DATA PROCESSING ADDENDUM
1. DEFINITION AND SCOPE
The definitions of “personal data”, “processor” and “controller” shall have the same meaning as prescribed in the GDPR.
This DPA applies when Wishup processes the User’s data for offering remote Virtual Assistants, Contractors or Consultants who provide help with technical, non-technical and/ or specialised professional services for entrepreneurs, businesses and professionals (“Service(s)”). For the purposes of this DPA, the User shall be termed as the controller and Wishup shall be considered as the processor.
2. DATA PROCESSING
(i) Purpose: Wishup confirms that while processing the User’s data it shall only act in accordance with the instructions received from the controller and as may be necessary for the purposes of providing Services to the User.
(ii) Duration: The duration for which the data shall be processed by the processor would be limited to the User’s subscription of Wishup’s services and shall be determined by the User.
(v) Obligations and rights of the controller: The rights and obligations of the controller are provided under this DPA.
3. SECURITY OF DATA
Wishup uses commercially reasonable physical, administrative and technological safeguards and security measures to protect against unauthorised access to all information that it collects and processes. These security measures include and are not limited to the following:
(a) the pseudonymisation and encryption of personal data;
(b) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) periodical testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In the event that any information under Wishup’s control is compromised as a result of a breach of security, Wishup will take reasonable steps to investigate the situation and, where appropriate, notify the data subjects if the data is compromised and undertake appropriate measures as available in law.
In case the Users wish to audit and verify the security measures adopted by the Wishup, they may do so by making a written request to Wishup clearly stating the reasons and the objective of making the request. Upon being satisfied of the reasonableness and bona fides of the request for audit or verification, Wishup may allow the Users an opportunity to carry out the security audit and verification.
By using Wishup’s Services, the User authorises Wishup to sub-contract its data Processing obligations under this DPA to third-party vendors and other service providers as needed to fulfill the User’s Service requests or to perform services on behalf of Wishup such as billing, emailing, payment processing, hosting, and record-keeping services. As on the date of this DPA, the following sub-processors are engaged by Wishup:
i. Algolia Inc. – For internal app searches
ii. Zapier Inc. – For operational processes
iii. Zoho Corporation Pvt. Ltd. – For billing related services
iv. Facebook Inc. – For advertisements
v. Mailchimp – For sending newsletters to Users
vi. Pipedrive Inc. - Customer Relationship Management
vii. Amazon Web Services (AWS) – Server
Wishup warrants that the same data protection obligations as set out in this DPA also apply to its sub-processors, to the extent applicable to the nature of the Services provided by such Sub-processor. Any copies of the agreement with a sub-processor would be provided to the User only upon a request being made by the User. If a User has any objection to the appointment of a sub-processor, the same shall be made in writing to Wishup. In the event that Wishup appoints new or additional sub-processors, the same shall be notified to the Users within 30 days of appointing such sub-processor.
5. TERMINATION AND DELETION OF DATA
6. SECURITY INCIDENT MANAGEMENT
Wishup shall, to the extent permitted by law, notify the User of any breach of security or security incident within a period of 48 hours of becoming aware of the security incident. The notification for security incident shall include details and particulars about the nature of the incident, data and time of the incident taking place, number of Users affected, categories of data involved, measures taken to address the incident and mitigate the possible adverse effects, the name and contact details of the data protection officer or other contact, and a description of the likely consequences of the incident.
7. DISPUTE RESOLUTION AND EXCLUSIVE JURISDICTION
Users agree that any dispute or difference arising out of or in connection with this DPA shall be resolved by a sole arbitrator mutually appointed under the Arbitration and Conciliation Act, 1996, as amended from time to time. The decision of the arbitrator shall be final and binding. The juridical seat of arbitration would be in New Delhi, India. Courts at New Delhi, India would have exclusive jurisdiction over any dispute or legal proceedings arising out of or in connection with this DPA.
8. ENTIRE AGREEMENT/ SEVERABILITY
This DPA was last updated on 20th of May, 2020.