Data Processing Agreement

Version 1.0 | June 2026

Parties

Data Fiduciary

BLACK FORCE SERVICES, a Partnership Firm

D-11, Sanjay Mohalla, Gali Number 2, Bhajanpura

New Delhi, North East Delhi, Delhi, 110053, India

GSTIN: 07ABBFB3622R1Z9

Email: [email protected]

Data Principal / Business User

[Registered user of the GemSetu Platform]

Details as provided during account registration

1. Scope and Purpose

This DPA applies where BLACK FORCE SERVICES processes personal data on behalf of the Business User as a Data Processor under the Digital Personal Data Protection Act, 2023. Processing is solely for providing GemSetu Platform services:

  • Account creation and authentication
  • GeM tender tracking and bid management
  • Payment processing and subscription management
  • Customer support and communication
  • AI-assisted features (with explicit consent)
  • Compliance with legal and regulatory obligations

2. Data Fiduciary Obligations

BLACK FORCE SERVICES shall:

  • Process personal data only on documented instructions from the Business User
  • Ensure confidentiality obligations for all personnel handling personal data
  • Implement appropriate security safeguards (AES-256 at rest, TLS 1.3 in transit, RBAC, MFA, RLS)
  • Not engage Sub-Processors without prior authorisation (current list below)
  • Assist with Data Principal rights requests
  • Notify of personal data breaches within 24 hours
  • Delete or return all personal data after service termination
  • Make available information for compliance audits

3. Sub-Processors

| Sub-Processor | Purpose | Data Region |
|---|---|---|
| Supabase | Primary database, authentication, file storage | Mumbai, India |
| Vercel | Application hosting and edge functions | Global edge; primary POP Mumbai |
| Cloudflare | DNS, CDN, DDoS protection | Global edge |
| Resend | Transactional email delivery | United States* |
| Upstash Redis | Rate limiting and request caching | Mumbai, India |
| Oracle Cloud | Background scraper VM (public GeM data only; no PII) | Mumbai, India |
| Razorpay | Payment processing | India |
| OpenAI | AI-assisted HSN/SAC suggestion (opt-in only) | United States* |
| cron-job.org | Daily cron trigger for alert emails | Global |

* Cross-border transfers to the US governed by valid contracts incorporating DPDP Act obligations, SOC 2 Type II compliance, and explicit user consent.

4. Cross-Border Transfers

Personal data is transferred to Sub-Processors in the United States (Resend and OpenAI). Such transfers are governed by:

  • Valid contracts incorporating DPDP Act obligations
  • SOC 2 Type II compliance of Sub-Processors
  • Explicit consent from Data Principals for US transfers
  • Training opt-out enabled for OpenAI API requests
  • Monitoring of restricted country notifications by the Central Government

We shall notify you of any intended changes to Sub-Processors at least 15 days in advance.

5. Security Safeguards

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access control (RBAC) with multi-factor authentication (MFA)
  • Row-level security policies on primary database (Supabase)
  • Regular security assessments and vulnerability management
  • Comprehensive audit logs retained for a minimum of 1 year
  • Encrypted backups with tested restoration procedures
  • Incident response plan for breach detection and remediation

6. Personal Data Breach Notification

We shall notify you without undue delay, and in any case within 24 hours of becoming aware of a personal data breach. The notification shall include:

  • Nature of the breach and categories/approximate number of affected Data Principals
  • Likely consequences
  • Measures taken or proposed to address the breach
  • Contact details for further information

We shall cooperate in notifying the Data Protection Board of India and affected Data Principals within 72 hours as required by the DPDP Act, 2023.

7. Data Principal Rights

We shall assist you in responding to Data Principal requests to exercise their rights under the DPDP Act, 2023:

  • Right to access (Section 11)
  • Right to correction and erasure (Section 12)
  • Right to grievance redressal (Section 13)
  • Right to nominate (Section 14)

8. Data Return and Deletion

Upon termination, we shall return all personal data in a commonly used, machine-readable format within 15 days, and delete all copies unless retention is required by law. Written certification of deletion is provided upon request.

9. Audit and Compliance

You have the right to audit our compliance with this DPA, including review of security policies, audit logs, Sub-Processor contracts, and breach response procedures. Audits are limited to once per year, with 30 days' notice, at your expense.

10. Governing Law

This DPA is governed by the laws of India, including the DPDP Act, 2023. Disputes are resolved through arbitration in New Delhi under the Arbitration and Conciliation Act, 1996.

11. Contact

Rahul Jain, Grievance Officer
BLACK FORCE SERVICES
D-11, Sanjay Mohalla, Gali Number 2, Bhajanpura
New Delhi, North East Delhi, Delhi, 110053, India
Email: [email protected]