This Data Processing Agreement ("DPA") serves as a binding contractual framework between Celeritar Innovations, hereinafter referred to as the "Data Processor", and the entity agreeing to these terms, hereinafter referred to as the "Data Controller". It outlines the responsibilities of the Processor in relation to handling Personal Data in connection with the provision of payment gateway services.
The Controller is solely responsible for defining the purposes and legal grounds for Processing Personal Data and ensuring compliance with all Applicable Data Protection Laws.
The Processor, on the other hand, shall handle Personal Data exclusively on documented directives received from the Controller, and strictly for delivering payment gateway services as agreed.
The Processor will carry out Processing activities of Personal Data only for the following specific functions:
The Processor commits to adopting and maintaining suitable technical and organizational safeguards, including but not limited to:
Additionally, the Processor will ensure that its staff members are bound by confidentiality obligations and are trained in industry-standard data protection and security practices.
The Processor shall support the Controller in meeting obligations to Data Subjects under applicable laws, including but not limited to the following rights:
The Processor shall not engage any Subprocessor without prior written approval from the Controller. In cases where a Subprocessor is authorized, such entities must be bound through written agreements enforcing data protection duties equivalent to those described in this DPA.
In the event of a Personal Data Breach, the Processor shall notify the Controller within 24 hours of becoming aware of such an incident. The notice must clearly state:
The Controller reserves the right, with reasonable prior notice, to conduct audits of the Processor’s adherence to this DPA. The Processor shall provide access to necessary documents, records, procedures, and certifications (including PCI DSS compliance attestations).
Personal Data shall be stored only for the duration necessary to complete payment processing and to satisfy legal obligations, including RBI-mandated retention timelines. Once services terminate, the Processor shall either return all Personal Data to the Controller or permanently delete it, unless retention is legally required.
The Processor shall immediately notify the Controller if any change in regulation or legal framework affects its ability to process Personal Data under this Agreement in compliance with applicable laws.
Each Party accepts responsibility for losses or damages caused by its own breach of this Agreement. The Processor agrees to indemnify and hold the Controller harmless against any penalties, claims, or losses stemming from failure to adhere to its data protection obligations.
This DPA shall be governed by the laws of India. Any dispute that arises under or in connection with this Agreement shall fall within the exclusive jurisdiction of the courts located in India.
Any modification or amendment to this Agreement must be executed in writing and duly signed by both the Processor and the Controller.
By accepting this Agreement, both the Processor and the Controller confirm their full understanding of and commitment to all the terms and obligations contained in this Data Processing Agreement.