DATA PROCESSING ADDENDUM

Updated July, 2023

 

This Data Processing Addendum, including the Standard Contractual Clauses and UK Addendum referenced herein and Exhibits  A and B to this addendum (“DPA”), is incorporated into any existing and currently valid Master Services Agreement or Terms of Use (the “Agreement”) either previously or concurrently made between you (together, with any subsidiaries and affiliated entities, collectively, “Member”) and India USA Partnership™️ Foundation & Bharat USA Foundation NON-PROFIT (together, with any subsidiaries and affiliated entities, collectively “IUP” or “Processor”) and sets forth additiona™️l terms that apply to the extent any information you provide to IUP pursuant to the Agreement includes Personal Data (as defined below). This DPA is effective as set forth in IUP's Terms of Use.

​

1.0 Defined Terms. The following definitions are used in this DPA

​

1.1 “Authorized Personnel” means (a) IUP's employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable services; and (b) IUP’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable IUP to perform its obligations under the Agreement and this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.

 

1.2 “CCPA” means the California Consumer Privacy Act California Consumer Privacy Act of 2018, Cal. Civ. Code § [1798.100 - 1798.199.100]​​) ]as amended, including by the California Privacy Rights Act of 2020 and its implementing regulations.

​

1.3 "Member Data" means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by you or on your behalf as a Member or a user through the Services or by or on behalf of your prospects, Members or other end users of the Services who access the Services for purposes of interacting with you and your users. 

 

1.4 “Data Protection Laws” means all applicable federal, state, and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, all as amended from time to time, including, without limitation, the EU Data Protection Laws, UK Data Protection Laws, the Swiss Data Protection Laws, the CCPA, the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), and the Utah Consumer Privacy Act (“UCPA”) but excluding, without limitation, consent decrees. 

 

1.5 “Data Subject” means the individual or consumer to whom Personal Data relates. 

 

1.6 "EU Data Protection Laws” means GDPR together with any applicable implementing legislation or regulations, as well as European Union or Member State laws, as amended from time to time. 

 

1.7 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.) 

 

1.8 “Personal Data” means any Member Data relating to an identified or identifiable natural person that is Processed by IUP on behalf of Member in connection with providing the Services to Member, when such information is protected as “personal data” or “personal information” or a similar term under Data Protection Law(s).  

 

1.9 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. 

 

1.10 “Security Breach” means a confirmed breach of IUP’s information security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data covered by this DPA.

 

1.11 "Services” means the services provided by IUP to you under the Agreement. 

 

1.12 “Standard Contractual Clauses” of “SCCs” means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e. 

 

1.13 “Swiss Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in Switzerland, including the Federal Act on Data Protection of June 19, 1992 and its ordinances, and, once it entered into force, in accordance with Article 16 paragraph 2 letter d of the future revised Swiss Federal Act on Data Protection dated 25 September 2020 (collectively, “FADP”). 

 

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “SCCs” defined above) issued by the Commissioner under S119A(1) Data Protection Act 2018, Version B1.0, in force 21 March 2022 and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. 

​

​“UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the United Kingdom GDPR and the Data Protection Act 2018.   

​

​“UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.   

​

​he terms “Processor” and “Controller”, shall have the meanings given to them under the applicable Data Protection Law. Any capitalized terms herein that are not defined in this DPA shall have the meanings associated with them in the Agreement, and are hereby adopted by reference in this Addendum.   

 

2.0 Processing and Transfer of Personal Data

​

2.1Member Obligations. Member is the Controller of Personal Data and shall (a) determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement; (b) be responsible for the accuracy of Personal Data; and (c) comply with its obligations under Data Protection Laws, including, when applicable, ensuring Member has a lawful basis to collect Personal Data, providing Data Subjects with any required notices, and/or obtaining the Data Subject’s consent to process the Personal Data.

 

2.2 IUP Obligations. IUP is the Processor of Personal Data and shall (a) Process Personal Data on Member’s behalf in accordance with Member’s written instructions (unless waived in a written requirement) provided during the term of this DPA, and (b) comply with its obligations under Data Protection Laws. A description of the processing of Personal Data intended to be carried out under this DPA is set out in Annex 1 of Exhibit A attached hereto. The parties agree that the Agreement, including this DPA, together with Member’s use of the Services in compliance with the Agreement, constitute Member’s complete and final written instructions to IUP in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Member and IUP. In the event IUP reasonably believes there is a conflict with any Data Protection Law and Member’s instructions, IUP will inform Member promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.

 

2.3 Data Use. IUP shall not use of Personal Data, except for usage of Personal Data pursuant to Member’s instructions, and as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Data Protection Laws.

