circle line

EU General Data Protection Regulation - Data Privacy Annexure

 

This Jio Haptik Technologies Limited (Company) Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Jio Haptik Technologies Limited (Company) on behalf of Customer in connection with the Services under the Jio Haptik Technologies Limited (Company) Master Service Agreement (including any Professional Services Statement of Work) between Jio Haptik Technologies Limited (Company) and Customer (the “Agreement”).

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an executed amendment to the Agreement. The terms and conditions of the Data Processing Agreement apply where the EU GDPR applies to Customer or to Jio Haptik Technologies Limited (Company) or to any of their respective Affiliates.

We periodically update the terms of this DPA. Jio Haptik Technologies Limited (Company) will let you know when we do via email.

The term of this DPA shall follow the Term of the Agreement. Word or phrases not otherwise defined herein shall have the meaning as set forth in the Master Service Agreement.

Definitions:

  • California Personal Information” means Personal Data in relation to which Customer is a Business under the CCPA.

  • “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

  • “Business”, “Sell” and “Service Provider” shall have the meanings given to them in the CCPA. 

  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

  • “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, and the CCPA; in each case as amended, repealed, consolidated or replaced from time to time. 

  • “Data Subject” means the individual to whom Personal Data relates.

  • “European Data” means Personal Data, the Processing of which, is subject to European Data Protection Laws.

  • “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

  • “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Jio Haptik Technologies Limited and/or its Sub-Processors in connection with the provision of the Services. “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

  • “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

  • “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

  • Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out at Annex 3.

  • “Sub-Processor” means any Processor engaged by Jio Haptik Technologies Limited or its Affiliates to assist in fulfilling Jio Haptik Technologies Limited’s obligations with respect to the provision of the Services under the Agreement.  Sub-Processors may include third parties or Jio Haptik Technologies Limited Affiliates but shall exclude any Jio Haptik Technologies Limited employee or consultant.

1. Security Best Practices.

  • The Company should provide a secure environment for Confidential Information and any hardware and software, including servers, network and data components, to be supported as part of its performance under this Agreement and will at all times, remain at the higher of (i) applicable security and privacy laws and regulations, (ii) applicable privacy and security rules imposed by industry groups, (iii) Privacy & IT Security Best Practices (as defined by ISO 27001), and (iv) all security requirements, obligations, specifications and event reporting procedures as required in any applicable exhibit or schedule hereof.

2. Security Management. 

  • Company will develop, implement, maintain, and enforce a written information privacy and security program ("Security Program") that (i) complies with security best practices, (ii) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data and (iii) is appropriate to the nature, size and complexity of Company’s business operations and the Customer Data involved.

  • Company will notify Client of details regarding any material changes to its Security Program that may adversely affect the privacy and security of any Client and Customer Data.

  • Company will designate a senior employee to be responsible for overseeing and carrying out its Security Program and for communicating with Client on information security matters. Upon Client’s request, Company’s Security Officer will provide Client with the contact information of one or more Company representatives who will be available to discuss any privacy and security concerns (e.g., discovered vulnerability, exposed risk, reported concern) with Client and to communicate the level of risk associated with such concerns and any remediation thereof.

3. Personnel Security.

  • Prior to assigning any of its Personnel to positions in which they will, or Company reasonably expects them to, have access to Customer Data. Company will conduct or verify background checks on such Personnel, except where expressly prohibited by law. For the purposes of this Exhibit, "Personnel" means Company’s employees, independent contractors, and subcontractors that have access to Personal Data.

  • Company Personnel will, upon hiring, and at least annually thereafter, participate in privacy and security awareness training. This training will cover, at a minimum, Company’s privacy and security policies, including acceptable use, password protection, data classification, Breach reporting, the repercussions of violations, and brief overviews of Applicable Laws and Regulations.

  • Company must maintain a security process to conduct appropriate due diligence prior to utilizing subcontractors to provide any of the Services. Company will assess the security capabilities of any such subcontractors on an annual basis to ensure subcontractor's ability to comply with this Exhibit and the terms of the Agreement. The due diligence process will provide for the identification and resolution of significant security issues prior to engaging a subcontractor, written information security requirements that require subcontractor to adhere to Company's key information security policies and standards within all contracts, and for the identification and resolution of any security issues during the term of the Agreement.

