This Data Processing Agreement (“DPA”) establishes the legally binding terms between Zerion Apex, acting in the role of Data Processor, and the entity accepting these terms, referred to as the Data Controller. This Agreement governs the manner in which the Processor accesses, manages, and processes Personal Data while delivering its services.

Roles and Obligations

Responsibilities of the Data Controller

The Data Controller is responsible for:

• Defining the lawful purpose, scope, and legal basis for the processing of Personal Data
  
• Ensuring that all data processing activities comply with applicable data protection laws and regulatory requirements
  

Responsibilities of the Data Processor

The Data Processor shall:

• Process Personal Data strictly in accordance with the Controller’s documented instructions
  
• Use Personal Data solely for approved and authorized service purposes
  

Scope of Personal Data Processing

The Processor will process Personal Data only for the following activities:

• Initiating, validating, and completing payment transactions
  
• Performing KYC verification and implementing fraud prevention mechanisms
  
• Authenticating users through two-factor authentication or other secure verification methods
  
• Generating reconciliation statements and transaction-related reports
  
• Complying with directives issued by the RBI and other authorized payment networks
  

Data Protection and Security Measures

The Processor shall apply suitable technical and organizational safeguards, including:

• Encryption of Personal Data during both transmission and storage
  
• Mandatory use of multi-factor authentication (MFA) for platform access
  
• Secure storage, handling, and management of cryptographic keys
  
• Regular vulnerability assessments and penetration testing
  

Additional Security Controls

• Personnel with access to Personal Data must adhere to strict confidentiality obligations
  
• Employees are required to undergo periodic training on data protection and information security
  

Support for Data Subject Rights

The Processor shall assist the Controller in fulfilling Data Subject requests, including:

• Access to Personal Data
  
• Correction or updating of inaccurate or incomplete information
  
• Deletion of Personal Data, including requests under the “Right to be Forgotten”
  
• Enabling data portability
  
• Restricting or objecting to specific processing activities
  

Use of Subprocessors

• No Subprocessor may be appointed without the Controller’s prior written consent
  
• All approved Subprocessors must be contractually bound by data protection obligations equivalent to those set out in this DPA
  

Personal Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller within 24 hours and provide:

• A detailed explanation of the breach and surrounding circumstances
  
• The categories and approximate number of affected Data Subjects
  
• Immediate steps taken to mitigate potential impact
  
• Recommended actions to prevent recurrence
  

Audit and Compliance

The Controller has the right to conduct audits or inspections, subject to reasonable prior notice, to verify the Processor’s compliance with the terms of this DPA.

Data Retention and Secure Disposal

• Personal Data shall be retained only for the duration necessary to support payment processing and satisfy regulatory obligations, including those prescribed by the RBI
  
• Upon termination of services, Personal Data must be securely deleted or returned, unless continued retention is required under applicable law
  

Regulatory Communication

The Processor shall promptly notify the Controller of any legal, regulatory, or compliance changes that may impact the lawful processing of Personal Data.

Liability and Indemnity

• Each Party is accountable for losses or damages arising from its own breach of this Agreement
  
• The Processor agrees to indemnify and hold the Controller harmless against penalties, claims, or losses resulting from failure to comply with data protection obligations
  

Governing Law and Jurisdiction

• This DPA is governed by the laws of India
  
• All disputes arising under this Agreement fall within the exclusive jurisdiction of Indian courts
  

Modifications to the Agreement

Any amendments or changes to this DPA must be made in writing and formally executed by both the Data Controller and the Data Processor.

Acceptance of Terms

By accepting this DPA, both Parties confirm that they have read, understood, and agreed to all terms, responsibilities, and obligations set forth in this Agreement.