Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) establishes a legally binding understanding between Mistral Zephyr, referred to as the “Data Processor,” and the entity accepting these terms, referred to as the “Data Controller.” It governs the Processor’s handling of Personal Data in connection with the payment gateway services provided.
Roles of the Parties
- Controller determines the purposes and legal basis for Processing Personal Data and remains responsible for compliance with all Applicable Data Protection Laws.
- Processor processes Personal Data solely on documented instructions from the Controller and only for the purposes of delivering payment gateway services.
Scope of Processing
The Processor shall process Personal Data strictly for:
- Payment transaction initiation, authorization, and settlement
- KYC (Know Your Customer) verification and fraud prevention
- Customer authentication (including 2FA)
- Transaction reporting and reconciliation
- Compliance with RBI, NPCI, and applicable payment network rules
Security Measures
The Processor shall implement appropriate technical and organizational measures, including:
- PCI DSS compliance for storage, processing, and transmission of cardholder data
- Data encryption in transit and at rest
- Multi-factor authentication for system access
- Secure key management practices
- Regular vulnerability assessments and penetration testing
The Processor shall ensure its personnel maintain strict confidentiality and are trained in data security best practices.
Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests under Applicable Laws, including:
- Right to access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restrict or object to Processing
Subprocessors
The Processor shall not engage a Subprocessor without prior written consent from the Controller.
All approved Subprocessors must be bound by written agreements imposing data protection obligations no less protective than those in this DPA.
Data Breach Notification
The Processor shall notify the Controller within 24 hours of becoming aware of any Personal Data Breach.
The notification shall include:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Steps taken to contain and mitigate the breach
- Measures planned to prevent future breaches
Audit & Compliance
The Controller may, upon reasonable notice, audit the Processor’s compliance with this DPA. The Processor shall provide access to relevant records, policies, and certifications (including PCI DSS compliance reports).
Data Retention & Deletion
Personal Data shall be retained only for as long as necessary for payment processing and legal compliance (e.g., RBI-mandated retention periods). Upon termination of services, the Processor shall securely delete or return all Personal Data unless retention is required by law.
Legal & Regulatory Changes
The Processor shall promptly inform the Controller if any change in law or regulation affects its ability to process Personal Data in compliance with this Agreement.
Liability & Indemnification
Each Party shall be liable for damages caused by its breach of this Agreement. The Processor shall indemnify the Controller against any fines, claims, or damages arising from non-compliance with data protection obligations.
Governing Law & Dispute Resolution
This Agreement shall be governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts in India.
Amendments
Any amendments to this Agreement must be made in writing and signed by both Parties.
Acknowledgment and Acceptance
By entering this Agreement, both parties affirm their understanding of and agreement to the terms contained within this Data Processing Agreement.