DATA PROCESSING AGREEMENT


This Data Processing Agreement (“Agreement”) is in addition and not in derogation of the FlexiFunnels Terms of Use (“Terms of Use”) and Privacy Policy (“Privacy Policy”) publicly displayed on its website https://www.flexifunnels.com, as amended from time to time as well as any other agreements that govern the use of the FlexiFunnels website or services. This Agreement is entered into between you along with any entity you represent (“Data Controller” , “You”, or “Your”) and Misfits Change Makers Private Limited along with any affiliates or associates engaged for the purposes outlined in this Agreement (“Data Processor” ).

They may be collectively referred to as “Parties” and individually as “Party”. Terms used in this Agreement but not defined herein shall first take the meaning set forth in the Terms of Use, and if still not defined, shall take the meaning prescribed under the applicable law.

WHEREAS, the Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing; and

WHEREAS, the Parties wish to lay down their rights and obligations with respect to the same.
IT IS AGREED AS FOLLOWS:



1. Definitions and Interpretations

1.1. “California Personal Information” shall mean Personal Information that is subject to the laws of California, particularly the CCPA.

1.2. “CCPA” shall mean the California Consumer Protection Act of 2018.

1.3. “Data Controller” shall mean the entity that determines the purposes and means of processing Personal Information and includes any natural or legal person, public authority, agency or any body, which along or jointly with others, has the competency and authority to determine the purposes and means of processing of Personal Information.

1.4. “Data Protection Laws” means all applicable worldwide legislation involving the protection and processing of data and privacy which applies to the respective Party to this Agreement, including without limitation the EU General Data Protection Regulation, the CCPA, and the data protection and privacy laws of India, in each case as amended, repealed, consolidated or replaced from time to time.

1.5. “Data Subject” means an identified or identifiable natural person or the individual to whom the Personal Information relates.

1.6. “European Information” means Personal Information that is subject to the protection of European Data Protection Laws.

1.7. “European Data Protection Laws” shall include the data protection and privacy laws applicable in Europe, including Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, applicable data protection laws of the United Kingdom, and the Swiss Federal Data Protection Act, 1992 along with its Ordinance, in each case, as may be amended, superseded or replaced.

1.8. “Instructions” shall mean the written, documented instructions issued by You to the Data Processor, and directing the same to perform a specific or general action with regard to the Personal Information (including, but not limited to, depersonalising, blocking, deletion, making available, or otherwise).

1.9. “Personal Information” shall mean any identifiable information of the Data Controller where such information is protected as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

1.10. “Personal Information Breach” shall mean any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed by the Data Processor in connection with the services provided under the Terms of Use. This shall not include any unsuccessful attempts or activities that do not compromise the security of the Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.11. “Processing” means, including its variants, any operation or set of operations which is performed on Personal Information, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction or erasure of Personal Information performed by the Data Processor in compliance with the Instructions issued by You.

1.12. “Processor” means an entity that Processes Personal Information on behalf of the Data Controller.

1.13. “Sub-Processor” means a Processor engaged by or acting on behalf of a party who is acting as a Processor to Process Personal Information.



2. Your Responsibilities

2.1 Compliance with Laws. Within the scope of this Agreement and the Terms of Use, You will be responsible for complying with all requirements that apply to You under applicable Data Protection Laws with respect to the Processing of Personal Information.

In particular, but without prejudice to the generality of the foregoing, You acknowledge and agree that You will be solely responsible for: (i) the accuracy, quality and legality of Personal Information and the means by which You have acquired the same; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of Personal Information, including obtaining any necessary consents and authorisations (including use for marketing purposes); (iii) ensuring You have the right to transfer, or provide access to, the Personal Information to the Data Processor for Processing in accordance with the terms of this Agreement; (iv) ensuring that Instructions issued to the Data Processor comply with applicable laws, including Data Protection Laws; (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created using the services under the Terms of Use, including those relating to obtaining consents where required to send emails, the content of the emails and its email deployment practices. You will inform the Data Processor if You are not able to comply with Your responsibilities under this section or applicable Data Protection Laws.

2.2 Instructions. The Parties agree that the services provided under the Terms of Use, along with the terms of this Agreement, constitute Your complete Instructions to the Data Processor in relation to the Processing of Personal Information, so long as You may provide additional Instructions during Your continued relationship with the Data Processor that are consistent with this Agreement, and the nature and lawful use of the services under the Terms of Use.

