DATA PROCESSING AGREEMENT

Agreement

This DATA PROCESSING AGREEMENT (this "Agreement") executed between:

Prontus Technologies Pvt. Ltd., a company registered in India whose registered address is 35, Manorama Estate, Rasulgarh, Bhubaneswar, Odisha - 751010 ("Processor" and/or "Prontus Technologies Pvt. Ltd." and/or "Trilyo");

Any person or entity using the Services through the website www.trilyo.com & signing up for a PoC of Trilyo or taking a paid subscription of Trilyo. ("Controller");

Hereinafter collectively referred to as "Parties" and individually "Party".

Preamble

The Processor is engaged in the business of providing "a customer data exchange platform that helps hoteliers/enterprises in managing their customer interaction data across various interfaces they have customer interactions on", hereinafter referred to as the "Services"

This Agreement is applicable insofar as providing the Services and carrying out the processing of the Personal Data (as defined below).

Please note that if you wish to turn off the cookies in your web browser, you might not be able to take advantage of many features of our Service(s).

In performing the Services, the Processor will process data for which the Controller is and remains responsible. These data include Personal Data, to the extent applicable, the laws governing the handling of the personal data of the natural persons who are the data subjects ("Privacy Law").

The Parties want to lay down in this Agreement the conditions on which these Personal Data will be processed.

Scope

1.1. This Agreement is applicable insofar as in providing the Services and consequently carrying out of one or more Processing Operations.

1.2. The processing of personal data which is carried out in providing the Services is further herein referred to as the "Processing Operations". The personal data processed in this connection are the "Personal Data".

1.3. It shall be the obligation of the Controller to ensure that all Personal Data provided to/received by the Processor for carrying out Processing Operation is carried out in complete compliance of the relevant applicable law governing the collection of Personal Data by the Controller, and the transfer of the Personal Data from the Controller to the Processor.

1.4. With regard to the Processing Operations, the Controller is the party responsible for the Processing Operations and the Processor is the party processing them. The natural persons who are actually using the Services of the Processor and their representatives, if any, are further herein also referred to as the "End Users".

SUBJECT

2.1. The Processor shall be responsible for processing the Personal Data on behalf of the Controller on the written and explicit instructions of the Controller. Further provided that, the Controller has and shall retain full control of the Personal Data provided to the Process.

2.2. The Processor, shall not without the prior consent of the Controller, transfer any Personal Data to any country, where the Processor is required to take consent subject to the applicable Privacy law.

2.3. The Processing Operations are only carried out in connection with the Services. The Processor shall not process Personal Data other than as required for the provision of the Services.

2.4. The Processor will perform the Processing Operations in a proper way and with due care.

SECURITY MEASURES

3.1. The Processor shall take all the technical and organizational security measures as maybe required subject to the provisions of the Privacy Law, to ensure the protection of the Personal Data to be processed subject to this Agreement.

3.2. The Processor shall ensure that persons, not limited to employees, who participate in Processing Operations at the Processor duly execute a confidentiality agreement with respect to the protection of Personal Data.

3.3. The Processor has appointed an officer ("Officer"), to facilitate and ensure due protection to the Personal Data. The Controller may reach out to the Officer, at support@trilyo.com

DATA LEAKS & PRIVACY IMPACT ASSESSMENT

4.1. The Processor shall notify the Controller of any "personal data breach" within a reasonable period of time. Such a breach shall hereafter be referred to as a "Data Leak".

4.1. The Processor shall notify the Controller of any "personal data breach" within a reasonable period of time. Such a breach shall hereafter be referred to as a "Data Leak".

4.3. The Processor shall not be under the obligation to inform the Controller of a Data Leak where the Processor, in good faith, determines that the Data Leak shall not pose a risk to the rights and freedoms of natural persons and/or Personal Data. In an event where a Data Leak may affect the rights and freedoms of the natural persons and/or Personal Data, the Processor shall inform the Controller. The Processor shall document all Data Leaks, also those which may not have been reported to the Controller and provide the Controller with a written report mentioning such Data Leaks on a quarterly basis.

4.4. It is exclusively up to the Controller to determine whether a Data Leak established at the Processor is to be reported to the supervisory authority and/or to the persons involved.

4.5. The Processor will assist the Controller insofar as is reasonably possible and taking into account the nature of the Processing Operations and the latest technology.

ENGAGEMENT OF SUB-PROCESSORS

5.1. In performing the Processing Operations, the Processor may engage a third party as the sub-processor ("Sub-Processors"). However, the Processor shall be liable to disclose to the Controller, within a reasonable period of time, the name of Sub-Processor and nature of activities carried by the Sub-Processer, upon the Controller making a written request.

5.2. The Processor shall ensure that the Sub-Processors enter into an agreement in which he at least observes the same legal obligations and any additional obligations as those the Processor has under this Agreement. If a Sub-Processor does not want to accept the additional obligations under this Agreement, the Controller can request the Processor to cease carrying out the Processing Operation via the said Sub-Processor.

CONFIDENTIALITY OBLIGATION

6.1. The Processor shall keep the Personal Data confidential. The Processor shall further ensure that the Personal Data shall not, directly or indirectly, become available to any third-parties. This prohibition does not apply if provisions to the contrary are laid down in this Agreement and/or insofar as a statutory regulation or judgment requires any disclosure.