 

2.4 Location of Processing. The parties acknowledge and agree that Processing of Personal Data will occur in the United States and perhaps in other jurisdictions outside the residence of a Data Subject and Member shall comply with all notice and consent requirements for such transfer and processing to the extent required by Data Protection Laws.

 

2.5 Return or Destruction of Data. IUP shall return or securely destroy Personal Data, in accordance with Member’s instructions, upon Member’s request or upon termination of Member’s account(s) unless Personal Data must be retained to comply with applicable law.

​

3.0 EU, Swiss and United Kingdom Data Protection Laws.

 

This Section 3 shall apply with respect to Processing of Personal Data when such Processing is subject to the EU Data Protection Laws, Swiss Data Protection Laws, or UK Data Protection Laws.

 

1. Transfers of Personal Data. Member acknowledges and agrees that IUP is located in the United States and that Member’s provision of Personal Data from the European Economic Area  (“EU”), Switzerland, or the United Kingdom to IUP for Processing is a transfer of Personal Data to the United States. All transfers of Member Personal Data out of the EU (“EU Personal Data”), Switzerland (“Swiss Personal Data”), or the United Kingdom (“UK Personal Data”) to the United States shall be governed by the Standard Contractual Clauses, and the UK Addendum as applicable, as follows:

2. For such transfers of EU Personal Data or transfers containing Swiss Personal Data that are subject to both EU Data Protection Laws and Swiss Data Protection Laws (in this latter case, the parties shall adopt the GDPR standard for all data transfers), Module 2 of the SCCs for Controller to Processor transfers, together with Annexes  set out in Exhibit A to this DPA, shall apply and are incorporated into this DPA, and the parties agree that the following terms apply: (a) Clause 7 shall not apply; (b) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (c) the optional language in Clause 11(a) shall not apply; (d) the governing law shall be that of Ireland in Clause 17; (e) disputes shall be resolved by the courts of Ireland in Clause 18; and (f) the annexes are completed in Exhibit A to this DPA. 

3. For such transfers of only Swiss Personal Data, Module 2 of the SCCs for Controller to Processor transfers, together with Annexes set out in Exhibit A to this DPA, shall apply and are incorporated into this DPA, and the parties agree that the following terms apply: (a) Clause 7 shall not apply; (b) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (c) the optional language in Clause 11(a) shall not apply; (d) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; (e) the governing law shall be that of Switzerland in Clause 17 ; (e) disputes shall be resolved by the courts of Switzerland  in Clause 18; (f) the annexes are completed in Exhibit A to this DPA and (g) any references to the GDPR are to be understood as references to the FADP. 

4. For transfers of Swiss Personal Data subject to Sections 3.1.a. and 3.1.b of this DPA, the term 'member state' shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18c. ​ 

5. For such transfers of UK Personal Data, Module 2 of the SCCs shall apply as set forth in subsection 3.1.a. above, and the UK Addendum as set out in Exhibit B to this DPA shall apply and is incorporated into this DPA.

6. GDPR and UK GDPR Obligations. IUP shall: (a) assist Member, to a reasonable extent, in complying with its obligations with respect to EU Personal Data pursuant to Articles 32 to 36 of GDPR(or their equivalent under UK Data Protection Laws for UK Personal Data); (b) maintain a record of all categories of Processing activities carried out on behalf of Member in accordance with Article 30(2) of the GDPR(or their equivalent under UK Data Protection Laws for UK Personal Data); and (c) cooperate, on request, with an EU or UK supervisory authority regarding the performance of the Services. 

 

1. United States Data Protection Laws.

This Section 4 shall apply with respect to Processing of Personal Data when such Processing is subject to Data Protection Laws in the United States.

 

1. CCPA/CPRA. This subsection 4.1 applies to IUP’s, and IUP acts as Member’s service provider with respect to, Processing of Personal Data subject to the CCPA. Member discloses the Personal Data to IUP, and IUP shall Process such Personal Data only for the purposes as set out in this Agreement, including this DPA.

 

1. IUP shall not:

   1. Sell or share the Personal Data;

   2. Retain, use, or disclose the Personal Data (i) for any purpose other than the business purposes as set out in the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between the parties;

   3. Combine the Personal Data that IUP receives from, or on behalf of, Member with Personal Data that IUP receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that IUP may combine Personal Data to perform any business purpose as permitted by the CCPA, including regulations thereto, or by regulations adopted by the California Privacy Protection Agency.

 

1. IUP shall comply with obligations applicable to it as a service provider under the CCPA, and shall provide Personal Data with the same level of privacy protection as is required by the CCPA.

