Data Protection Addendum

This Data Protection Addendum ("DPA") is an integral part of the Terms of Service, which can be accessed at https://iedge.in/terms-of-service.html, or, if applicable, any other separate written agreement (referred to as the "Agreement" or "Services Agreement"), by and between iEdge Digital Business Cards (a division of FutureSoft India Pvt Ltd), and the Customer/Client named in the Agreement, pursuant to which Customer/Client has purchased a subscription to access and use the Service (as defined in the Agreement). The parties intend this DPA to be an extension of the Agreement that will outline certain requirements for iEdge’s processing of certain personal data provided or made available by Customer/Client, or collected or otherwise obtained by iEdge, in the course of providing services to Customer/Client.

Contents

  • Definitions
  • Purpose
  • Scope
  • Data Protection
  • Security Measures
  • Annex 1

Definitions

"Agreement" means the agreement between the Controller and the Processor for the provision of the Services;

"CCPA" means the California Consumer Privacy Act of 2018, along with its regulations and as amended from time to time;

"Data Protection Legislation" means all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction where iEdge conducts business. Data Protection Legislation includes, but is not limited to, EU GDPR and UK GDPR.

“Data Subject” shall have the same meaning as in Data Protection Law or means a “Consumer” as that term is defined in the CCPA;

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

“Personal Data” shall have the same meaning as in Data Protection Law;

“Processor” means the Company, including as applicable any “Service Provider” as that term is defined by the CCPA;

“Services” means all services and software applications and solutions provided to the Controller by the Processor under and as described in the Agreement;

“Sub-Processor” means any third party (including the Processor’s Affiliates) engaged directly or indirectly by the Processor to process Personal Data under this DPA in the provision of the Services to the Controller;

“UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

Purpose

The Processor has agreed to provide the Services to the Controller in accordance with the terms of the Agreement. In providing the Services, the Processor shall process Customer Data on behalf of the Controller. Customer Data may include Personal Data. The Processor will process and protect such Personal Data in accordance with the terms of this DPA.

Scope

The parties agree that, as between the parties, Customer is a data controller and that iEdge is a processor in relation to personal data that iEdge processes on behalf of Customer in the course of providing the services under the Services Agreement ("Services"). The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out the Services described in, the Services Agreement. The processing will be carried out until the date iEdge ceases to provide the Services to Customer. The categories of data subjects and personal data are set forth on Annex 1 hereto.

Data Protection

In respect of personal data processed in the course of providing the Services, iEdge shall adhere to the following requirements:

  1. iEdge will process the personal data only in accordance with the written instructions from Customer and only in compliance with Data Protection Legislation. Such instructions may be specific or of a general nature as set out in this DPA, the Services Agreement, or as otherwise notified by Customer to iEdge in writing from time to time. The nature and purposes of the processing shall be limited to that necessary to carry out such instructions, and not for iEdge's own purposes, or for any other purposes except as required by law. If iEdge is required by law to process the personal data for any other purpose, iEdge will inform Customer of such requirement prior to the processing unless prohibited by law from doing so.
  2. iEdge will process the personal data only to the extent, and in such manner, as is necessary for the provision of the Services. iEdge may only correct, delete or block the personal data processed on behalf of Customer as and when instructed to do so by Customer.
  3. iEdge will implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice. Such measures shall include, as appropriate:
    • the pseudonymisation and encryption of personal data;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  4. iEdge will not give access to or transfer any personal data to any third party (including group companies or subcontractors) without giving Customer prior notice and an opportunity to object via an update to https://iedge.in/legal/subprocessors.html; notwithstanding the foregoing, the sub-contractors listed on https://iedge.in/legal/subprocessors.html as of the date of this DPA are deemed pre-approved by Customer, subject to the conditions contained herein. Where Customer does not object in good faith on grounds related to data protection to iEdge engaging a subcontractor to carry out any part of the Services, iEdge must ensure the reliability and competence of such third party, its employees or agents who may have access to the personal data processed in the provision of the Services, and must include in any contract with such third party provisions in favor of Customer which are substantially equivalent to those in this DPA and the Services Agreement and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where a third party fails to fulfill its obligations under any sub-processing agreement or any applicable Data Protection Legislation, iEdge will remain fully liable to Customer for the fulfillment of its obligations under this DPA and the Services Agreement.
  5. iEdge will take reasonable steps to ensure the reliability and competence of any iEdge personnel who have access to the personal data. iEdge will ensure that all iEdge personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA.
  6. iEdge will take all reasonable steps to assist Customer in meeting Customer’s obligations under applicable Data Protection Legislation, including Customer’s obligations to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. iEdge will promptly inform Customer in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to Customer’s obligations under Data Protection Legislation.
  7. iEdge will not retain any of the personal data for longer than is necessary to provide the Services. At the end of the Services, or upon Customer's request, iEdge will securely destroy or return (at Customer’s election) the personal data to Customer.
  8. With regard to personal data related to data subjects located in the European Economic Area or the United Kingdom, Customer hereby gives consent to the processing of such personal data in India by iEdge, provided that:
    • iEdge will take such steps as may reasonably be required by Customer on an ongoing basis to ensure there is adequate protection for such personal data in accordance with applicable Data Protection Legislation; and
    • iEdge will process such data pursuant to the standard contractual clauses. For the purposes of the descriptions in the standard contractual clauses and only as between Customer and iEdge, Customer agrees that Customer is a data controller and "data exporter" and iEdge is the data processor and "data importer" under the standard contractual clauses.

