Data Processing Agreement

2.1 Compliance with Laws. Within the scope of this Agreement and the Terms of Use, You will be responsible for complying with all requirements that apply to You under applicable Data Protection Laws with respect to the Processing of Personal Information. In particular, but without prejudice to the generality of the foregoing, You acknowledge and agree that You will be solely responsible for:

1. the accuracy, quality and legality of Personal Information and the means by which You have acquired the same;
2. complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of Personal Information, including obtaining any necessary consents and authorisations (including use for marketing purposes);
3. ensuring You have the right to transfer, or provide access to, the Personal Information to the Data Processor for Processing in accordance with the terms of this Agreement;
4. ensuring that Instructions issued to the Data Processor comply with applicable laws, including Data Protection Laws;
5. complying with all laws (including Data Protection Laws) applicable to any emails or other content created using the services under the Terms of Use, including those relating to obtaining consents where required to send emails, the content of the emails and its email deployment practices. You will inform the Data Processor if You are not able to comply with Your responsibilities under this section or applicable Data Protection Laws.

2.2 Instructions. The Parties agree that the services provided under the Terms of Use, along with the terms of this Agreement, constitute Your complete Instructions to the Data Processor in relation to the Processing of Personal Information, so long as You may provide additional Instructions during Your continued relationship with the Data Processor that are consistent with this Agreement, and the nature and lawful use of the services under the Terms of Use.

2.3 Security. You are responsible for independently determining whether the data security provided for in the Terms of Use and this Agreement adequately meets Your obligations under applicable Data Protection Laws. You are also responsible for Your secure use of the services provided under the Terms of Use, including protecting the security of Personal Information in transit to and from the Data Processor (including to securely backup or encrypt any such Personal Information).

3.1 Compliance with Instructions. The Data Processor will only Process Personal Information for the purposes prescribed in the Privacy Policy and this Agreement, or as otherwise agreed within the scope of Your lawful Instructions, except where and to the extent otherwise required by applicable law. In the event that the Data Processor is required by applicable law to Process Personal Information outside of Your Instructions, the Data Processor shall inform You of that legal requirement before the relevant Processing, to the extent permitted by applicable law. The Data Processor will not be responsible for any compliance with Data Protection Laws that have to be effectuated by You that are not generally applicable to the Data Processor.

3.2 Conflict of Laws. In the event that the Data Processor is unable to Process Personal Information in accordance with the Instructions issued by You due to a legal requirement under any applicable law, the Data Processor will:

1. promptly notify You of that legal requirement to the extent permitted by applicable law; and
2. where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as You issue new Instructions with which the Data Processor is able to comply.

If this provision is invoked, the Data Processor will not be liable to You under the Terms of Use or this Agreement for any failure to perform the services under the Terms of Use until such time as You issue new Instructions with regard to the Processing of Personal Information.

3.3 Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor agrees and undertakes to implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Such measures include but are not limited to:

1. Physical Access Controls — Reasonable measures to prevent physical access, such as secured buildings, to prevent unauthorised persons from gaining access to Personal Information.
2. System Access Controls — Reasonable measures to prevent Personal Information from being used without authorisation. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorisation processes, documented change management processes, and logging of access on several levels.
3. Data Access Controls — Reasonable measures to ensure that Personal Information is accessible and manageable only by properly authorised staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Information to which they have privilege of access, and that Personal Information cannot be read, copied, modified or removed without authorisation in the course of Processing.
4. Transmission Controls — Reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Information by means of data transmission facilities is envisaged so Personal Information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport.
5. Input Controls — Reasonable measures to ensure that it is possible to check and establish whether and by whom Personal Information has been entered into data processing systems, modified or removed. The Data Processor shall ensure that (i) the Personal Information source is under the control of the Data Controller; and (ii) Personal Information integrated into the Data Processor's systems is managed by secured file transfer.

In assessing the appropriate level of security, the Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Information Breach. Notwithstanding any provision to the contrary, the Data Processor may modify or update the security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by such measures.

3.4 Confidentiality. The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Personal Information, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Information, as strictly necessary for the purposes of the Terms of Use, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

3.5 No Sale of Personal Information. The Data Processor shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Information to another business, person, or third party for monetary or other valuable consideration.

3.6 Duration. The duration of the Processing covered by this Agreement shall be in accordance with the duration of the Terms of Use. Personal Information shall be Processed for the term of this Agreement plus the period from expiry of the term of this Agreement until the deletion or return of Personal Information as described below.

3.7 Data Subject Requests. Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws. The Data Processor shall promptly notify the Data Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Information, and shall ensure that it does not respond to that request except on the documented Instructions of the Data Controller or as required by applicable law.