6.2. The Processor shall inform the Controller of any request for access to, provision of or other form of requesting and communicating Personal Data contrary to the confidentiality obligation included in this clause.

RETENTION PERIODS AND DELETION

7.1. The Controller shall be responsible for determining the retention periods with regard to the Personal Data to be processed by the Processor and shall inform the Processor of such retention periods in writing at each instance of the sharing of the Personal Data.

7.2. The Processor shall initiate the process of deleting the Personal Data within thirty (30) days of the Controller making a written request to delete the Personal Data and shall ensure that all such Personal Data, for which a deletion request has been made by the Controller, is deleted within one-hundred and eight (180) days of such request being made by the Controller. The Processor shall not be under an obligation to delete the Personal, if such Personal Data shall have to be retained longer subject to the statutory obligations of the Processor, or at the request of the Controller that Personal Data may be retained longer for a longer period of time, subject to a mutual agreement in writing between the Parties for such longer retention of Personal Data in writing, subject statutory retention periods mentioned under the Privacy Law. Any transfer to the Controller takes place at the expense of the Controller.

7.3. The Processor shall inform the Controller in writing as and when all such requested Personal Data, subject to Clause 7.2 has been deleted.

7.4. Unless otherwise agreed by the Parties in writing, the Controller shall be responsible for all back-up of the Personal Data.

RIGHTS OF PERSONS INVOLVED

8.1. In event of the Controller having access to the Personal Data, the Controller shall be responsible for complying with all requests by the natural persons with respect to the Personal Data. The Processor shall, within a reasonable time, pass on to the Controller any requests received by the Processor.

8.2. In the event, that the Parties are unable to comply with the provisions of Clause 8.1, the Processor shall provide its full cooperation to the Controller to:

  • 8.2.1. Provide the natural persons with access to their respective Personal Data after approval from and on the instructions of the Controller,
  • 8.2.2. Remove or correct Personal Data,
  • 8.2.3. Demonstrate that Personal Data has been removed or corrected (or, in the event where the Controller does not agree that the Personal Data are incorrect, the Controller shall record that the natural person considered its Personal Data to be incorrect),
  • 8.2.4. Provide the Controller or the third party appointed by the Controller with the respective Personal Data in a structured, usual and machine-readable form, and
  • 8.2.5. Enable the Controller otherwise to comply with his obligations under the Privacy Law or other applicable legislation in the area of processing Personal Data.

8.3. The costs of and requirements, to enable compliance with the aforementioned Section 8.2, shall be jointly determined by the Parties. However, in the absence of any agreements to this respect, the costs will be borne by the Controller.

INDEMNITY

9.1. The Controller will indemnify the Processor in respect of all direct liabilities, costs and expenses suffered or incurred by the Processor in its capacity as the processor ofthe data of the controller, arising from any security breach in the terms of this agreement, or any negligent act or omission by the controller in the exercise of the rights granted to it under the applicable law provided:

  • 9.1.1. The Processor within a reasonabletime notifies the Controller of any actions, claims or demands brought or made against it concerning any security breach;
  • 9.1.2. The Processor will not compound, settler or admit to any actions, claims or demi settle of demands without the consent of the Controller except by the order of a court of competent jurisdiction;
  • 9.1.3. The Controller will be entitled at its own cost to defend or settle any proceedings;
  • 9.1.4. The Processor shall not have acted on its own accord and independently of the instructions given to it by the Controller in its role as a data processor in accordance with the provisions of this Agreement;
  • 9.1.5. This indemnity shall exclude any loss that has arisen out of negligence or wilful act, de-wilful omission of the Processor, its employees, contractors, or sub-contractors;
  • 9.1.6. Nothing in this agreement shall restrict or interfere with the Controller's rights against the Processor or any person in respect of contributory negligence.

9.2. The Processor's right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within 30 business days, from the occurrence thereof or commences to make good such damages before written notice is given as aforesaid.

9.3. The Processor will indemnify the Controller in respect of all direct liabilities, costs and expenses suffered or incurred by the Controller in its capacity as controller of the data of the processor arising from any security breach in terms of this agreement or negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law provided that:

  • 9.3.1. The Controller within reasonable time notifies the Processor of any actions, claims or demands brought or made against it concerning any alleged security breach;

VERIFICATION

10.1. The Controller shall be entitled to verify the compliance with the provisions of this Agreement once every year at his own expense or to have them verified by an independent registered auditor or registered informatics professional.

10.2. The investigation of the Controller shall always be limited to the systems of the Processor being used for the Processing Operations. The information obtained during the verification shall be dealt with confidentially by the Controller and only be used to verify the compliance of the Processor with the obligations under this Agreement and the information or parts of it will be deleted as soon as possible. The Controller warrants that any third parties engaged will also undertake these obligations.

10.3. Before the commencement of any such audit, Controller and Processor shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Controller shall be responsible.

OTHER PROVISIONS

11.1. The Processor may modify this Agreement from time to time, as it may deem necessary, or where required by law. Any such changes shall be immediately posted on our website. The Processor shall further inform the Controller immediately after making any changes to this Agreement. The Controller shall be deemed to have accepted the amended terms of this Agreement if the Controller continues to use the Services.

11.2. Neither Party shall assign any part of this Agreement, without the prior written consent of the other Party.

11.3. The Processor shall not sub-contract to any third party any of its rights or obligations under this Agreement save for where permitted by the Parties under this Agreement.

11.4. Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.