This Data Processing Agreement (“DPA”) sets forth the legally binding terms between Torgenpay, hereafter called the “Data Processor,” and the entity agreeing to these terms, hereafter called the “Data Controller.” This Agreement regulates how the Processor manages Personal Data in connection with the services provided.
Roles and Responsibilities
Data Controller:
- Determines the purpose and lawful basis for processing Personal Data
- Ensures all processing activities comply with applicable Data Protection Regulations
Data Processor:
- Processes Personal Data strictly according to the Controller’s documented instructions
- Uses Personal Data solely to provide services as directed
Scope of Data Processing
The Processor will handle Personal Data only for the following purposes:
- Initiating, authorizing, and completing payment transactions
- Performing KYC verification and preventing fraudulent activity
- Authenticating customers via two-factor authentication (2FA) or equivalent methods
- Preparing transaction summaries and reconciliation reports
- Ensuring compliance with RBI, and other applicable payment network regulations
Security and Data Protection Measures
The Processor commits to implementing appropriate technical and organizational safeguards, including:
- Encryption of Personal Data during storage and transmission
- Multi-factor authentication for system-level access
- Secure cryptographic key management protocols
- Regular penetration testing and vulnerability assessments
Additionally, the Processor shall:
- Impose strict confidentiality obligations on all personnel with access to data
- Conduct regular staff training on data protection and security procedures
Assistance with Data Subject Rights
The Processor will support the Controller in meeting legal obligations related to Data Subject rights, including:
- Right of access to Personal Data
- Right to correction or rectification
- Right to erasure (“Right to be forgotten”)
- Right to data portability
- Right to restrict or object to processing
Subprocessors
- No Subprocessor shall be engaged without prior written consent from the Controller
- All approved Subprocessors must sign agreements ensuring data protection standards equivalent to this DPA
Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller within 24 hours and provide:
- Nature and details of the breach
- Categories and estimated number of affected Data Subjects
- Actions taken to contain and mitigate impact
- Corrective measures planned to prevent future incidents
Audit and Compliance Rights
The Controller may conduct audits or inspections with reasonable prior notice to verify compliance with this DPA.
The Processor shall provide access to all relevant documentation, and policies.
Data Retention and Deletion
Personal Data will be retained only as long as necessary for payment processing and regulatory compliance, including RBI retention requirements.
Upon termination of services, the Processor will securely erase or return all Personal Data unless legal obligations require continued retention.
Regulatory Updates and Legal Compliance
The Processor will promptly inform the Controller of any changes in laws, regulations, or industry standards affecting lawful processing of Personal Data under this DPA.
Liability and Indemnity
Each Party is liable for damages caused by its own breach of this Agreement.
The Processor agrees to indemnify and hold the Controller harmless from penalties, claims, or losses resulting from non-compliance with data protection obligations.
Governing Law and Jurisdiction
This DPA is governed by the laws of India.
All disputes arising from or related to this Agreement fall under the exclusive jurisdiction of Indian courts.
Amendments
Any changes to this DPA must be made in writing and signed by both the Controller and the Processor.
Acknowledgment
By executing this DPA, both Parties confirm that they have read, understood, and agreed to all terms and conditions stated herein.
.avif)
.avif)
.avif)