This Data Protection Addendum (“Addendum“) between Socioverse Tech Private Limited and the Customer (as defined in the Agreement) forms part of the Socioverse Tech Private Limited’s Terms of Service set forth or such other written or electronic agreement incorporating this Addendum, in each case governing Customer’s access to and use of the Services (the “Agreement”).
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with the Socioverse Tech Private Limited. For the purposes of this Addendum only, and except where otherwise indicated, references to “Customer” shall include Customer and such Affiliates.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.2 The terms "Data Fiduciary", "Data Principal", "Personal Data", "Personal Data Breach", "Process", "Processor" and “Data Protection Board” have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.
1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.
This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii) Socioverse Tech Private Limited.
The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Data fiduciary and Socioverse Tech Private Limited acts as a Processor (as defined in section 5.2.4 below).
The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Data fiduciary(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Data fiduciary(s) to comply with such Laws.
In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by Socioverse Tech Private Limited pursuant to this Addendum. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.
5.1 Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Socioverse Tech Private Limited of Client Personal Data. Client agrees not to provide Socioverse Tech Private Limited with any data concerning a natural person’s health, religion, biometric or any special categories of data.
5.2 Socioverse Tech Private Limited shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and Socioverse Tech Private Limited shall:
5.2.1 Process the Client Personal Data relating to the categories of Data Principals for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers of Client Personal Data to a third country outside to an international organization; Socioverse Tech Private Limited shall immediately inform Client if, in Socioverse Tech Private Limited’s opinion, an instruction infringes applicable Data Protection Laws;
5.2.2 Ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.2.3 Implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data as per following:
(a) pseudonymization and encryption of Client Personal Data;
(b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data;
(c) restoring availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
(d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data.
Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between Socioverse Tech Private Limited and Client;
5.2.4 Client (on behalf of the relevant Data fiduciary(s), as applicable), hereby expressly and specifically authorizes Socioverse Tech Private Limited to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Annex 2 hereto, subject to Socioverse Tech Private Limited's:
(a)notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing notice of the intended change to Client;
(b)including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and
(c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client Personal Data.
In relation to any notice received the Client shall have a period of 30 (thirty) days from the date of the notice to inform Socioverse Tech Private Limited in writing of any reasonable objection to the use of that Other Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever;
5.2.5 To the extent legally permissible, promptly notify Client of any communication from a Data Principal regarding the Processing of Client Personal Data, or any other communication (including from a Data Protection Board) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Data fiduciary) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Data fiduciary(s)’ obligation to respond to requests for exercising the Data Principal's rights laid down in Chapter III DPDPA; Client agrees to pay Socioverse Tech Private Limited for time and for out of pocket expenses incurred by Socioverse Tech Private Limited in connection with the performance of its obligations under this Section 5.2.5;
5.2.6 Upon Socioverse Tech Private Limited’s becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Data fiduciary) to comply with its obligations under the applicable Data Protection Laws;
5.2.7 To the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates’ or the relevant Data fiduciary(s)’ with its obligations pursuant to Chapter 2 of the DPDPA taking into account the nature of the Processing and information available to Socioverse Tech Private Limited;
5.2.8 Cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at option of Client, Client’s Affiliates or the relevant Data fiduciary(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data Processed by Socioverse Tech Private Limited, unless (and solely to the extent and for such period as) Country law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, Socioverse Tech Private Limited may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms, and
5.2.9 Make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum, the Parties agree that once per year during the term of the Terms, Socioverse Tech Private Limited will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay Socioverse Tech Private Limited for time and for out-of-pocket expenses incurred by Socioverse Tech Private Limited in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.
Socioverse Tech Private Limited is certified by Information Security Management as per ISO 27001:2022. Socioverse Tech Private Limited shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, Socioverse Tech Private Limited will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. Socioverse Tech Private Limited acts as a Processor with respect to Personal Data received pursuant to a data transfer.
In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Data fiduciary(s), as the case may be), if applicable (as "data exporter") and Socioverse Tech Private Limited (as "data importer"), with effect from the commencement of the relevant transfer, shall enter into the Data fiduciary to Processor (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to Socioverse Tech Private Limited, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix 1 to the Data fiduciary to Processor shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Addendum and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Data fiduciary to Processor shall be deemed to be prepopulated with the following "Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of the varying likelihood for the rights and freedoms of natural persons, Socioverse Tech Private Limited shall implement appropriate technical and organizational measures as set forth in the Addendum."
The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.
To the extent permissible by law, Client shall indemnify and hold harmless Socioverse Tech Private Limited against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or iii), suffered by Socioverse Tech Private Limited and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.
The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
The organization ensures that the contract to process Personal data addresses the organization’s role in providing assistance with the customer's obligations.
The Agreement considers the following and follows
a. Privacy by Design and default
b. Achieving Security of Processing
c. Notification of breaches involving Personal data to Data Protection Board
d. Notification of breaches involving Personal data to Customers and Personal data Principals,
e. Conducting Privacy Impact Assessment
f. Assurance of Assistance by the Personal data Processors if prior consultations with relevant Personal data Protection authorities are needed.
g. Socioverse Tech Private Limited shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation.
h. The organization does not use Personal data processed under a contract for the purposes of Marketing and Advertising
i. Coordinate with Clients to help Audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations
j. Socioverse Tech Private Limited shall use AWS as sub processors with Security and Privacy requirements fully filled.
k. The organization shall comply with all statutory and regulatory requirements, as applicable.l
l. The Data shall be deleted, or de-identified after the processing is complete (This is after the retention period selected is complete).
m. Socioverse Tech Private Limited shall inform 24 hours in advance to clients in case of any legally binding requests for disclosure of Personal data.
n. Access, Correction, and/or Erasure of the Personal data of Data Principals can be done by contacting the Data Protection Officer (DPO) below. Also, raising concerns and/or any complaints related with Personal data that can be done by contacting the Data Protection Officer below:
Name: Mukul Bhati
Email ID: dpo[AT]nected.ai
Contact Number: +91 99717-95464
Socioverse Tech Private Limited | Customer: Click or tap here to enter text. |
---|---|
By | |
Print Name: Nected | Print Name: |
Title: Data Protection Officer | Title: |
Date: | Date: |
This Annex includes certain details of the Processing of Client Personal Data as required by DPDPA and, as applicable
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Client's Personal Data are set out in Section 2 of the Terms.
The nature and purpose of the Processing of Personal Data
Due diligence and Background Verification of Organizations and Individuals.
The categories of Data Subject to whom the Client's Personal Data relates
- Employees and Contractors of Clients.
The types of Client Personal Data to be Processed
Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, and Username
Special categories of data
None
The obligations and rights of Client
The obligations and rights of Client are set out in the Terms and this Addendum.
Data exporter (as applicable)
The data exporter is: Client of Socioverse Tech Private Limited that uses the Services
Data importer (as applicable)
The data importer is: a company that provides services to the client, which requires receiving the Client’s query data
Processing operations (as applicable)
The personal data transferred will be subject to the following basic processing activities: The provision of Socioverse Tech Private Limited Limited to Client for Due Dillegence and Background Verification as per Client requirements.
Name of Other Processor | Description of Processing | Location of Other Processor |
---|---|---|
Amazon Web Services | Hosting the Production Environment | Mumbai (India) |