4. Physical Security.

  • The physical security processes in this section apply to all facilities at which Customer/Client Data is accessed, processed, stored, transferred, or maintained, including any floor space where Services are performed in which Personnel have access to Customer/Client Data, and servers or other equipment that process or store Customer/Client Data (the "Secure Area").
  • Secure Area: Customer/Client Data will only reside within a Secure Area. Company will restrict access to and will control and monitor any Secure Area and will maintain physical security controls at the Secure Area, on a 24-hours-per-day, 7-days-per-week basis ("24/7"). Company will revoke any Personnel's access to Secure Areas within twenty-four (48) hours of the cessation of such Company Personnel's need to access buildings, system(s) or application(s).

5. Logical Security.

  • The logical security processes in this section apply to all Company’s systems or Company’s agents' or its assigns' systems and supporting networks used to provide the services on which Customer/Client Data is accessed, processed, stored, transferred, or maintained.
  • Company must employ access control mechanisms that: 
    • prevent unauthorized access to Customer/Client Data;

    • limit access to Personnel with a business need to know;

    • follow principle of least privilege allowing access to only the information and resources that are necessary under the terms of the Agreement; and

    • have the capability of detecting, logging, and reporting access to the system or network or attempts to breach security of the system or network.

  • All Personnel must have an individual account that authenticates that individual's access to Customer/Client Data. Access controls and passwords must be configured in accordance with industry standards and best practices. Passwords will be hashed with industry standard algorithms per the Storage, Handling and Disposal Section, below.

6. Telecommunication and Network Security.

  • Company will deploy reasonably appropriate firewall technology in the operation of Company’s sites. Traffic between Company and Client will be protected and authenticated by industry standard cryptographic technologies. Specifically, firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for all IPsec standards and certificates, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti-spoofing.

  • At a minimum, Company will review firewall rule sets annually to ensure that legacy rules are removed, and active rules are configured correctly.

  • Company will deploy intrusion detection or preferably prevention systems (IDS/IPS) in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.

  • Company will deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a maximum period of 180 days.

7. Malicious Code Protection.

  • All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server. Virus definitions must be updated within twenty-four (24) hours of release by the anti-virus software vendor. Company will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Company’s or Client’s computing environment.

  • Company will have current anti-virus software configured to run real-time scanning of machines. and a full system scan on a regularly scheduled interval not to exceed seven (7) calendar days.

  • Company will scan incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.

  • Company will quarantine or remove files that have been identified as infected and will log the event.

8. Data Loss Prevention.

  • Company will have policies, procedures, and technical controls in place to prevent data loss.

9. Systems Development and Maintenance.

  • Documentation: Company will maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Customer/Client Data.

  • Vulnerability Management and Application Security Assessments. Company will run internal and external network vulnerability scans at least quarterly and after any material change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Vulnerabilities identified and rated as critical/high risk by Company will be remediated within ninety (90) days of discovery. 

    • For all Internet-facing applications that collect, transmit or display Customer Data, Company agrees to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a static code analysis or penetration test of the application, as well as a code review. At a minimum, it will cover the OWASP Top 10 vulnerabilities (https://www.owasp.org).

    • Company may utilize a qualified third party to conduct the application security assessments. Company may conduct the security assessment review themselves, provided that Company’s Personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Company. Vulnerabilities identified and rated as critical/high risk by Company will be remediated within ninety (90) days of discovery.

  • Source code review: Company will have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Customer Data.

  • Patch Management: Company will patch all workstations and servers with all current operating system, database and application patches deployed in Company’s computing environment according to a schedule predicated on the criticality of the patch. Company will perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed six weeks from the date of release.

10. Storage, Handling, and Disposal.

  • Data Segregation: Company will physically or logically separate and segregate Customer Data from its other Client’s data.

  • Electronic Form Data. Company will utilize Industry Standard Encryption Algorithms and Key Strengths to encrypt the following: 

    • All Customer Data that is in electronic form while in transit over all public wired networks (e.g., Internet) and all wireless networks; and

    • All Customer Data stored in databases, in file systems, and on various forms of online and offline media (DASD, tape, etc.)

  • Key Management. Where encryption is utilized, Company will maintain a key management process that meets the following minimum requirements: 

    • At least one key custodian must be officially designated.

    • Key custodians must ensure that all keys used in a storage encryption solution are secured and managed properly to support the security of the solution.

