Logo

Data Processing Agreement

Data Processing Agreement (DPA)

When you choose to use our platform, you place trust in how your information is treated. This Data Processing Agreement (“DPA”) defines the official terms between ONSOFT ENTERPRISES, serving as the “Data Processor,” and the individual or entity accepting these conditions, referred to as the “Data Controller.” The intention is to outline the proper handling, protection, and use of Personal Data connected to payment gateway services available on our platform.

For ease of reference, the words “we,” “our,” and “us” represent ONSOFT ENTERPRISES. The terms “you” and “your” represent the party who agrees to and relies upon these terms when engaging with the services.

Through this agreement, both sides share a clear understanding of how Personal Data is managed with integrity. It provides confidence that every step of the process is safeguarded, offering reassurance for anyone reading these terms that their data remains a priority.

Roles of the Parties

Every agreement works best when the roles are clearly understood. Within this arrangement, the party identified as the Controller determines the reasons for processing Personal Data, sets the legal grounds for doing so, and ensures compliance with applicable data protection obligations.

The Processor, in turn, manages Personal Data strictly according to the documented instructions provided by the Controller. Such handling is carried out only as needed to deliver the payment gateway services covered under this agreement.

By defining these responsibilities, both sides remove uncertainty and establish trust. For anyone reviewing these terms, it becomes clear that transparency and accountability guide the way Personal Data is managed, helping you feel secure in how information is treated.

Scope Of Processing

Whenever you share your details with us, you expect them to be used responsibly. This section explains the specific ways Personal Data is processed to make your payment journey safe and dependable.

Personal Data is handled for purposes such as initiating, approving, and completing payment transactions. It is also essential for KYC verification, which helps confirm identities and block fraudulent activities before they create risks. To further safeguard your transactions, authentication practices are applied, including the use of two-factor authentication.

Along with these protections, your information supports proper reporting and reconciliation of transactions, giving you clarity and reliability in your records. The Processor also ensures that all actions follow the requirements of RBI, NPCI, and the applicable payment networks.

Security Measures

Protecting your information is more than a responsibility—it is a commitment to keeping your trust intact. The Processor employs strict safeguards that are both technical and organizational, ensuring risks are minimized and reliability stays strong.

These protections include:

  • Full compliance with PCI DSS requirements whenever cardholder data is stored, transmitted, or processed.
  • Advanced encryption methods that protect data in transit as well as at rest.
  • Multi-factor authentication controls that prevent unauthorized access to systems.
  • Secure key management practices that ensure cryptographic materials remain protected from misuse.
  • Regular vulnerability assessments and penetration testing to detect and fix weaknesses before they can be exploited.

In addition to these measures, confidentiality is enforced across the team, with every staff member receiving proper training on handling Personal Data securely.

By implementing these practices, we want you to feel confident that your information is not only protected by standards but also by ongoing dedication to your safety.

Data Subject Rights

Your personal data should always stay within your control, and this agreement reflects that principle. The Processor supports the Controller in meeting responsibilities under Applicable Laws by ensuring that requests from individuals are handled promptly and appropriately.

As part of this commitment, you are entitled to know what information is held about you and to request corrections if any detail is incomplete or inaccurate. You may also ask for your data to be removed when circumstances make such erasure appropriate. If needed, your information can be provided in a structured and portable format, giving you flexibility in how it is used. In addition, you have the ability to place limits on processing or to object to the way your data is managed.

These rights ensure that your choices are central to how information is handled. The Processor’s role is to help the Controller give real effect to these protections, so you can be confident that your personal data is treated with respect and accountability.

Subprocessors

Protecting your information requires not only care but also transparency about who may be involved in processing it. For this reason, the Processor will only engage a Subprocessor after receiving prior written approval from the Controller. This guarantees that no outside party participates without the Controller’s knowledge and agreement.

If a Subprocessor is authorized, that party must sign a binding contract requiring them to meet data protection standards that are at least equal to, or stronger than, those within this Data Processing Agreement. These obligations ensure that safeguards remain consistent, regardless of who is handling the data.

With these rules in place, you can feel confident that any third party brought into the process is bound by the same level of responsibility and protection, keeping your information secure at every step.

Data Breach Notification

Safeguarding personal information also means being ready to act quickly if something goes wrong. In the rare case that the Processor identifies an incident affecting Personal Data, the Controller will be notified immediately, and always within 24 hours.

That notification will clearly outline the situation by explaining the type of breach that occurred, identifying the categories of Data Subjects involved along with an approximate number, describing the actions already taken to contain the issue, and detailing the preventive measures planned to reduce the risk of similar events.

This process ensures that nothing is hidden and that transparency is maintained throughout. For anyone relying on these services, it means your interests are protected through rapid communication and a clear plan of response, reinforcing the trust placed in how your data is handled.

Audit & Compliance

Ensuring that commitments are honored requires visibility, and this agreement gives the Controller the ability to confirm how responsibilities are carried out. With reasonable advance notice, the Controller may request an audit to review the Processor’s adherence to this Data Processing Agreement.

To make such a review effective, the Processor will provide the Controller with access to essential documents, including internal policies, relevant records, and certifications such as PCI DSS compliance reports. These resources give a clear picture of how safeguards are maintained and obligations are fulfilled.

Data Retention & Deletion

The way information is stored matters just as much as how it is used. For that reason, the Processor retains Personal Data only for the period necessary to complete payment processing and to comply with legal requirements, including those set by RBI.

Once the services are concluded, all Personal Data will either be securely deleted or returned to the Controller, unless specific laws require it to be kept for a longer duration. This ensures that information is never held beyond what is genuinely needed.

Legal & Regulatory Changes

Protecting personal data requires keeping pace with the law, and this agreement recognizes that rules may change over time. If any shift in legal or regulatory requirements affects how the Processor manages Personal Data under this Agreement, the Controller will be informed promptly.

This notification ensures that both parties remain fully aware of changes that may influence compliance and have the opportunity to respond quickly. Adjustments can then be made so that sensitive information continues to be protected in line with current standards.

Liability & Indemnification

Clear accountability strengthens trust and ensures that responsibilities are more than just words on paper. Under this Agreement, any Party that fails to meet its obligations will be liable for damages that result from that failure.

Furthermore, the Processor agrees to indemnify the Controller against fines, losses, or claims that may arise due to the Processor’s breach of data protection duties. This commitment prevents the Controller from carrying the weight of non-compliance caused by the Processor’s actions.

Governing Law & Dispute Resolution

Every agreement requires a clear foundation, and that includes knowing which laws will guide its interpretation. This Agreement shall be governed by and enforced in accordance with the laws of India.

Should any dispute arise from the terms or performance of this Agreement, such matters will be subject to the exclusive jurisdiction of the courts situated in India. This ensures that any disagreement is resolved within a defined and consistent legal framework.

Amendments

Agreements are meant to adapt when circumstances change, but adjustments must be handled with care and fairness. Any modification to this Agreement will only take effect when it is written down and formally agreed to by both Parties through signature.

This process prevents misunderstandings, avoids assumptions, and ensures that every update is recognized equally. Both Parties gain the same clarity about their obligations, leaving no room for doubt.

Acknowledgment and Acceptance

Strong agreements are built on understanding, and this section ensures that both Parties enter with complete awareness. By agreeing to this Data Processing Agreement, each Party confirms that the terms have been reviewed with care, fully understood, and formally accepted.

This confirmation is not just a procedural step; it reflects a joint promise to honor responsibilities and safeguard the handling of Personal Data in line with the commitments outlined here.