In the event a Data Subject wishes to exercise its data subject rights under applicable Data Protection Law, including but not limited to, a data subject's right of access, correction and/or erasure of its Personal Data in FlexiFunnels' control, the Data Subject can submit such request by contacting FlexiFunnels' Data Protection Officer (DPO) below. Also, for raising concerns and/or any complaints related to the Customer Personal Data, that can be done by contacting the Data Protection Officer below:

3.8 Personal Information Breaches. The Data Processor shall notify You without undue delay after becoming aware of any Personal Information Breach and will provide timely updates and information relating to the Personal Information Breach as it becomes known or reasonably requested by You, providing You with sufficient information to allow You to meet any obligations to report or inform Data Subjects of the Personal Information Breach under the Data Protection Laws. Such notification shall as a minimum:

1. describe the nature of the Personal Information Breach, the categories and approximate numbers of Data Subjects concerned, and the categories and approximate numbers of Personal Information records concerned;
2. communicate the name and contact details of the Data Processor's data protection officer or other relevant contact from whom more information may be obtained;
3. describe the likely consequences of the Personal Information Breach; and
4. describe the measures taken or proposed to be taken to address the Personal Information Breach, including measures to mitigate its possible adverse effects.

The Data Processor shall co-operate with You and take such reasonable commercial steps as are directed by You to assist in the investigation, mitigation and remediation of each such Personal Information Breach.

3.9 Deletion or Return of Personal Data. Subject to Sections 3.9(a) and 3.9(b), the Data Processor will promptly and in any event within 30 days of the date of cessation of any services involving the Processing of Personal Information (the "Cessation Date"), delete all copies of Personal Information.

1. In addition, within 30 days of the Cessation Date, the Data Processor shall return a complete copy of all Personal Information to the Data Controller by secure file transfer in such format as is reasonably notified by the Data Controller, and delete all other copies of Personal Information.
2. The Data Processor may retain Personal Information to the extent required by applicable law and only to the extent and for such period as required by applicable law, always provided that the Data Processor shall ensure the confidentiality of all such Personal Information and shall ensure that such Personal Information is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

The Data Processor shall provide written certification to the Data Controller that it has fully complied with this section within 60 days of the Cessation Date. You may request the deletion or return of Your Personal Information by issuing appropriate Instructions to the Data Processor including a termination of Your account with the Data Processor. The Data Processor's infrastructure Sub-Processors will retain data for 90 days post-termination, after which all Personal Information will be securely deleted.

3.10 Data Protection Impact Assessment. The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Personal Information by the Data Processor and taking into account the nature of the Processing and information available to the Data Processor.

4.1 General Authorisation. The Data Controller hereby grants a general authorisation to the Data Processor to engage Sub-Processors, including affiliate Sub-Processors, to carry out specific Processing activities on behalf of the Data Processor in connection with the services provided under the Terms of Use, subject to the requirements set out in this Section 4.

4.2 The Data Processor maintains a current list of its Sub-Processors as set out below.

The Data Processor shall update such list with any new or replacement Sub-Processors at least 30 days prior to the date such Sub-Processors begin Processing Personal Information. Such updates shall be posted on this page and shall constitute notice to the Data Controller of any new or replacement Sub-Processors.

4.3 Notification of Changes. The Data Processor shall notify You of any intended changes to the list of Sub-Processors through the addition or replacement of Sub-Processors at least 30 days prior to the date such Sub-Processors begin Processing Personal Information, thereby giving You sufficient time to be able to raise any concerns prior to the engagement of such Sub-Processors.

4.4 Objection Rights. The Data Controller shall be deemed to consent to the appointment of any new or replacement Sub-Processor unless the Data Controller provides written notice of objection within 10 days of notification of the new appointment. Time is of the essence with respect to such written objections. Such written objection may only be based upon reasonable grounds related to data protection and must specify such grounds in detail. Upon such objection, the Parties will negotiate a resolution in good faith. If the Data Processor is reasonably able to provide the services without using the Sub-Processor and decides in its discretion to do so, then the Data Controller will have no further rights under this Section 4.4 in respect of the proposed use of the Sub-Processor. If the Data Processor, in its discretion, requires use of the Sub-Processor and is unable to satisfy the Data Controller's objection, then the Data Controller may terminate the affected services under the Terms of Use effective upon the date the Data Processor begins use of such new or replacement Sub-Processor, solely with respect to the services that will use the proposed new Sub-Processor for the Processing of Personal Information.

