TERMS AND CONDITIONS

2. Roles of the Parties

The Parties acknowledge and agree that for the processing of Customer Personal Data, the Customer acts as a Business or Controller, and STACKINTEL Private Limited acts as a Service Provider or Processor, as further detailed in Annex 1. This Addendum applies only to the processing of Customer Personal Data by STACKINTEL Private Limited in these roles.

The Customer is solely responsible for timely communication with its Affiliates or relevant Controllers receiving the Services, as needed to comply with applicable Data Protection Laws.

3. Description and Purpose of Personal Data Processing

Annex 1 of this Addendum outlines the parties' understanding of the subject matter and details of Customer Personal Data processing by STACKINTEL Private Limited. Annex 1 may be reasonably amended by mutual written agreement to meet requirements. It does not create obligations or rights for any party.

The purpose of processing under this Addendum is to provide the Services as per the Agreement and any Order Form(s).

4. Description of Personal Data Processing

The Customer must comply with all applicable Data Protection Laws when performing this Addendum and processing Customer Personal Data. When accessing and using the Services, the Customer will process Customer Personal Data within the Services and provide STACKINTEL Private Limited with instructions in line with applicable Data Protection Laws. The Customer is solely responsible for complying with Data Protection Laws regarding the collection and transfer of Customer Personal Data to STACKINTEL Private Limited. The Customer agrees not to provide STACKINTEL Private Limited with health, religious, or any other special categories of data as per applicable laws.

STACKINTEL Private Limited will comply with all applicable Data Protection Laws when processing Customer Personal Data and will:

• Process Customer Personal Data for the purposes of the Agreement and as detailed in Annex 1, solely based on the Customer's documented instructions for providing the Services and fulfilling its Agreement obligations. The Agreement, this Addendum, and Customer's use of the Services' features constitute Customer's written instructions regarding Customer Personal Data processing.
• Use, retain, disclose, or otherwise process Customer Personal Data only on behalf of the Customer, for the specific business purpose of providing the Services, and according to Customer's instructions, as described in the Agreement. STACKINTEL Private Limited will not sell or share Customer Personal Data, nor will it use, retain, disclose, or process Customer Personal Data outside its business relationship with the Customer or for any other purpose (including STACKINTEL Private Limited's commercial purposes), unless required or permitted by law. STACKINTEL Private Limited will immediately inform Customer if it cannot meet its Data Protection Law obligations or if an instruction infringes applicable Data Protection Laws. Customer can take reasonable steps to ensure STACKINTEL Private Limited's processing complies with Customer's Data Protection Law obligations and can discontinue or remedy unauthorized use.
• Have rights to process Customer Personal Data only: (i) as necessary to (a) perform Business Purposes and Agreement obligations; (b) operate, manage, test, maintain, and enhance the Services, including its business operations; (c) disclose aggregate statistics about Services without individual identification; and/or (d) protect Services from threats; or (ii) if required by a court order or authorized governmental agency, with prior notice to Customer; (iii) as otherwise expressly authorized by Customer.
• Not combine Customer Personal Data it processes for Customer with Personal Data received from or on behalf of others, or collected from its own interactions, unless necessary to perform any Business Purpose permitted or required under the Agreement for the Services.
• Implement and maintain measures to ensure that STACKINTEL Private Limited personnel authorized to process Customer Personal Data are bound by confidentiality or statutory obligations, unless disclosure is legally required.
• Implement and maintain technical and organizational measures as outlined in the Agreement. Considering the state of the art, implementation costs, nature, scope, context, and purposes of processing, as well as risks to data subjects' rights, further commercially reasonable administrative, technical, and organizational measures will be implemented to ensure appropriate security for Customer Personal Data processing, specifically:
  • Pseudonymization and encryption of Customer Personal Data;
  • Ensuring ongoing confidentiality, integrity, availability, and resilience of STACKINTEL Private Limited's systems that process Customer Personal Data;
  • Restoring Customer Personal Data availability and access promptly after a physical or technical incident; and
  • Regularly testing and evaluating the effectiveness of technical and organizational security measures for Customer Personal Data processing.
• Customer agrees that STACKINTEL Private Limited is authorized to engage and appoint Sub-processors, including those in Annex 2, provided STACKINTEL Private Limited:
  • Notifies Customer at least thirty (30) calendar days in advance of any intended Sub-processor changes or additions by emailing notice;
  • Includes data protection obligations in Sub-processor contracts that are substantially similar to those in this Addendum; and
  • Remains liable to Customer for any Sub-processor's failure to fulfill its obligations regarding Customer Personal Data processing.
• If a notice is received under section 4.2(d)(i), Customer has 30 days to object in writing to the Sub-processor on data protection grounds. The parties will then work in good faith for up to 30 days to find a commercially reasonable solution avoiding the objected-to Sub-processor. If no solution is found, either Party may terminate the relevant Services immediately with written notice, without damages, penalty, or indemnification (but without prejudice to fees incurred before termination).
• Promptly notify Customer, to the extent legally permissible, of any legally binding requests (e.g., court order, subpoena) for Customer Personal Data disclosure by STACKINTEL Private Limited. If not legally binding, STACKINTEL Private Limited will reject the request and notify Customer. A record of all legally binding disclosure requests will be kept.
• Promptly notify Customer, to the extent legally permissible, of any communication from a Data Subject concerning Customer Personal Data processing, or any other communication (including from a Supervisory Authority) related to obligations under applicable Data Protection Laws. STACKINTEL Private Limited will not respond to such requests or complaints unless expressly authorized by Customer or legally required. STACKINTEL Private Limited will reasonably assist Customer (or the relevant Controller) with appropriate technical and organizational measures, where possible, to fulfill Customer's (or its Affiliates' or Controllers') obligations in responding to data subject rights requests. Customer agrees to pay STACKINTEL Private Limited for time and out-of-pocket expenses incurred under this Section 4.2(e).
• Upon becoming aware of a Personal Data Breach involving Customer Personal Data, STACKINTEL Private Limited will notify Customer without undue delay. Such notice will include, to the extent reasonably available to STACKINTEL Private Limited, timely information required by Customer (or the relevant Controller) to comply with data breach reporting obligations under applicable Data Protection Laws. STACKINTEL Private Limited will also take necessary measures to remedy or mitigate the breach effects and keep Customer reasonably informed.
• Provide reasonable assistance to Customer, Customer's Affiliates, or relevant Controller(s) with their obligations under applicable Data Protection Laws, considering the nature of processing and available information, to the extent required by law. Customer agrees to pay STACKINTEL Private Limited for time and out-of-pocket expenses for assistance provided under applicable laws.
• Cease processing Customer Personal Data upon Agreement termination or expiry. At Customer's (or its Affiliates' or relevant Controllers') option, return or delete (including by rendering non-readable) all Customer Personal Data copies processed by STACKINTEL Private Limited, unless applicable law requires retention. Retained Customer Personal Data remains subject to Agreement confidentiality obligations.
• Maintain necessary records to demonstrate compliance with its obligations for Customer Personal Data processing on behalf of the Customer.
• Make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Customer or a Customer-mandated independent third-party auditor. Customer must provide reasonable prior notice of intent to audit, conduct audits during STACKINTEL Private Limited's normal business hours, and take reasonable measures to avoid disrupting STACKINTEL Private Limited's operations. To demonstrate compliance under this Section 4.2(i), the Parties agree that, initially, once per year during the Agreement term (unless required by a Supervisory Authority or due to a Customer Personal Data Breach at STACKINTEL Private Limited), STACKINTEL Private Limited will provide Customer with responses to cybersecurity and other assessments. Only if Customer cannot establish STACKINTEL Private Limited's compliance from these responses may Customer request to inspect STACKINTEL Private Limited's processing operations. Customer agrees to pay STACKINTEL Private Limited for time and out-of-pocket expenses for assistance with such audits and assessment responses.

5. Restricted Transfers

When Customer Personal Data is transferred from Customer and/or its Affiliates (as exporter) to STACKINTEL Private Limited (as importer) in a Restricted Transfer subject to relevant Area Law, the transfer will be governed by the appropriate Controller to Processor Contractual Clauses.

6. Precedence

The provisions of this Addendum are supplementary to the Agreement. If there's any inconsistency, this Addendum's provisions will prevail. Should any provision of this Addendum and/or the Agreement contradict the Controller to Processor Contractual Clauses, the Controller to Processor Contractual Clauses will take precedence.

7. Indemnity

To the extent permitted by law, the Customer agrees to (a) defend STACKINTEL Private Limited and its Affiliates ("Indemnified Parties") against any third-party claims, demands, suits, or proceedings ("Claim"), and (b) indemnify and hold harmless the Indemnified Parties from all losses, damages, liabilities, fines, penalties, settlements, and costs (including reasonable legal and consultancy fees) incurred due to any breach by the Customer of this Addendum or its obligations under applicable Data Protection Laws. STACKINTEL Private Limited may participate in the defense and/or settlement of a Claim under this Section 7.1 with its own counsel at its own expense.

8. Severability

The Parties agree that if any part of this Addendum is deemed unlawful or unenforceable by a court, it will not invalidate or render unenforceable any other part of this Addendum.

9. Miscellaneous

This Addendum considers and adheres to the following principles:

• Privacy by Design and default
• Ensuring security of Processing
• Notification of breaches involving Customer Personal Data to the relevant Supervisory Authority
• Notification of breaches involving Customer Personal Data to Customer
• Conducting Privacy Impact Assessments where appropriate and required by applicable Data Protection Law
• Assurance of STACKINTEL Private Limited's assistance if prior consultations with relevant Supervisory Authorities are needed and required by applicable Data Protection Laws.
• STACKINTEL Private Limited will comply with all statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2019, and DPDPA requirements.

If a Data Subject wishes to exercise their data subject rights under applicable Data Protection Law (e.g., right to access, correct, and/or erase Personal Data controlled by STACKINTEL Private Limited), they can submit such requests by contacting STACKINTEL Private Limited's Data Protection Officer (DPO) below. Concerns or complaints related to Customer Personal Data can also be directed to the DPO:

Name: Salil Chaturvedi
Email ID: Salil@stackintel.in

No temporary files are generated during processing.

Annex 1 to Data Protection Addendum

Description of Processing Activities for Customer Personal Data

1. List of Parties

2. Competent Supervisory Authority

The competent supervisory authority/ies in accordance with Applicable Data Protection Clause: Data Protection Authority

3. Processing Information

Subject matter and duration of the Processing of the Personal Data

The processing of personal data involves onboarding customers to our applications, completing KYC (Know Your Customer) procedures, and creating behavioral analytics for customers. This processing will last as long as needed to achieve its purpose, typically for the entire customer or employee relationship, with data retention for a specified period after relationship termination, as per legal and company policies.

The nature and purpose of the Processing of the Personal Data

Nature: StackIntel primarily processes personal data for fintech services and related products. Our focus is on verifying customer identity to prevent fraud and on collecting and maintaining information about individuals and businesses. Purpose: The purpose of processing personal data in fintech is to facilitate secure and efficient financial transactions, provide personalized financial services, and ensure regulatory compliance. Personal data is often used for identity verification, risk assessment, and enhancing user experiences.

The categories of Data Subject to whom the Customer Personal Data relates

The types of data include:

• Personal information
• Employment information
• Credit background
• Behavioral analysis

The types of Customer Personal Data to be Processed

Personal identification information: This may include names, date of birth, gender, contact details (e.g., mobile numbers, email addresses), and residential addresses.

Financial information: This may involve bank account details and financial transaction records.

Employment information: Details related to employment history, occupation, and employer information.

Geolocation data: We may collect location data through mobile applications or other means.

Special categories of data

None

The obligations and rights of Client

The Client's obligations and rights are detailed in the Terms and this Addendum.

Data exporter (as applicable)

The data exporter is: The Client of the Company who uses the Services.

Data importer (as applicable)

The data importer is: STACKINTEL Private Limited, a company that provides services to the client, requiring access to the client's query data.

Processing operations (as applicable)

The transferred personal data will undergo the following basic processing activities: provision of Company Services to Client. To provide people data, the Company receives identifying Personal Data, allowing it to query, cleanse, standardize, enrich, send to additional data providers when necessary, and store the query information.

4. Technical and Organisational Security Measures

This section describes the technical and organizational security measures implemented by STACKINTEL Private Limited as the data processor/data importer. These measures are designed to ensure an appropriate level of security, considering the nature, scope, context, purpose of processing, and risks to individuals' rights and freedoms.

4.1. Security

Security Management System.

Organization. STACKINTEL Private Limited appoints qualified security personnel responsible for developing, implementing, and maintaining the Information Security Program.

Policies. Management reviews and supports all security-related policies to ensure the security, availability, integrity, and confidentiality of Customer Personal Data. These policies are updated at least annually.

Assessments. STACKINTEL Private Limited hires a reputable independent third-party to perform annual risk assessments of all systems containing Customer Personal Data.

Risk Treatment. STACKINTEL Private Limited maintains a formal and effective risk treatment program, including penetration testing, vulnerability management, and patch management, to identify and protect against potential threats to Customer Personal Data security, integrity, or confidentiality.

Vendor Management. STACKINTEL Private Limited maintains an effective vendor management program.

Incident Management. STACKINTEL Private Limited regularly reviews security incidents, including determining root causes and corrective actions.

Standards. STACKINTEL Private Limited operates an information security management system compliant with ISO/IEC 27001:2013.

4.2. Personnel Security.

STACKINTEL Private Limited personnel must adhere to company guidelines on confidentiality, business ethics, appropriate usage, and professional standards. STACKINTEL Private Limited conducts reasonably appropriate background checks (employment history, criminal records) on employees with access to Customer data, as legally permissible and in line with local labor laws, customary practice, and regulations.

Personnel are required to sign a written confidentiality agreement upon hiring and to protect Customer Personal Data at all times. They must acknowledge receipt of and compliance with STACKINTEL Private Limited's confidentiality, privacy, and security policies. Personnel receive privacy and security training on implementing and complying with the Information Security Program. Those handling Customer Personal Data must complete additional role-appropriate requirements (e.g., certifications). STACKINTEL Private Limited's personnel will not process Customer Personal Data without authorization.

4.3. Access Controls

Access Management. STACKINTEL Private Limited has a formal access management process for requesting, reviewing, approving, and provisioning access for all personnel. This limits access to Customer Personal Data and relevant systems to properly authorized persons on a "need for such access" basis. Access reviews are conducted periodically to ensure only essential personnel retain access.

Infrastructure Security Personnel. STACKINTEL Private Limited has a security policy for its personnel and requires security training as part of its personnel training package. STACKINTEL Private Limited's infrastructure security personnel are responsible for ongoing monitoring of its security infrastructure, Services review, and responding to security incidents.

Access Control and Privilege Management. STACKINTEL Private Limited's and Customer's administrators and end users must authenticate using a Multi-Factor authentication system or a single sign-on system to use the Services.

Internal Data Access Processes and Policies - Access Policy. STACKINTEL Private Limited's internal data access policies protect against unauthorized access, use, disclosure, alteration, or destruction of Customer Personal Data. Systems are designed to allow only authorized persons to access data based on "least privileged" and "need to know" principles, preventing unauthorized access. Unique user IDs, strong passwords, two-factor authentication, and monitored access lists minimize unauthorized account use. Access rights are granted or modified based on job responsibilities, duty requirements, need-to-know basis, and in accordance with STACKINTEL Private Limited's internal policies and training. Approvals are managed by workflow tools with audit records. System access is logged for accountability. Password policies (complexity, expiry, lockout, reuse restrictions, re-prompting after inactivity) follow industry standards where passwords are used for authentication.

4.4. Data Centre and Network Security

Data Centres.

Infrastructure. STACKINTEL Private Limited uses AWS as its data center.

Resiliency. Multi-Availability Zones are enabled on AWS, and STACKINTEL Private Limited conducts regular Backup Restoration Testing to ensure resiliency.

Server Operating Systems. STACKINTEL Private Limited's servers are customized and hardened for the application environment and Services security. A code review process is employed to enhance the security of code used for Services and production environments.

Disaster Recovery. STACKINTEL Private Limited replicates data across multiple systems to protect against accidental destruction or loss. Disaster recovery programs are designed, regularly planned, and tested.

Security Logs. STACKINTEL Private Limited's systems log to their respective system log facilities to support security audits and to monitor and detect actual or attempted attacks or intrusions.

Vulnerability Management. STACKINTEL Private Limited regularly performs vulnerability scans on all infrastructure components of its production and development environments. Vulnerabilities are remediated based on risk, with Critical, High, and Medium security patches installed as soon as commercially feasible.

Networks and Transmission.

Data Transmission. Transmissions in the production environment occur via Internet standard protocols.

External Attack Surface. AWS Security Group, acting as a virtual firewall, is in place for the Production environment on AWS.

Incident Response. STACKINTEL Private Limited maintains incident management policies and procedures, including detailed security incident escalation procedures. STACKINTEL Private Limited monitors various communication channels for security incidents, and its security personnel promptly react to suspected or known incidents, mitigate harmful effects, and document incidents and their outcomes.

Encryption Technologies. STACKINTEL Private Limited makes HTTPS encryption (SSL/TLS) available for data in transit.

4.5. Data Storage, Isolation, Authentication, and Destruction.

STACKINTEL Private Limited stores data in a multi-tenant environment on AWS servers. Data, the Services database, and file system architecture are replicated across multiple AWS availability zones. STACKINTEL Private Limited logically isolates data from different customers. A central authentication system is used across all Services to enhance uniform data security. STACKINTEL Private Limited ensures secure disposal of Customer Data through various data destruction processes.

Annex 2

STACKINTEL Private Limited's Sub-processors

As a merchant, we are not liable for any loss or damage resulting directly or indirectly from the denial of authorization for any transaction where the Cardholder has exceeded the pre-set limit mutually agreed upon with our acquiring bank.