DATA PROCESSING AGREEMENT (PROCESSOR CONTRACT)

Last updated: April 15, 2025

This Data Processing Agreement ("DPA" or "Processor Contract") is entered into between SuperV Technologies Private Limited, operating as Swageazy, having its registered office at DX-118, Kendriya Vihar, Sector 56, Gurgaon, Haryana 121104, India ("Processor" or "Company"), and the entity or individual accessing or using the Service ("Controller" or "Client"), collectively referred to as the "Parties."

This DPA forms part of and is subject to the Terms and Conditions between the Parties and governs the processing of Personal Data by the Processor on behalf of the Controller, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any other applicable data protection legislation.

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined under GDPR Article 4(1).
  • "Processing" means any operation or set of operations performed on Personal Data, as defined under GDPR Article 4(2).
  • "Controller" means the natural or legal person which determines the purposes and means of the processing of Personal Data.
  • "Processor" means the natural or legal person which processes Personal Data on behalf of the Controller.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Supervisory Authority" means an independent public authority established pursuant to GDPR Article 51.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • "Standard Contractual Clauses (SCCs)" means the clauses adopted by the European Commission to ensure adequate safeguards for the transfer of Personal Data to third countries.

2. Subject Matter, Duration, and Nature of Processing

2.1 Subject Matter

The Processor shall process Personal Data solely for the purpose of providing the gifting, merchandise, and corporate swag management services ("Services") as described in the Terms and Conditions and any applicable order forms or service agreements.

2.2 Duration

Processing shall commence upon execution of the agreement between the Parties and shall continue until the termination or expiry of the Services, unless otherwise agreed in writing or required by applicable law.

2.3 Nature of Processing

Processing activities may include collection, recording, storage, retrieval, use, disclosure, transmission, erasure, and destruction of Personal Data as necessary to deliver the Services.

3. Categories of Personal Data and Data Subjects

3.1 Categories of Personal Data

The Personal Data processed under this DPA may include:

  • Identification data: full name, employee ID
  • Contact data: email address, phone number, postal/delivery address
  • Order and transaction data: items ordered, order history, payment references
  • Device and usage data: IP address, browser type, session information
  • Preference data: size, customisation choices, communication preferences

3.2 Categories of Data Subjects

Data Subjects may include:

  • Employees, contractors, and associates of the Controller
  • Recipients of gifts or merchandise ordered through the Service
  • Authorised users of the Controller's account on the Platform

4. Obligations of the Controller

The Controller represents and warrants that:

  • It has a valid legal basis under GDPR Article 6 (and Article 9, where applicable) to provide Personal Data to the Processor for processing.
  • It has provided all required privacy notices to Data Subjects and obtained any necessary consents.
  • The instructions it issues to the Processor comply with applicable data protection law.
  • It shall promptly notify the Processor of any changes to applicable data protection law that may affect the performance of this DPA.

5. Obligations of the Processor (GDPR Article 28)

In accordance with GDPR Article 28, the Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or international organisation, unless required to do so by applicable law; in such cases, the Processor shall inform the Controller before processing, unless that law prohibits such information.
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement all measures required pursuant to GDPR Article 32 (security of processing).
  • Respect the conditions referred to in Article 28(2) and (4) for engaging Sub-Processors.
  • Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligation to respond to requests for exercising Data Subjects' rights.
  • Assist the Controller in ensuring compliance with its obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments, prior consultation).
  • At the choice of the Controller, delete or return all Personal Data upon termination of the Services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.
  • Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.

6. Security of Processing (GDPR Article 32)

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • Pseudonymisation and encryption of Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.

The Processor shall take steps to ensure that any natural person acting under its authority who has access to Personal Data does not process them except on instructions from the Controller, unless required to do so by applicable law.

7. Sub-Processors

7.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-Processors to assist in delivering the Services. The Processor shall maintain an up-to-date list of Sub-Processors and make it available to the Controller upon request.

7.2 Sub-Processor Obligations

Where the Processor engages a Sub-Processor, it shall impose on the Sub-Processor data protection obligations equivalent to those set out in this DPA, by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of the Sub-Processor's obligations.

7.3 Objection to New Sub-Processors

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 14 days in advance, giving the Controller the opportunity to object. If the Controller reasonably objects and the Processor cannot accommodate the objection, the Controller may terminate the affected Services with written notice.

8. Data Subject Rights

The Processor shall, upon written request from the Controller and taking into account the nature of the processing, assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The Processor shall promptly forward to the Controller any Data Subject request received directly and shall not respond to such requests without the Controller's prior written authorisation, except as required by applicable law.

9. Personal Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification shall include, to the extent then known:

  • A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
  • The name and contact details of the Data Protection Officer or other point of contact where more information can be obtained;
  • A description of the likely consequences of the Data Breach;
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate fully with the Controller and take such steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of any Data Breach.

10. Data Protection Impact Assessment and Prior Consultation

The Processor shall, upon request, provide the Controller with reasonable assistance in conducting Data Protection Impact Assessments (DPIAs) under GDPR Article 35 and in carrying out prior consultations with Supervisory Authorities under GDPR Article 36, where the processing is likely to result in a high risk to the rights and freedoms of natural persons.

11. International Transfers of Personal Data

The Processor shall not transfer Personal Data to a country or territory outside the European Economic Area (EEA) or the United Kingdom unless:

  • The transfer is to a country that the European Commission or the UK Information Commissioner's Office has determined offers an adequate level of data protection;
  • Appropriate safeguards are in place pursuant to GDPR Article 46 (e.g., Standard Contractual Clauses, Binding Corporate Rules); or
  • A derogation under GDPR Article 49 applies.

The Parties agree that, where required, they shall execute the applicable Standard Contractual Clauses as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) or the UK International Data Transfer Agreement, as appropriate.

12. Confidentiality

The Processor shall ensure that all personnel who have access to and/or process Personal Data are subject to binding confidentiality obligations and are informed of their responsibilities under this DPA and applicable data protection law.

13. Audits and Inspections

The Processor shall, upon reasonable prior written notice (not less than 30 days, except in cases of urgent regulatory requirement), make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, at the Controller's cost, no more than once per calendar year unless required by a Supervisory Authority.

14. Return and Deletion of Personal Data

Upon termination or expiry of the Services, the Processor shall, at the Controller's election:

  • Return to the Controller all Personal Data in a commonly used, machine-readable format; and/or
  • Securely delete or destroy all Personal Data and any copies thereof,

unless applicable law requires continued storage of the Personal Data, in which case the Processor shall notify the Controller and shall continue to process the data only to the extent and for the duration required by that law.

15. Liability and Indemnification

Each Party shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to it or where it has acted outside of or contrary to the lawful instructions of the other Party. The liability of the Parties under this DPA shall be subject to any limitations of liability agreed between the Parties in the Terms and Conditions, to the extent permitted by applicable law.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of India and, to the extent required by the GDPR or UK GDPR, the law of the relevant EU Member State or the United Kingdom. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Terms and Conditions, without prejudice to the right of either Party to seek injunctive relief in any court of competent jurisdiction.

17. Changes to this Agreement

We may update this DPA from time to time to reflect changes in applicable data protection law, our Services, or our processing activities. We will notify the Controller of any material changes by posting the updated DPA on this page and updating the "Last updated" date above. Continued use of the Services after the effective date of the updated DPA constitutes acceptance of its terms.

18. Contact Us

If you have any questions about this DPA or wish to exercise your rights, please contact us at: