Data Processing Agreement
THIS DATA PROCESSING AGREEMENT (“DPA”) SUPPLEMENTS THE TERMS OF SERVICE (THE “AGREEMENT”) ENTERED INTO BY AND BETWEEN CUSTOMER (AS DEFINED IN THE AGREEMENT) AND STEMLEN PVT LTD, A COMPANY INCORPORATED UNDER THE LAWS OF INDIA, LOCATED AT HYDERABAD, TELANGANA, INDIA (“FAIRLX”). BY EXECUTING THE AGREEMENT, CUSTOMER ENTERS INTO THIS DPA ON BEHALF OF ITSELF AND, TO THE EXTENT REQUIRED UNDER APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW), IN THE NAME AND ON BEHALF OF ITS AFFILIATES (DEFINED BELOW), IF ANY. THIS DPA INCORPORATES THE TERMS OF THE AGREEMENT, AND ANY TERMS NOT DEFINED IN THIS DPA SHALL HAVE THE MEANING SET FORTH IN THE AGREEMENT. THE PARTIES THEREFORE AGREE AS FOLLOWS:
1. Definitions
1.1 “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
1.2 “Authorized Sub-Processor” means a third-party who has a need to know or otherwise access Customer’s Personal Data to enable Fairlx to perform its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit B or (2) subsequently authorized under Section 3.2 of this DPA.
1.3 “Customer Account Data” means personal data that relates to Customer’s relationship with Fairlx, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data Fairlx may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by Data Protection Laws and regulations.
1.4 “Customer Usage Data” means Service usage data collected and processed by Fairlx in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
1.5 “Data Exporter” means Customer.
1.6 “Data Importer” means Fairlx.
1.7 “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data, primarily: (i) the Digital Personal Data Protection Act, 2023 (“DPDPA”) and the rules framed thereunder; (ii) the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”); and, to the extent applicable to Personal Data of individuals in other jurisdictions: (iii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”); (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (v) the UK Data Protection Act 2018; (vi) the California Consumer Privacy Act (“CCPA”); and (vii) the Swiss Federal Act on Data Protection; in each case, as updated, amended or replaced from time to time.
1.8 “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of Personal Data, as defined under the DPDPA. In the context of this DPA the Customer is the Data Fiduciary.
1.9 “Data Principal” means the individual to whom the Personal Data relates, as defined under the DPDPA. Where used in this DPA the term “Data Subject” shall be read as synonymous with Data Principal.
1.10 “Data Processor” means any person who processes Personal Data on behalf of a Data Fiduciary, as defined under the DPDPA. In the context of this DPA Fairlx is the Data Processor.
1.11 “Data Protection Board” means the Data Protection Board of India established under Section 18 of the DPDPA, or any successor regulatory authority.
1.12 “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
1.13 “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.14 “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.15 “Services” shall have the meaning set forth in the Agreement.
1.16 “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the Information Commissioner’s Office of the United Kingdom (including all Part 2 Mandatory Clauses).
2. Relationship of the Parties; Processing of Data
2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor (or as a Data Fiduciary under the DPDPA) and, except as expressly set forth in this DPA or the Agreement, Fairlx is a processor (or a Data Processor under the DPDPA). Customer shall, in its use of the Services, process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Fairlx to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Fairlx by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Fairlx regarding the processing of such Personal Data.
2.2 Fairlx shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by any applicable law or Supervisory Authority to which Fairlx is subject; in such a case, Fairlx shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Protection Laws. Customer hereby instructs Fairlx to process Personal Data in accordance with the foregoing.
2.3 The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects (or Data Principals), are described in Exhibit A to this DPA.
2.4 Following completion of the Services, at Customer’s choice, Fairlx shall return or delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law (including retention obligations under the IT Act and DPDPA). If return or destruction is impracticable or prohibited by law, Fairlx shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law) and shall continue to appropriately protect the Personal Data. If Fairlx will be transferring Personal Data outside of the European Union under the Standard Contractual Clauses as described in Section 5, the parties agree that the certification of deletion shall be provided by Fairlx only upon Customer’s request.
2.5 CCPA. Except with respect to Customer Account Data and Customer Usage Data, the parties acknowledge and agree that Fairlx is a service provider for the purposes of the CCPA (to the extent it applies). Fairlx shall not sell any such personal information. Fairlx shall not retain, use or disclose any personal information provided by Customer pursuant to the Agreement except as necessary for the specific purpose of performing the Services, or as permitted by the CCPA.
2.6 DPDPA Compliance. To the extent the DPDPA applies to the processing of Personal Data under this DPA: (i) Fairlx shall process Personal Data only in accordance with the instructions of the Customer (Data Fiduciary); (ii) Customer warrants that it has obtained lawful consent from the Data Principal for the processing of such data, or has another valid legal basis for such processing under the DPDPA; (iii) Fairlx shall implement appropriate technical and organizational measures to comply with the DPDPA; and (iv) Fairlx shall assist the Customer in fulfilling its obligations to respond to requests from Data Principals to exercise their rights under the DPDPA.
3. Authorized Sub-Processors
3.1 Customer acknowledges and agrees that Fairlx may (1) engage its affiliates and the Authorized Sub-Processors listed in Exhibit B (the “List”) to this DPA to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this DPA, Customer provides general written authorization to Fairlx to engage sub-processors as necessary to perform the Services.
3.2 The List may be updated by Fairlx from time to time. At least fifteen (15) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Fairlx will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Fairlx within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Fairlx from offering the Services to Customer.
3.3 If Customer reasonably objects to an engagement in accordance with Section 3.2, and Fairlx cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Fairlx. Discontinuation shall not relieve Customer of any fees owed to Fairlx under the Agreement.
3.4 If Customer does not object to the engagement of a third party in accordance with Section 3.2, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.
3.5 Fairlx will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Fairlx under this DPA with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Fairlx, Fairlx will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.
3.6 If Customer and Fairlx have entered into Standard Contractual Clauses as described in Section 5 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Fairlx of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Fairlx to Customer pursuant to Clause 5(j) of the UK SCCs or Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Fairlx beforehand, and that such copies will be provided by Fairlx only upon request by Customer.
4. Security of Personal Data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Fairlx shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about Fairlx’s technical and organizational security measures.
5. Transfers of Personal Data
5.1 The parties agree that Fairlx’s primary processing operations take place in India. Customer acknowledges that the transfer of Personal Data to India is necessary for the provision of the Services. Fairlx shall process Personal Data in accordance with the DPDPA and any other applicable Data Protection Laws of India.
5.2 India Cross-Border Transfers
Where Fairlx transfers Personal Data outside of India: (i) Fairlx shall comply with Section 16 of the DPDPA and any notifications issued by the Central Government of India restricting the transfer of Personal Data to certain countries or territories outside India; and (ii) Fairlx shall ensure that the recipient of such Personal Data is subject to obligations that are at least as stringent as those set out in this DPA and the DPDPA.
5.3 Ex-EEA Transfers (Secondary)
Where the GDPR applies to the processing of Personal Data, the parties agree that ex-EEA Transfers are made pursuant to the EU SCCs. For the purposes of this Section, appropriate modules (Controller-to-Controller, Controller-to-Processor, etc.) shall be deemed to apply based on the relationship of the parties.
5.4 Ex-UK Transfers (Secondary)
Where the UK GDPR applies, the parties agree that ex-UK Transfers are made pursuant to the UK SCCs (or UK Addendum). References to the GDPR will be deemed to be references to the UK GDPR and the UK Data Protection Act 2018.
5.5 Supplementary Measures
In respect of any international transfers, Fairlx maintains appropriate security measures as set forth in Exhibit C. Fairlx has not received any formal legal requests from government intelligence agencies for access to Customer’s Personal Data (“Government Agency Requests”). If such a request is received, Fairlx shall attempt to redirect the agency to Customer and provide notice unless legally prohibited.
6. Rights of Data Subjects & Data Principals
6.1 DPDPA Rights. To the extent the DPDPA applies, Fairlx shall assist Customer in fulfilling its obligations to respond to requests from Data Principals to exercise their rights, including: (i) the right to withdraw consent; (ii) the right to grievance redressal; (iii) the right to nominate any individual to exercise rights in the event of death or incapacity; and (iv) rights of correction, completion, updating, and erasure of Personal Data.
6.2 GDPR/CCPA Rights. To the extent the GDPR or CCPA applies, Fairlx shall notify Customer of requests by Data Subjects to exercise their rights of access, rectification, erasure, data portability, and objection. Fairlx will advise the Data Subject to submit their request directly to Customer.
