This Data Processing Addendum (“DPA”) is incorporated into the Order Form and read with the HyperStart Terms of Service (“Terms”), between HyperVerge Technologies Private Limited (“HyperStart”) and the client entity referred in the Order Form (“Client”).

Client and HyperStart shall be individually referred to as the “Party” and collectively as the “Parties”.

1. Definitions

Terms not defined in this DPA shall have the meaning ascribed to them in the Terms. For this DPA, the following terms and those defined within the body of this DPA apply:

“Data Fiduciary” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means the relevant data protection and data privacy laws, rules and regulations applicable to Processing of Personal Data by HyperStart, including Digital Personal Data Protection Act, 2023 (“DPDPA”), rules made thereunder, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 as applicable.

“Data Principal” means the identified or identifiable person to whom Personal Data relates. “Personal Data” means any information that describes, relates to or identifies a natural person, or is capable of identifying such person, or as defined under the applicable Data Protection Laws, which is provided by the Client to HyperStart.

“Process” or “Processing” means any operation or set of operations performed on the Personal Data such as transfer, storage, organization/classification, adaptation or alteration, disclosure, retrieval, use, or making available, erasure or destruction. “Processor” means the entity which Processes Personal Data on behalf of the Data Fiduciary.

“Security Incident” shall mean a security breach of HyperStart’s systems leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data provided by the Client.

“Sub-processors” means an entity engaged by HyperStart in accordance with this DPA, to Process Personal Data to provide Services to the Client.

2. Processing of Personal Data

2.1. Role of Parties: The Parties agree that with regards to Processing of Personal Data, Client is the Data Fiduciary and HyperStart is the Processor.

2.2. Compliance: The Parties shall comply with their respective obligations under the Data Protection Laws.

2.3. Consents: Client is responsible to obtain consents from Data Principals as required by Data Protection Laws for Processing of Personal Data by HyperStart.

2.4. Quality of Personal Data: Client is responsible to ensure accuracy and quality of Personal Data Provided to HyperStart.

2.5. Purpose limitation: HyperStart shall Process Personal Data only for (i) providing Services in accordance with the Terms and this DPA ; (ii) complying with reasonable written instructions of the Client for provision of Services as mutually agreed between Parties (collectively the “Purpose”). HyperStart shall not Process Personal Data beyond any period necessary to accomplish the Purpose.

2.6. Disclosure: HyperStart shall not disclose Personal Data to third parties except to employees, Sub-processors, or advisers who have a need to know the Personal Data, and are under confidentiality and privacy obligations at least as restrictive as those described under this DPA. Unless prohibited by Data Protection Laws or a legally-binding request of law enforcement, HyperStart shall promptly notify the Client of any request by government agency or law enforcement authority for access to Personal Data, and shall render reasonable assistance to the Client, if Client wishes to contest the access.

3. Sub-processing

3.1. Appointment of Sub-processors: Client authorises HyperStart to engage Sub-processors to the extent necessary for HyperStart to provide Services to the Client.

3.2. List of Sub-processors: HyperStart’s list of Sub-processors is accessible at https://www.hyperstart.com/sub-processors/

3.3. Appropriate agreement with Sub-processors: With respect to each Sub-processor, HyperStart shall ensure to enter into an agreement with the Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor.

3.4. Liability for Sub-processors: HyperStart shall be liable to the Client for the acts and omissions of the Sub-processor in relation to HyperStart’s obligations under this DPA and the Terms.

4. Data Security

4.1. Client is responsible for implementing adequate access controls and security measures of its systems and networks through which the Platform is accessed, in accordance with generally accepted industry practices.

4.2. HyperStart has obtained third party certifications such as ISO 27001, SOC 2 Type 2. Upon Client’s written request, HyperStart shall make available its third-party certifications and policies implemented by HyperStart.

4.3. HyperStart will maintain all Personal Data in strict confidence using appropriate technical and organisation measures to prevent unauthorized access, use or disclosure of Personal Data in accordance with generally accepted industry practices and Data Protection Laws.

