Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms a legally binding agreement between Radiantroost It, acting as the Data Processor, and the entity accepting these terms, acting as the Data Controller. This Agreement governs the processing of Personal Data in connection with payment Solution services.
Overview
This DPA defines the rights, responsibilities, and obligations of the Controller and Processor with respect to the processing of Personal Data under applicable data protection laws.
Roles of the Parties
- Data Controller: Determines the purpose and legal basis for processing Personal Data and ensures compliance with applicable data protection laws.
- Data Processor: Processes Personal Data only on documented instructions from the Controller and solely to provide payment Solution services.
Scope of Processing
The Processor shall process Personal Data only for the following purposes:
- Payment transaction initiation, authorization, and settlement
- KYC verification and fraud prevention
- Customer authentication, including two-factor authentication (2FA)
- Transaction reporting, reconciliation, and dispute management
- Compliance with RBI, NPCI, and applicable payment network regulations
Security Measures
- Encryption of data in transit and at rest
- Multi-factor authentication for system access
- Secure cryptographic key management
- Regular vulnerability assessments and penetration testing
All personnel handling Personal Data are bound by confidentiality obligations and trained in information security best practices.
Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests, including rights to:
- Access
- Rectification
- Erasure
- Data portability
- Restriction of or objection to processing
Subprocessors
The Processor shall not appoint Subprocessors without prior written consent from the Controller.
Approved Subprocessors must be bound by written agreements that provide data protection standards no less protective than this DPA.
Data Breach Notification
The Processor shall notify the Controller within 24 hours of becoming aware of any Personal Data breach. Notifications shall include:
- The nature of the breach
- Categories and approximate number of affected Data Subjects
- Mitigation and containment steps taken
- Measures planned to prevent future breaches
Audit & Compliance
Upon reasonable notice, the Controller may audit the Processor’s compliance with this Agreement. The Processor shall provide access to relevant records, policies, and certifications.
Data Retention & Deletion
Personal Data shall be retained only as long as necessary for payment processing and legal compliance, including RBI-mandated retention requirements.
Upon termination of services, Personal Data shall be securely deleted or returned unless retention is required by law.
Legal & Regulatory Changes
The Processor shall promptly notify the Controller of any legal or regulatory changes that may impact compliance with this Agreement.
Liability & Indemnification
Each Party is responsible for damages resulting from its own breach. The Processor shall indemnify the Controller against fines, claims, or losses arising from non-compliance with data protection obligations.
Governing Law & Jurisdiction
This Agreement is governed by the laws of India. All disputes shall be subject to the exclusive jurisdiction of Indian courts.
Amendments
Any amendments to this Agreement must be made in writing and signed by both Parties.
Acknowledgment and Acceptance
By entering into this Agreement, both Parties acknowledge that they have read, understood, and agreed to the terms of this Data Processing Agreement.