 

1. Member shall have the right to take reasonable and appropriate steps to help ensure that IUP uses the Personal Data in a manner consistent with Member’s obligations under the CCPA. The process for such steps shall be as set out in Section 9 below.

2. IUP shall notify Member if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA. If IUP so notifies Member, Member shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

 

1. For any sub-processors used by IUP to process Personal Data subject to the CCPA, in addition to its obligations in Section 5 below, IUP’s agreement with any such sub-processor shall obligate such sub-processor to observe the requirements set forth in subsection 4.1.a above.

 

1. For purposes of this Section 4, the terms “consumer”, “service provider”, “sell” and “share” shall have the meanings given to them under the CCPA.

 

1. Virginia, Colorado, Connecticut and Utah. For the avoidance of doubt and for purposes of the VCDPA, CPA, CTDPA and UCPA, the relevant details of Processing set forth in Section B in Exhibit A shall apply.
    

1. Sub-processors

   1. Sub-processor List. Member consents to IUP’s use of the sub-processors set out in Exhibit A attached hereto. IUP may update its list of sub-processors from time to time, and shall make available any updates to such list upon request by email.

 

1. Notice. IUP will provide Member with a mechanism to receive notice of updates to its sub-processor list. IUP will notify Member via such mechanism if Member has signed up to receive notification of any such updates at least thirty (30) days prior to any such update taking effect. Member may make an objection to a new sub-processor within thirty (30) days of receiving a notification from IUP by email. If Member has reasonable concerns related to such sub-processor’s data protection. Upon Member’s objection, the parties shall work together in good faith to address Members concerns. If the parties are unable to reach a resolution, Member may terminate that portion of the Services that involve the use of such sub-processor without penalty.

2. Sub-processor Agreements. IUP shall enter into a written agreement with any such sub-processor containing data protection obligations that are at least as restrictive as its obligations in this DPA.

​

1. Member Representation and Warranty

Member represents and warrants on behalf of itself and its employees that the Personal Data provided to IUP for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Member and its employees in compliance with all Data Protection Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of Data Protection Laws, including without limitation Chapter II of the GDPR, and Member shall defend, indemnify and hold harmless IUP from and against all loss, expense (including reasonable out-of-pocket attorneys’ fees and court costs), damage, or liability arising out of any claim arising out of a breach of this Section 6. 

 

1. Data Protection

   1. Data Security. IUP will utilize commercially reasonable efforts to protect the security, confidentiality, and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Notwithstanding the generality of the foregoing, IUP shall: (a) employ reasonable administrative, physical, and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with Data Protection Laws as would be appropriate based on the nature of the Personal Data; (b) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data; and (c) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by IUP’s retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes. 

 

1. Authorized Personnel. IUP shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA

 

1. Security Breaches. After confirmation of a Security Breach, (a) IUP will promptly: (i) notify Member of the Security Breach; (ii) investigate the Security Breach; (iii) provide Member with necessary details about the Security Breach as required by applicable law; and (iv) take reasonable actions to prevent a recurrence of the Security Breach; and (b) IUP agrees to cooperate in Member’s handling of the matter by: (i) providing reasonable assistance with Member’s investigation; and (ii) making available relevant records and other materials related to the Security Breach’s effects on Member, as required to comply with Data Protection Laws.

 

1. Assistance

   1. Processor Assistance. Upon Member's written request, IUP shall provide reasonable assistance to Member as necessary in order to assist Member with meeting its obligations under Data Protection Laws, including by providing information to Member about IUP’s technical and organizational security measures, and as needed to complete data protection assessments. 

 

1. Data Subject Requests. IUP shall reasonably assist Member with the fulfilment of Member’s obligations to Data Subjects exercising rights afforded by Data Protection Laws, with respect to Personal Data in the event that Member cannot act on such request without IUP’s assistance. If a Data Subject makes a request to IUP to exercise a right with respect to his or her Personal Data of which Member is the Controller, IUP will promptly inform Member of the request, and will advise the Data Subject to submit their request directly to Member. Member will be responsible for addressing such request. 

 

1. Audits

Within thirty (30) days of Member’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, IUP shall make available to Member (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate IUP’s compliance with the obligations set forth in this DPA. 

 

1. Miscellaneous

   1. Conflict. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data. 

 

1. Amendments. This DPA shall not be modified except in accordance with the “Changes” section of IUP’s Terms of Use or the terms set out in the Agreement for modification. To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with Data Protection Laws or changes to Data Protection Laws, Member and IUP agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Data Protection Laws. 

 

1. Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means  this DPA including its exhibits and appendices. 

 

1. Entire Agreement. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. This DPA, together with the Agreement, is the final, complete and exclusive agreement of the Parties will be made available upon request by email, with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.