Intangles Lab Private Limited- Customer Data Processing Addendum

 

This Data Processing Addendum (hereinafter “DPA”) is effective as of as of the date of accepting the End User License Agreement (“EULA”) as available at:https://www.intangles.ai/end-user-license-agreement/(“Effective Date”) by and between the “You/Users/Customer” will include any party (either business user or personal user as the case may be) (the “Customer”) as set out during the time of accepting the EULA or availing the Subscription of the Service, and Intangles Lab Private Limited (the “Company”/ “Intangles”/”Company”) having its registered office at:  9th Floor, Orville Business Port, Viman Nagar, Pune, Maharashtra, India – 411014. The Customer and the Company are individually referred to as “Party” and collectively as “Parties”. This DPA supplements the EULA and Subscription of the Service, agreed and accepted by the Parties (“Agreement”) under which the Processer provides the Customer services (the “Services”).

The Parties seek to implement this DPA in order to comply with the requirements of applicable data protection laws in relation to the Company’s Processing of Personal Data (each capitalised term as defined under the applicable data protection laws as part of its obligations under the Agreement. The terms “Process”, “Processing” and “Personal Data” used in this DPA shall have the same meaning as defined in the applicable data protection laws.

This DPA shall apply to Company’s Processing of Personal Data, whether provided by the Customer or/and its affiliates, or otherwise, as part of Company’s obligations under the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect.

  1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the applicable data protection laws or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

  • Applicable DP Laws” means any and all laws, statutes, regulations, by-laws, orders, ordinances, court decrees and binding guidelines that apply to the processing of personal data under the Agreement.The Applicable DP Laws in this DPA are limited to EU and UK Data Protection Law and India Data Protection Law.
  • Customer Personal Data”means personal data provided or made available to the Company by or on behalf of the Customer or collected or created for the Customer, which is processed by the Company for and on behalf of the Customer pursuant to the Agreement, as described in more detail in Annex 1.
  • Data Transfer” means an onward transfer of the Personal Data from the Customer to the Company, or between two establishments of the Company, or with a Sub processor by the Company.
  • “EU and UK Data Protection Law” means the EU General Data Protection Regulation 2016/679 “GDPR”, and any applicable national laws made under the GDPR, and any regulation superseding any of the foregoing and the UK Data Protection Law.
  • EUStandard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection or any updated version thereof.
  • “IDTA” means International Data Transfer Addendum to the EU Standard Contractual Clauses the contractual clauses attached hereto as Schedule 2 issued by the commissioner under S119A(1) Data Protection Act 2018.
  • India Data Protection Law” means the Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, The Indian Computer Emergency Response Team (“CERT-In”) Direction on Cyber Security Incident Reporting dated April 28, 2022 (“CERT-In Directions”), Digital Personal Data Protection Act 2023 (“DPDPA”) as and when enforceable and any other personal data privacy and protection laws in India that will supersede the present laws in future.
  • Losses” means: (a) costs (including legal costs), claims, demands, actions, settlements, ex-gratia payments, charges, procedures, expenses, losses and damages (including relating to material and non-material damage); and (b) to the extent permitted by applicable law including Applicable DP laws: (i) administrative fines, penalties, sanctions, liabilities or other remedies  imposed by a court or regulatory authority; (ii) compensation to an individual ordered by a court or regulatory authority; and  (iii) the costs of compliance with investigations by a regulatory authority.
  • Sub processor” means a processor/ sub-contractor appointed by the Company for the provision of all or parts of the Services and who Processes the Personal Data as provided by the Customer and/or the Company.
  • “UK Data Protection Law” means the UK GDPR, the United Kingdom Data Protection Act 2018, the Privacy and Electronic Communications Regulations, and any regulation superseding any of the foregoing.
  1. Purpose of this Addendum:

This DPA sets out various obligations of the Company in relation to the Processing of Customer Personal Data and shall be limited to the Company’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

  1. Details of Customer Personal Data. The Customer authorizes the Company to Process such Customer Personal Data the extent of which is determined and controlled by the Customer. The current nature of the Customer Personal Data is specified in Annex 1 to Schedule 1to this DPA.
  2. Purpose of Processing. The objective of Processing of Customer Personal Data by the Company shall be limited to the Company’s provision of the Services to the Customer/ its Client, pursuant to the Agreement.
  3. Customer’s Obligations regarding Customer Personal Data.
  1. The Customer warrants that it has the right and authority to request the Company to Process the Personal Data and that its instructions for the Processing of Personal Data shall comply with Applicable DP Laws.
  2. The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data, and the means by which the Customer acquired Customer Personal Data.
  3. The Customer must ensure that any required consents have been obtained, and any notices served, to individuals to ensure that the Company has all required rights to process Customer Personal Data, and that the Company’s processing of Customer Personal Data as envisaged in this Agreement will comply with Applicable DP Laws;
  1. Duration of Processing. The Company will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Customer.
  2. The Company’s obligations.
  1. The Company will follow written and documented instructions received, including by email, from the Customer, its affiliate, agents or personnel, with respect to the Processing of Customer Personal Data (each, an “Instruction”).
  2. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Customer.
  3. At the Customer’s request, the Company will provide reasonable assistance to the Customer in responding to/ complying with requests / directions by Individuals in exercising their rights or of the applicable regulatory authorities regarding Company’s Processing of Customer Personal Data.
  4. Upon Customer’s request, the Company will provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligation under Applicable DP Laws to carry out a data protection impact assessment related to the Customer’s use of the Services.
  5. The cost of any assistance provided by the Company to the Customer in accordance with this DPA will be borne by the Customer.
  6. Aggregated Data: Company may use aggregated, de-identified, or anonymized data (including benchmarks, metrics, usage information, or extracts of raw data) (“Aggregated Data”) for Company’s general business purposes (including to improve artificial intelligence, statistical inferencing, machine learning algorithms, to develop other products or services, or for testing, analytical, or other purposes), provided that no such Aggregated Data will be identified as derived from or in any way associated with Individuals. Controller irrevocably and unconditionally assigns any and all rights, title, and interest (including all intellectual property rights relating thereto) that it may have to such Aggregated Data to Company, without any royalty or accounting obligations to the Controller or any other party. Where applicable, Controller warrants that the engagement with Client allows Company utilize/own Aggregated Data as per this DPA.
  7. Technical, Organizational Measures. To Process the Customer Personal Data, the Company will only use personnel who are (i) informed of the confidential nature of the Customer Personal Data, (ii) actually performing the Services in accordance with the Agreement. The Company will regularly train individuals having access to Customer Personal Data in data security and data privacy in accordance with accepted industry practice and shall ensure that all the Customer Personal Data is kept as strictly confidential. Having regard to the state of technological development and the cost of implementing any measures, the Company will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Customer Personal Data and against the accidental loss or destruction of, or damage to, Customer Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected as per the measures stated in Annex 2 of Schedule 1.
  8. Audit Rights
  1. Upon Customer’s reasonable prior written request, the Company will make available to the Customer, information as is reasonably necessary to demonstrate Company’s compliance with its obligations under the Applicable DP Laws in respect of its Processing of the Customer Personal Data. When the Customer wishes to conduct the audit (by itself or through a representative) at Company’s site, it shall provide at least thirty (30) days’ prior written notice to the Company; the Company will provide reasonable cooperation and assistance in relation to audits, including inspections, conducted by the Customer or its representative.
  2. The Customer shall bear the expense of such an audit.
  1. Mechanism of Data Transfers.
  1. EU and UK Data Protection Law:Any Data Transfer for the purpose of Processing by the Company in a country outside the European Economic Area (the “EEA”) shall take place in compliance with the EU Standard Contractual Clauses and UK Standard Contractual Clauses as detailed in Schedule 1 and Schedule 2 to the DPA as the case may be. Where such model clauses have not been executed at the same time as this DPA, the Company shall not unduly withhold the execution of such template model clauses, where the transfer of Customer Personal Data outside of the EEA is required for the performance of the Agreement.
  1. Sub processors.
  2. The Customer acknowledges and agrees that the Company may engage a third-party Sub processor(s) in connection with the performance of the Services. The current Sub processors engaged by the Companys and approved by the Customer are listed in Schedule 2 hereto. The Company shall remain liable to Customer for any failure on behalf of a Sub processor to fulfil its data protection obligations under the DPA in connection with the performance of the Services.
  3. The Company shall execute the appropriate written agreements with the Sub processors in accordance with, and not less protective than, the provisions of this DPA.
  4. If the Customer has a concern that the Sub processor(s) Processing of Customer Personal Data is reasonably likely to cause the Customer to breach its data protection obligations under the GDPR, the Customer may object to Company’s use of such Sub processor and the Company shall comply with the directions/ Instructions of the Customer.
  5. Customer Personal Data Breach Notification.
  1. The Company shall maintain defined procedures in case of a Customer Personal Data Breach (as defined under theApplicable DP Laws) and shall without undue delay notify Customer if it becomes aware of any Customer Personal DataBreach, unless such Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  2. The Company shall provide the Customer with all reasonable assistance to comply with the notification of Customer Personal Data Breach to supervisory authority and/or theaffected Individuals, to identify the cause of such Data Breach and take such steps as reasonably required to mitigate and remedy such Data Breach.
  3. No Acknowledgement of Fault by Company.Company’s notification of or response to a Customer Personal Data Breach under this DPA will not be construed as an acknowledgement by Company of any fault or liability with respect to the Data Breach.
  1. Return and Deletion of Customer Personal Data.
  1. The Company shall at least sixty (60) days from the end of the Agreement or cessation of the Company’s Services under the Agreement, whichever occurs earlier, shall delete all Customer Personal Data, or if the Customer so instructs, the Companyshall return to the Customer all the Customer Personal Data. The Company shall return such Customer Personal Data in a commonly used formats or in the then current format in which it was stored at discretion of the Customer, soon as reasonably practicable following receipt of Customer’s notification.
  2. In any case, the Company shall delete Customer Personal Data including all the copies of it as soon as reasonably practicable following the end of the Agreement.
  1. The Company will only be liable to the Customer for damage caused by the processing of Customer Personal Data where it has not complied with its obligations either under the Applicable DP Laws or where it has processed the Customer Personal Data contrary to the lawful Processing Instructions of the Customer. The Company’s maximum aggregate liability directly arising under this DPA (whether in contract, tort, including negligence) for all direct damages shall be limited to fees paid by the Customerin 3 months immediately preceding the date on which such claimhas arisen. For the avoidance of doubt, this liability cap is an aggregate liability for this agreement and the incidence of more than one claim will not enlarge this limit. In no event will the Company be liable for indirect or consequential losses, including loss of profit, loss of goodwill, special or punitive damages, even if advised of the possibility of such damages.Where both parties are responsible for the act, or omission to act, resulting in the payment of Losses for a party or both parties, then each party shall only be liable for that part of such Losses which is in proportion to its respective responsibility.
  2. Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”).

