Data Processing Agreement

This Data Processing Agreement (“DPA”) establishes a legally binding framework between Ecomewise Innovations, hereinafter referred to as the “Data Processor,” and the entity agreeing to these terms, hereinafter referred to as the “Data Controller.” It governs how the Processor handles Personal Data in relation to the services provided.

Roles of the Parties

  • Controller: Determines the purposes and legal basis for processing Personal Data and remains responsible for compliance with all applicable data protection laws.
  • Processor: Processes Personal Data exclusively according to documented instructions from the Controller and only for delivering services.

Scope of Processing

The Processor shall handle Personal Data solely for the following purposes:

  • Initiation, authorization, and settlement of payment transactions.
  • KYC (Know Your Customer) verification and fraud prevention.
  • Customer authentication, including two-factor authentication (2FA).
  • Transaction reporting and reconciliation.

Security Measures

The Processor shall implement appropriate technical and organizational measures, including but not limited to:

  • Encryption of data both in transit and at rest.
  • Multi-factor authentication for system access.
  • Secure management of cryptographic keys.
  • Regular vulnerability assessments and penetration testing.

Personnel of the Processor shall maintain strict confidentiality and undergo training on data security best practices.

Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject rights requests under applicable laws, including:

  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to data portability.
  • Right to restrict or object to processing.

Subprocessors

The Processor shall not appoint any Subprocessor without prior written consent from the Controller. All approved Subprocessors must enter into written agreements imposing data protection obligations no less stringent than those outlined in this DPA.

Data Breach Notification

The Processor must notify the Controller within 24 hours of becoming aware of any Personal Data breach. The notification shall include:

  • Nature of the breach.
  • Categories and approximate number of affected Data Subjects.
  • Actions taken to contain and mitigate the breach.
  • Measures planned to prevent future incidents.

Audit & Compliance

The Controller may, with reasonable notice, audit the Processor’s compliance with this DPA. The Processor shall provide access to relevant records and policies.

Data Retention & Deletion

Personal Data shall be retained only for as long as necessary for payment processing and compliance with legal requirements. Upon termination of services, the Processor shall securely delete or return all Personal Data unless retention is legally required.

Legal & Regulatory Changes

The Processor shall promptly inform the Controller of any changes in law or regulations that could affect its ability to process Personal Data in accordance with this Agreement.

Liability & Indemnification

Each Party shall be responsible for damages arising from its breach of this Agreement. The Processor shall indemnify the Controller against fines, claims, or damages resulting from non-compliance with data protection obligations.

Governing Law & Dispute Resolution

This Agreement shall be interpreted in accordance with Indian law. Any disputes arising from this Agreement shall fall under the exclusive jurisdiction of Indian courts.

Amendments

Any changes or amendments to this Agreement must be documented in writing and signed by both Parties.

Acknowledgment and Acceptance

By entering into this Agreement, both Parties confirm their understanding of and agreement to the terms set forth in this Data Processing Agreement.