Data Processing Agreement
This Data Processing Agreement (“DPA”) establishes a legally binding relationship between FINFLAREON, acting as the “Data Processor,” and the entity agreeing to these terms, acting as the “Data Controller.” It governs how the Processor handles Personal Data in relation to the services provided.
Roles and Responsibilities
Data Controller:
- Determines the purposes and lawful basis for processing Personal Data.
- Ensures all processing activities comply with applicable Data Protection Laws.
Data Processor:
- Processes Personal Data strictly according to the Controller’s documented instructions.
- Uses Personal Data solely to deliver the services.
Scope of Data Processing
The Processor will process Personal Data exclusively for:
- Initiating, authorizing, and settling payment transactions
- Conducting KYC verification and preventing fraud
- Authenticating customers, including via two-factor authentication (2FA)
- Preparing transaction reports and performing reconciliations
Security Measures
The Processor commits to implementing appropriate technical and organizational safeguards, including:
- Encryption of Personal Data both at rest and in transit
- Multi-factor authentication for system access
- Secure key management protocols
- Regular penetration testing and vulnerability assessments
Additional Obligations:
- Enforce confidentiality requirements for all personnel
- Provide staff training on data protection and security best practices
Support for Data Subject Rights
The Processor will assist the Controller in enabling Data Subject rights under applicable law, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restrict or object to processing
Subprocessors
- The Processor will not engage any Subprocessor without the prior written consent of the Controller.
- Any approved Subprocessor must enter into agreements guaranteeing data protection safeguards at least equivalent to those in this DPA.
Data Breach Notification
In case of a Personal Data breach, the Processor shall notify the Controller within 24 hours of discovery, including:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Steps taken to contain and mitigate the breach
- Measures planned to prevent recurrence
Audits and Compliance
- The Controller may conduct audits with reasonable notice to verify compliance with this DPA.
- The Processor will provide access to relevant records and policies.
Data Retention and Disposal
- Personal Data will be retained only as long as necessary for payment processing and legal compliance, including RBI-mandated retention periods.
- Upon termination of services, the Processor will securely erase or return all Personal Data unless retention is required by law.
Regulatory and Legal Updates
The Processor will promptly inform the Controller of any legal or regulatory changes that may impact the ability to process Personal Data in compliance with this DPA.
Liability and Indemnification
- Each Party is responsible for any damages resulting from its own breach of this Agreement.
- The Processor shall indemnify the Controller against penalties, claims, or losses resulting from non-compliance with data protection obligations.
Governing Law and Jurisdiction
- This DPA is governed by the laws of India.
- All disputes arising under this Agreement are subject to the exclusive jurisdiction of Indian courts.
Amendments
Any modifications to this Agreement must be made in writing and signed by both Parties.
Confirmation
By entering into this DPA, both Parties confirm that they have read, understood, and accepted all terms and conditions outlined herein.