This Jio Haptik Technologies Limited (Company) Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Jio Haptik Technologies Limited (Company) on behalf of Customer in connection with the Services under the Jio Haptik Technologies Limited (Company) Master Service Agreement (including any Professional Services Statement of Work) between Jio Haptik Technologies Limited (Company) and Customer (the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement or in an executed amendment to the Agreement. The terms and conditions of the Data Processing Agreement apply where the EU GDPR applies to Customer or to Jio Haptik Technologies Limited (Company) or to any of their respective Affiliates.
We periodically update the terms of this DPA. Jio Haptik Technologies Limited (Company) will let you know when we do via email.
The term of this DPA shall follow the Term of the Agreement. Word or phrases not otherwise defined herein shall have the meaning as set forth in the Master Service Agreement.
Definitions:
“California Personal Information” means Personal Data in relation to which Customer is a Business under the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Business”, “Sell” and “Service Provider” shall have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, and the CCPA; in each case as amended, repealed, consolidated or replaced from time to time.
“Data Subject” means the individual to whom Personal Data relates.
“European Data” means Personal Data, the Processing of which, is subject to European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Jio Haptik Technologies Limited and/or its Sub-Processors in connection with the provision of the Services. “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out at Annex 3.
“Sub-Processor” means any Processor engaged by Jio Haptik Technologies Limited or its Affiliates to assist in fulfilling Jio Haptik Technologies Limited’s obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or Jio Haptik Technologies Limited Affiliates but shall exclude any Jio Haptik Technologies Limited employee or consultant.
1. Security Best Practices.
2. Security Management.
Company will develop, implement, maintain, and enforce a written information privacy and security program ("Security Program") that (i) complies with security best practices, (ii) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data and (iii) is appropriate to the nature, size and complexity of Company’s business operations and the Customer Data involved.
Company will notify Client of details regarding any material changes to its Security Program that may adversely affect the privacy and security of any Client and Customer Data.
Company will designate a senior employee to be responsible for overseeing and carrying out its Security Program and for communicating with Client on information security matters. Upon Client’s request, Company’s Security Officer will provide Client with the contact information of one or more Company representatives who will be available to discuss any privacy and security concerns (e.g., discovered vulnerability, exposed risk, reported concern) with Client and to communicate the level of risk associated with such concerns and any remediation thereof.
3. Personnel Security.
Prior to assigning any of its Personnel to positions in which they will, or Company reasonably expects them to, have access to Customer Data, Company will conduct or verify background checks on such Personnel, except where expressly prohibited by law. For the purposes of this Exhibit, "Personnel" means Company’s employees, independent contractors, and subcontractors that have access to Personal Data.
Company Personnel will, upon hiring, and at least annually thereafter, participate in privacy and security awareness training. This training will cover, at a minimum, Company’s privacy and security policies, including acceptable use, password protection, data classification, Breach reporting, the repercussions of violations, and brief overviews of Applicable Laws and Regulations.
Company must maintain a security process to conduct appropriate due diligence prior to utilizing subcontractors to provide any of the Services. Company will assess the security capabilities of any such subcontractors on an annual basis to ensure subcontractor's ability to comply with this Exhibit and the terms of the Agreement. The due diligence process will provide for the identification and resolution of significant security issues prior to engaging a subcontractor, written information security requirements that require subcontractor to adhere to Company's key information security policies and standards within all contracts, and for the identification and resolution of any security issues during the term of the Agreement.
4. Physical Security.
5. Logical Security.
prevent unauthorized access to Customer/Client Data;
limit access to Personnel with a business need to know;
follow principle of least privilege allowing access to only the information and resources that are necessary under the terms of the Agreement; and
have the capability of detecting, logging, and reporting access to the system or network or attempts to breach security of the system or network.
All Personnel must have an individual account that authenticates that individual's access to Customer/Client Data. Access controls and passwords must be configured in accordance with industry standards and best practices. Passwords will be hashed with industry standard algorithms per the Storage, Handling and Disposal Section, below.
6. Telecommunication and Network Security.
Company will deploy reasonably appropriate firewall technology in the operation of Company’s sites. Traffic between Company and Client will be protected and authenticated by industry standard cryptographic technologies. Specifically, firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for all IPsec standards and certificates, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti-spoofing.
At a minimum, Company will review firewall rule sets annually to ensure that legacy rules are removed, and active rules are configured correctly.
Company will deploy intrusion detection or preferably prevention systems (IDS/IPS) in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.
Company will deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a maximum period of 180 days.
7. Malicious Code Protection.
All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server. Virus definitions must be updated within twenty-four (24) hours of release by the anti-virus software vendor. Company will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Company’s or Client’s computing environment.
Company will have current anti-virus software configured to run real-time scanning of machines and a full system scan on a regularly scheduled interval not to exceed seven (7) calendar days.
Company will scan incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.
Company will quarantine or remove files that have been identified as infected and will log the event.
