This Corporate Data Protection Addendum ("CDPA Agreement") is entered into as of 07/02/2025, by and between CZYRIS TECH & INNOVATION DEVELOPMENT LABS (CTIDL), a company incorporated under the laws of India, with its principal place of business at Surat, Gujarat, India ("Company"), and its employees, vendors, customers, and other stakeholders (collectively, "Parties").
The purpose of this Agreement is to ensure compliance with the following applicable data protection laws:
Information Technology Act, 2000 (India) and its associated IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Digital Personal Data Protection Act, 2023 (India)
General Data Protection Regulation (GDPR) – European Union
California Consumer Privacy Act (CCPA) – United States
This Agreement sets forth the obligations of CTIDL and the Parties regarding the collection, processing, storage, transfer, and security of personal data.
Personal Data: Any information that relates to an identified or identifiable natural person.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes personal data on behalf of the Data Controller.
Sensitive Personal Data: Includes but is not limited to financial data, health data, biometric data, and any other category as defined under applicable law.
Data Subject: An individual whose personal data is being collected, stored, or processed.
Lawfulness, Fairness, and Transparency: All personal data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization: Only necessary data shall be collected and processed.
Accuracy: Reasonable steps shall be taken to ensure that personal data is accurate and up to date.
Storage Limitation: Personal data shall not be kept longer than necessary for the purposes for which it was collected.
Integrity and Confidentiality: Adequate security measures shall be implemented to protect personal data against unauthorized processing, accidental loss, destruction, or damage.
Right to Access: Data subjects have the right to request access to their personal data.
Right to Rectification: Data subjects can request corrections to inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of personal data under specific conditions.
Right to Data Portability: Data subjects can request a copy of their personal data in a structured, machine-readable format.
Right to Object: Data subjects can object to the processing of their data for marketing or other legitimate interests.
Right to Restrict Processing: Data subjects can request limited processing of their personal data under certain circumstances.
IT Act, 2000 & IT Rules, 2011 (India)
Digital Personal Data Protection Act, 2023 (India)
GDPR (EU)
CCPA (US)
Encryption & Anonymization: Sensitive data shall be encrypted and anonymized where feasible.
Access Controls: Restricted access to personal data based on the "least privilege" principle.
Regular Security Audits: Conduct periodic security audits to ensure compliance with best practices.
Data Breach Response Plan: Implement a structured incident response plan for timely mitigation and reporting of breaches.
All third-party service providers handling personal data on behalf of CTIDL must comply with this Agreement and relevant data protection laws.
Data Processing Agreements (DPAs) shall be executed with all vendors handling personal data.
Ensure compliance with applicable laws for international data transfers.
Utilize Standard Contractual Clauses (SCCs) where required under GDPR.
Implement binding corporate rules (BCRs) or equivalent mechanisms for secure transfers.
Maintain records of data processing activities, including consent records.
Conduct internal and external audits to verify compliance with this Agreement.
Violations of this Agreement shall result in disciplinary action, including termination of contracts and legal action where applicable.
Liability for data breaches shall be determined as per applicable laws and contractual obligations.
This Agreement shall be governed by the laws of Surat, Gujarat, India.
Any disputes arising out of this Agreement shall be resolved through arbitration/mediation in Surat, Gujarat, India.
This Agreement may be updated periodically to align with changes in data protection laws and business requirements.