Data Processing Agreement

This Data Processing Agreement (“DPA”) establishes a legally binding understanding between Ecomwave Creations, referred to as the “Data Processor”, and the entity accepting these terms, referred to as the “Data Controller.” This DPA defines how the Processor handles Personal Data in connection with the payment gateway services provided.

Roles and Responsibilities

Data Controller:

  • Determines the purposes and legal basis for processing Personal Data

  • Ensures adherence to applicable Data Protection Laws

Data Processor:

  • Processes Personal Data strictly according to the Controller’s documented instructions

  • Uses Personal Data solely to provide the payment gateway services

Scope of Data Processing

The Processor shall handle Personal Data only for the following purposes:

  • Initiating, authorizing, and settling payment transactions

  • Conducting Know Your Customer (KYC) verification and preventing fraudulent activity

  • Authenticating customers, including via two-factor authentication (2FA)

  • Preparing transaction reports and performing reconciliations

  • Ensuring compliance with RBI, NPCI, and relevant payment network regulations

Security Measures

The Processor commits to implementing appropriate technical and organizational safeguards, including:

  • PCI DSS compliance for processing, storing, and transmitting cardholder data

  • Encryption of Personal Data at rest and during transmission

  • Multi-factor authentication for system access

  • Secure key management procedures

  • Regular penetration testing and vulnerability assessments

Additionally, the Processor will:

  • Maintain confidentiality obligations for all personnel

  • Provide staff training on data protection and security best practices

Assistance with Data Subject Rights

The Processor will support the Controller in fulfilling Data Subject rights under applicable law, including:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to data portability

  • Right to restrict or object to processing

Subprocessors

  • The Processor shall not engage any Subprocessor without prior written approval from the Controller

  • Any approved Subprocessor must enter into agreements providing data protection safeguards equivalent to those in this DPA

Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller within 24 hours of discovery, including details such as:

  • Nature of the breach

  • Categories and approximate number of affected Data Subjects

  • Steps taken to contain and mitigate the breach

  • Measures planned to prevent recurrence

Audits and Compliance

  • The Controller may conduct audits with reasonable prior notice to verify compliance with this DPA

  • The Processor will provide access to records, policies, and certifications, including PCI DSS compliance reports

Data Retention and Disposal

  • Personal Data will be retained only for as long as required for payment processing and legal obligations, including RBI-mandated retention periods

  • Upon termination of services, the Processor will securely erase or return all Personal Data, unless retention is legally mandated

Regulatory and Legal Updates

The Processor shall promptly notify the Controller of any legal or regulatory changes affecting the ability to process Personal Data in compliance with this DPA.

Liability and Indemnification

  • Each Party is responsible for damages arising from its own breach of this Agreement

  • The Processor will indemnify the Controller against penalties, claims, or losses resulting from non-compliance with data protection obligations

Governing Law and Jurisdiction

  • This DPA is governed by the laws of India

  • Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of Indian courts

Amendments

Any modifications to this Agreement must be made in writing and signed by both Parties.

Confirmation

By entering into this DPA, both Parties acknowledge that they have read, understood, and accepted all terms and conditions described herein.