Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) sets forth a legally binding agreement between Nimbovox Solution, hereinafter referred to as the “Data Processor,” and the party accepting these terms, referred to as the “Data Controller.” It outlines the responsibilities and obligations of the Data Processor in managing Personal Data in relation to the Payment Solution services provided.

Roles of the Parties

The Controller defines the purposes and legal grounds for processing Personal Data and is responsible for ensuring compliance with all applicable data protection laws. The Processor processes Personal Data exclusively based on the Controller’s documented instructions and solely for the purpose of providing Payment Solution services.

Scope of Processing

The Processor will handle Personal Data exclusively for the following purposes:

  • Initiating, authorizing, and settling payment transactions
  • Conducting KYC (Know Your Customer) verification and preventing fraud
  • Authenticating customers, including two-factor authentication (2FA)
  • Generating transaction reports and performing reconciliations
  • Ensuring compliance with regulations set by the RBI, NPCI, and relevant payment network rules

Security Measures

The Processor will implement suitable technical and organizational measures, including:

  • Compliance with PCI DSS standards for the storage, processing, and transmission of cardholder data
  • Encryption of data both in transit and at rest
  • Multi-factor authentication for accessing systems
  • Secure management of cryptographic keys
  • Regular vulnerability assessments and penetration testing

Additionally, the Processor will ensure that its personnel uphold strict confidentiality and receive training on data security best practices.

Data Subject Rights

The Processor will assist the Controller in addressing Data Subject rights as required by applicable laws, including the rights to:

  • Access their personal data
  • Rectify inaccurate or incomplete information
  • Erase personal data
  • Port their data to another service provider
  • Restrict or object to the processing of their data

Subprocessors

The Processor may engage trusted third-party subprocessors to deliver specific services, such as cloud hosting, fraud detection, or analytics. The Processor will ensure that such subprocessors are bound by data protection obligations equivalent to those outlined in this Agreement.

Data Breach Notification

The Processor shall inform the Controller within 24 hours of discovering any Personal Data breach. The notification will include:

  • The nature of the breach
  • The categories and approximate number of affected Data Subjects
  • Actions taken to contain and mitigate the breach
  • Planned measures to prevent future occurrences

Audit & Compliance

The Controller may, with reasonable notice, conduct audits to verify the Processor’s compliance with this DPA. The Processor shall grant access to relevant records, policies, and certifications, including PCI DSS compliance reports.

Data Retention & Deletion

Personal Data will be retained only for as long as necessary to complete payment processing and comply with legal obligations, such as retention periods mandated by the RBI. Upon termination of services, the Processor will securely delete or return all Personal Data, except where retention is required by law.

Legal & Regulatory Changes

The Processor shall promptly notify the Controller of any changes in laws or regulations that impact its ability to process Personal Data in accordance with this Agreement.

Liability & Indemnification

Each Party will be responsible for any damages resulting from its breach of this Agreement. The Processor agrees to indemnify the Controller against any fines, claims, or damages arising from its failure to comply with data protection obligations.

Governing Law & Dispute Resolution

This Agreement shall be governed by the laws of India, and any disputes arising under it shall be subject to the exclusive jurisdiction of Indian courts.

Amendments

Any modifications to this Agreement must be documented in writing and signed by both Parties to be effective.

Acknowledgment and Acceptance

By entering into this Agreement, both Parties acknowledge that they have read, understood, and agree to be bound by the terms set forth in this Data Processing Agreement.