This Data Processing Addendum (the "DPA") forms part of, and is subject to, the agreement between Kaaspo Enterprises Private Limited ("pPULSE", "we", "us") and the customer named in the applicable order form or online sign-up (the "Customer"). It governs the processing of personal data by us on behalf of the Customer in connection with the Services, and reflects the parties' obligations under the Digital Personal Data Protection Act, 2023 of India (the "DPDP Act"), the EU and UK General Data Protection Regulations (together, "GDPR") where applicable, and other equivalent data-protection laws.
Capitalised terms used but not defined in this DPA have the meanings given to them in the DPDP Act, the GDPR, or, where neither defines them, in our Terms of service. In addition:
The Customer is the Data Fiduciary (or controller) of Customer Personal Data. We are the Data Processor (or processor). We process Customer Personal Data only on the Customer's documented instructions, including those reflected in the Services configuration, the Order Form, the Documentation, and this DPA.
This DPA applies to the extent we process Customer Personal Data in connection with the Services and remains effective for as long as we process such data on the Customer's behalf.
The categories of Data Subjects, types of Customer Personal Data, processing operations, retention, and frequency are described in Annex A. The technical and organisational security measures we apply are described in Annex B. Our current sub-processors are described in Annex C.
The Customer's use of the Services constitutes its standing instruction to us to process Customer Personal Data as required to provide the Services and to comply with this DPA. The Customer may issue additional reasonable instructions, provided that we may charge for any work that is materially outside scope. We will notify the Customer if we believe an instruction violates applicable law and may decline to act on such an instruction.
We ensure that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and have received suitable training. We restrict access on a need-to-know basis.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are described in Annex B and may be updated from time to time, provided that the overall level of protection is not materially diminished.
The Customer grants us a general authorisation to engage Sub-processors for the purpose of providing the Services, subject to the conditions in this Section 7.
The current list of Sub-processors is set out in Annex C and is also available on request from privacy@ppulse.com.
We will give the Customer at least thirty (30) days' written notice (which may be by email or by a public update to Annex C) of any intended addition or replacement of a Sub-processor.
The Customer may object on reasonable, documented grounds related to data protection. If the parties cannot agree a workaround within a reasonable period, the Customer may terminate the affected portion of the Services and receive a pro-rata refund of pre-paid fees for the unused portion.
Each Sub-processor is bound by a written contract that imposes data-protection obligations no less protective than those in this DPA. We remain responsible for our Sub-processors' performance.
We provide reasonable assistance to the Customer to enable it to respond to requests by Data Subjects to exercise their rights, including rights of access, correction, deletion, portability, and objection. Where a Data Subject contacts us directly, we will, unless prohibited by law, refer them to the Customer.
We notify the Customer without undue delay (and in any event within seventy-two (72) hours of becoming aware) of a confirmed Personal Data Breach affecting Customer Personal Data. Our notice will describe the nature of the breach to the extent then known, the categories and approximate number of affected Data Subjects and records, the likely consequences, and the measures we are taking. We provide reasonable cooperation to help the Customer meet its own breach-notification obligations.
Where Customer Personal Data is transferred outside India or, where applicable, outside the European Economic Area, the United Kingdom, or another jurisdiction with restrictions on cross-border transfer, we will ensure that an appropriate safeguard is in place. Such safeguards may include the EU Standard Contractual Clauses (in their then-current approved form), the UK International Data Transfer Agreement or Addendum, country-level adequacy decisions, or any successor mechanism approved by the relevant authority. The parties agree that, to the extent applicable, the standard contractual clauses are deemed to be incorporated into this DPA by reference.
We make available to the Customer such information as is reasonably necessary to demonstrate our compliance with this DPA, including by providing copies of relevant third-party audit reports, summaries of penetration test results, and security questionnaires under non-disclosure. The Customer may request an audit of our compliance no more than once per twelve (12) months on at least thirty (30) days' written notice, conducted during business hours, at the Customer's expense, and subject to a reasonable confidentiality undertaking. The auditor must not be a competitor of ours.
On termination or expiry of the Services, we will, at the Customer's choice and unless prohibited by law, either return Customer Personal Data to the Customer or delete (or anonymise) it. Customers can export Customer Personal Data through the Services during the wind-down period set out in our Terms of service. After that period, we will delete or anonymise Customer Personal Data within ninety (90) days, except where a longer retention is required by applicable law.
This DPA takes effect on the date the Customer accepts our Terms of service or signs an Order Form, and remains in force for as long as we process Customer Personal Data on the Customer's behalf. The obligations in Sections 5, 6, 9, 12, 14, and 15 survive termination to the extent any Customer Personal Data is retained.
The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions set out in our Terms of service. This DPA does not increase or extend either party's liability beyond the limits in the Terms of service.
If any provision of this DPA is found unenforceable, the remainder remains in effect. In the event of conflict between this DPA and our Terms of service, this DPA prevails to the extent of the conflict and only with respect to processing of Customer Personal Data. This DPA is governed by the laws specified in our Terms of service. Notices under this DPA must be given in accordance with our Terms of service.
We implement and maintain the technical and organisational measures described in our Security overview, which is incorporated into this DPA by reference. These include, without limitation:
The categories of Sub-processors we currently use are:
The current list of named Sub-processors is available on request and is updated under Section 7.3.
Kaaspo Enterprises Private Limited
Attn: Privacy Officer
Chennai, Tamil Nadu, India
Email: privacy@ppulse.com