Data Protection Addendum
This Data Protection Addendum ("Addendum") is entered into by and between Fitsol Supply Chain Solutions Private Limited ("Fitsol") and the Customer (as defined in the Agreement), collectively referred to as the "Parties", and forms an integral part of the Fitsol Terms of Service available at https://fitsol.green/terms or any other written or electronic agreement incorporating this Addendum (the "Agreement").
The Customer enters into this Addendum on behalf of itself and any of its Affiliates authorized to use the Services under the Agreement. For the purposes of this Addendum, except where explicitly stated otherwise, the term "Customer" shall include both the Customer and such Affiliates.
1. Definitions
For the purposes of this Addendum, the following terms shall have the meanings set forth below:
1.1 "Affiliate"
means any entity that, directly or indirectly, controls, is controlled by, or is under common control with a Party, where "control" means the ownership of more than fifty percent (50%) of the voting securities of an entity or the ability to otherwise direct the management and policies of such entity.
1.2 "Customer Personal Data"
means any Personal Data provided by or made available by Customer to Fitsol, or collected by Fitsol on behalf of the Customer, that is subject to Processing by Fitsol under the Agreement.
1.3 "Data Protection Laws"
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Fitsol.
- The Information Technology Act, 2000 (as amended)
- The Digital Personal Data Protection (DPDP) Act, 2023
- The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- Applicable data protection regulations under SOC 2 compliance standards
1.4 "Security Incident"
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Fitsol.
1.5 "Services"
means the technology solutions, managed services, and other related services provided by Fitsol to the Customer under the Agreement.
2. Scope and Application
2.1 This Addendum applies to Fitsol’s Processing of Customer Personal Data under the Agreement, to the extent that such Processing is subject to Data Protection Laws, as further described in Annexure 1.
2.2 In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall prevail to the extent of any inconsistency in respect of data protection obligations.
3. Roles of the Parties
3.1 The Parties acknowledge and agree that, with respect to the Processing of Customer Personal Data:
- The Customer acts as a Data Controller (under GDPR) or Business (under DPDP Act).
- Fitsol acts as a Data Processor (under GDPR) or Service Provider (under DPDP Act).
3.2 Fitsol shall Process Customer Personal Data only in accordance with the documented instructions of the Customer, as outlined in this Addendum and the Agreement, and as detailed in Annexure 1.
4. Processing Terms
4.1 Fitsol shall:
- Process Customer Personal Data solely for the purposes described in Annexure 1, unless expressly agreed in writing by the Customer;
- Implement and maintain appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of Customer Personal Data;
- Not Sell, Share, or Transfer Customer Personal Data to any third party except as expressly permitted under this Addendum;
- Assist the Customer in fulfilling its legal obligations under applicable Data Protection Laws, including but not limited to:
  - Responding to Data Subject Rights Requests;
  - Conducting Data Protection Impact Assessments;
  - Providing information regarding security safeguards implemented by Fitsol.
4.2 In the event of a Security Incident, Fitsol shall notify the Customer without undue delay and take necessary remedial actions to mitigate the impact.
5. International Data Transfers
5.1 If Customer Personal Data is transferred to a jurisdiction outside India, the European Economic Area (EEA), United Kingdom, or any other jurisdiction requiring adequate data transfer safeguards, such transfers shall be subject to:
- Standard Contractual Clauses (SCCs)
- Any other applicable mechanism as per Data Protection Laws
Furthermore, international transfers of Customer Personal Data shall adhere to the sub-processor and jurisdictional specifics outlined in Annexure 1 apart from the aforementioned jurisdictions.
6. Data Retention and Deletion
6.1 Upon termination or expiry of the Agreement, Fitsol shall, at the election of the Customer:
- Return all Customer Personal Data to the Customer, or
- Securely delete all Customer Personal Data, except where retention is required by applicable law.
6.2 Fitsol shall certify the completion of such deletion or return upon request by the Customer.
6.3 Data retention periods or criteria used to determine such periods are described in Annexure 1.
7. Liability and Indemnity
7.1 The Customer shall indemnify, defend, and hold Fitsol harmless from any claims, fines, penalties, or liabilities arising from:
- Customer’s breach of this Addendum
- Customer’s failure to comply with applicable Data Protection Laws
8. Severability
8.1 If any provision of this Addendum is found to be unlawful or unenforceable, the remainder of the Addendum shall remain in full force and effect.
9. Miscellaneous
9.1 Privacy by Design and Security
Fitsol shall implement appropriate safeguards in compliance with GDPR, DPDP Act, IT Act, and SOC 2 standards, as further detailed in Annexure 1.
9.2 Data Protection Officer (DPO) Contact
Any data protection-related inquiries shall be directed to Fitsol's Data Protection Officer:
Mr. Akshay Tandon - akshay.tandon@fitsol.green
Annexure 1 to Data Protection Addendum
This Annexure includes certain details of the Processing of Customer Personal Data by Fitsol in connection with the Services.
1. List of Parties
Data Exporter
Name: | Customer (as defined in the Agreement) |
Address: | As set forth in the relevant Order Form |
Contact person & details: | As set forth in the relevant Order Form |
Activities relevant to data transfer: | Recipient of the Services provided by Fitsol in accordance with the Agreement |
Signature and date: | Signature and date are set out in the Agreement |
Role (controller/processor): | Controller |
Data Importer
Name: | Fitsol Supply Chain Solutions Private Limited |
Address: | 718-719, 7th Floor, DLF Star Tower, Arjun Marg, DLF City Phase 1, Gurugram 122002, Haryana |
Contact person & details: | Akshay Tandon, Co-Founder & CTO, akshay.tandon@fitsol.green |
Activities relevant to data transfer: | Provision of the Services to the Customer in accordance with the Agreement |
Signature and date: | Signature and date are set out in the Agreement |
Role (controller/processor): | Processor |
2. Processing Details
Category of Personal Data | Purpose of Processing | Legal Basis |
---|---|---|
Name, Email, Phone | Account Management & Service Delivery | Consent / Contractual Obligation |
Transaction History | Billing & Payments | Contractual Obligation |
3. Data Retention
Category of Personal Data | Retention Period | Deletion Method |
---|---|---|
Name, Email, Phone | Until account closure + 2 years | Secure Deletion |
Transaction History | 7 years | Archival & Secure Deletion |
4. Security Measures
Measure | Description |
---|---|
Encryption | AES-256 encryption in transit and at rest |
Access Control | Role-based access and multi-factor authentication |
Monitoring | Regular audits, logging, and intrusion detection |
5. Sub-processors
Sub-processor Name | Location | Purpose |
---|---|---|
AWS | India / Singapore / USA | Cloud Hosting & Storage |
SendGrid | USA | Email Delivery Services |