    • Key management must be planned to include secure key generation, use, storage and revocation.

    • Key management practices must support the recovery of encrypted data if a key is inadvertently disclosed, destroyed or becomes unavailable.

    • Key custodians must ensure that access to encryption keys is properly restricted to approved administrators. Private keys must not be stored on the same media and/or virtual instance as the data they protect.

    • Authentication must be required in order to gain access to keys.

    • Keys will be rotated annually and must be replaced before they expire.

  • Physical Form Data. Company will only store Customer Data in physical form in a Secure Area, and Company will establish and operate a document control system to record and track the transfer of all Customer Data that is in physical form both (i) between and within Company facilities, and (ii) via any external shipment. Such a control system will include, at minimum, a description of the specific records being transferred (e.g., customer or employee records, etc.), as well as the parties who are preparing, shipping, receiving, and processing such materials.

 I. Unless explicitly stated otherwise in this agreement, the Client shall be responsible to ensure that relevant consents as per applicable laws and regulations have been obtained from the individuals/ data subjects and recorded and the correctness and accuracy of such Personal Information and the Company shall have no liability towards the Client or the Users arising as a result of the collection, correctness, accuracy and processing of any such Personal Data. 


 II. The Client shall be responsible to maintain records of all consent acceptance and refusal for seven (7) years. The Client shall also be responsible to provide details of consent acceptance and/ or refusal within 15 calendar days of the Company’s written request for the same. The Client will be liable to pay for any damages that the Company incurs due to inaccurate and/ or insufficient consent records.


 III. The Company will use the Personal Data only on the directions of the Client. The Company will not use Personal Data collected on behalf of the Client, received from the Client or its personnel or otherwise processed on behalf of the Client for any purpose other than as necessary to perform services under this Agreement.


 IV. Parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


 V. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of storing, controlling and/ or processing personal data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parties shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.


 VI. The Parties will ensure that they are in compliance with all applicable laws while handling any personal information and shall execute such agreements as may be necessary to ensure compliance with applicable laws. 


 VII. The Company shall not under any circumstances, be liable for any damage, destruction, unauthorized access, or loss of Personal Data.  


 VIII. The subject-matter:

  • The chatbot is built to disseminate information about Client products and services and generate leads for the Client. These details are collected so that the prospect can be contacted via call and/or email by the Client. 

IX. The transfer nature and purpose of the processing:

  • Leads generated from the bots will be shared with the Client. The Client may reach out to the leads over other channels like call and/or email for conversions and sale.

  • For bots that do not generate leads, Personal Data may be collected to respond to queries of data subjects when they utilize bots on the Client’s website.

  • Additionally, some data may be downloaded on dedicated endpoint asset of Company for analytics and research purpose. This downloaded data is deleted within 15 business days from the endpoint to maintain compliance.

 X. Categories of personal data:

  • Details collected by the data subject may include but not be limited to be name, email address, telephone number, address, job titles, device ID, IP address, location data, education information, identification numbers, order information, transactional information, Company name and purpose of visit on Client’s website. Additional details may be requested to provide services mentioned as part of Client agreements and to comply with laws and regulations.

 XI. The obligations and rights of the Controller:

  • The Controller (Client) is responsible to securely store and maintain privacy for subject data and Personal Data.
  • For customers availing Agent Chat functionality, the Controller (Client) has access to the Company’s portal for accessing chat transcripts. Controls over information security for Personal Data in chat transcripts must be implemented.
  • Access to Analytics Dashboard will be provided by the Company. Controller (Client) should ensure appropriate safeguards for limiting and securing access.
  • It is the responsibility of the Controller (Client) to implement any and all security measures for protection of Personal Data received from the Company.

 XII. The obligations and rights of the processor:

  • Company (processor) will store Personal Data securely and limit access to this data through permissions.
  • Company (processor) is responsible to securely share Personal Data to the Client (Controller).
  • Company (processor) will inform the Client (Controller) in case of a data breach of Personal Data collected for that respective Client.

