Data Processing Agreement

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the service agreement between Incresco Technology Solutions Private Limited ("Processor" or "Incresco") and the Client ("Controller") and governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Definitions

In this DPA, the following terms have the meanings set out below:

• "Controller" means the entity that determines the purposes and means of processing personal data
• "Processor" means Incresco, which processes personal data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data
• "Data Subject" means the individual to whom personal data relates
• "Sub-processor" means any third party engaged by the Processor to process personal data
• "GDPR" means Regulation (EU) 2016/679

2. Scope and Applicability

2.1 Scope of Processing

This DPA applies to all processing of personal data by Incresco on behalf of the Controller in connection with the provision of services.

2.2 Nature and Purpose of Processing

• Nature: AI consulting, software development, cloud services, data analytics
• Purpose: To provide professional services as outlined in the service agreement
• Duration: For the term of the service agreement and as required for legal compliance

2.3 Categories of Data Subjects

• Employees and contractors of the Controller
• Customers and clients of the Controller
• End users of Controller's products or services
• Other individuals as specified in the service agreement

2.4 Types of Personal Data

• Contact information (name, email, phone number)
• Professional information (job title, company)
• Technical data (IP addresses, device information)
• Usage data and analytics
• Other data as specified in the service agreement

3. Processor's Obligations

3.1 Processing Instructions

Incresco shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organizations, unless required to do so by applicable law.

3.2 Confidentiality

Incresco shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

Incresco shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
• Ability to restore availability and access to personal data in a timely manner in the event of an incident
• Regular testing, assessment, and evaluation of the effectiveness of security measures
• Access controls and authentication mechanisms
• Secure development practices and code reviews

3.4 Sub-processing

Incresco may engage sub-processors to assist in providing services. The Controller provides general authorization for the engagement of sub-processors, subject to:

• Incresco informing the Controller of any intended changes concerning the addition or replacement of sub-processors
• The Controller having the opportunity to object to such changes within 30 days
• Incresco imposing the same data protection obligations on sub-processors as set out in this DPA

3.5 Data Subject Rights

Incresco shall, to the extent possible, assist the Controller in responding to requests from data subjects to exercise their rights under GDPR, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object

3.6 Assistance to Controller

Incresco shall assist the Controller in ensuring compliance with obligations under GDPR Articles 32 to 36, taking into account the nature of processing and information available to Incresco.

3.7 Data Breach Notification

Incresco shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach affecting the Controller's data.

3.8 Deletion or Return of Data

At the Controller's choice, Incresco shall delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.

3.9 Audit Rights

Incresco shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Controller's Obligations

The Controller shall:

• Ensure that processing instructions comply with applicable data protection laws
• Have a legal basis for the processing of personal data
• Inform Incresco of any restrictions on processing
• Ensure that data subjects have been informed about the processing
• Respond to data subject requests in a timely manner

5. International Data Transfers

Where Incresco transfers personal data outside the European Economic Area (EEA), it shall ensure that:

• The transfer is to a country with an adequacy decision, or
• Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), or
• The Controller has provided explicit consent for the transfer

6. Sub-processors

Current sub-processors engaged by Incresco include:

• Cloud Infrastructure Providers: AWS, Google Cloud Platform, Microsoft Azure
• Analytics Services: Google Analytics (with IP anonymization)
• Communication Tools: Email service providers, CRM systems

An up-to-date list of sub-processors is available upon request at dpo@increscotech.com

7. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the main service agreement.

8. Term and Termination

This DPA shall remain in effect for the duration of the service agreement and shall automatically terminate upon termination of the service agreement, subject to the data deletion or return obligations.

9. Governing Law

This DPA shall be governed by the same law as the main service agreement. For GDPR purposes, the supervisory authority shall be determined based on the Controller's location.

10. Amendments

Incresco may amend this DPA from time to time to reflect changes in data protection laws or processing practices. Material changes will be communicated to the Controller with reasonable notice.

11. Contact Information

For questions or concerns regarding this DPA:

• Data Protection Officer: dpo@increscotech.com
• Legal Department: legal@increscotech.com
• Address: Incresco Technology Solutions Private Limited, Bengaluru, India

12. Acceptance

By engaging Incresco's services, the Controller acknowledges and agrees to the terms of this Data Processing Agreement. For a signed copy of this DPA, please contact our legal department.