This Data Processing Agreement ("Agreement") is entered into between:
1. The company mentioned in the corresponding Order Form which is receiving access to the Product ("Controller"); and
2. ("TurningCloud Solutions Pvt Ltd,") a company incorporated in India and having its registered address at Tower B, 703, Business Zone, Nirvana Country, South City II, Gurugram (HR) 122018 ("Processor").
This Agreement supplements the Software as a Service (SaaS) Subscription Agreement ("MSA") entered into via the corresponding Order Form between the parties, solely to govern the processing of Personal Data. This Agreement is co-terminus with the MSA and is governed by the MSA. In case of any conflict between the terms of this Agreement and the MSA, the MSA shall prevail.
The below Annexes are a part of this Agreement:
Annex I – Description of Processing
Annex II – Security Measures
Annex III – Approved Subprocessors
Annex IV – HIPAA Business Associate Addendum (if applicable)
1. DEFINITIONS
"Personal Data", "Processing", "Data Subject", "Controller", "Processor" shall have the meanings ascribed under Applicable Laws.
"Applicable Laws" refers to GDPR, CCPA/CPRA, and DPDP Act.
2. SCOPE OF PROCESSING
Processor shall process Personal Data only on documented instructions from Controller and solely for the purpose of providing the Platform and associated items under the MSA, and as defined in the MSA.
Categories of Data Subjects: Authorized Users and other stakeholders of the Controller.
Types of Data: Names, email IDs, telephone numbers.
3. COMPLIANCE WITH LAWS
Processor shall comply with all Applicable Laws and assist Controller in fulfilling its legal obligations including:
- Responding to Data Subject rights requests (access, correction, deletion)
- If applicable, implementing safeguards for processing sensitive personal data/PHI under HIPAA
- Supporting privacy impact assessments and breach notification procedures
Where conflicts arise, the stricter standard shall apply.
4. SECURITY MEASURES
Processor shall implement appropriate technical and organizational measures to protect Personal Data, including encryption, pseudonymization, access controls, monitoring, and incident response procedures.
5. SUBPROCESSORS
Processor may engage Subprocessors only with prior written consent of Controller. A current list shall be maintained and shared upon request. Processor shall ensure Subprocessors are contractually bound to comply with obligations equivalent to this Agreement.
6. DATA TRANSFERS
Controller and its stakeholders are forbidden from sharing, using, processing or collecting data belonging to UK or EU nationals on the Processor's SaaS platform under the MSA.
Where Personal Data is transferred outside its jurisdiction of origin, the Parties shall ensure adequate safeguards, including Standard Contractual Clauses (EU/UK), compliance with US state laws, and adherence to India's DPDP Act restrictions.
7. AUDIT RIGHTS & DATA SUBJECT RIGHTS
Controller may conduct reasonable audits of Processor's compliance with this Agreement upon 30 days' notice, limited to once annually unless a breach has occurred. Processor shall assist Controller in fulfilling data subject rights, including rights of access, rectification, erasure, portability, restriction, and objection, as well as opt-out rights under CCPA/CPRA and grievance redressal under DPDP Act.
8. DATA RETENTION AND DELETION
Upon termination or expiry of the MSA, Processor shall, at Controller's option, delete or return all Personal Data and certify such deletion unless otherwise required by law. Secure deletion methods shall be used.
9. BREACH NOTIFICATION
Processor shall notify Controller of any Personal Data breach without undue delay and in no event later than 72 hours after discovery. Processor shall cooperate in remediation efforts.
10. LIABILITY
Processor shall be responsible to the Controller against any claims, fines, or losses arising from breach of this Agreement, subject to any liability caps in the MSA.
11. TERM AND TERMINATION
This Agreement shall remain in effect for the duration of the MSA. It may be terminated independently upon mutual agreement or breach of obligations herein.
12. GOVERNING LAW & JURISDICTION
This corresponding clause in the MSA applies.
13. ORDER OF PRECEDENCE
The MSA prevails over any conflicting terms in this Agreement. If any provision is invalid, the remainder shall remain in full force and effect
ANNEX I – DESCRIPTION OF PROCESSING
Nature of Processing:
Provision of cloud-based software services for supply chain operations and management, tracking, analytics, and user administration.
Purpose of Processing:
Facilitate data entry, storage, access, transmission, and reporting relating to supply chain operations.
Categories of Data Subjects:
- Employees of Controller
- End customers
- Authorized Users
- Contractors or agents interacting with the platform
Types of Personal Data Processed:
- Contact details (name, email, phone number)
- Identification data
- IP addresses and device metadata (for access logs)
Duration of Processing:
For the term of the MSA, unless a longer retention period is agreed or legally required.
ANNEX II – SECURITY MEASURES
Processor shall implement, at a minimum, the following technical and organizational security controls:
1. Encryption
- AES-256 encryption at rest and TLS 1.2+ in transit
- Secure key management practices
2. Access Controls
- Role-based access control (RBAC)
- Least privilege policy enforcement
3. Monitoring & Logging
- Real-time intrusion detection
- Audit logs with tamper protection
4. Availability & Resilience
- Daily backups stored in secure locations
- Disaster recovery testing annually
- SLA-compliant uptime guarantees
5. Personnel Safeguards
- Background screening of staff with data access
- Mandatory data protection training
- Confidentiality agreements for employees and subcontractors
6. Incident Management
- Formal incident response plan
- Notification to Controller within 72 hours of confirmed breach
7. Certifications (if applicable)
ANNEX III – APPROVED SUBPROCESSORS
Currently there are no subprocessors. Processor shall notify Controller of any intended changes to Subprocessors and allow objection within a reasonable timeframe.
ANNEX IV – HIPAA BUSINESS ASSOCIATE ADDENDUM
To the extent Processor handles Protected Health Information ("PHI") as defined under HIPAA:
1. Permitted Uses
Processor may use PHI only to provide services under the Master Subscription Agreement and as permitted by HIPAA.
2. Disclosure Restrictions
Processor shall not disclose PHI except as authorized in writing by Controller or as required by law.
3. Safeguards
Processor shall implement administrative, physical, and technical safeguards to protect PHI in compliance with 45 CFR §§164.306–316.
4. Breach Notification
Processor shall notify Controller of any unauthorized use or disclosure of PHI within 72 hours of discovery.
5. Mitigation and Cooperation
Processor shall mitigate harmful effects of any known breach and cooperate with investigations or corrective actions.
6. Subcontractors
Processor shall ensure any subcontractors that handle PHI enter into a contract with equivalent HIPAA obligations.
7. Termination
Upon termination, Processor shall return or securely destroy PHI unless retention is required by law.
This Addendum supplements and forms part of the DPA and shall be interpreted in accordance with HIPAA.