 XIII. Breach Notification and Response Procedures:

  • Company will maintain incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of, Security Breaches. Upon discovering or otherwise becoming aware a Breach, Company will take all reasonable measures to mitigate the harmful effects of the Breach. Company will also notify Client and Customer (users) of the Breach as soon as practicable, but in no event later than 72 hours after the Breach. Notice to Customer (user) will include: (i) the identification of the Customer Data which has been or Company reasonably believes has been used, accessed, acquired or disclosed during the incident; (ii) a description of what happened, including the date and time of the incident and the date and time of discovery of the incident, if known; (iii) the scope of the incident, including a description of the type of Customer Data involved in the incident; (iv) a description of Company response to the incident, including steps Company has taken to mitigate the harm caused by the incident; and (v) other information as Customer may reasonably request and is reasonably applicable. Company agrees to cover the costs of any such notification, including reimbursing Client and Customer for any reasonable costs.

  • Company will retain all data related to known and reported Breaches or investigations until Company reasonably determines that the data is no longer needed. Upon Client’s request, Company will permit Client or its third-party auditor to review and verify relevant video surveillance records, access logs and data pertaining to any Breach investigation. Upon conclusion of investigative, corrective, and remedial actions with respect to a Breach, Company will prepare and deliver to Client a final report that describes in detail: (i) the extent of the Breach; (ii) the Customer/Client Data disclosed, destroyed, or otherwise compromised or altered; (iii) all supporting evidence, including, but not limited to, system, network, and application logs; (iv) all corrective and remedial actions completed; and (v) all efforts taken to mitigate the risks of further Breaches.

 XIV. Rights of data subjects:

The Parties are responsible for ensuring the rights of data subjects in accordance with the following.

  • Right Of Access by The Data Subject 
  • Right To Rectification
  • Right To Erasure (The Right to Be Forgotten)
  • Right To Restriction of Processing
  • Notification Obligation Regarding Rectification or Erasure Of Personal Data Or Restriction Of Processing Or Breach
  • Right To Data Portability 
  • Right To Object to Processing

The parties are responsible for assisting each other to the extent this is relevant and necessary for both parties to comply with their obligations to the data subjects.

 

 XV. Data Subject Requests:

  • The Services provides Client with several categories of personal data that Client may use to retrieve, correct, delete, or restrict Personal Data, which Client may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”). 
  • To the extent that Client is unable to independently address a Data Subject Request through the Services, then upon Client’s written request Company shall provide assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. 
  • If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Jio Haptik, Jio Haptik will promptly inform Client and will advise the Data Subject to submit their request to Customer. Customer shall be responsible for responding to any such Data Subject Requests or communications involving Personal Data.

 XVI. Responsibilities of the parties:

  • The parties agree that Company (Jio Haptik Technologies Limited) will process EU Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement. Company (Jio Haptik Technologies Limited) shall not (a) Sell EU Personal Information; or (b) retain, use, or disclose EU Personal Information for any purpose other than for the Business Purpose or as otherwise permitted by the GDPR without explicit consent from the customer or data subject.

 XVII. Additional Provisions for European Data:

  • This Section (Additional Provisions for European Data) shall apply only with respect to European Data.
  • Roles of the Parties. When Processing European Data in accordance with Customer’s Instructions, the parties acknowledge and agree that Client is the Controller of European Data and Jio Haptik Technologies Limited is the Processor.
  • Transfer Mechanisms for Data Transfers.
    • Jio Haptik Technologies Limited shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Law, or to a recipient that has executed appropriate standard contractual clauses adopted or approved by the European Commission.
    • Client acknowledges that in connection with the performance of the Services, Jio Haptik Technologies Limited, is a recipient of European Data in India. The parties agree that Jio Haptik Technologies Limited makes available the transfer mechanisms listed below:
  • (a) Standard Contractual Clauses: Jio Haptik Technologies Limited, agrees to abide by and process European Data in compliance with the Standard Contractual Clauses. If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict

 XVIII. Additional Applicable Data Protection Laws:

  • Company will adhere to all Applicable Data Protection Laws, such as, but not limited to, General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), Singapore’s Personal Data Protection Act, and all future Applicable Data Protection Laws. 
  • To the extent that the European Union (“EU”) General Data Protection Regulation (“GDPR”) applies to the Subscription Services or Customer Data, for example where the Subscription Services are being provided to Authorized Users located in the EU, or where Customer is seeking to provide the personal data of EU individuals to Company, then the following applies:
 i. for the purposes of the GDPR, Company is a processor, as that term is defined in the GDPR.

 

 Last updated on: 29th June 2022