Data Processing Agreement

This Data Processing Agreement (“DPA”) sets out the legally binding terms between Luks Era Technologies, acting as the Data Processor, and the entity accepting these terms, referred to as the Data Controller. This Agreement governs how the Processor accesses, manages, and processes Personal Data while providing its services.

Roles and Responsibilities

Data Controller Obligations

The Data Controller is responsible for:

  • Defining the lawful purpose, scope, and legal basis for processing Personal Data

  • Ensuring that all data processing complies with applicable data protection laws and regulatory requirements

Data Processor Obligations

The Data Processor shall:

  • Process Personal Data strictly according to the Controller’s documented instructions

  • Use Personal Data exclusively for approved service purposes

Scope of Personal Data Processing

The Processor will handle Personal Data solely for the following purposes:

  • Initiating, verifying, and completing payment transactions

  • Conducting KYC verification and applying fraud prevention measures

  • Authenticating users via two-factor authentication or other secure methods

  • Preparing reconciliation statements and transaction-related reports

  • Complying with instructions from the RBI and other authorized payment networks

Data Security Measures

The Processor shall implement appropriate technical and organizational safeguards, including:

  • Encryption of Personal Data during transmission and storage

  • Mandatory multi-factor authentication (MFA) for platform access

  • Secure handling, storage, and management of cryptographic keys

  • Routine vulnerability assessments and penetration testing

Additional Security Controls

  • Personnel with access to Personal Data must maintain strict confidentiality

  • Employees must undergo regular training on data protection and information security

Assistance with Data Subject Rights

The Processor shall assist the Controller in handling requests from Data Subjects, including:

  • Accessing Personal Data

  • Correcting or updating inaccurate or incomplete information

  • Deleting Personal Data, including requests under the “Right to be Forgotten”

  • Enabling data portability

  • Restricting or objecting to specific processing activities

Subprocessor Management

  • No Subprocessor may be engaged without prior written consent from the Controller

  • All authorized Subprocessors must be contractually bound to data protection obligations equivalent to this DPA

Personal Data Breach Notification

In case of a Personal Data breach, the Processor must notify the Controller within 24 hours and provide:

  • A detailed description of the breach and surrounding circumstances

  • Categories and approximate number of affected Data Subjects

  • Immediate actions taken to mitigate the impact

  • Recommended measures to prevent future incidents

Audit and Compliance

The Controller has the right to conduct audits or inspections, with reasonable prior notice, to verify compliance with this DPA.

Data Retention and Secure Disposal

  • Personal Data will be retained only as long as necessary to support payment processing and meet regulatory requirements, including RBI guidelines

  • Upon service termination, Personal Data must be securely deleted or returned unless retention is mandated by law

Regulatory Notifications

The Processor shall promptly inform the Controller of any legal, regulatory, or compliance changes that may affect lawful processing of Personal Data.

Liability and Indemnity

  • Each Party is responsible for losses or damages resulting from its own breach of this Agreement

  • The Processor agrees to indemnify and hold the Controller harmless against penalties, claims, or losses arising from non-compliance with data protection obligations

Governing Law and Jurisdiction

  • This DPA is governed by the laws of India

  • All disputes under this Agreement fall under the exclusive jurisdiction of Indian courts

Amendments

Any modifications or changes to this DPA must be documented in writing and formally executed by both the Data Controller and the Data Processor.

Acceptance of Terms

By accepting this DPA, both Parties confirm that they have read, understood, and agreed to all terms, responsibilities, and obligations set forth in this Agreement.