Data Processing Agreement (DPA)
This Data Processing Agreement (DPA) is entered between You (“Customer”) and PopulationCouncil Consulting Pvt. Ltd. (“PC Consulting”).
1. Preamble and Subject Matter:
General: This DPA forms an integral part of the Terms of Service Governing the use of MQUAD (“Terms of Service”) entered into between You and PC Consulting. Per the Terms of Service, You have engaged PC Consulting to provide access to MQUAD, a web-based survey application platform for conducting surveys and collecting Data. PC Consulting agrees to provide access to MQUAD, subject to the terms of this DPA.
2. Definitions
Throughout this Data Processing Agreement, certain words or phrases are used which shall be construed as follows:
2.1. Customer: The company or user that holds an account on MQUAD to create and host surveys through MQUAD.
2.2. Data: A representation of information, facts, concepts, opinions, or instructions suitable for communication, interpretation, or processing by humans or machine. For the purpose of this Agreement, ‘Data’ may also include ‘Personal Data’.
2.3. Data Protection Laws: The Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and any other applicable data protection laws.
2.4. Data Subject: The identified or identifiable natural person to whom personal data relates.
2.5. Personal Data: Any information related to an identified or identifiable natural person (Data Subject) processed by PC Consulting on behalf of the Customer.
2.6. Services: The services provided through MQUAD.
2.7. Sub-processor: A third-party subcontractor engaged by PC Consulting.
3. Scope
3.1. PC Consulting, through the MQUAD platform, allows the Customer to formulate and conduct online surveys and process data independently. PC Consulting is only liable for providing the software application, allowing access to the surveys via the MQUAD platform and ensuring the security of data.
4. Obligations of PC Consulting
4.1. PC Consulting shall process data only on behalf of and in accordance with the documented instructions of the Customer and in compliance with applicable Data Protection Laws.
4.2. Confidentiality: PC Consulting shall ensure that persons authorized to process Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Security: PC Consulting shall implement appropriate security measures for Data processing, including, but not limited to, the pseudonymization and encryption of Data, the ability to ensure the confidentiality, integrity, availability, and resilience of processing systems, the ability to restore access to Data in the event of a technical incident, and regular testing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
4.4. Sub-processing: PC Consulting may engage sub-processors for Data processing, whenever needed. PC Consulting shall ensure that any sub-processor it engages is bound by a written agreement that is as protective of Data as this DPA. PC Consulting shall notify the Customer of any changes to sub-processors and shall remain liable to the Customer for the performance of the sub-processor’s obligations.
4.5. Data Subject Rights: PC Consulting shall assist the Customer, as reasonably required, in responding to Data Subject requests under the applicable data protection laws.
4.6. Records of Processing Activities: PC Consulting shall maintain accurate records of processing activities and provide the Customer with a summary of such processing activities upon request.
4.7. Audit: PC Consulting shall permit the Customer or its appointed auditors to conduct an audit of PC Consulting’s processing activities, data protection policies and procedures, and any other relevant material to verify compliance with this DPA. Such audits may be conducted no more than once per year and shall be subject to reasonable advance notice and any confidentiality obligations required by PC Consulting.
5. Obligations of Customer
5.1. It is hereby agreed and acknowledged that the Customer is the Data Fiduciary as defined in Section 2(i) of the Digital Personal Data Protection Act, 2023 with regard to the Data of the Data Subjects. The Customer shall have sole responsibility for the accuracy, quality, and legality of the Data and the means of acquiring such Data.
5.2. The Customer commits to comply with all applicable data protection laws and regulations, ensuring that Processing instructions align with Data Protection Laws including, but not limited to, (i) transmission of Data to PC Consulting, (ii) the use of any Data in connection with any marketing or advertising, and/or (iii) Processing and use of the Data Subject’s Data. PC Consulting will promptly inform the Customer if it believes a Processing instruction infringes Data Protection Laws. The Customer is solely responsible for safeguarding the rights of the Data Subject in accordance with the applicable Data Protection Laws.
5.3. The Customer warrants the right to transfer or provide access to Data to PC Consulting for Processing.
5.4. The Customer agrees to provide PC Consulting with complete, accurate, and up-to-date information about the data to be processed and the purposes of the processing.
5.5. The Customer will maintain a record of processing activities.
5.6. The Customer will, without undue delay, inform PC Consulting of any defects or irregularities in implementing statutory regulations on data privacy.
5.7. The Customer will obtain any necessary consent from Data Subjects for Data processing by PC Consulting and provide evidence of such consent upon request.
5.8. The Customer will implement appropriate technical and organizational measures for the security and confidentiality of data, preventing its unauthorized access, use, disclosure, alteration, or destruction.
5.9. The Customer will promptly notify PC Consulting of any security incidents or data breaches and cooperate in the investigation, mitigation, and remediation.
5.10. The Customer will indemnify PC Consulting and its officers, directors, employees, and agents against claims, damages, liabilities, costs, and expenses arising from any breach of this DPA by the Customer or its representatives.
5.11. The Customer shall treat business secrets and data security measures of PC Consulting confidentially even after the termination of this agreement or the Terms of Service Governing the use of MQUAD.
6. Special Categories of Data
6.1. In relation to the Data of Children or Persons with Disabilities, the Customer shall:
• Obtain explicit consent from Parents/Legal Guardians for processing such Data.
• Ensure that the processing of such data is necessary for carrying out its obligations.
• Implement appropriate technical and organizational measures for the security of such Data,
• Designate a Data Protection Officer to oversee the processing of such data.
6.2. In relation to the Data of Children or Persons with Disability, PC Consulting shall:
• Process Special Categories of Data only based on the documented instructions from the Data Fiduciary.
• Ensure that staff processing such Data are subject to a duty of confidentiality.
• Assist the Data Fiduciary in fulfilling its obligations to respond to data subject requests.
• Ensure that any sub-processor complies with these requirements.
7. Data Breach
Notification: In the event of a Data Breach of Personal Data which is brought to the notice of PC Consulting, it will promptly notify the Customer and the Customer shall intimate the Data Protection Board of India information relating to such Data Breach in the form and manner prescribed under the Digital Personal Data Protection Act, 2023.
8. International Transfer of Data
PC Consulting may process and transfer Data outside India with the Customer’s consent, following applicable laws.
9. Term & Termination
9.1. Term: This DPA shall be effective during the Services under the Terms of Service and shall terminate automatically upon expiration or termination of the Terms of Service.
9.2. Either Party may terminate or suspend this DPA immediately for a material breach by the other Party that remains uncured for a period of 30 days after written notice of the breach. The obligations of PC Consulting and the Customer shall survive termination or expiration of this DPA.
10. Export of Data upon Termination
10.1. Upon termination, PC Consulting shall, at the choice of the Customer, either return or securely delete all Data, unless required by law to retain it. PC Consulting shall assist the Customer in ensuring that Data is returned or securely deleted in accordance with the law. PC Consulting shall comply with this clause within a reasonable time after receiving the request to return or delete the Data.
10.2. In the event that the Customer requests Data export upon termination or expiration of this DPA or the Terms of Service, PC Consulting shall provide it in a machine-readable format, subject to reasonable costs paid by the Customer. Such export shall be carried out in compliance with applicable data protection laws and regulations and shall not compromise the security or confidentiality of data.
11. Inactive Users Policy
If the Customer has not logged in to MQUAD for a period of 180 days, PC Consulting reserves the right to temporarily deactivate or delete the account and associated data with reasonable efforts to notify and obtain consent.
12. Governing Law
This Data Processing Agreement shall be governed by and construed in accordance with the laws of India.
13. Amendments
PC Consulting may modify or update these terms at any time to reflect changes in applicable law, to reflect updates to Services or the technical and/or organizational measures, to account for new Services or functionalities, or for any other reason. The Customer will be informed about the modifications when they login to the MQUAD platform after such modification or update. Continued use of MQUAD by the Customer shall constitute deemed consent unless PC Consulting receives a timely objection from the Customer. Amendments to these terms will be effective immediately when posted on the MQUAD platform.
14. Assignment
14.1. Neither Party may assign or transfer rights or obligations under this DPA without the prior written consent of the other Party.
15. Severability:
15.1. If any provision of this DPA is unenforceable by a court of competent jurisdiction, it will be severed, and the remainder of the agreement will remain in full effect.
In witness whereof, the Parties hereto have caused this Agreement to be executed by their duly empowered representatives.