Arrowhead

Data Processing Agreement (DPA)

Under the Digital Personal Data Protection Act, 2023 (DPDP Act)

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement / Terms of Use ("Agreement") between the Data Fiduciary and Arrowhead (the "Data Processor"). Except as modified herein, the Agreement remains in full force and effect.

1. Definitions

Unless otherwise defined herein, terms shall have the meaning assigned under the DPDP Act.

"Personal Data" means any data about an identifiable individual processed by the Data Processor on behalf of the Data Fiduciary.

"Sub-Processor" means a third party engaged by the Data Processor to process Personal Data on its behalf.

2. Scope and Purpose of Processing

The Data Processor shall process Personal Data solely for the purpose of providing the Services under the Agreement and in accordance with documented lawful instructions of the Data Fiduciary.

Nothing in this DPA shall grant the Data Fiduciary any rights in the Data Processor's underlying platform, models, software, tools, algorithms, or methodologies.

3. Categories of Personal Data

Details of Data Principals, categories of Personal Data, and nature of processing are described in Annex I.

4. Duration

Personal Data shall be processed for the duration of the Agreement, subject to retention provisions set out herein.

5. Obligations of the Data Fiduciary

The Data Fiduciary shall:

  • ensure lawful basis and valid consent under the DPDP Act;
  • provide required notices to Data Principals;
  • remain responsible for compliance with laws applicable to its business operations; and
  • communicate erasure, correction, or consent withdrawal requests in writing.

6. Obligations of the Data Processor

The Data Processor shall:

  • process Personal Data only on documented lawful instructions;
  • implement appropriate technical and organizational measures;
  • notify the Data Fiduciary if an instruction appears to violate applicable law;
  • provide reasonable assistance for Data Principal requests;
  • ensure personnel confidentiality; and
  • bind Sub-Processors to substantially similar obligations.

7. Use of Anonymized and Aggregated Data

The Data Processor may use anonymized and aggregated data derived from Personal Data for analytics, service improvement, benchmarking, security enhancement, and product development purposes, provided such data does not identify any Data Principal or the Data Fiduciary.

Outputs generated specifically for the Data Fiduciary from its Personal Data shall belong to the Data Fiduciary; however, the Data Processor retains ownership of the underlying software, models, algorithms, and analytical methodologies used to generate such outputs.

8. Sub-Processors

Sub-Processors listed in Annex III are authorized.

The Data Processor shall remain responsible for ensuring Sub-Processors comply with obligations substantially similar to those contained herein.

9. Cross-Border Transfers

The Data Processor shall comply with applicable cross-border transfer requirements under the DPDP Act, as applicable to Data Processors.

10. Security Measures

The Data Processor shall implement technical and organizational measures including:

  • access controls;
  • encryption in transit and at rest;
  • role-based access;
  • periodic security testing;
  • employee confidentiality training; and
  • multi-factor authentication.

11. Personal Data Breach

The Data Processor shall notify the Data Fiduciary without undue delay after confirming a Personal Data Breach affecting Personal Data processed under this DPA and provide reasonable assistance in investigation and regulatory notification.

Notification shall not imply admission of fault.

12. Audit

Upon reasonable prior written notice, the Data Processor shall provide information necessary to demonstrate compliance.

Audits shall be conducted no more than once annually, during business hours, and shall not disrupt operations.

Independent certifications may be provided in lieu of on-site audits where applicable.

13. Return and Deletion

Upon termination, the Data Processor shall return or delete Personal Data upon written request.

Deletion shall occur in accordance with the Data Processor's standard retention and backup policies.

Archival backups may be retained for a limited period as part of disaster recovery processes and shall remain protected.

14. Liability

The Data Processor's liability under this DPA shall be subject to the limitations of liability set out in the Agreement.

ANNEX I – Data Categories

Data Principals: Users designated by the Data Fiduciary.

Categories of Personal Data: Name, phone number, email, address, call recordings, transcripts, interaction data, and related metadata.

Purpose: Delivery of Services as per the Agreement.

ANNEX II – Technical and Organizational Measures

  • Access control and role-based permissions.
  • Encryption at rest and in transit.
  • Secure API integrations.
  • Regular security audits and monitoring.

ANNEX III – Sub-Processors

Sub-Processor Name | Description of Processing | Location
Amazon Web Services | Cloud hosting services | India or as per allowed cross-border transfer rules
Eleven Labs | Cloud-based processing services | India or as per allowed cross-border transfer rules
Deepgram | Cloud-based processing services | India or as per allowed cross-border transfer rules
Open AI | Cloud-based processing services | India or as per allowed cross-border transfer rules
Groq | Cloud-based processing services | India or as per allowed cross-border transfer rules