4.5 Sub-Processor Agreements. The Data Processor undertakes to carry out adequate due diligence before any Sub-Processor first Processes Personal Information, to ensure that the Sub-Processor is capable of providing the level of protection for Personal Information required by this Agreement. The Data Processor shall ensure that its agreement with each Sub-Processor is governed by a written contract that includes terms offering at least the same level of protection for Personal Information as those set out in this Agreement and that meets the requirements of applicable Data Protection Laws. Where Sub-Processors are located outside the country of origin of the Personal Information, the Data Processor shall ensure that appropriate data transfer mechanisms are in place, including Standard Contractual Clauses where required under applicable Data Protection Laws.

4.6 Technical and Organisational Measures. The Data Processor shall ensure that each Sub-Processor implements appropriate technical and organisational measures to protect Personal Information, including physical access controls, system access controls, data access controls, transmission controls, and input controls that are consistent with or equivalent to the measures described in Section 3.3 of this Agreement.

4.7 Liability. The Data Processor shall remain fully responsible for the Sub-Processors' compliance with the obligations of this Agreement and for any acts or omissions of such Sub-Processor that cause a breach of any of the obligations contained in this Agreement.

4.8 Confidentiality of Agreements. You acknowledge that the Data Processor may be restricted from disclosing Sub-Processor agreements in their entirety due to confidentiality obligations, but the Data Processor shall use reasonable efforts to provide (on a confidential basis) all information reasonably requested to demonstrate compliance with this Section 4.

4.9 How to Object. If you wish to object to the engagement of a new or replacement Sub-Processor, please contact us in writing at karthik@flexifunnels.com within 10 days of the update being posted to this page. Your objection must be based on reasonable grounds related to data protection and must specify such grounds in detail.

5.1 You acknowledge and agree that the Data Processor may access and Process Personal Information on a global basis as necessary to provide the services under the Terms of Use in accordance with this Agreement. Wherever Personal Information is transferred outside its country of origin, the Data Processor shall ensure that such transfers are made in compliance with the requirements of Data Protection Laws.

5.2 Where Personal Information is transferred to a country or territory that has not been recognised as providing an adequate level of data protection under applicable Data Protection Laws, the Data Processor shall implement appropriate safeguards, which may include Standard Contractual Clauses as approved by the European Commission or other competent authority, binding corporate rules, or other legally recognised transfer mechanisms.

5.3 The Data Processor shall ensure that all Sub-Processors engaged in the Processing of Personal Information are bound by equivalent data transfer obligations, and that appropriate transfer mechanisms are in place for any onward transfers of Personal Information to Sub-Processors located in third countries.

6.1 Subject to confidentiality obligations set forth in the Terms of Use, the Data Processor shall make available to the Data Controller on request all information reasonably requested and necessary to demonstrate compliance with this Agreement, including the results of any relevant data protection audits conducted by or on behalf of the Data Processor.

6.2 To the extent, and only to the extent, required under applicable Data Protection Law, the Data Processor shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of Personal Information. Such audits shall be limited to the Data Processor's architecture, systems, and procedures relevant to the protection of Personal Information. Before the commencement of such an audit, the Data Controller and the Data Processor will mutually agree on the scope, timing, and duration of the audit. The Data Processor shall have the right to approve or reject, in reasonable good faith, the personnel or auditor conducting any audit. Audits shall be limited to once per calendar year, unless otherwise required by applicable Data Protection Law.

6.3 The Parties further agree that each Party shall make available to the other all information necessary to demonstrate compliance with the obligations contained in this Agreement.

6.4 The Parties agree that each Party shall allow to the other Party an opportunity to cause an inspection of the former Party's premises and facilities where Personal Information is stored or Processed, subject to reasonable prior notice and during normal business hours.

6.5 The Data Processor shall ensure that equivalent audit rights are included in its agreements with Sub-Processors, enabling the Data Processor to verify Sub-Processor compliance with data protection obligations.

7.1 The Parties agree and undertake to duly examine, remain vigilant and notify the other in case a Party becomes aware of the existence of a breach of any obligation contained in any Data Protection Law so as to enable the Parties to cooperate in the rectification and curing of such breach, as well as to report such breach, and to share liability proportionately (where liability cannot be attributed to a single Party).

8.1 Scope. This section shall apply only with respect to European Information.

8.2 Roles of the Parties. When Processing European Information in accordance with Your Instructions, the Parties acknowledge and agree that You are the Data Controller of European Information and the Data Processor is the Processor, as determined under applicable European law.

8.3 Instructions. If the Data Processor is of the opinion that Your Instruction infringes European Data Protection Laws (where applicable), the Data Processor shall inform You without delay.

8.4 Objection to Sub-Processors. The Data Processor shall extend to You the opportunity to object to the engagement of any Sub-Processors on reasonable grounds relating to the protection of Personal Information within 10 days of notifying You of such engagement, in accordance with the procedures set out in Section 4.4 of this Agreement.

