Last updated on March 6th , 2024.
This Data Processing Agreement (“DPA ”) is to be read in conjunction with the Terms of Subscription which is available at (“ Agreement ”).
This Data Processing Agreement (“DPA”) is between APPRAEZ IT SOLUTIONS LLP (R-COMMUNITY) , ( “Service Provider” ), and you ( “Customer” ) governing your use of the host of Products and Services of the Service Provider (“Product”).
The Customer and Service Provider are individually referred to as “Party” and collectively as “Parties”.
WHEREAS:
1. The Service Provider is in the business of providing information technology services and other allied services and provides a comprehensive management system for residential and commercial properties.
2. The Customer is availing Services from Service Provider’s platform as specified in the Order Form (“Product”). While rendering Services, the Product of the Service Provider shall process Personal Data (as defined herein) provided by the Customer.
3. As per data protection laws of certain jurisdiction, there must be a contract between a data controller and a data processor containing certain provisions regarding the processing of personal data.
1.1. This DPA forms an integral part of the Agreement, and all engagement letters, documents, addenda, schedules, and exhibits incorporated therein, and all communications sent in connection therewith; and
1.2. This DPA amends and replaces any provisions in the Agreement that conflict with the terms of this DPA, provided that, unless expressly stated otherwise in this DPA, nothing in this DPA shall change either party’s exclusions and limitations of liability under the Agreement and all provisions relating to liability and indemnities set out in the remainder of the Agreement shall continue to apply notwithstanding this DPA coming into effect.
2.1. Affiliate means, with respect to a party, an entity that (directly or indirectly) controls, is controlled by or is under common control with, such party, where control refers to the power to direct or cause the direction of the management policies of another entity, whether through ownership of voting securities, by contract or otherwise.
2.2 Data Controller means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and in this DPA shall refer to the Customer.
2.3. Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under the Agreement and, other laws and regulations of relating to data protection.
2.4. Data Subject means the individual to whom Personal Data relates.
2.5. Data Subject Request means a Data Subject's request to exercise that person's rights under Data Protection Laws in respect of that person's Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of object to the processing of, block or delete such Personal Data.
2.6. Personal Data means any information relating to an identified or identifiable natural person made available to Service Provider in connection with the Services; an identifiable natural person (Data Subject), is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of that natural person. Personal Data shall refer to the Personal Data shared by the Customer to the Service Provider for the purpose of availing Services.
2.7. Processing or Process means any operation or set of operations which is performed by or on behalf of Service Provider as part of the Services upon Personal Data, whether by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
2.8. Data Processor means the entity which Processes Personal Data on behalf of the Controller and in this DPA shall refer to the Service Provider.
2.9. Security Incident means any personal data breach or other incident that has resulted, or is reasonably likely to result, in any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to or encryption of (a) Personal Data or (b) other information under Service Provider's control where such incident has the potential to harm Customer's business, Customers, employees, systems or reputation.
2.10. Subcontractor means a third-party subcontractor engaged by or on behalf of Data Processor that will Process Personal Data as part of the performance of the Services.
3.1. The Parties acknowledge and agree that in relation to this DPA, Customer shall be the Data Controller and Service Provider shall be the Data Processor. While this Agreement proceeds to elaborates on the Role of the Data Processor, the Data Controller agrees to be compliant with its obligations with regard to receiving and continuing to keep the consent of the Data Subjects for the purpose of Data Processing and Storage, as well as all other obligations under applicable laws for Personal Data Privacy.
4.1 The Service Provider agrees to Process Personal Data only on Customer's behalf and in accordance with Customer's written instructions or for the performance of the Services as per the Order Form and shall treat Personal Data as Confidential Information subject to the confidentiality provisions of the Agreement. Customer shall instruct Service Provider to Process Personal Data in accordance with the Agreement and to comply with Customer's other reasonable instructions (e.g., via email) where such instructions are consistent with the Agreement.
4.2.The Service Provider shall inform Customer within reasonable time, if, in Service Provider's reasonable opinion, Service Provider believes that any instruction given by Customer infringes Data Protection Laws.
4.3.The Service Provider's Processing of Personal Data shall comply with its obligations under Data Protection Laws and Service Provider shall not perform the Services in a manner that causes Customer to violate Data Protection Laws.
5.1. The purpose of Processing of Personal Data by Service Provider is the performance of the Services pursuant to the Agreement.
6.1. All Personal Data supplied by the Customer to the Service Provider shall at all times remain the property of the Customer. Nothing contained in this DPA shall vest the ownership in any Personal Data shared to the Service Provider.
7.1. Other than as expressly permitted by the Agreement or required by law, Service Provider shall not disclose Personal Data to any third parties without Customer's prior consent.
8.1. Data Subject Requests
8.1.1. The Service Provider shall, to the extent permitted by law, promptly notify Customer upon receipt of a Data Subject request. Service Provider shall not respond to any such Data Subject’s request without Customer's prior written instructions.
