This Data Processing Agreement outlines the responsibilities and obligations between parties involved in handling personal data through our payment gateway services. It forms an integral part of our service terms and governs how data is collected, stored, and processed. By using our platform, you acknowledge and agree to this agreement where applicable. The agreement is designed to ensure lawful and secure data handling practices. It aligns with relevant data protection laws and ensures proper protection for all individuals whose data is processed. This agreement remains valid as long as data processing continues under the scope of the primary service relationship.
The Data Controller is the party that determines the purpose and means of processing personal data. Typically, this would be the user, merchant, or client utilizing our services for transaction handling. The controller is responsible for ensuring that data collection is lawful and that data subjects are informed of how their data will be used. All instructions issued by the controller must comply with applicable data protection laws. We act on such instructions strictly for the scope defined and do not use the data for any other purpose.
As the Data Processor, we act on behalf of the Data Controller to process personal data in accordance with their instructions. Our role is limited to carrying out specific tasks such as storing, transmitting, or securing the data as directed. We do not make independent decisions regarding the use of personal data. All processing is done with strict adherence to legal and contractual obligations. We implement technical and organizational measures to maintain data integrity and confidentiality.
Personal Data refers to any information that can identify an individual directly or indirectly. This may include names, contact details, transaction information, or device identifiers. Only the necessary data required for providing services is collected and processed. We ensure that this data is handled securely and transparently. Personal data is never sold or used for unauthorized purposes. The scope of personal data collected depends on how our services are used.
Processing activities include collection, recording, storage, retrieval, and transmission of personal data as required for service delivery. These activities are performed solely based on the instructions provided by the Data Controller. We may also conduct automated processing to ensure platform functionality, detect fraud, or improve service efficiency. No processing is conducted beyond the defined scope without explicit authorization. Logs of processing activities are maintained for compliance and auditing purposes.
We implement a combination of technical and organizational safeguards to protect personal data from unauthorized access, loss, or misuse. These measures include encryption, access controls, secure storage, and regular security assessments. Our systems are built to prevent vulnerabilities and ensure data integrity. Employees are trained in data protection practices, and access is restricted based on roles. We continually monitor systems to detect and respond to any potential security threats.
All personal data processed is treated as strictly confidential. Employees and authorized personnel who handle data are bound by confidentiality agreements. We ensure that data is only accessed by individuals who require it to perform their responsibilities. Confidential information is not disclosed to third parties unless mandated by law or directed by the Data Controller. Any breach of confidentiality is taken seriously and dealt with in accordance with internal policies.
Data subjects have the right to access, correct, delete, or restrict the use of their personal data. We assist the Data Controller in fulfilling these rights in accordance with applicable regulations. Requests from data subjects are processed within reasonable timeframes once verified. We do not respond directly unless authorized or legally required. Users can reach out to the Data Controller to exercise their rights, and we will support the request in the background.
In the event of a data breach, we will notify the Data Controller without undue delay. Our team will provide details of the breach, including the nature of the data affected and any steps taken to contain or mitigate the impact. We work swiftly to investigate the breach and prevent recurrence. If legally required, the Controller may need to inform data subjects and relevant authorities. We maintain internal logs and reports of all breach incidents.
We may engage trusted subprocessors to assist in specific data processing activities. All subprocessors are carefully vetted and are bound by the same data protection obligations outlined in this agreement. A list of current subprocessors is maintained and shared upon request. Data Controllers will be notified of any intended changes to subprocessors, allowing time to raise objections. We ensure all subprocessors adhere to confidentiality and security standards.
All data transfers are conducted in compliance with applicable laws and contractual terms. We ensure that any transmission of data to external parties or locations follows lawful protocols and includes adequate safeguards. Transfers are only made when necessary and with proper controls in place. Where legally restricted, such transfers are avoided or replaced with alternative mechanisms that preserve compliance. We do not transfer personal data to unauthorized locations.
We comply with all relevant data protection laws and regulations that govern the handling of personal data. Our procedures are regularly reviewed to ensure alignment with legal updates and best practices. If required by law, we may disclose data to authorities following proper due process. The Data Controller is responsible for ensuring their own compliance in the collection and use of personal data. Both parties must cooperate to ensure lawful and fair data processing.
The Data Controller may request an audit or inspection to verify our data processing practices. Such audits will be conducted in a manner that minimizes disruption and preserves confidentiality. We will cooperate with auditors, provide access to necessary documentation, and address any findings in good faith. Reasonable advance notice and scope of audit must be mutually agreed upon. Confidentiality and data protection obligations remain in effect during such audits.
Upon completion of services or termination of the agreement, we will delete or return all personal data as instructed by the Data Controller. If data cannot be immediately deleted due to backup or compliance reasons, it will be isolated and securely stored until deletion is feasible. A certificate of deletion can be provided upon request. We do not retain data beyond the agreed duration or use it for any purpose after termination of processing.
Personal data is retained only for as long as necessary to fulfill the processing purposes or comply with legal obligations. Once the retention period expires, data is securely deleted or anonymized. Our retention timelines are regularly reviewed to prevent unnecessary storage. The Data Controller may request earlier deletion under certain conditions. We ensure data is not retained indefinitely without valid grounds.
Each party agrees to notify the other in case of events affecting data protection, such as breaches, audits, or legal inquiries. Timely communication ensures that both parties can fulfill their responsibilities efficiently. Notifications must include all relevant facts and proposed actions. We maintain open channels for such communications to support compliance and transparency. All notifications are handled with due urgency and confidentiality.
Each party is responsible for its respective obligations and liabilities under this agreement. The Data Processor is liable for damages resulting from its own failure to comply with agreed data protection measures. The Data Controller remains liable for ensuring that data collection and instructions are lawful. Liability does not extend to issues arising from misinformation or negligence on the part of the other party. Mutual cooperation is expected to resolve any disputes fairly.
The Data Controller agrees to indemnify the Processor for any claims, penalties, or losses arising from unlawful data instructions or non-compliance with applicable laws. Likewise, the Processor will indemnify the Controller for breaches of this agreement caused by its own misconduct. Indemnity covers direct damages, legal fees, and reasonable costs incurred during resolution. Each party must take steps to mitigate losses wherever possible.
This agreement is governed by Indian laws. Any disputes arising from this agreement shall be subject to the exclusive jurisdiction of the competent courts in that area. Both parties agree to resolve issues amicably before seeking legal remedies. The terms of this agreement are interpreted in accordance with the governing laws.
We reserve the right to update this Data Processing Agreement in line with legal, operational, or service-related changes. Users will be informed of significant changes with adequate notice. Continued use of services after the updated agreement takes effect signifies acceptance. We recommend reviewing this agreement periodically to stay informed. Previous versions may be archived for reference.