Security Measures

    Access control

    iEdge has established a robust access control system to ensure that only authorized personnel have access to Personal Data. Access to Personal Data is restricted to authorized individuals who require it solely for support purposes. This access is governed by a role-based access control system, which grants access only to the data necessary for the specific support task.

    All iEdge personnel authorized to access Personal Data undergo training to ensure compliance with relevant Data Protection Laws. Furthermore, they are bound by perpetual confidentiality obligations, applicable to their support duties.

    Audit logging

    We maintain relevant audit logs, documenting access to sensitive information, including personal data. These logs are exclusively accessed by the Security team.

    Data encryption and pseudonymization

    We employ encryption and pseudonymization techniques to safeguard Personal Data from unauthorized access, disclosure, or destruction. iEdge utilizes cutting-edge encryption technologies to ensure the security of data during transmission and storage.

    Data storage and retention

    We take necessary measures to securely store and retain Customers' data. This includes logically separating Customers' data from system and application data, as well as implementing access controls and monitoring mechanisms. Additionally, we regularly assess and test the effectiveness of our technical and organizational measures to ensure data security.

    iEdge has also implemented measures to ensure the availability and accessibility of Personal Data in case of physical or technical incidents.

    Data Breaches

    We have established processes to address data breaches, which involve notifying relevant stakeholders in accordance with the type of incident and applicable legislation.

    Software Development

    Our development process adheres to a secure methodology, incorporating peer review, secure coding, and thorough testing.

    System configuration

    iEdge implements measures to safeguard the security and integrity of our systems and processes, including our system configuration and default settings. We adhere to industry best practices and standards to ensure secure system configurations and prevent vulnerabilities from default settings.

    We conduct regular reviews and updates of our system configuration settings to align with our security policies. Additionally, we enforce stringent controls over changes to system configurations, requiring documentation, approval, and testing before implementation.

    Moreover, our software development processes incorporate secure coding practices, and we consistently assess and update default configurations to maintain security and mitigate potential vulnerabilities.

    Assistance to Customer as a Data Controller

    iEdge recognizes its role as a Data Processor and acknowledges the responsibility to support the Customer in safeguarding the security and integrity of Personal Data. Accordingly, we have enacted targeted technical and organizational measures to facilitate effective assistance to the Customer in their capacity as a Data Controller.

    A pivotal measure we've implemented involves the formation of a specialized customer support team comprising personnel trained in compliance with relevant Data Protection Laws and regulations. This team is tasked with assisting the Customer in managing and processing Personal Data, including addressing requests for data access, rectification, and deletion.

    Certifications

    The iEdge platform is developed by the parent company FutureSoft India Pvt Ltd, which is an ISO 27001 certified company. iEdge has also obtained VAPT certification. We undergo regular audits and assessments to uphold this certification, ensuring our adherence to relevant data protection laws.

Annex 1: Data Processing Details

    Data exporter

    The data exporter is Customer.

    Data importer

    The data importer is iEdge.

    Data subjects

    The personal data transferred concern the following categories of data subjects:

    • The Customer
    • Individual contacts of the Customer
    • Any other data subjects whose data may be processed from time to time under the Agreement and this DPA

    Categories of data

    The personal data transferred concern the following categories of data:

    • First and last name
    • Designation
    • Phone number
    • Email address
    • Photographs and/or video of data subjects
    • Mailing or other address information
    • IP address
    • Employee ID
    • Date of birth
    • Social media profiles
    • Company Name
    • Company Size
    • Text Message
    • Device type and browser information