8.1.2. The Service Provider shall provide such assistance and take such action as Customer may reasonably request (including assistance by appropriate technical and organizational measures) to allow Service Provider to fulfil its obligations to Customers or under Data Protection Laws in respect of Data Subject Requests, including, without limitation, meeting any deadlines imposed by such obligations.
8.2. Other Complaints and Requests
8.2.1. The Service Provider shall, to the extent permitted by law, promptly notify Customer upon receipt of any complaint or request) relating to (a) Customer's obligations under Data Protection Laws; or (b) Personal Data. In the event if the Customer fails to comply with the instructions of the statutory authorities/regulatory bodies and Service Provider, by written order of such regulatory bodies/statutory authority has been instructed to share the Personal Data, Service Provider shall have the right to share Personal Data to the extent required to comply with such written orders of regulatory bodies or statutory authorities.
8.2.2. The Service Provider shall promptly provide such co-operation and assistance as Customer may request in relation to such complaint or request.
9.1. The Service Provider shall ensure that its personnel engaged in Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements in respect of the Personal Data that survive termination of the personnel engagement.
10.1. Appointment of Subcontractors the Service Provider shall not authorize a Subcontractor to process Personal Data without the prior consent of Customer.
10.2. Responsibility for Subcontractors the Service Provider shall be responsible and liable for the acts, omissions, or defaults of its Subcontractors in the performance of obligations under this DPA or otherwise as if they were Service Provider's own acts, omissions, or defaults.
11.1. The Service Provider shall take appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of Service Provider systems used for Processing Personal Data and protect against the unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored, or otherwise Processed.
11.2. The Customer shall implement appropriate technical and organizational measures, which are designed to ensure that:
11.2.1. It complies with all applicable laws for the time being in force.
11.2.2. The data protection principles as per Data Protection Laws are implemented; and
11.2.3. risks to the rights and freedoms of data subjects are minimized.
12.1. The Service Provider shall:
12.1.1. notify Customer within seventy-two (72) hours from becoming aware of the occurrence of any incident which has resulted, or is reasonably likely to result, in a breach of security, including any accidental or unlawful loss, theft, deletion, disclosure or corruption of Personal Data and/or any unauthorized use or access to Personal Data (“Security Incident”).
12.1.2. provide all cooperation and information reasonably requested by Customer in respect of a Security Incident, including, as soon as possible following, and in any event within 48 hours of, the detection of the Security Incident by Service Provider:
12.1.2.1. full details of the Security Incident, including the categories and approximate number of Data Subjects concerned.
12.1.2.2. full details of the Personal Data compromised, including the categories and approximate number of Personal Data records concerned.
12.1.2.3. Where known, details of the likely consequences of the Security Incident.
12.1.2.4. full details of how the Security Incident is being investigated and mitigation and remedial steps already put in place and to be put in place.
12.1.2.5. whether any regulatory authority, the data subjects themselves and/or the media have been informed or is otherwise already aware of the Security Incident, and their response.
13.1. Service Provider shall make available to the Customer, on request, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Personal Data by the Service Provider.
14.1. Either Party undertakes to notify the other Party immediately upon receiving any complaint, notice or communication from an individual, supervisory, regulatory or government body which relates directly or indirectly to the processing of the Personal Data.
15.1. Upon termination or expiry of the Subscription, Service Provider shall, in accordance with the terms of the Subscription, delete or make available to the Customer for retrieval all relevant Personal Data and any copies made thereof which is in Service Provider’s possession, save to the extent that the Service Provider is required to retain all or any part thereof under any applicable laws for the time being in force.
16.1. The Parties agree that the limitation of liability set out in the Agreement will apply to any liability arising out of violation of the provisions of the DPA by either Party and also to either Party's liability to Data Subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by Data Protection Laws.
17.1. This DPA shall commence from the Effective Date specified in the Order Form and shall remain valid till the expiry or termination of the Subscription as per the termination clause provided in the Terms of Subscription.
18.1. Dispute Resolution: This DPA shall follow the dispute resolution mechanism as specified in the Agreement.
18.2. Severability: If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of this DPA (as the case may be) will be unimpaired and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.
18.3. Notices: All Notices, consents, and other communication under this DPA shall be in writing and shall be sent by
18.3.1. registered mail.
18.3.2. personal delivery.
18.3.3. courier to the respective Parties at the addresses set forth herein; or
18.3.4. email to support@rcommunity.app.
18.4. Any Notice given in accordance with point (i) or (iii) above, shall be deemed to have been given two (2) working days after having been mailed; and same day if given in accordance with point (ii) or (iv).
18.5. Waiver: No waiver, express or implied, of any term, condition, or provision hereof by either Party shall be deemed or construed to be a waiver of any other term, covenant, condition, or provision hereof or be deemed or construed to constitute, a like waiver with respect to any future requirement of performance under such terms, covenants, condition, or provision.
18.6. Entire Agreement: The DPA is the final, complete, and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions between the parties with respect to such subject matters. No modification of or amendment to this DPA, or any waiver of any rights under this DPA, will be effective unless accepted by both Parties.