Data Processing Addendum (DPA)

Effective date: May 25, 2026 · Pathshala Inc., Commonwealth of Virginia, USA

1. Incorporation

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement between the Institute (“Customer”) and Pathshala Inc. (“Pathshala”) and governs Pathshala's processing of Personal Data on Customer's behalf in the course of providing Pathshala OS (the “Service”). By accepting the MSA, Customer accepts this DPA. In the event of a conflict between this DPA and the MSA on data-protection matters, this DPA prevails.

2. Definitions

Capitalised terms not defined here have the meanings in the MSA, the GDPR, the UK GDPR, the DPDP Act 2023, or other applicable data-protection law (collectively, “Data Protection Laws”). In particular:

  • Personal Data, Controller, Processor, Data Subject, Processing have the meanings in the GDPR / UK GDPR / DPDP Act.
  • Customer Personal Data means Personal Data within the Customer Data (as defined in the MSA).
  • EU SCCs means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
  • UK IDTA means the United Kingdom International Data Transfer Addendum to the EU SCCs issued by the ICO.

3. Subject matter, nature, duration

Pathshala will process Customer Personal Data as a Processor on behalf of Customer (the Controller) to deliver the Service for the duration of the Subscription, plus any retention tail under MSA §7. See Annex 1 for the categories of Personal Data, categories of Data Subjects, and processing activities.

4. Processing only on documented instructions

Pathshala will process Customer Personal Data only:

  • on the documented instructions of Customer, which include the configuration choices Customer makes in the portal and the terms of the MSA + this DPA;
  • where required by EU, UK, US, or Indian law to which Pathshala is subject, in which case Pathshala will (unless prohibited by law) inform Customer of that legal requirement before processing.

Pathshala will inform Customer if it considers an instruction to infringe Data Protection Laws.

5. Confidentiality

Pathshala will ensure that personnel authorised to process Customer Personal Data are bound by appropriate written confidentiality obligations and have received privacy and security training.

6. Security measures

Pathshala will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — see Annex 2. Customer agrees that, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, the measures in Annex 2 satisfy GDPR Art. 32, UK GDPR Art. 32, and DPDP Act §8(5).

7. Sub-processors

Customer authorises Pathshala to engage the sub-processors listed in Annex 3 (and on the public Sub-processors page) for the processing activities described there.

Pathshala will:

  • impose on each sub-processor written contractual obligations substantially the same as those in this DPA;
  • remain responsible for the sub-processor's performance;
  • give Customer at least thirty (30) days' prior written notice of any intended addition or replacement of a sub-processor (the Sub-processors page is updated and Customer is emailed);
  • permit Customer to object on reasonable data-protection grounds during that 30-day window; if Pathshala cannot reasonably accommodate the objection, Customer may terminate the affected part of the Service under MSA §14.

8. Data-subject rights

Taking into account the nature of the processing, Pathshala will assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. If Pathshala receives a Data Subject request directly, it will, unless legally prohibited, forward it to Customer without undue delay rather than respond itself, and will assist Customer in responding.

9. Personal-data breach notification

Pathshala will notify Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware, of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent known, include the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.

10. International data transfers

Pathshala primarily stores Customer Personal Data on AWS infrastructure in the United States. Where the transfer of Personal Data from the EEA, UK, Switzerland, or another jurisdiction with cross-border transfer requirements to the United States or any other third country requires additional safeguards:

  • EU SCCs. The parties agree the EU SCCs (module two, controller-to-processor) are incorporated into this DPA by reference, with Customer as data exporter and Pathshala as data importer. The optional docking clause, governing law (Ireland), forum (Ireland), and audit clause (Clause 8.9(c)) are selected.
  • UK IDTA. The UK IDTA is incorporated by reference; the parties agree Tables 1–4 are populated from the corresponding fields of the EU SCCs above, with UK governing law where required.
  • India DPDP. Pathshala will transfer Customer Personal Data only to jurisdictions not restricted by the Central Government under §16 of the DPDP Act 2023.

11. Audits

Pathshala will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Once per twelve-month period, on at least thirty (30) days' prior written notice, Customer (or an independent auditor mandated by Customer who is not a competitor of Pathshala and is under a written confidentiality obligation) may conduct a remote, document-based audit at Customer's cost during normal business hours and in a manner that does not unreasonably interfere with Pathshala's operations. Pathshala may satisfy this audit right by providing the most recent third-party security report or SOC report it holds.

12. Return & deletion

On termination or expiry of the Subscription, Pathshala will, at Customer's choice, return or delete Customer Personal Data in accordance with the retention rules in MSA §7, except where storage of Customer Personal Data is required by law.

13. Annex 1 — processing details

A. List of parties

Controller / data exporter: the Institute, as identified at signup.

Processor / data importer: Pathshala Inc., 1240 Barksdale Dr NE, Leesburg, VA 20176, USA. Contact: privacy@pathshala.co.

B. Categories of Data Subjects

  • Institute admins and staff
  • Tutors
  • Students (including, where the Institute authorises, minors)
  • Parents / guardians
  • Visitors who submit inquiries or schedule calls

C. Categories of Personal Data

  • Identification & contact: name, email, phone, photo
  • Account credentials (password hash) and login security logs
  • Educational records: class, cohort, attendance, grades the Institute records, assignments, quiz submissions
  • Communications and recordings: messages, in-product notifications, live-class recordings
  • Billing identification (Institute owner / billing contact only)
  • Device and usage data: IP address, browser type, OS, timestamps

D. Special-category data

Pathshala does not knowingly process special-category data under GDPR Art. 9 (race, religion, health, biometrics, etc.). Institutes must not upload such data without entering into a supplemental agreement with Pathshala.

E. Frequency & duration

Continuous for the term of the Subscription, plus the retention tail under MSA §7.

F. Purpose

Operating, securing, and supporting Pathshala OS for the Institute.

14. Annex 2 — technical & organisational measures

  • TLS 1.2+ for all traffic between User devices and the Service.
  • AWS-managed encryption at rest (AES-256) for DynamoDB, S3, RDS, and EBS volumes.
  • Per-Institute logical data isolation enforced by tenancy keys on every database row and S3 prefix.
  • Authentication via Amazon Cognito with password hashing, email verification, optional MFA, and rate-limited login.
  • Role-based access control with least-privilege production access for Pathshala personnel; admin actions audit-logged.
  • Daily DynamoDB point-in-time-recovery snapshots; S3 versioning enabled for Customer Content buckets.
  • AWS GuardDuty, CloudWatch alarms, and Cloudflare WAF protect against intrusion, denial-of-service, and bot attacks.
  • Vulnerability monitoring, automated dependency upgrades, and an internal incident-response runbook.
  • Background-checked staff, written confidentiality obligations, regular privacy / security training.
  • Documented data-deletion procedure under MSA §7 covering production, caches, backups, and search indexes.

Pathshala will review and update these measures as the state of the art evolves. A more detailed description is available under NDA on request to privacy@pathshala.co.

15. Annex 3 — authorised sub-processors

The authoritative, up-to-date list is at /legal/subprocessors. Notice of additions/replacements is governed by §7 of this DPA.

Contact

Pathshala Inc.

1240 Barksdale Dr NE, Leesburg, VA 20176, USA

Legal & data requests: admin@pathshala.co

General support: hello@pathshala.co · +1.571.999.1234