Schedule 1: EU Standard Contractual Clauses (EU Data Protection Laws Compliance)

In relation to transfers of Customer Personal Data protected by the GDPR, the Customer acknowledges that Customer is a Controller; accordingly, the EU SCCs shall apply to such transfers, completed as follows:Module Two (controller to processor transfer) of the EU SCCs shall apply;

  • in Clause 7, the optional docking clause will apply;
  • in Clause 9, Option 2 “General Written Authorization” for sub-processors will apply, and the time period for prior notice of Sub-processor changes shall be 10 days;
  • in Clause 11, the optional language will not apply;
  • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
  • Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.

Schedule 2: IDTA(UK Data Protection Laws Compliance)

In relation to transfers of Customer Personal Data protected by the UK Data Protection Law, the EU SCCs will apply to such transfers in accordance with Schedule 1 above with the following modifications:

  • The EU SCCs shall be deemed amended as specified by the IDTA, which shall be deemed executed between the Customer and the Company
  • Any conflict between the terms of the SCCs and the IDTA shall be resolved in accordance with the IDTA;
  • For the purposes of the IDTA, Tables 1 to 3 in Part 1 of the IDTA shall be deemed completed using the information contained in the Annexes of this DPA; and
  • Table 4 in Part 1 of the IDTA shall be deemed completed by selecting “importer” and “exporter”.

If and to the extent any provision of the Agreement (including this DPA) conflict with the Standard Contractual Clauses or IDTA, the latter shall prevail.

ANNEX I

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: Customer details set out in the Agreement.
Address: Customer details set out in the Agreement.
Contact person’s name, position and contact details: Customer details set out in the Agreement.
Activities relevant to the data transferred under these Clauses: Provision on Services as per the Agreement.
Signature and date: Refer date of DPA signing.
Role (controller/processor): Controller

 

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Intangles Lab Private Limited
Address: Nyati Tech Park, A-302 Building C2, Wadgaon Sheri Pune 411014
Contact person’s name, position and contact details: dpo@intangles.com
Activities relevant to the data transferred under these Clauses: Processing on behalf of the Customer for rendering Services.
Signature and date: Refer date of DPA signing.
Role (controller/processor): Processor

 

  1. DESCRIPTION OF TRANSFER
Categories of individuals whose personal data is transferred: Vehicle Owner, Vehicle Driver
Categories of personal data transferred: Services Related:Vehicle owner’s name, email address, residential address, Vehicle Information, Vehicle registration number, Vehicle and driver location, Driver Details (driver name, driver’s driving license number or equivalent identification, contact number, emergency contact number), blood group, driver performance information, driver behaviour monitoring, in-vehicle CCTV footage, etc.

User Account Related: name, address, phone number, email address, unique username, corporate name, etc.

App: Device name, model number, device type, IP address, operating system, device compatibility, etc

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. NA
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).  

Continuous

Nature of the processing: To provide Services as set out in the Agreement.
Purpose(s) of the data transfer and further processing: To provide Services as set out in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As per the DPA provisions or as specified by the Controller in subsequent Instructions.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing To provide Services as set out in the Agreement, the processors have been listed in Annex III.

 

  1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Companymaintains information technical and organizational security measures equivalent toIndustry Standards such as ISO 27001 further details are made available on request..

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

  1. Cloud Server (AWS, Oracle)
  2. Website analysis tool (Mixpanel)
  3. Mapping tool (e.g. Google Maps)