Data Processing Addendum
We diligently safeguard and protect your valuable data. This commitment is reflected in our comprehensive Data Processing Addendum (DPA), which not only adheres to GDPR standards but also underscores our unwavering dedication to data privacy and security.
Last reviewed on 20th September, 2023
Introduction
This Data Processing Addendum ("DPA") supplements the Terms of Use ("TOU"), as updated from time to time between you (together with subsidiaries and affiliated entities, collectively, "Customer") and OneBanc Technologies Private Limited (together with subsidiaries, collectively, "OneBanc" / "us" / "we") (hereinafter collectively referred to as "Parties" and individually "Party") when the GDPR applies to the Customer's use of our Services. This DPA is effective from the date the Customer agrees with the TOU. If there is any conflict between this DPA and the TOU, to the extent permissible by applicable law, the relevant terms of the TOU shall prevail over this DPA.
Definitions
  • "Account Data" means information about the Customer that the Customer provides in connection with the creation or administration of accounts, such as first and last name, username, and email address of an authorized user or Customer's billing contact. The Customer shall ensure that all Account Data is current and correct at all times during the term of the TOU.
  • "Authorized User" means an individual employee, agent, or contractor of the Customer for whom subscriptions to services have been granted following the terms of the TOU.
  • "Bank" means the banking partners engaged by us.
  • "Customer Credentials" means access passwords, keys, or other credentials used by the Customer in connection with the services.
  • "Customer Data" means any personal data that we process on behalf of the Customer as a data processor while providing our services.
  • "Data Controller" means an entity that determines the purposes and means of the processing of personal data.
  • "Data Processor" means an entity that processes personal data on behalf of a Data Controller.
  • "Data Protection Law" means all data protection and privacy laws and regulations of the EU, EEA, and their member states, applicable to the processing of personal data.
  • "Data Subject" means the identified or identifiable person to whom personal data relates.
  • "EEA" means the European Economic Area, the United Kingdom, and Switzerland.
  • "EU" means the European Union.
  • "GDPR" means
    1. The regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
    2. The (United Kingdom) Data Protection Act, 2018.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR.
  • "Processing" means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. "Process", "Processes" and "Processed" shall be interpreted accordingly.
  • "SCC" means the standard contractual clauses as approved by the European Commission.
  • "Services" means any product or service provided by us according to our TOU.
Scope and Roles
  • We have agreed to enter this DPA based on the Customer's belief that Customer Data may include Personal Data that originates from EU/EEA and/or that is otherwise subject to the GDPR. Accordingly, this DPA supplements the TOU and applies exclusively to our Processing of Customer Data in providing Services under the TOU to the Customer.
  • OneBanc agrees to comply with the following provisions with respect to any Personal Data Processed for the Customer in connection with the provision of the Services.
  • The Parties agree that, regarding the Processing of Personal Data, we act as both Data Controller and Data Processor, acting on behalf of the Customer or the Bank, as further described in Annex 1 ("Details of Data Processing") of this DPA. Each Party will comply with its respective obligations under the Data Protection Law.
Processing of Personal Data
  • We are responsible for the control of Personal Data and must comply with our obligations as a Data Controller under the Data Protection Law, including the justification of any transfer of Customer Data and of our decisions and actions regarding the Processing and use of Personal Data.
  • We agree that we have provided notice and received all consents and rights necessary under the Data Protection Law to Process Customer Data and provide the Services.
Processing of Customer Data
  • By entering this DPA, the Customer instructs us to Process Customer Data to provide the Services in accordance with the features and functionality of the Services.
  • In connection with our delivery of the Services to the Customer, we shall Process certain categories and types of Customer Data, only for the purposes described in this DPA and only in accordance with the Customer's documented lawful instructions, including with regards to transfer of Customer data to a third country or an international organization, unless we are required to do so by EU or Member State of the EU law to which we are subject. In such a case, we shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  • The Parties agree that this DPA sets out the Customer's complete and final instructions to us about the Processing of Customer Data. The Processing outside the scope of these instructions shall require a prior written agreement between Customer and us.
Customer Responsibilities and Restrictions
Without limiting our responsibilities under the TOU, the Customer is solely responsible for:
  • Account Data, Customer Data, and Customer Credentials (including activities conducted with Customer Credentials), subject to our Processing obligations under the TOU and this DPA.
  • Providing any notices required by Data Protection Law to, and receiving any required consents and authorizations required by Data Protection Law from, persons whose Personal Data may be included in Account Data, Customer Data or Customer Credentials.
  • Ensuring no Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing through the Services.
Security
Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity of impact on the rights and freedoms of Data Subject, we shall in relation to Customer Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex 2, "Security Measures"). In assessing the appropriate level of security, we shall consider the risks that are presented by Processing Customer Data including the risks presented by a Customer Data breach (as defined in the Customer Data Breach Management Section).
Sub-Processors
  • The Customer acknowledges and agrees that we may engage third-party sub-processors in connection with the provision of Services, and hereby consents to such engagement. As a condition to permitting a third-party sub-processor to Process Customer Data, we will enter into a written agreement with the sub-processor containing data protection obligations no less protective than those in this DPA with respect to Customer Data. We will restrict our sub-processors' access to only what is necessary to maintain the Services or to provide the Services to Customers. Subject to this Section (Sub-Processors), we reserve the right to engage and substitute sub-processors as we deem appropriate, but shall:
    1. Remain responsible to the Customer for the provision of the Services.
    2. Be liable for the actions and omissions of our sub-processors undertaken in connection with our performance of this DPA to the same extent we would be liable if performing the Services directly.
  • Upon the Customer's request by email to compliance@onebanc.ai, we will provide the Customer with a list of then-current third-party sub-processors and the nature of the services they provide. The Customer may object to any new sub-processor on reasonable legal grounds (the "Objection Notice") relating to the protection of the Customer Data, in which case we shall have the right to satisfy the objection through one of the following:
    1. We will cancel our use of the sub-processor for Customer Data or will offer an alternative to provide the Services without such a sub-processor.
    2. We will take the corrective steps requested by the Customer in its Objection Notice (which removes the Customer's objection) and proceed to use the sub-processor for Customer Data.
    3. We may cease to provide, or the Customer may agree not to use (temporarily or permanently), the aspect of the Services that would involve the use of such sub-processor about Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.
  • All Objection Notices under the above sub-section must be submitted by email to us at compliance@onebanc.ai. If none of the options (1), (2), or (3) outlined in the above sub-section are reasonably available and the Customer's objection has not been resolved to the Parties' mutual satisfaction within 30 days of our receipt of the Objection Notice, either Party may terminate the affected Services and we will refund the service fee to the Customer on a pro-rata basis.
Data Subject Rights
If we receive a request from a Data Subject, we will provide reasonable assistance in addressing the request.
What are your Data Subject Rights?
Access to information: You may request a record of your personal information being processed by us, upon the verification of your identity and other information as per the company's internal policy.
Review, Correct and Rectify Information: You may review, correct, or rectify the inaccurate personal information that is stored with us.
Withdrawing consent:
  • You may withdraw the consent to Processing that you have given us and prevent further Processing of your personal information subject to the terms of this Data Processing Addendum.
  • You may also withhold your consent prior to the collection and Processing of your combined information.
  • You have the right to withdraw your consent at any time by using the "Consent Manager" option on the app.
You can also exercise any of the mentioned rights by submitting a request to compliance@onebanc.ai, and we will respond to the requests in accordance with the applicable laws.
Deletion Upon Expiration
Upon termination of the TOU and/or DPA, we will initiate a process upon the Customer's written request that deletes Customer Data in our possession or control.