2.3 Security. You are responsible for independently determining whether the data security provided for in the Terms of Use and this Agreement adequately meets Your obligations under applicable Data Protection Laws. You are also responsible for Your secure use of the services provided under the Terms of Use, including protecting the security of Personal Information in transit to and from the Data Processor (including to securely backup or encrypt any such Personal Information).




3. Data Processor Obligations

3.1 Compliance with Instructions. The Data Processor will only Process Personal Information for the purposes prescribed in the Privacy Policy and this Agreement, or as otherwise agreed within the scope of Your lawful Instructions, except where and to the extent otherwise required by applicable law. The Data Processor will not be responsible for any compliance with Data Protection Laws that have to be effectuated by You that are not generally applicable to the Data Processor.

3.2 Conflict of Laws. In the event that the Data Processor is unable to Process Personal Information in accordance with the Instructions issued by You due to a legal requirement under any applicable law, the Data Processor will (i) promptly notify You of that legal requirement to the extent permitted by applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as You issue new Instructions with which the Data Processor is able to comply. If this provision is invoked, the Data Processor will not be liable to You under the Terms of Use or this Agreement for any failure to perform the services under the Terms of Use until such time as You issue new Instructions with regard to the Processing of Personal Information.

3.3 Security. The Data Processor agrees and undertakes to implement and maintain appropriate technical and organisational measures to protect Personal Information from Personal Information Breaches. Notwithstanding any provision to the contrary, the Data Processor may modify or update the security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by such measures.

3.4 Confidentiality. The Data Processor shall ensure that any personnel authorised to Process Personal Information on behalf of the Data Processor is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to the particular Personal Information.

3.5 Duration. The duration of the Processing covered by this Agreement shall be in accordance with the duration of the Terms of Use. Personal Information shall be Processed for the term of this Agreement plus the period from expiry of the term of this Agreement until the deletion or return of Personal Information as described below.

3.6 Data Subject Requests. The Data Processor shall assist the Data Controller to enable the Data Controller to respond to any request from a Data Subject to exercise any of its rights under applicable Data Protection Laws, or any other correspondence, inquiry or complaint received from a Data Subject in connection with the processing of Personal Information.

3.7 Personal Information Breaches. The Data Processor shall notify You without undue delay after becoming aware of any Personal Information Breach and will provide timely updates and information relating to the Personal Information Breach as it becomes known or reasonably requested by You. At Your request, the Data Processor will promptly provide You with such reasonable assistance as necessary to enable You to take necessary steps to protect the sanctity of the Personal Information shared with the Data Processor, as well as to notify the same to competent authorities, if You are required to do so under Data Protection Laws.

3.8 Deletion or Return of Personal Data. The Data Processor will delete or return all Personal Information Processed pursuant to this Agreement, on termination or expiration of Your services under the Terms of Use. However, where the applicable law requires the Data Processor to retain some or all of the Personal Information, or where the Data Processor has archived Personal Information on backup systems, the Data Processor shall securely isolate the same and protect it from any further Processing and delete the same in accordance with established deletion practices of the Data Processor. You may request the deletion or return of Your Personal Information by issuing appropriate Instructions to the Data Processor including a termination of Your account with the Data Processor.



4. Sub-Processors

4.1 The Data Processor reserves the right to engage affiliate Sub-pProcessors to carry out the Processing of Personal Information on behalf of the Data Processor. The Data Processor shall notify You of any changes to the entity in charge of Processing Your Personal Information. You agree and consent to the appointment of such affiliate Sub-pProcessors, and waive any objection to the Processing of Personal Information by affiliate Sub-pProcessors. The Data Processor undertakes to onboard affiliate Sub-pProcessors only after thorough scrutiny and due diligence, to ensure that the Processing of Your Personal Information is undertaken only in compliance with the requirements contained in this Agreement. This shall be to ensure that the Data Processor is ensuring that at least the same level of protection is being extended to the Processing of Personal Information by affiliate Subp-Processors. The Data Processor shall remain responsible for the affiliate Subp-Processors’ compliance with the obligations of this Agreement and for any acts or omissions of such affiliate Sub-pProcessor that causes a breach of any of the obligations contained in this Agreement.



5. Data Transfers

You acknowledge and agree that the Data Processor may access and Process Personal Information on a global basis as necessary to provide the services under the Terms of Use in accordance with this Agreement. Wherever Personal Data is transferred outside its country of origin, the Data Processor shall ensure that such transfers are made in compliance with the requirements of Data Protection Laws.