8. Data Loss Prevention.
9. Systems Development and Maintenance.
Documentation: Company will maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Customer/Client Data.
Vulnerability Management and Application Security Assessments. Company will run internal and external network vulnerability scans at least quarterly and after any material change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Vulnerabilities identified and rated as critical/high risk by Company will be remediated within ninety (90) days of discovery.
For all Internet-facing applications that collect, transmit or display Customer Data, Company agrees to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a static code analysis or penetration test of the application, as well as a code review. At a minimum, it will cover the OWASP Top 10 vulnerabilities (https://www.owasp.org).
Company may utilize a qualified third party to conduct the application security assessments. Company may conduct the security assessment review themselves, provided that Company’s Personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Company. Vulnerabilities identified and rated as critical/high risk by Company will be remediated within ninety (90) days of discovery.
Source code review: Company will have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Customer Data.
Patch Management: Company will patch all workstations and servers with all current operating system, database and application patches deployed in Company’s computing environment according to a schedule predicated on the criticality of the patch. Company will perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed six weeks from the date of release.
10. Storage, Handling, and Disposal.
Data Segregation: Company will physically or logically separate and segregate Customer Data from its other Client’s data.
Electronic Form Data. Company will utilize Industry Standard Encryption Algorithms and Key Strengths to encrypt the following:
All Customer Data that is in electronic form while in transit over all public wired networks (e.g., Internet) and all wireless networks; and
All Customer Data stored in databases, in file systems, and on various forms of online and offline media (DASD, tape, etc.).
Key Management. Where encryption is utilized, Company will maintain a key management process that meets the following minimum requirements:
At least one key custodian must be officially designated.
Key custodians must ensure that all keys used in a storage encryption solution are secured and managed properly to support the security of the solution.
Key management must be planned to include secure key generation, use, storage and revocation.
Key management practices must support the recovery of encrypted data if a key is inadvertently disclosed, destroyed or becomes unavailable.
Key custodians must ensure that access to encryption keys is properly restricted to approved administrators. Private keys must not be stored on the same media and/or virtual instance as the data they protect.
Authentication must be required in order to gain access to keys.
Keys will be rotated annually and must be replaced before they expire.
Physical Form Data. Company will only store Customer Data in physical form in a Secure Area, and Company will establish and operate a document control system to record and track the transfer of all Customer Data that is in physical form both (i) between and within Company facilities, and (ii) via any external shipment. Such a control system will include, at minimum, a description of the specific records being transferred (e.g., customer or employee records, etc.), as well as the parties who are preparing, shipping, receiving, and processing such materials.
I. Unless explicitly stated otherwise in this agreement, the Client shall be responsible to ensure that relevant consents as per applicable laws and regulations have been obtained from the individuals/ data subjects and recorded and the correctness and accuracy of such Personal Information and the Company shall have no liability towards the Client or the Users arising as a result of the collection, correctness, accuracy and processing of any such Personal Data.
II. The Client shall be responsible to maintain records of all consent acceptance and refusal for seven (7) years. The Client shall also be responsible to provide details of consent acceptance and/ or refusal within 15 calendar days of the Company’s written request for the same. The Client will be liable to pay for any damages that the Company incurs due to inaccurate and/ or insufficient consent records.
III. The Company will use the Personal Data only on the directions of the Client. The Company will not use Personal Data collected on behalf of the Client, received from the Client or its personnel or otherwise processed on behalf of the Client for any purpose other than as necessary to perform services under this Agreement.
IV. Parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
V. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of storing, controlling and/ or processing personal data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parties shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
VI. The Parties will ensure that they are in compliance with all applicable laws while handling any personal information and shall execute such agreements as may be necessary to ensure compliance with applicable laws.
VII. The Company shall not under any circumstances, be liable for any damage, destruction, unauthorized access, or loss of Personal Data.
VIII. The subject-matter:
The chatbot is built to disseminate information about Client products and services and generate leads for the Client. These details are collected so that the prospect can be contacted via call and/or email by the Client.
IX. The transfer nature and purpose of the processing:
Leads generated from the bots will be shared with the Client. The Client may reach out to the leads over other channels like call and/or email for conversions and sale.
For bots that do not generate leads, Personal Data may be collected to respond to queries of data subjects when they utilize bots on the Client’s website.
Additionally, some data may be downloaded on dedicated endpoint asset of Company for analytics and research purpose. This downloaded data is deleted within 15 business days from the endpoint to maintain compliance.
X. Categories of personal data:
XI. The obligations and rights of the Controller:
XII. The obligations and rights of the processor:
XIII. Breach Notification and Response Procedures:
XIV. Rights of data subjects:
The Parties are responsible for ensuring the rights of data subjects in accordance with the following.
The parties are responsible for assisting each other to the extent this is relevant and necessary for both parties to comply with their obligations to the data subjects.
XV. Data Subject Requests:
XVI. Responsibilities of the parties:
XVII. Additional Provisions for European Data:
XVIII. Additional Applicable Data Protection Laws:
Last updated on: 29th June 2022