This Data Processing Addendum (“DPA”) supplements the master service agreement between Praxxii Global (the “Processor”) and the Client (the “Controller”) and governs the processing of personal data on the Controller's behalf in connection with the services described in the Engagement Contract.
1. Definitions
Capitalised terms not defined here have the meanings given in the GDPR (EU 2016/679), the UK GDPR, India's Digital Personal Data Protection Act 2023 (“DPDP”), the California Privacy Rights Act (“CPRA”), or the UAE Personal Data Protection Law (“PDPL”), as applicable to the parties.
2. Scope and roles
The Controller is the data controller (or business / data fiduciary in the equivalent regimes); Praxxii Global is the data processor (or service provider / data processor). The subject matter, duration, nature, purpose, categories of data, and data subjects are described in Annex A. Praxxii Global shall process Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required by law to do otherwise.
3. Confidentiality
Praxxii Global ensures persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security measures
Praxxii Global implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest where applicable
- Role-based access control with least-privilege defaults; mandatory MFA for all production access
- Logging, monitoring, and timely patching of systems
- Regular review of these measures and security training for personnel
- Documented incident-response and breach-notification procedures (see §8)
5. Sub-processors
The Controller authorises Praxxii Global to engage the sub-processors listed at /sub-processors. Praxxii Global imposes data-protection obligations on each sub-processor that are no less protective than those set out in this DPA. Praxxii Global will notify the Controller in writing at least 30 days before engaging any new sub-processor that would materially change the processing; the Controller may object on reasonable grounds within 14 days.
6. Data-subject rights
Taking into account the nature of processing, Praxxii Global assists the Controller by appropriate technical and organisational measures, insofar as possible, in the fulfilment of the Controller's obligation to respond to requests from data subjects exercising their rights under the applicable law. Requests received directly by Praxxii Global from a data subject relating to the Controller's data will be promptly forwarded to the Controller.
7. International transfers
Where personal data of EEA, UK, or Swiss data subjects is transferred outside those jurisdictions, the parties shall execute the relevant Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum as applicable. For India-resident data subjects, transfers occur in accordance with DPDP §16. For UAE-resident data subjects, transfers comply with PDPL.
8. Personal-data breach
Praxxii Global shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's data. The notification shall include, to the extent then known: the nature of the breach, categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
9. Audits
On Controller request and reasonable notice (no more than once per 12-month period unless required following a Personal Data Breach or by a competent supervisory authority), Praxxii Global shall make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller and bound by confidentiality obligations no less stringent than those set out herein.
10. Deletion or return of personal data
On termination of the engagement, Praxxii Global shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law. Default retention windows are described in the Privacy Policy.
11. Liability
The liability provisions of the master Engagement Contract apply to the obligations under this DPA. Where applicable law assigns joint and several liability to controllers and processors, the parties' allocation between themselves remains as set forth in the Engagement Contract.
12. Governing law and conflicts
This DPA is governed by Indian law and is subject to the dispute-resolution mechanism in the Engagement Contract's Clause 17, except where mandatory law of the data subject's jurisdiction otherwise requires. In the event of a conflict between this DPA and the Engagement Contract, this DPA prevails as to the processing of Personal Data; in the event of a conflict with the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
Annex A — Description of processing
Subject matter: Provision of cross-border performance marketing, registration, payments, paid-media, SEO, and analytics services as described in the Engagement Contract.
Duration: The term of the Engagement Contract plus retention periods described in the Privacy Policy.
Nature and purpose of processing: Storage, analysis, transmission, and deletion of personal data necessary to deliver the Services.
Categories of data subjects: Controller's end-customers, prospects, visitors, and employees acting on its behalf.
Categories of personal data: Identifiers (name, email, phone, postal address); commercial information; online identifiers (IP, cookies, device IDs); inferences derived from advertising-platform telemetry. No special-category data is processed unless explicitly authorised in writing.
Annex B — Sub-processor list
Maintained at /sub-processors and updated as described in §5.