6.3 Customer is solely responsible for responding to such requests, including using the functionality of the Services. Fairlx shall provide reasonable assistance where necessary, provided Customer is unable to respond without Fairlx’s assistance and Fairlx is able to do so in accordance with applicable laws.
7. Actions and Access Requests; Audits
7.1 Fairlx shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under Data Protection Laws (including DPDPA and GDPR) to conduct data protection impact assessments or demonstrate compliance.
7.2 Fairlx shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA. Customer shall have the right to review such records upon reasonable notice.
7.3 Fairlx shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, to the extent required by Data Protection Laws. Such audits shall be conducted no more than once per year during business hours and with reasonable prior notice.
7.4 Fairlx shall immediately notify Customer if an instruction, in Fairlx’s opinion, infringes Data Protection Laws or the requirements of the Data Protection Board of India or any other relevant Supervisory Authority.
7.5 In the event of a Personal Data Breach, Fairlx shall, without undue delay, inform Customer and take reasonable steps to remediate such breach. Fairlx shall provide Customer with information necessary for Customer to notify the Data Protection Board of India or other relevant authorities and Data Principals/Subjects.
7.6 Where the GDPR applies, Fairlx shall provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
7.7 The obligations described in Sections 7.5 and 7.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Fairlx’s obligation to report or respond to a Personal Data Breach under Sections 7.5 and 7.6 will not be construed as an acknowledgement by Fairlx of any fault or liability with respect to the Personal Data Breach.
8. Fairlx's Role as a Controller
The parties acknowledge and agree that with respect to Customer Account Data and Customer Usage Data, Fairlx is an independent controller (or Data Fiduciary), not a joint controller with Customer. Fairlx will process such data (i) to manage the relationship with Customer; (ii) for accounting, audits, and tax compliance; (iii) to investigate and prevent fraud or security incidents; and (iv) as otherwise required by applicable laws (including retention obligations under the IT Act).
Fairlx may also process Customer Usage Data to provide, optimize, and maintain the Services. Any processing by Fairlx as a controller is based on contractual necessity or legitimate interests, and is carried out in accordance with Data Protection Laws.
9. Conflict; Governing Law
9.1 Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses (where they apply); (2) the terms of this DPA; (3) the Agreement; and (4) any other written agreement executed by the parties.
9.2 Governing Law. This DPA and the processing of Personal Data hereunder shall be governed by and construed in accordance with the laws of India. The parties agree that the courts of Hyderabad, Telangana, India shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA.
Exhibit A — Details of Processing
Nature and Purpose of Processing
Fairlx will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions (including those provided via the Service interface).
Duration of Processing
Fairlx will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Fairlx’s legitimate business needs; or (iii) by applicable Indian laws and regulations.
Categories of Data Subjects (Data Principals)
Customer end-users, employees, and authorized agents.
Categories of Personal Data
Personal Data contained in Customer Account Data, Customer Usage Data, and any content provided by Customer. This may include names, contact details, unique identifiers, and activity logs.
Exhibit B — Transfer Details & Sub-Processors
The following details the parties and Authorized Sub-Processors involved in the processing of Personal Data.
1. The Parties
| Role | Details |
|---|---|
| Data Fiduciary (Exporter) | Customer, as stated in the Agreement. Role: Controller/Data Fiduciary. |
| Data Processor (Importer) | Stemlen Pvt Ltd (“Fairlx”). Role: Processor/Data Processor. |
2. Authorized Sub-Processors
| Company | Description | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud Infrastructure & Hosting | United States |
| Appwrite Ltd. | Backend-as-a-Service | Global |
| Razorpay Software Pvt Ltd | Billing & Payments | India |
| Vercel Inc. | Frontend Hosting & CDN | United States |
Exhibit C — Security Measures
Fairlx maintains technical and organizational measures to ensure a level of security appropriate to the risk.
| Measure | Details |
|---|---|
| Encryption | Encryption at rest and in transit (TLS/SSL). |
| Access Control | Role-based access control and multi-factor authentication. |
| Resilience | Regular backups and disaster recovery procedures. |
Contact
Legal & Support
stemlen.co@gmail.com
Company
Stemlen Pvt Ltd.
Registered Address
Hyderabad, Telangana, India
Website
fairlx.com