4.4. HyperStart will ensure that its systems are maintained in a secure place, preventing unauthorized penetration and entry, and which is suitable to the nature of its activities and the sensitivity of the Personal Data. HyperStart will take measures to monitor and document the entry and exit from the premises in which the systems are located, as well as the setting and removing of equipment in and from the premises.

4.5. HyperStart will maintain access controls and follow principles of least privilege in relation to access to the Personal Data. HyperStart will revoke the authorizations to access Personal Data of such individuals upon the termination of their role.

4.6. HyperStart will ensure that the systems are managed and operated properly, to ensure that the Personal Data is logically separated from any other data it holds for other clients and/or third parties.

4.7. HyperStart will (i) not connect the systems to the internet without installing appropriate security measures against unauthorized penetration or programs that are capable of causing damage or disruption to such systems; and (ii) use appropriate industry standard encryption methods in any transfer of Personal Data over the internet.

4.8. HyperStart shall ensure it undertakes manual reviews and automated scans and regular assessments, audits, or other technical and operational testing of its systems Processing Personal Data, at least once every 12 months.

5. Security Incident Notification

5.1. HyperStart will maintain a reasonable security incident framework in place in accordance with Data Protection Laws.

5.2. HyperStart will report Security Incidents to the Client, without undue delay and within the time permitted under Data Protection Laws, but in no event within forty-eight (48) hours of detection. Such notice will include necessary details required under Data Protection Laws for the Client to comply with its own notification obligations to regulatory authorities or Data Principals affected by the Security Incident.

5.3. HyperStart will provide commercially reasonable cooperation to the Client and take such reasonable steps to assist in the investigation, mitigation, remediation of such Security Incident.’

5.4. HyperStart will take all reasonable measures necessary to prevent any further unauthorized third-party access, disclosure, loss of Personal Data.

5.5. The obligations herein do not apply to incidents that are caused by the Client, its authorized users, and/or any third-party products and/or services used by the Client in combination with Services.

6. Data Principal Rights

HyperStart will notify the Client if HyperStart receives a request from a Data Principal and shall not respond to that request except on the documented instructions of the Client or as required by Data Protection Laws. HyperStart will assist with the reasonable requests of the Client to facilitate the fulfilment of Client’s obligation to respond to requests for exercising Data Principal’s rights laid down in Data Protection Laws.

7. Deletion of Personal Data

7.1. HyperStart will securely delete Personal Data, and procure deletion of Personal Data from its Sub-processors, upon receipt of written request from the Client and reasonably demonstrate to the Client that it has undertaken deletion. Client can make deletion requests at [email protected]

7.2. The Client acknowledges and agrees that the deletion of Personal Data, may affect the availability, accuracy, or functionality of the Services. HyperStart disclaims all liability for any limitations, disruptions, or issues in the performance of the Services arising directly or indirectly from such deletion of Personal Data.

7.3. Upon termination or expiration of the Order Form, HyperStart will securely delete, and require its Sub-processors to delete, Personal Data within thirty (30) days of termination or expiration. If the Client wants the data to be deleted sooner, the Client can make a request under Clause 7.1.

7.4. All deletion of Personal Data will be conducted in accordance with standard industry practices for deletion.

8. Data Protection Impact Assessments

Upon Client’s prior written request, HyperStart shall provide reasonable assistance to the Client with any data protection impact assessments, including any prior consultations to any supervisory authority of the Client, which are required under Data Protection Laws. Such cooperation will be offered solely in relation to Processing of Personal Data by HyperStart and to the extent such information is not available with the Client. The Client shall bear sole responsibility for conducting the data protection impact assessment and for any external costs associated with such assessment, including legal, consultancy, or third-party service provider fees.

9. Data Protection Officer

HyperStart has a data protection officer responsible for its data protection that can be reached at [email protected]

10. Contact

Client can write to [email protected] for all queries relating to this DPA and Processing of Personal Data.

11. Order of Precedence

In the event of any conflict or inconsistencies between this DPA, the Terms and any other document between the parties, this DPA shall prevail.

12. Reference of terms by incorporation

This DPA shall be read with and form part of the Order Form. All other provisions of the Terms shall be applicable mutatis mutandis to this DPA.

13. Term

This DPA shall be co-terminus with the Order Form.

This Data Processing Addendum (“DPA”) is incorporated into the Order Form and read with the HyperStart Terms of Service (“Terms”), between HyperVerge Technologies Private Limited (“HyperStart”) and the client entity referred in the Order Form (“Client”).

Client and HyperStart shall be individually referred to as the “Party” and collectively as the “Parties”.

1. Definitions

Terms not defined in this DPA shall have the meaning ascribed to them in the Terms. For this DPA, the following terms and those defined within the body of this DPA apply:

“Data Fiduciary” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means the relevant data protection and data privacy laws, rules and regulations applicable to Processing of Personal Data by HyperStart, including Digital Personal Data Protection Act, 2023 (“DPDPA”), rules made thereunder, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 as applicable.

“Data Principal” means the identified or identifiable person to whom Personal Data relates. “Personal Data” means any information that describes, relates to or identifies a natural person, or is capable of identifying such person, or as defined under the applicable Data Protection Laws, which is provided by the Client to HyperStart.

“Process” or “Processing” means any operation or set of operations performed on the Personal Data such as transfer, storage, organization/classification, adaptation or alteration, disclosure, retrieval, use, or making available, erasure or destruction. “Processor” means the entity which Processes Personal Data on behalf of the Data Fiduciary.

“Security Incident” shall mean a security breach of HyperStart’s systems leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data provided by the Client.

“Sub-processors” means an entity engaged by HyperStart in accordance with this DPA, to Process Personal Data to provide Services to the Client.

2. Processing of Personal Data

2.1. Role of Parties: The Parties agree that with regards to Processing of Personal Data, Client is the Data Fiduciary and HyperStart is the Processor.

2.2. Compliance: The Parties shall comply with their respective obligations under the Data Protection Laws.

2.3. Consents: Client is responsible to obtain consents from Data Principals as required by Data Protection Laws for Processing of Personal Data by HyperStart.

2.4. Quality of Personal Data: Client is responsible to ensure accuracy and quality of Personal Data Provided to HyperStart.

2.5. Purpose limitation: HyperStart shall Process Personal Data only for (i) providing Services in accordance with the Terms and this DPA ; (ii) complying with reasonable written instructions of the Client for provision of Services as mutually agreed between Parties (collectively the “Purpose”). HyperStart shall not Process Personal Data beyond any period necessary to accomplish the Purpose.

2.6. Disclosure: HyperStart shall not disclose Personal Data to third parties except to employees, Sub-processors, or advisers who have a need to know the Personal Data, and are under confidentiality and privacy obligations at least as restrictive as those described under this DPA. Unless prohibited by Data Protection Laws or a legally-binding request of law enforcement, HyperStart shall promptly notify the Client of any request by government agency or law enforcement authority for access to Personal Data, and shall render reasonable assistance to the Client, if Client wishes to contest the access.

3. Sub-processing

3.1. Appointment of Sub-processors: Client authorises HyperStart to engage Sub-processors to the extent necessary for HyperStart to provide Services to the Client.

3.2. List of Sub-processors: HyperStart’s list of Sub-processors is accessible at https://www.hyperstart.com/sub-processors/

3.3. Appropriate agreement with Sub-processors: With respect to each Sub-processor, HyperStart shall ensure to enter into an agreement with the Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor.

3.4. Liability for Sub-processors: HyperStart shall be liable to the Client for the acts and omissions of the Sub-processor in relation to HyperStart’s obligations under this DPA and the Terms.

4. Data Security

4.1. Client is responsible for implementing adequate access controls and security measures of its systems and networks through which the Platform is accessed, in accordance with generally accepted industry practices.

4.2. HyperStart has obtained third party certifications such as ISO 27001, SOC 2 Type 2. Upon Client’s written request, HyperStart shall make available its third-party certifications and policies implemented by HyperStart.

4.3. HyperStart will maintain all Personal Data in strict confidence using appropriate technical and organisation measures to prevent unauthorized access, use or disclosure of Personal Data in accordance with generally accepted industry practices and Data Protection Laws.

