Data Processing Agreement
This DPA outlines the respective responsibilities of Ciruss OS (Data Processor) and our merchant clients (Data Fiduciaries).
1. Definitions and Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service. It applies when Ciruss OS processes personal data on behalf of the customer ("Merchant") in the course of providing the Service. The Merchant acts as the Data Fiduciary, and Ciruss OS acts as the Data Processor under the DPDP Act 2023.
2. Processing of Personal Data
Ciruss OS shall only process personal data based on the documented instructions of the Merchant. Ciruss OS will immediately inform the Merchant if, in its opinion, an instruction infringes applicable data protection laws.
3. Security Measures
Ciruss OS shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes encryption in transit and at rest, regular security audits, and ensuring that all personnel authorized to process personal data have committed themselves to confidentiality.
4. Sub-processors
The Merchant provides a general authorization for Ciruss OS to engage sub-processors (such as AWS for hosting). Ciruss OS will inform the Merchant of any intended changes concerning the addition or replacement of sub-processors, giving the Merchant the opportunity to object to such changes.
5. Data Subject Rights & Incident Management
Ciruss OS shall assist the Merchant in fulfilling its obligations to respond to requests to exercise data subject rights. In the event of a personal data breach, Ciruss OS shall notify the Merchant without undue delay after becoming aware of the breach, providing sufficient information to allow the Merchant to meet any obligations to report the breach to authorities.