Data Processing Agreement

This Data Processing Agreement (“DPA”) defines a legally enforceable framework between Bizquirk Innovation, acting in the capacity of the “Data Processor,” and the organization or individual agreeing to these conditions, identified as the “Data Controller.” This Agreement regulates how the Processor manages, accesses, and handles Personal Data while providing transaction-related digital services.

Roles of the Parties

The Controller retains full authority to decide the objectives, methods, and lawful grounds for Processing Personal Data and continues to bear accountability for compliance with all Applicable Data Protection Laws.

The Processor shall handle Personal Data exclusively in accordance with written and documented directions issued by the Controller and solely for purposes directly related to providing authorized transaction processing services.

Scope of Processing

The Processor is permitted to Process Personal Data only for the following defined activities:

  • Initiating, validating, authorizing, and completing digital transactions
  • Identity verification and risk monitoring for fraud prevention
  • User verification and secure authentication procedures, including multi-step verification
  • Transaction monitoring, reporting, settlement tracking, and reconciliation activities
  • Adherence to regulatory requirements issued by RBI, NPCI, and applicable financial network authorities

Security Measures

The Processor agrees to maintain suitable technical and organizational safeguards, including but not limited to:

  • Industry-aligned security standards for handling, transmitting, and storing sensitive financial data
  • Encryption mechanisms applied to data both during transmission and while stored
  • Multi-level authentication controls governing system and infrastructure access
  • Secure cryptographic key handling and lifecycle management
  • Periodic system vulnerability scans, security audits, and penetration assessments

The Processor shall ensure that all authorized personnel adhere to confidentiality obligations and receive continuous training on secure data handling practices.

Data Subject Rights

The Processor shall reasonably assist the Controller in responding to requests made by Data Subjects under Applicable Laws, including assistance relating to:

  • Requests for access to Personal Data
  • Requests for correction or updating of inaccurate data
  • Requests for deletion of Personal Data
  • Requests for data portability
  • Requests to restrict, object to, or limit Processing activities

Subprocessors

The Processor shall not appoint or involve any Subprocessor without receiving prior written authorization from the Controller.

All approved Subprocessors must operate under written agreements that enforce data protection responsibilities equal to or more stringent than those established under this DPA.

Data Breach Notification

The Processor shall inform the Controller within twenty-four (24) hours of becoming aware of any breach involving Personal Data.

Such notification shall include detailed information regarding:

  • The nature and scope of the security incident
  • The categories and estimated number of impacted Data Subjects
  • Immediate corrective actions taken to control and mitigate the incident
  • Preventive measures planned to avoid recurrence of similar incidents

Audit & Compliance

Upon providing reasonable advance notice, the Controller reserves the right to assess the Processor’s adherence to this DPA. The Processor shall make available all relevant documentation, internal policies, and compliance evidence required to demonstrate conformity with data protection obligations.

Data Retention & Deletion

Personal Data shall be stored only for the duration required to complete transaction-related services and to meet legal and regulatory retention obligations, including those mandated by RBI.

Following termination of services, the Processor shall securely return or permanently erase all Personal Data, unless continued retention is required under applicable laws.

Legal & Regulatory Changes

The Processor shall promptly notify the Controller if any modification to laws, regulations, or regulatory guidance affects its ability to Process Personal Data in accordance with this Agreement.

Liability & Indemnification

Each Party shall remain responsible for losses arising from its own failure to comply with the terms of this Agreement. The Processor agrees to indemnify and hold the Controller harmless against penalties, damages, or claims resulting from violations of data protection responsibilities.

Governing Law & Dispute Resolution

This Agreement shall be interpreted and governed in accordance with the laws of India. All disputes arising under this DPA shall fall under the exclusive jurisdiction of courts located in India.

Amendments

Any change, revision, or modification to this Agreement shall be valid only if documented in writing and executed by both Parties.

Acknowledgment and Acceptance

By entering into this Agreement, both Parties confirm that they have read, understood, and accepted all provisions contained within this Data Processing Agreement.