This Data Processing Agreement (“DPA”) sets out a legally binding arrangement between Prismpath Technology, referred to as the “Data Processor,” and the entity agreeing to these terms, referred to as the “Data Controller.” This Agreement governs how the Processor manages Personal Data in connection with the services offered.

Roles and Responsibilities

Data Controller:

  • Determines the purposes and lawful basis for processing Personal Data
  • Ensures compliance with applicable Data Protection Laws

Data Processor:

  • Processes Personal Data strictly in accordance with the Controller’s documented instructions
  • Uses Personal Data solely to deliver our services

Scope of Data Processing

The Processor shall process Personal Data only for the following purposes:

  • Initiating, authorizing, and settling payment transactions
  • Conducting KYC verification and preventing fraudulent activities
  • Authenticating customers, including through two-factor authentication (2FA)
  • Preparing transaction reports and performing reconciliations

Security Measures

The Processor commits to implementing suitable technical and organizational safeguards, including:

  • Encryption of Personal Data both at rest and in transit
  • Multi-factor authentication for system access
  • Secure key management procedures
  • Regular penetration testing and vulnerability assessments

Additionally, the Processor shall:

  • Ensure confidentiality obligations for all personnel
  • Provide staff training on data protection and security best practices

Support for Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject rights under applicable laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to restrict or object to processing

Subprocessors

  • The Processor shall not engage any Subprocessor without the prior written consent of the Controller
  • Any approved Subprocessor must sign agreements ensuring data protection safeguards at least equivalent to those in this DPA

Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller within 24 hours of discovery, including:

  • Nature of the breach
  • Categories and approximate number of affected Data Subjects
  • Steps taken to contain and mitigate the breach
  • Measures planned to prevent recurrence

Audits and Compliance

  • The Controller may conduct audits with reasonable prior notice to confirm compliance with this DPA

Data Retention and Disposal

  • Personal Data will be retained only as long as necessary for payment processing and legal compliance.
  • Upon termination of services, the Processor will securely erase or return all Personal Data unless legal requirements mandate retention

Regulatory and Legal Updates

The Processor shall promptly inform the Controller of any legal or regulatory changes that may affect the ability to process Personal Data in accordance with this DPA.

Liability and Indemnification

  • Each Party is responsible for damages arising from its own breach of this Agreement
  • The Processor shall indemnify the Controller against penalties, claims, or losses resulting from non-compliance with data protection obligations

Governing Law and Jurisdiction

  • This DPA is governed by the laws of India
  • All disputes arising under this Agreement shall fall under the exclusive jurisdiction of Indian courts

Amendments

Any changes to this Agreement must be made in writing and signed by both Parties.

Confirmation

By entering into this DPA, both Parties confirm that they have read, understood, and accepted all terms and conditions outlined herein.