consent
By accepting this Agreement, both the Processor and the Controller confirm their full understanding of and commitment to all the terms and obligations contained in this Data Processing Agreement.