Data Protection Policy
DATA PROTECTION ADDENDUM (DPA)
This Data Protection Addendum (“DPA”) forms part of the Master Services Agreement and/or any Statement of Work entered into by and between the Client (“Controller”) and DPVision Analytics (OPC) Private Limited (“Processor”).
Effective Date: 20 February 2026
1. PURPOSE AND SCOPE
This DPA sets forth the terms and conditions governing the Processing of Personal Data by the Processor on behalf of the Controller in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), and other applicable EU and Member State data protection laws.
2. DEFINITIONS
For the purposes of this DPA, the following definitions shall apply:
– ‘Personal Data’, ‘Processing’, ‘Data Subject’, ‘Controller’, ‘Processor’, ‘Supervisory Authority’, and ‘Personal Data Breach’ shall have the meanings assigned under Article 4 of the GDPR.
– ‘Sub-Processor’ means any third party engaged by the Processor for carrying out specific Processing activities on behalf of the Controller.
– ‘Standard Contractual Clauses (SCCs)’ means the clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
3. ROLE OF THE PARTIES
The Parties acknowledge that the Client acts as the Data Controller and DPVision Analytics (OPC) Private Limited acts as the Data Processor / Sub-Processor with respect to Personal Data processed under the Agreement.
4. PROCESSING INSTRUCTIONS
The Processor shall Process Personal Data solely on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law.
5. CONFIDENTIALITY
The Processor shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)
Pursuant to Article 32 GDPR, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to: encryption, pseudonymisation, access controls, regular security testing, incident management procedures, business continuity and disaster recovery mechanisms.
7. SUB-PROCESSORS
The Processor shall not engage another Processor without prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes and provide the opportunity to object.
The Processor shall impose data protection obligations on Sub-Processors that are no less protective than those set out in this DPA.
8. INTERNATIONAL DATA TRANSFERS
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure appropriate safeguards under Chapter V GDPR, including but not limited to: Standard Contractual Clauses (SCCs), adequacy decisions under Article 45 GDPR, or other legally recognized transfer mechanisms.
9. DATA SUBJECT RIGHTS
The Processor shall assist the Controller, through appropriate technical and organisational measures, in fulfilling obligations to respond to Data Subject requests under Chapter III GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.
10. PERSONAL DATA BREACH
In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours after becoming aware of the breach, providing sufficient information to enable the Controller to comply with Articles 33 and 34 GDPR.
11. DATA PROTECTION IMPACT ASSESSMENT (DPIA)
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments and prior consultations with Supervisory Authorities where required under Articles 35 and 36 GDPR.
12. RECORDS OF PROCESSING
The Processor shall maintain records of Processing activities pursuant to Article 30(2) GDPR and make such records available to the Supervisory Authority upon request.
13. AUDIT RIGHTS
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections conducted by the Controller or its mandated auditor.
14. RETURN OR DELETION OF DATA
Upon termination of the Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies unless Union or Member State law requires storage.
15. LIABILITY AND INDEMNIFICATION
Liability shall be governed in accordance with Article 82 GDPR and applicable contractual provisions. The Processor shall indemnify the Controller for damages resulting from Processing that infringes GDPR where the Processor has not complied with its obligations.
16. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by the laws of the European Union and the Member State applicable under the Agreement, without prejudice to the mandatory jurisdiction of the competent Supervisory Authority.
IN WITNESS WHEREOF, the Parties have executed this Data Protection Addendum as of the Effective Date.
For the Controller:
Name:
Title:
Signature:
Date:
For the Processor:
DPVision Analytics (OPC) Private Limited™
Authorized Signatory:
Title:
Signature:
Date: