DATA PROCESSING ADDENDUM

Below is a draft Data Processing Addendum (DPA) that you can integrate with your master services agreement or terms.

DATA PROCESSING ADDENDUM (“DPA”)

Last Revised:

This DPA is incorporated by reference into the Agreement (Master Services Agreement / Terms of Service / Subscription Agreement) between Orangescrum (“Processor”) and the Government Agency (“Controller” or “Customer”). This DPA applies to the extent Orangescrum processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Unless otherwise defined, capitalized terms in this DPA shall have the meanings given below or in the main Agreement.

1.1 “Controller” means the party which determines the purposes and means of processing Personal Data (in many cases, the Customer).

1.2 “Processor” means Orangescrum, which processes Personal Data on behalf of the Controller.

1.3 “Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, addresses, email addresses, identifiers, etc., that is processed under the Agreement.

1.4 “Processing / Process / Processes” means any operation performed on Personal Data (collection, recording, organization, storage, alteration, retrieval, use, disclosure, erasure, etc.).

1.5 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

1.6 “Data Subject” means the natural person to whom the Personal Data relates.

1.7 “Personal Data Breach” means a security incident resulting in unauthorized or unlawful access, disclosure, alteration, loss or destruction of Personal Data.

2. Roles & Scope

  • Customer is the Controller (or, where applicable, a Processor) and retains control over the Personal Data and instructs Processor regarding its processing.
  • Orangescrum is the Processor acting strictly on Customer’s documented instructions for the purposes of providing Services under the Agreement.
  • This DPA applies only to Personal Data for which Customer acts as Controller.

3. Processor Obligations & Restrictions

3.1 Limited Use

Processor shall process Personal Data only for the purposes set out in the Agreement and this DPA, following Customer’s documented instructions. Processor shall not use Personal Data for its own purposes (e.g. marketing) unless expressly permitted.

3.2 Confidentiality

Processor shall ensure that all persons authorized to process Personal Data are bound by confidentiality obligations.

3.3 Security Measures

Processor shall implement appropriate technical and organizational measures to protect Personal Data, in accordance with industry best practices and applicable laws. Examples include:

  • Encryption (in transit & at rest)
  • Access controls, role-based access, least privilege
  • Logging, monitoring & audit trails
  • Network security (firewalls, intrusion detection)
  • Patching, vulnerability management
  • Regular security assessments, penetration testing
  • Employee training, background checks
  • Incident detection & response capability

3.4 Sub-processors

  • Processor may engage Sub-processors only with prior written consent of the Customer (or via a general authorization).
  • Processor must flow down equivalent data protection obligations to Sub-processors (no less protective than those in this DPA).
  • Customer may require that a Sub-processor be removed or replaced if it fails to comply.
  • Processor shall maintain a list of current Sub-processors and make it available to Customer (upon request).

3.5 Cross-border Data Transfers

  • Personal Data shall not be transferred across national borders without Customer’s prior written consent, unless permitted under law and with legal safeguards (e.g. Standard Contractual Clauses, Binding Corporate Rules, or government-mandated safeguards).
  • If data must be processed outside India (or the jurisdiction), the transfer must comply with relevant data protection regulations and government approvals (e.g. data residency requirements).

3.6 Data Subject Rights & Assistance

  • Processor shall assist Customer in responding to Data Subject requests (access, correction, deletion, objection) insofar as reasonably possible.
  • Processor shall maintain appropriate records to demonstrate compliance.

3.7 Personal Data Breach Notification

  • Processor shall notify Customer promptly (and in any case within [24 hours or shorter as required by law or government statute]) about any confirmed or reasonably suspected Personal Data Breach.
  • Processor’s notification must include: nature of breach, categories of data affected, likely consequences, remedial actions, steps to mitigate risk, timeline, contact point for queries.
  • Processor shall cooperate with Customer in managing and notifying regulatory authorities or affected Data Subjects as required.

3.8 Return or Deletion of Data

  • Upon expiry or termination of Agreement, Processor shall, at Customer’s choice, return all Personal Data to Customer or securely delete/destroy it (unless retention is required by applicable law).
  • Processor must certify in writing that deletion is complete, and take care to securely wipe storage media.

3.9 Audit & Inspection Rights

  • Customer may audit Processor’s compliance (including security controls, policies, logs) subject to prior notice (e.g. 30 days), during normal business hours, and under confidentiality.
  • Processor shall provide the necessary information, access, and cooperation.

3.10 Survival

  • The provisions of this DPA survive termination or expiration of the Agreement, as long as the Processor retains or has access to Personal Data.

3.11 Liability & Indemnification

  • Processor shall be liable for damages due to its breach of this DPA, data protection laws, or misuse of Personal Data.
  • Customer may require indemnification for breaches or regulatory fines (subject to negotiation).

3.12 Conflicts & Priority

  • In case of conflict between this DPA and the main Agreement, this DPA prevails regarding data processing obligations.

Suggested Adjustments / Enhancements & Integration Steps

  • Customization per Government Agency: For each Government client, maintain an annex listing specific security control requirements, data classification rules, retention rules, and compliance requirements (e.g. local laws, RTI, etc.).
  • Stronger Penalties or SLA-linked Data Guarantees: Given government procurement norms, you might need liquidated damages, performance bonds, or escrow of source code in extreme cases.
  • Localization / Data Residency: If the government mandates data storage within Indian territory (or a given state), specify that explicitly, and restrict cross-border transfers.
  • Higher Confidentiality / Classified Data: For classified or secret data, you might impose stricter controls (e.g. stricter encryption, no cloud outside secure zones, special access).
  • Regulatory Compliance: Integrate clauses referencing the Indian IT Act, possible upcoming data protection law, audit by Comptroller & Auditor General (CAG), etc.
  • Review by Legal Team: Your legal or compliance team must vet these drafts for consistency with procurement, contract, and regulatory frameworks in India / Odisha.