4.4. HyperStart will ensure that its systems are maintained in a secure place, preventing unauthorized penetration and entry, and which is suitable to the nature of its activities and the sensitivity of the Personal Data. HyperStart will take measures to monitor and document the entry and exit from the premises in which the systems are located, as well as the setting and removing of equipment in and from the premises.

4.5. HyperStart will maintain access controls and follow principles of least privilege in relation to access to the Personal Data. HyperStart will revoke the authorizations to access Personal Data of such individuals upon the termination of their role.

4.6. HyperStart will ensure that the systems are managed and operated properly, to ensure that the Personal Data is logically separated from any other data it holds for other clients and/or third parties.

4.7. HyperStart will (i) not connect the systems to the internet without installing appropriate security measures against unauthorized penetration or programs that are capable of causing damage or disruption to such systems; and (ii) use appropriate industry standard encryption methods in any transfer of Personal Data over the internet.

4.8. HyperStart shall ensure it undertakes manual reviews and automated scans and regular assessments, audits, or other technical and operational testing of its systems Processing Personal Data, at least once every 12 months.

5. Security Incident Notification

5.1. HyperStart will maintain a reasonable security incident framework in place in accordance with Data Protection Laws.

5.2. HyperStart will report Security Incidents to the Client, without undue delay and within the time permitted under Data Protection Laws, but in no event within forty-eight (48) hours of detection. Such notice will include necessary details required under Data Protection Laws for the Client to comply with its own notification obligations to regulatory authorities or Data Principals affected by the Security Incident.

5.3. HyperStart will provide commercially reasonable cooperation to the Client and take such reasonable steps to assist in the investigation, mitigation, remediation of such Security Incident.’

5.4. HyperStart will take all reasonable measures necessary to prevent any further unauthorized third-party access, disclosure, loss of Personal Data.

5.5. The obligations herein do not apply to incidents that are caused by the Client, its authorized users, and/or any third-party products and/or services used by the Client in combination with Services.

6. Data Principal Rights

HyperStart will notify the Client if HyperStart receives a request from a Data Principal and shall not respond to that request except on the documented instructions of the Client or as required by Data Protection Laws. HyperStart will assist with the reasonable requests of the Client to facilitate the fulfilment of Client’s obligation to respond to requests for exercising Data Principal’s rights laid down in Data Protection Laws.

7. Deletion of Personal Data

7.1. HyperStart will securely delete Personal Data, and procure deletion of Personal Data from its Sub-processors, upon receipt of written request from the Client and reasonably demonstrate to the Client that it has undertaken deletion. Client can make deletion requests at [email protected]

7.2. The Client acknowledges and agrees that the deletion of Personal Data, may affect the availability, accuracy, or functionality of the Services. HyperStart disclaims all liability for any limitations, disruptions, or issues in the performance of the Services arising directly or indirectly from such deletion of Personal Data.

7.3. Upon termination or expiration of the Order Form, HyperStart will securely delete, and require its Sub-processors to delete, Personal Data within thirty (30) days of termination or expiration. If the Client wants the data to be deleted sooner, the Client can make a request under Clause 7.1.

7.4. All deletion of Personal Data will be conducted in accordance with standard industry practices for deletion.

8. Data Protection Impact Assessments

Upon Client’s prior written request, HyperStart shall provide reasonable assistance to the Client with any data protection impact assessments, including any prior consultations to any supervisory authority of the Client, which are required under Data Protection Laws. Such cooperation will be offered solely in relation to Processing of Personal Data by HyperStart and to the extent such information is not available with the Client. The Client shall bear sole responsibility for conducting the data protection impact assessment and for any external costs associated with such assessment, including legal, consultancy, or third-party service provider fees.

9. Data Protection Officer

HyperStart has a data protection officer responsible for its data protection that can be reached at [email protected]

10. Contact

Client can write to [email protected] for all queries relating to this DPA and Processing of Personal Data.

11. Order of Precedence

In the event of any conflict or inconsistencies between this DPA, the Terms and any other document between the parties, this DPA shall prevail.

12. Reference of terms by incorporation

This DPA shall be read with and form part of the Order Form. All other provisions of the Terms shall be applicable mutatis mutandis to this DPA.

13. Term

This DPA shall be co-terminus with the Order Form.