Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Master Services Agreement for PortfolioIQ™ and the applicable Order Form(s) between Vy Labs Technologies Private Limited (“Company”) and the customer identified in the Order Form (“Customer”) (together, the “Agreement”). This DPA applies to the Processing of Personal Data by Company on behalf of Customer in connection with the Services. If there is any conflict between this DPA and the Agreement, this DPA will control solely to the extent of such conflict with respect to the Processing of Personal Data.

1. Definitions

Capitalized terms not defined herein shall have the meanings set out in the Agreement.

For purposes of this DPA:

“Applicable Data Protection Law” means GDPR and any other data protection law applicable to the Processing of Personal Data under the Agreement.

“Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, and “Personal Data Breach” have the meanings given in Applicable Data Protection Law.

“EU GDPR” means Regulation (EU) 2016/679.

“Standard Contractual Clauses” or “SCCs” means, if required, the European Commission’s standard contractual clauses for transfers of personal data to processors in third countries.

2. Roles of the Parties

(i). Customer is the Controller and Company is the Processor in respect of Personal Data Processed under the Agreement.

(ii). Customer instructs Company to Process Personal Data solely for the purpose of providing the Services, including the extraction, standardization, storage, and delivery of Processed Data and related support services, as described in the Order Form and this DPA.

(iii). Company shall not Process Personal Data for any purpose other than as set out in the Agreement, this DPA, or Customer’s documented instructions, unless required by law.

(iv). Company may Process de-identified, aggregated, or anonymized data derived from the Services for product improvement, analytics, benchmarking, and service development, provided that such data cannot reasonably identify a Data Subject or Customer and is no longer Personal Data.

3. Details of Processing

The subject matter, duration, nature, and purpose of processing, as well as categories of data subjects and personal data, are described in Annex 1.

4. Customer Instructions

(i). Company shall Process Personal Data only on Customer’s documented instructions, including with regard to transfers of Personal Data, unless required to do otherwise by applicable law. If Company believes an instruction infringes Applicable Data Protection Law, it shall promptly inform Customer.

(ii). Customer is responsible for the accuracy, quality, and lawfulness of the Personal Data it provides to Company and for ensuring that it has all necessary rights, notices, and consents required for Company’s Processing of such Personal Data.

5. Confidentiality

Company shall ensure that persons authorized to Process Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

6. Security

(i). Company shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

(ii). The initial security measures are described in Annex 2 and may be updated from time to time, provided they remain no less protective in substance.

7. Sub-processors

(i). Customer authorizes Company to engage sub-processors necessary to provide the Services, including hosting, infrastructure, storage, support, and related service providers.

(ii). Company shall impose on each sub-processor written data protection obligations no less protective than those in this DPA.

(iii). Company shall remain liable to Customer for the performance of its sub-processors with respect to their Processing of Personal Data.

(iv). Company shall provide Customer with notice of material changes to its sub-processor list by reasonable means. If Customer has a bona fide data protection objection to a new sub-processor, the Parties will work in good faith to resolve it commercially.

8. Assistance

Taking into account the nature of the Processing, Company shall provide reasonable assistance to Customer, to the extent legally required and to the extent reasonably possible, in relation to:

a) Data Subject requests to exercise rights under Applicable Data Protection Law;
b) security of Processing;
c) Personal Data Breach notifications;
d) data protection impact assessments; and
e) consultation with supervisory authorities, where required.

9. Personal Data Breach

Company shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA and shall take reasonable steps to mitigate and remediate the breach. Company’s notification shall include, to the extent known at the time: the nature of the breach, likely consequences, measures taken or proposed, and a contact point for more information.

10. International Transfers

(i). Where Applicable Data Protection Law requires an approved transfer mechanism for an international transfer of Personal Data, the Parties shall implement such mechanism, including the SCCs where appropriate, and Customer appoints Company as a Processor for such transfers to the extent permitted by law.

11. Return and Deletion

(i). At the end of the applicable Services or upon Customer’s written request, Company shall, at Customer’s choice, delete or return Personal Data Processed under this DPA, subject to applicable legal retention requirements.

(ii). Unless required by law to retain it, Company shall delete existing copies of such Personal Data within 15 days after termination or expiry, consistent with the Agreement. Backup copies may persist for a limited period in accordance with ordinary backup retention cycles, provided they are securely isolated and not actively used except for restoration, legal compliance, or security purposes.

12. Audits

(i). Company shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

(ii). Subject to reasonable confidentiality, security, and operational constraints, Company shall allow for and contribute to audits or inspections conducted by Customer or an auditor mandated by Customer, no more than once annually unless a material security incident or regulatory inquiry reasonably requires otherwise.

13. Liability

The Agreement’s limitation of liability and indemnity provisions apply to this DPA to the fullest extent permitted by law, except to the extent mandatory Applicable Data Protection Law requires otherwise.

14. Term

This DPA remains in effect for so long as Company Processes Personal Data on behalf of Customer under the Agreement.

Annexure 1 – Processing Details

Subject matter: Provision of PortfolioIQ services, including receipt of Source Data, extraction and standardization of agreed metrics, generation of Processed Data, and delivery of raw datasets and reports.

Duration: For the term of the applicable Order Form and thereafter until deletion/return under Section 11 of the Agreement.

Nature and purpose of Processing: Collection, hosting, organization, extraction, analysis, standardization, storage, and transmission of customer-provided reports and related data solely to provide the Services.

Categories of Data Subjects: Any individuals whose Personal Data appears in Source Data.

Categories of Personal Data: Any Personal Data included in Source Data or Processed Data, which may include names, contact details, job titles, signatures, identifiers, employment information, company-related performance data, and financial information tied to identifiable persons.

Sensitive data: Not intended to be Processed, unless Customer expressly instructs otherwise in writing and such Processing is lawful.

Annexure 2 – Security Measures

Company shall maintain a risk-based security program appropriate to the Services, which may include:

  • access controls and least-privilege permissions;

  • authentication controls for administrative access;

  • encryption in transit and, where appropriate, at rest;

  • logging and monitoring of relevant system activity;

  • segregation of customer environments or logical access controls;

  • backup and recovery procedures;

  • secure deletion and media handling;

  • vulnerability and patch management;

  • incident response procedures; and

  • personnel confidentiality and security training.