Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms of Service between Bizalys Infosystems Private Limited ("Processor") and the subscribing entity ("Client" or "Data Fiduciary") for processing of Personal Data under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

1. Definitions

Terms defined in the DPDP Act and Terms of Service apply. Additionally:

• Personal Data: Any data about an identifiable individual as defined under DPDP Act
• Data Principal: Individual to whom Personal Data relates
• Processing: Any operation on Personal Data including collection, storage, use, disclosure, and erasure
• Sub-processor: Third party engaged by Processor to process Personal Data

2. Roles and Responsibilities

2.1 Client Role

Client is the Data Fiduciary responsible for:

• Determining purposes of processing
• Obtaining valid consents from Data Principals
• Ensuring lawful basis for processing
• Responding to Data Principal requests

2.2 Processor Role

Bizalys is Data Processor, processing Personal Data only on Client's documented instructions, subject to Bizalys's independent obligations strictly as a Data Processor under applicable law.

3. Processing Details

• Subject Matter: Provision of practice management SaaS services
• Duration: Term of the Services Agreement plus retention period
• Nature: Storage, retrieval, computation, transmission of Client Data
• Categories of Data: As determined by Client (may include contact details, financial records, client information)
• Data Principals: Client's employees, clients, and other individuals whose data is uploaded

4. Processor Obligations

Processor shall:

• Process Personal Data only on Client's documented instructions, unless required by law
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Client in responding to Data Principal requests, within reasonable time as prescribed under applicable law, subject to reasonable administrative effort
• Notify Client of data breaches without undue delay
• Delete or return Personal Data upon termination (after 30-day export period)
• Make available information necessary to demonstrate compliance

5. Client Obligations

Client shall:

• Ensure lawful basis exists for all processing
• Obtain and maintain valid consents where required
• Provide clear instructions for processing
• Fulfill Data Principal rights obligations
• Not upload data that Client is not authorized to process

6. Security Measures

Processor implements reasonable security safeguards including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256), or equivalent industry-accepted standards
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Incident response procedures
• Employee security training

7. Sub-processors

7.1 Authorization

Client authorizes use of sub-processors listed at https://bizalys.com/service-providers (or available upon written request).

7.2 New Sub-processors

Processor will notify Client of new sub-processors with 30 days' notice. Client may object on reasonable grounds. Processor may offer commercially reasonable alternatives or allow termination without penalty.

7.3 Liability

Processor remains liable for sub-processor compliance with this DPA.

8. Data Transfers

Personal Data is primarily stored in India. Cross-border transfers will occur only to jurisdictions permitted under DPDP Act, subject to notifications, directions, or restrictions issued by the Central Government from time to time, with appropriate safeguards.

9. Data Breach Notification

Processor will notify Client of any Personal Data breach without undue delay upon becoming aware. Notification will include: nature of breach, categories of data affected, likely consequences, and measures taken. Processor shall provide necessary information to enable Client's notifications to Data Protection Board and Data Principals as required under DPDP Act. Cooperation in breach response does not constitute admission of liability.

10. Data Principal Requests

Processor will assist Client in responding to Data Principal requests (access, correction, erasure) by providing relevant data and technical capabilities. Processor will redirect any direct requests from Data Principals to Client. Assistance provided within reasonable time as prescribed under applicable law.

11. Audits

Processor will make available information necessary to demonstrate compliance. Client may request third-party audits with reasonable notice (not more than once annually), at Client's expense, subject to confidentiality and security constraints. Processor may provide audit reports, certifications, or summaries in lieu of on-site audits where appropriate.

12. Data Retention and Deletion

Upon termination of Services:

• Client may export data for 30 days
• After export period, Processor will delete Personal Data unless retention required by law, contract, or legal hold
• Deletion includes production systems and backups (backup deletion within 90 days)

13. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, unless otherwise agreed in an Enterprise SLA. Nothing in this DPA excludes liability for willful misconduct or gross negligence.

14. Term

This DPA is effective upon acceptance of Terms of Service and continues until all Personal Data is deleted or returned. Provisions relating to confidentiality, liability, and audit rights survive termination.

15. Governing Law

This DPA is governed by the laws of India. Courts at Nashik, Maharashtra shall have exclusive jurisdiction, subject to arbitration provisions in the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA prevails.

16. Contact

For DPA inquiries, please contact us at: