This Data Processing Addendum (“DPA”), including Exhibit A thereto, is entered into by and between Visa Architect (“Visa Architect/VA”) and you (“Service Provider”) (jointly the “Parties”) in connection with Visa Architect’s use of Service Provider’s services (“the Services”), and reflects the Parties' agreement with regard to the Processing of Consumer Personal Information in accordance with the requirements of the Applicable Privacy Laws. This DPA shall be effective on the date Service Provider collects or Processes Consumer Personal Information (the “Effective Date”).
“Applicable Privacy Laws” means all applicable Indian laws governing the processing and/or protection of personal data, including the Digital Personal Data Protection Act, 2023 (DPDPA 2023), the Information Technology Act, 2000, and the rules made thereunder, each as amended or replaced from time to time, along with any implementing regulations.
“Data Principal” means the individual to whom the personal data relates, as defined under the Applicable Privacy Laws.
“Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the Applicable Privacy Laws, and which is Processed by the Service Provider on behalf of Visa Architect in connection with provision of the Services.
“Process”, “Processed” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Regulator” means any authority or government body having jurisdiction to enforce compliance with the Applicable Privacy Laws, including but not limited to the Data Protection Board of India established under the DPDPA 2023, and any successor or replacement authority.
A “Security Incident” has occurred when the Service Provider has knowledge of, or reasonably believes there has been: a loss of; or actual or attempted unauthorized or unlawful access to, acquisition, use, or disclosure of; or any other compromise of Personal Data within the possession or control (physical or IT environment) of the Service Provider.
Terms such as “Consent,” “Notice,” “Data Fiduciary,” “Data Processor,” “De-identification,” and “Anonymization” shall have the meaning ascribed to them in the Applicable Privacy Laws.
1. Restrictions on Personal Data
The Service Provider will Process Personal Data only as necessary to perform the Services. The Service Provider will not under any circumstances sell, share, or otherwise Process Personal Data for any purpose not directly related to providing the Services. The Service Provider agrees and warrants that it will not disclose or transfer Personal Data to any third party in exchange for monetary or other valuable consideration.
2. Exception for Authorized Parties
Notwithstanding the restrictions above, the Service Provider may disclose or transfer Personal Data to its own service providers (“Authorized Parties”) to the extent necessary to perform the Services and in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other Applicable Privacy Laws. The Service Provider shall ensure that all Authorized Parties are contractually bound by terms no less protective of Personal Data than this Agreement. Upon Visa Architect’s request, the Service Provider shall promptly provide a list of Authorized Parties with access to Personal Data. If Visa Architect reasonably objects to any Authorized Party and no suitable alternative is agreed upon, Visa Architect may terminate the Services without further liability.
3. Assistance with Data Principal Requests
If the Service Provider, directly or indirectly, receives a request from a Data Principal relating to their Personal Data (“Request”), the Service Provider shall provide a copy of the Request to Visa Architect within two (2) business days. The Service Provider shall notify Visa Architect in writing and liaise with Visa Architect before responding. The Service Provider shall not communicate with the Data Principal regarding such Request without Visa Architect’s written consent. If Visa Architect receives the Request, the Service Provider shall provide all necessary assistance (such as access, correction, or erasure of Personal Data) within five (5) business days. If unable, the Service Provider shall promptly explain the reasons for delay or legal grounds for refusal, and indicate a specific timeline for compliance.
4. Cooperation with Regulators
The Service Provider shall cooperate with and assist Visa Architect in: (a) fulfilling its obligations under the DPDPA, the IT Act, and other Applicable Privacy Laws; and (b) responding to any request, inquiry, or legal action from the Data Protection Board of India or other Regulator.
5. Disclosure to Authorities
If the Service Provider is legally required to disclose any Personal Data to law enforcement or government authorities, it shall notify Visa Architect in writing and liaise with Visa Architect before complying. If the Service Provider receives any communication from a Regulator relating to Personal Data, it shall forward a copy to Visa Architect within two (2) business days. The Service Provider shall not respond directly without Visa Architect’s prior written consent.
6. Retention of Personal Data
The Service Provider will retain Personal Data only as directed by Visa Architect. At termination of the Agreement or upon written request, the Service Provider shall securely return or delete all Personal Data within thirty (30) days, unless retention is legally required. If retention is required, the Service Provider shall notify Visa Architect within twenty (20) days of termination, stating the legal basis. The Service Provider shall provide Visa Architect with certification of deletion/removal within thirty (30) business days.
