Data Processing Agreement

1. Definitions

Controller / Data Fiduciary: The Agency or Enterprise customer who determines the purposes and means of processing personal data of their own clients.

Processor / Qbiqal: Qbiqal Technologies Pvt. Ltd., who processes personal data on behalf of the Controller to deliver the platform services.

Data Subject / Data Principal: The individual whose personal data is being processed.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

2. Scope & Relationship

This DPA applies to all personal data processed by Qbiqal on behalf of Agency and Enterprise subscribers (the Controller) in connection with the Qbiqal platform services.

Qbiqal processes personal data only as instructed by the Controller and does not process data for its own purposes beyond what is necessary to operate the platform.

This DPA is incorporated into and forms part of the Qbiqal Terms of Service. In case of conflict between this DPA and the Terms, this DPA prevails with respect to data processing matters.

3. Processing Instructions

Qbiqal shall process personal data only:

• On the documented instructions of the Controller (including instructions given via the platform configuration).
• As required by applicable Indian law, in which case Qbiqal shall notify the Controller before processing unless prohibited by law.

The Controller warrants that it has obtained all necessary consents and has a lawful basis for any personal data submitted to the platform.

4. Sub-Processors

The Controller authorizes Qbiqal to engage the following sub-processors:

Qbiqal will notify Controllers of any planned changes to sub-processors with at least 14 days notice via email to [email protected].

5. Security Obligations

Qbiqal implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• AES-256-GCM encryption for all sensitive data at rest.
• TLS 1.2+ for all data in transit.
• Role-based access control with principle of least privilege.
• Regular vulnerability assessments and dependency audits.
• Immutable audit logs for all critical platform operations.
• Multi-tenant data isolation at the database level.

6. Data Subject Rights

Taking into account the nature of the processing, Qbiqal shall assist the Controller in fulfilling their obligations to respond to requests from Data Principals to exercise their rights under the DPDP Act 2023.

Controllers can submit Data Principal rights requests to [email protected] or WhatsApp +91 74392 87439. Qbiqal will respond within 30 days.

7. Breach Notification

In the event of a personal data breach affecting Controller data, Qbiqal will:

• Notify the Controller within 72 hours of becoming aware of the breach.
• Provide details of the nature, scope, and categories of data affected.
• Outline the measures taken and proposed to address the breach.

Breach notifications will be sent to the primary account email address and to [email protected].

8. Data Return & Deletion

Upon termination of the service agreement, Qbiqal will:

• Provide the Controller a 30-day window to export all data.
• Delete all Controller personal data within 30 days of the export window closing, except where retention is required by Indian law.
• Provide written confirmation of deletion upon request.

9. Governing Law

This DPA is governed by the laws of India and the DPDP Act 2023. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of competent courts in India.

For DPA-related enquiries: [email protected] · +91 74392 87439