Customer Data Breach Management
We will notify the Customer without undue delay, and in any event within such timeline as may be prescribed by the GDPR from time to time, after becoming aware of a Personal Data breach with respect to Customer Data transmitted, stored, or otherwise Processed by us or our sub-processors ("Customer Data Breach"). Such notice may be provided:
  • By posting a notice in the Services.
  • By sending an email to the email address from which the account of Authorized User was created.
  • Pursuant to the notice provisions of the TOU. The Customer shall ensure that its contact information is current and accurate at all times during the term of this DPA.
We will promptly take all actions relating to our security measures (and those of our sub-processors) that we deem necessary and advisable to identify and remediate the cause of the Customer Data Breach. In addition, we will promptly provide the Customer with:
  • Reasonable cooperation and assistance with regard to the Customer Data Breach;
  • Reasonable information in our possession concerning the Customer Data Breach insofar as it affects the Customer, including remediation efforts and any notification to supervisory authorities;
  • To the extent known:
    1. The possible cause of the Customer Data Breach;
    2. The categories of Customer Data involved;
    3. The possible consequences to Data Subjects.
Our notification of or response to a Customer Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Customer Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by the Customer, Authorized Users, or providers of Customer components (such as systems, platforms, services, software, devices, etc.). If the Customer decides to notify a supervisory authority, Data Subject, or the public of a Customer Data Breach, the Customer will provide us with advance copies of the proposed notices and, subject to applicable law (including any mandated deadlines under Data Protection Law), allow us an opportunity to provide any clarifications or corrections to those notices. Subject to applicable law, we will not refer to the Customer in any public filings, notices, or press releases associated with the Customer Data Breach without the Customer's prior consent.
Compliance and Reviews
Upon request, we shall supply, on a confidential basis, a copy of our audit reports (if any) to the Customer, so that the Customer can verify our compliance with the applicable audit standards and this DPA. We shall also provide written responses, on a confidential basis, to all the Customer's reasonable requests for information to confirm our compliance with this DPA.
Impact Assessment and Additional Information
We shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer's obligation under Data Protection Law, to the best of our abilities and as far as our resources allow, including:
  • Conducting a data protection impact assessment related to the Customer's use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to us.
  • Providing reasonable assistance to the Customer in cooperation or prior consultation with the supervisory authority in the performance of our tasks relating to this Section to the extent required by Data Protection Law.
International Transfers
The Customer acknowledges that we may transfer and process Customer Data anywhere in the world where we, our affiliates, or our sub-processors maintain data Processing operations. We shall always ensure that such transfers are made in compliance with the requirements of the Data Protection Law and this DPA. To the extent that we are a recipient of Customer Data protected by Data Protection Law ("EU Data") in a country outside of Europe that is not recognized as providing an adequate level of protection for Personal Data (as described in applicable Data Protection Law), the Parties agree that we shall abide by the GDPR. Sub-processors used by us to process any Customer Data protected by Data Protection Law and/or originating from the EEA, in a country that has not been designated by the European Commission or the Swiss Federal Data Protection Authority (as applicable) as providing adequate protection, will provide an adequate level of protection for Personal Data.
Processing as Controller
We function as a controller as well as a processor with respect to Customer Data. In relation to the Processing of Account Data, we may be considered a controller for certain Processing of Customer Personal Data.
Limitation of Liability
Our aggregate liability, arising out of or in relation to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability provisions of the TOU.
Miscellaneous Provisions
  • Any claims brought under or in connection with this DPA are subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the TOU.
  • No one other than a Party to this DPA, its successors, and permitted assignees shall have any right to enforce any of its terms.
  • Any claims against us under this DPA shall be brought solely by the entity that is a Party to the DPA.
  • This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the TOU unless required otherwise by applicable Data Protection Law.
  • The Customer ensures that the decision to agree with the terms and conditions of this DPA was made lawfully by the Customer.
  • This DPA replaces any previous DPAs concluded between us and the Customer.
  • This DPA comes into force from the day you agreed with our Terms of Use and continues for as long as you are receiving our Services, or from the date on which we started our implementation, that is, 23rd May 2022.
Annex 1
Annexure 1 serves as an essential component of a Data Processing Agreement (DPA), providing a clear and comprehensive overview of how personal data is handled and protected, promoting transparency and compliance with data protection regulations.
Details of Data Processing:
  • Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
  • Duration of Processing: We will Process Customer Data for the duration of the Services, as described in the TOU.
  • Nature of the Processing: We provide usage details.
  • Purpose of the Processing: The purpose of the data processing under this DPA is the provision of the Services.
  • Categories of Data subject: Any individual accessing and/or using the Services through the Customer's account.
Types of Customer Data:
  • Identity and Account Opening Information: Full name(s), title, age, gender, and date of birth.
  • Contact Information: Telephone/mobile number(s), permanent, current, and shipping address, state/city of residence, country, pin code, and email address.
  • Financial Information: Any other information that is required to be collected as per a specific mandate from any bank or as a legal requirement in India.
  • Usage and Technical Information: IP addresses, applications, device or browser type, versions and configurations, operating systems, device brand and model, time zone setting, geo-location information, content, unique identifiers associated with your device(s), the pages that you access on the website(s), apps or platforms, the dates and times that you visit the website, app or platform, and paths taken.
  • Location Information: If you have authorized tracking, it will help us provide you location-based services and protect you against fraud.
The Customer acknowledges that we shall have a right to use and disclose data relating to the operation, support, and/or use of the Services for our legitimate business purposes, such as account management, technical support, product development, or other. To the extent any such data is considered Personal Data under the Data Protection Law, we are the Data Controller of such data and accordingly shall process such data in accordance with our Privacy Policy and Data Protection Law.
The Customer acknowledges that in connection with the performance of the Services, we employ the use of cookies, unique identifiers, web beacons, and similar tracking technologies. We shall maintain appropriate notice, consent, opt-in, and opt-out mechanisms as are required by Data Protection Law to enable us to deploy previously mentioned tracking technologies lawfully on and collect data from the devices of Subscribers.
Annex 2
Annexure 2 in a Data Processing Agreement (DPA) contains specific information related to security measures, including a detailed description of the specific safeguards and measures put in place to ensure the security and protection of personal data.
Security Measures
Our Security Measures as of the date of this DPA:
Data Minimization, Access Control, and Employee Education
  • We collect and Process only the personal data that is necessary for the provision of services.
  • We restrict access to Customer Data to employees with a defined need-to-know or a role requiring such access.
  • Our employees are introduced to best security practices, which allow them to identify a Customer Data Breach and take any actions needed.
Business Continuity
  • We maintain business continuity and backup plans to minimize the loss of service and to comply with applicable laws.
  • The backup plan addresses threats to the Services and any dependencies and has an established procedure for resuming access to, and use of, the Services.
  • The backup plan is assessed at regular intervals.
  • Management meetings regarding the determination of the information security risks arising to us are held annually. The management committee determines the risks, discusses them, and searches for ways to prevent them.
Change Control
  • We maintain policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
  • We undergo a penetration test of our network and Services on a periodic basis. Any vulnerabilities found during this testing will be remediated in accordance with our procedures.
Data Security
  • We maintain technical safeguards and other security measures to ensure the security and confidentiality of Customer Data.
  • We use a data storage center with a location in India.
Encryption and Key Management
  • We maintain policies and procedures for the management of encryption mechanisms and cryptographic keys in our cryptosystem. We ensure security over SSL/TLS and AES256 encryption.
  • We employ encryption at rest and in transit over public networks, as applicable, according to industry-standard practice.
Data Transfer to Sub-Processors
Where sub-processors Process the Personal Data of subscribers, we take steps to ensure that such sub-processors are service providers with whom we have entered a contract that includes terms similar to those of this DPA. We conduct appropriate due diligence on our sub-processors. We ensure security over SSL/TLS and AES256 encryption.
Please email us at compliance@onebanc.ai if you have any questions regarding this addendum.