7. Confidentiality
The Service Provider shall treat all Personal Data as strictly confidential. It shall ensure that employees, contractors, and third parties engaged in Processing Personal Data are subject to legally enforceable confidentiality obligations and have received adequate data protection and security training before accessing Personal Data.
8. Reasonable Security Measures
The Service Provider warrants that it has implemented reasonable security practices and procedures as prescribed under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and other applicable Indian standards. Such measures must be appropriate to the sensitivity of the Personal Data being processed, and failure to maintain them shall be considered a breach of this Agreement.
9. Security Incident
Upon discovering a Security Incident (as defined under the DPDPA), the Service Provider shall notify Visa Architect immediately, and no later than 48 hours after discovery. The Service Provider shall fully cooperate with Visa Architect in investigating, containing, and remedying the incident, including assisting with any notifications to the Data Protection Board of India and affected Data Principals, as required under Applicable Privacy Laws.
10. Audit Rights
Upon Visa Architect’s written request, the Service Provider shall permit Visa Architect (or its designated third party) to conduct an audit or assessment of the Service Provider’s data protection and security controls relevant to Personal Data. Such cooperation shall include access to knowledgeable personnel, policies, infrastructure, and relevant systems within fourteen (14) days of Visa Architect’s request.
11. Indemnification
The Service Provider shall indemnify and hold harmless Visa Architect, its affiliates, officers, directors, and employees against all claims, damages, penalties, fines, or expenses (including reasonable legal fees) arising out of or relating to the Service Provider’s or its Authorized Parties’ breach of this Agreement or any Applicable Privacy Laws.
12. Termination
This Agreement shall terminate automatically when the Services expire or are terminated. Visa Architect may, upon written notice, immediately terminate the Services or suspend processing if the Service Provider breaches any obligations under this Agreement or Applicable Privacy Laws. Obligations that are intended to survive termination (including confidentiality, indemnification, and cooperation clauses) shall continue in force.
13. General
If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall remain in full force. The Parties may substitute such provision with a valid and enforceable one that best reflects the intent.
Facsimile, scanned, or electronic signatures shall bind the Parties as originals. This Agreement may be executed in counterparts.
Notwithstanding anything to the contrary, no partner, member, or shareholder of Visa Architect shall be personally liable for obligations arising under this Agreement.
The terms used in this Data Protection Addendum (“Addendum”) shall have the definitions set forth in the Digital Personal Data Protection Act, 2023 (DPDPA 2023), unless otherwise defined herein. The term “Service Provider” shall include contractors, agents, or affiliates engaged by the Service Provider.
The Service Provider shall not use, disclose, or transfer any Personal Data provided by Visa Architect (“Visa Architect Information”) except for the limited and specific purpose of providing the Services to Visa Architect (the “Contracted Purpose”). The Service Provider shall not retain, use, or disclose Visa Architect Information:
The Service Provider shall comply with all applicable provisions of the DPDPA, the IT Act, and the SPDI Rules. This includes, without limitation:
Visa Architect shall have the right to take reasonable and appropriate steps to ensure the Service Provider uses Visa Architect Information in compliance with this Addendum and the DPDPA. Such steps may include:
If the Service Provider determines that it can no longer comply with its obligations under this Addendum or Applicable Privacy Laws, it shall promptly notify Visa Architect in writing.
Visa Architect shall have the right to take reasonable steps to stop and remediate any unauthorized use of Visa Architect Information, including requiring the Service Provider to delete or return such information.
The Service Provider shall reasonably cooperate with Visa Architect to enable Visa Architect to respond to Data Principal requests in accordance with Applicable Privacy Laws. The Service Provider shall not respond to Data Principals directly, except with Visa Architect’s prior written consent.
If the Service Provider engages a subcontractor in connection with the Contracted Purpose:
Upon termination or expiration of the Services, or upon Visa Architect’s written request, the Service Provider shall securely delete or return all Visa Architect Information within thirty (30) days, unless retention is required under Indian law. Where retention is required, the Service Provider shall provide Visa Architect with written notice stating the legal basis for such retention.
Any provision of this Addendum that is held to be invalid or unenforceable shall not affect the validity of the remaining provisions. This Addendum may be executed in counterparts, including via electronic signatures, which shall be binding.
Legal Disclaimer:
Visa Architect is not a law firm, and we don’t provide legal advice. The information we share through our programs, webinars, emails, templates, and other resources is meant for general guidance and educational purposes only. Using Visa Architect or participating in any of our offerings does not create an attorney-client relationship. If you need advice about your specific situation, we recommend speaking with a qualified U.S. immigration attorney. You can also refer to official U.S. government resources for the most up-to-date information.