6. Auditing

6.1 The Parties agree and consent that either in compliance with applicable law or as and when deemed necessary by the Data Processor, the Data Controller and Data Processor may perform, and accordingly shall assist in the conducting of, audits regarding the Processing of Personal Information as well as its compliance with Data Protection Laws, either at the instance of a Party or by an auditor appointed by a Party.

6.2 The Parties further agree that each Party shall make available to the other all information necessary to demonstrate compliance with the obligations contained in this Agreement.

6.3 The Parties agree that each Party shall allow to the other Party an opportunity to cause an inspection of the former Party’s premises and facilities where Personal Information is stored or Processed.



7. Vigilance

7.1 The Parties agree and undertake to duly examine, remain vigilant and notify the other in case a Party becomes aware of the existence of a breach of any obligation contained in any Data Protection Law so as to enable the Parties to cooperate in the rectification and curing of such breach, as well as to report such breach, and to share liability proportionately (where liability cannot be attributed to a single Party).



8. Provisions for European Information

8.1 Scope.
This section shall apply only with respect to European Information.

8.2 Roles of the Parties. When Processing European information in accordance with Your Instructions, the Parties acknowledge and agree that You are the Data Controller of European Information and the Data Processor is the Processor, as determined under applicable European law.

8.3 Instructions. If the Data Processor is of the opinion that Your Instruction infringes European Data Protection Laws (where applicable), the Data Processor shall inform You without delay.

8.4 Objection to affiliate processors. The Data Processor shall extend to You the opportunity to object to the engagement of any affiliate processors on reasonable grounds relating to the protection of Personal Information within 30 days of notifying You of such engagement. In the event that You notify the Data Processor of a valid objection, the Parties shall discuss Your concerns in good faith with a view to achieving a commercially reasonable solution. If no such solution can be reached, the Data Processor shall, at its sole discretion, permit You to suspend or terminate the services under the Terms of Use without liability to either Party (but without prejudice to any fees incurred by You prior to suspension or termination).

8.5 Affiliate processor Agreements. You acknowledge that the Data Processor may be restricted from disclosing affiliate processor agreements, but the Data Processor shall use reasonable efforts to require any affiliate processor so appointed to permit to disclose the said agreement to You, and shall provide (on a confidential basis) all information reasonably possible.

8.6 Transfer mechanisms for data transfers. The Data Processor shall not transfer European Information to any country or recipient not recognised as providing an adequate level of protection for Personal Information (within the meaning of applicable European Data Protection Laws), unless such transfer can be shown to be in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Information, to a recipient that has achieved binding corporate rules authorisation in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

8.7 If for any reason the Data Processor cannot comply with its obligations under this Agreement, and You intend to suspend the transfer of European Information to the Data Processor or terminate this Agreement, You agree to provide the Data Processor with reasonable notice to enable the curing of such non-compliance and You agree to reasonably cooperate with the Data Processor to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If the Data Processor is unable to cure the non-compliance, You may suspend or terminate the service under the Terms of Use without liability to either Party.



9. Additional provisions for California Personal Information

9.1 Scope.
This section shall apply only with respect to California Personal Information.

9.2 Roles of the Parties. When Processing California Personal Information in accordance with Your Instructions, the Parties acknowledge and agree that You are a Business, and the Data Processor is a Service Provider for the purposes of the CCPA.

9.3 Responsibilities. The Parties agree that the Data Processor shall Process California Personal Information as a Service Provider strictly for the purpose of fulfilling the services under the Terms of Use or as otherwise permitted by the CCPA.



10. General Provisions


10.1 Amendments.  Notwithstanding anything to the contrary and without prejudice to any of the sections in this Agreement, the Data Processor reserves the right to make any updates and changes to this Agreement.

10.2 Severability. If any individual provisions of this Agreement are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement will not be affected.

10.3 Limitation of Liability.
Each Party and each of their affiliate’s liability, taken in aggregate, arising out of or related to this Agreement, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Disclaimer of Liability’ section of the Terms of Use and any reference in such section to the liability of a Party means aggregate liability of that Party and all its affiliates under this Agreement.

10.4 Governing Law. This Agreement shall be governed by and construed in accordance with the Governing Law and Jurisdiction clause of the Terms of Use, unless required otherwise by Data Protection Laws.