8.5 Sub-Processor Agreements. You acknowledge that the Data Processor may be restricted from disclosing Sub-Processor agreements, but the Data Processor shall use reasonable efforts to require any Sub-Processor so appointed to permit to disclose the said agreement to You, and shall provide (on a confidential basis) all information reasonably possible.

8.6 Transfer mechanisms for data transfers. The Data Processor shall not transfer European Information to any country or recipient not recognised as providing an adequate level of protection for Personal Information (within the meaning of applicable European Data Protection Laws), unless such transfer can be shown to be in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Information, to a recipient that has achieved binding corporate rules authorisation in accordance with European Data Protection Laws, or to a recipient that has executed appropriate Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

The Data Processor has entered into Standard Contractual Clauses (Module 2: Controller to Processor) with its infrastructure Sub-Processors, governed by the law of Germany, to ensure that European Information transferred to third countries is afforded an adequate level of protection.

8.7 If for any reason the Data Processor cannot comply with its obligations under this Agreement, and You intend to suspend the transfer of European Information to the Data Processor or terminate this Agreement, You agree to provide the Data Processor with reasonable notice to enable the curing of such non-compliance and You agree to reasonably cooperate with the Data Processor to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If the Data Processor is unable to cure the non-compliance, You may suspend or terminate the service under the Terms of Use without liability to either Party.

9.1 Scope. This section shall apply only with respect to California Personal Information.

9.2 Roles of the Parties. When Processing California Personal Information in accordance with Your Instructions, the Parties acknowledge and agree that You are a Business, and the Data Processor is a Service Provider for the purposes of the CCPA.

9.3 Responsibilities. The Parties agree that the Data Processor shall Process California Personal Information as a Service Provider strictly for the purpose of fulfilling the services under the Terms of Use or as otherwise permitted by the CCPA.

10.1 Scope. This section shall apply only with respect to Personal Information that is subject to the Digital Personal Data Protection Act, 2023 ("DPDPA") and other applicable data protection and privacy laws of India.

10.2 Roles of the Parties. When Processing Personal Information subject to Indian data protection laws in accordance with Your Instructions, the Parties acknowledge and agree that You are the Data Fiduciary (or equivalent role under applicable Indian law) and the Data Processor is the Data Processor acting on Your behalf.

10.3 Compliance. The Data Processor shall Process Personal Information subject to Indian data protection laws in compliance with the DPDPA and any rules or regulations made thereunder, as applicable. The Data Processor shall implement reasonable security safeguards to protect Personal Information from Personal Information Breaches, in accordance with the requirements of applicable Indian data protection laws.

10.4 Data Subject Rights. The Data Processor shall assist the Data Controller in responding to requests from Data Subjects exercising their rights under Indian data protection laws, including the right to access, correction, and erasure of their Personal Information.

10.5 Breach Notification. In the event of a Personal Information Breach affecting Personal Information subject to Indian data protection laws, the Data Processor shall notify the Data Controller without undue delay and shall cooperate with the Data Controller in complying with any breach notification obligations under the DPDPA or other applicable Indian data protection laws.

11.1 Amendments. Notwithstanding anything to the contrary and without prejudice to any of the sections in this Agreement, the Data Processor reserves the right to make any updates and changes to this Agreement. Material changes to this Agreement will be notified through the FlexiFunnels platform or via email.

11.2 Severability. If any individual provisions of this Agreement are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement will not be affected. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

11.3 Limitation of Liability. Each Party and each of their affiliate's liability, taken in aggregate, arising out of or related to this Agreement, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Disclaimer of Liability' section of the Terms of Use and any reference in such section to the liability of a Party means aggregate liability of that Party and all its affiliates under this Agreement.

11.4 Governing Law. This Agreement shall be governed by and construed in accordance with the Governing Law and Jurisdiction clause of the Terms of Use, unless required otherwise by Data Protection Laws.

11.5 Order of Precedence. Nothing in this Agreement reduces the Data Processor's obligations under the Terms of Use in relation to the protection of Personal Information or permits the Data Processor to Process (or permit the Processing of) Personal Information in a manner which is prohibited by the Terms of Use. In the event of any conflict or inconsistency between this Agreement and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses shall prevail. Subject to the foregoing, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including the Terms of Use, the provisions of this Agreement shall prevail with regard to the subject matter of data processing.

11.6 Entire Agreement. This Agreement, together with the Terms of Use, the Privacy Policy, and any Standard Contractual Clauses entered into between the Parties, constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous communications, agreements and understandings (whether written or oral) relating to the same.