DATA PROCESSING ADDENDUM (DPA)

VENTA Xploro POS
Provided by XploroTech Solutions Private Limited

Effective Date: 01 March 2026
Last Updated: 01 March 2026
Version: 1.0

This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement between:

XploroTech Solutions Private Limited (“Company”, “Processor”)
and
The Client (“Data Controller”).

This DPA governs processing of personal data under applicable Indian laws including:

  • Digital Personal Data Protection Act, 2023 (DPDP Act)
  • Information Technology Act, 2000
  • Applicable Rules thereunder

1. ROLE OF THE PARTIES

For purposes of this DPA:

  • The Client acts as the Data Controller.
  • XploroTech Solutions Private Limited acts as the Data Processor.

The Client determines:

  • What data is collected
  • Why data is collected
  • Lawful basis of processing

The Company processes data only as instructed by the Client via use of the Software.


2. TYPES OF DATA PROCESSED

Depending on usage, the Software may process:

  • Customer names
  • Phone numbers
  • Email addresses
  • Billing addresses
  • GST numbers
  • Transaction data
  • Payment information (non-card sensitive)
  • Employee login details
  • IP addresses
  • Device identifiers
  • Usage logs

The Company does not intentionally collect the following, unless manually entered by the Client:

  • Aadhaar numbers
  • Biometric data
  • Sensitive financial credentials
  • Bank account passwords
  • OTP data


3. PURPOSE OF PROCESSING

Data is processed solely for:

  • Billing operations
  • Reporting
  • Inventory management
  • Analytics
  • System security
  • Backup and disaster recovery
  • Technical support

The Company does not sell personal data.


4. CLIENT OBLIGATIONS

The Client warrants that:

  • It has lawful authority to collect and process personal data.
  • Required consent from customers/employees has been obtained.
  • It complies with the DPDP Act and applicable data protection laws.
  • Data entered into the system is lawful and not prohibited.

The Company is not responsible for:

  • Improper data collection by the Client.
  • Failure to obtain consent.
  • Use of data for unlawful purposes.

5. SECURITY MEASURES

The Company implements reasonable technical and organizational safeguards including:

  • Encrypted communication (HTTPS)
  • Role-based access controls
  • Secure authentication mechanisms
  • Server-level security measures
  • Regular backups
  • Logging and monitoring systems

However, no system can guarantee absolute security.

The Client is responsible for:

  • Protecting passwords
  • Limiting employee access
  • Ensuring secure local devices

6. SUB-PROCESSORS

The Company may engage sub-processors including:

  • Cloud hosting providers
  • Data center operators
  • Infrastructure service providers

The Company ensures such sub-processors maintain appropriate security standards.


7. DATA BREACH NOTIFICATION

In the event of a confirmed personal data breach affecting Client Data, the Company shall:

  • Notify the Client within a reasonable time
  • Provide available information about the breach
  • Cooperate in mitigation efforts

The Client remains responsible for regulatory reporting obligations unless otherwise required by law.


8. DATA RETENTION & DELETION

Client Data shall be retained:

  • During active subscription
  • For backup and compliance purposes
  • For legal defense where required

Upon written request and subject to legal obligations, the Company may:

  • Provide data export
  • Delete account data after termination

System logs may be retained for security and audit protection.


9. CROSS-BORDER DATA TRANSFER

If data is processed outside India, the Company shall ensure:

  • Adequate protection mechanisms
  • Compliance with applicable regulations

The Client consents to such transfers where necessary for service delivery.


10. AUDIT RIGHTS

The Client may request reasonable information regarding data protection practices.

The Company is not obligated to allow intrusive audits of its proprietary systems unless legally required.


11. LIMITATION OF LIABILITY

Data processing liability remains subject to limitation clauses defined in the Master Service Agreement.


12. TERMINATION

This DPA remains effective:

  • For the duration of the Master Service Agreement
  • For as long as data is retained

13. MODIFICATIONS

The Company may update this DPA to reflect changes in law or operational practices.

Material changes may require re-acceptance.


ACKNOWLEDGEMENT

By accepting the Master Service Agreement, the Client agrees to this Data Processing Addendum.