Data Protection Addendum

This Data Protection Addendum ("Addendum") is entered into by and between Fitsol Supply Chain Solutions Private Limited("Fitsol") and the Customer (as defined in the Agreement), collectively referred to as the "Parties," and forms an integral part of the Fitsol Terms of Service available at [Company's Terms of Use URL] or any other written or electronic agreement incorporating this Addendum (the "Agreement").

The Customer enters into this Addendum on behalf of itself and any of its Affiliates authorized to use the Services under the Agreement. For the purposes of this Addendum, except where explicitly stated otherwise, the term "Customer" shall include both the Customer and such Affiliates.

1. Definitions

For the purposes of this Addendum, the following terms shall have the meanings set forth below:

1.1 "Affiliate"

means any entity that, directly or indirectly, controls, is controlled by, or is under common control with a Party, where "control" means the ownership of more than fifty percent (50%) of the voting securities of an entity or the ability to otherwise direct the management and policies of such entity.

1.2 "Customer Personal Data"

means any Personal Data provided by or made available by Customer to Fitsol, or collected by Fitsol on behalf of the Customer, that is subject to Processing by Fitsol under the Agreement.

1.3 "Data Protection Laws"

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Fitsol.

1. The Information Technology Act, 2000 (as amended)
2. The Digital Personal Data Protection (DPDP) Act, 2023
3. The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
4. Applicable data protection regulations under SOC 2 compliance standards.

1.4 "Security Incident"

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Fitsol.

1.5 "Services"

means the technology solutions, managed services, and other related services provided by Fitsol to the Customer under the Agreement.

2. Scope and Application

2.1 This Addendum applies to Fitsol’s Processing of Customer Personal Data under the Agreement, to the extent that such Processing is subject to Data Protection Laws, as further described in Annexure 1.

2.2 In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall prevail to the extent of any inconsistency in respect of data protection obligations.

3. Roles of the Parties

3.1 The Parties acknowledge and agree that, with respect to the Processing of Customer Personal Data:

a) The Customer acts as a Data Controller (under GDPR) or Business (under DPDP Act).

b) Fitsol acts as a Data Processor (under GDPR) or Service Provider (under DPDP Act).

3.2 Fitsol shall process Customer Personal Data only in accordance with the documented instructions of the Customer, as outlined in this Addendum and the Agreement,and detailed out in Annexure 1.

4. Processing Terms

4.1 Fitsol shall:

a) Process Customer Personal Data solely for the purpose solely for the purposes described in Annexure 1, unless expressly agreed in writing by the Customer;

b) Implement and maintain appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of Customer Personal Data;

c) Not Sell, Share, or Transfer Customer Personal Data to any third party except as expressly permitted under this Addendum;

d) Assist the Customer in fulfilling its legal obligations under applicable Data Protection Laws, including but not limited to:
Responding to Data Subject Rights Requests;
Conducting Data Protection Impact Assessments;
Providing information regarding security safeguards implemented by Fitsol.

4.2 In the event of a Security Incident, Fitsol shall notify the Customer without undue delay and take necessary remedial actions to mitigate the impact.

5. International Data Transfers

5.1 If Customer Personal Data is transferred to a jurisdiction outside India, the European Economic Area (EEA), United Kingdom, or any other jurisdiction requiring adequate data transfer safeguards, such transfers shall be subject to:

Standard Contractual Clauses (SCCs).
Any other applicable mechanism as per Data Protection Laws.

Furthermore, International transfers of Customer Personal Data shall adhere to the sub-processor and jurisdictional specifics outlined in Annexure 1 apart from the aforementioned jurisdictions.

6. Data Retention and Deletion

6.1 Upon termination or expiry of the Agreement, Fitsol shall, at the election of the Customer:

Return all Customer Personal Data to the Customer, or
Securely delete all Customer Personal Data, except where retention is required by applicable law.

6.2 Fitsol shall certify the completion of such deletion or return upon request by the Customer.

6.3 Data retention periods or criteria used to determine such periods are described in Annexure 1.

7. Liability and Indemnity

7.1 The Customer shall indemnify, defend, and hold Fitsol harmless from any claims, fines, penalties, or liabilities arising from:

Customer’s breach of this Addendum;
Customer’s failure to comply with applicable Data Protection Laws.

8. Severability

8.1 If any provision of this Addendum is found to be unlawful or unenforceable, the remainder of the Addendum shall remain in full force and effect.

9. Miscellaneous

9.1 Privacy by Design and Security

Fitsol shall implement appropriate safeguards in compliance with GDPR, DPDP Act, IT Act, and SOC 2 standards,more adequately detailed in Annexure 1.

9.2 Data Protection Officer (DPO) Contact

Any data protection-related inquiries shall be directed to Fitsol's Data Protection Officer:

Mr. Akshay Tandon - akshay.tandon@fitsol.green

Annexure 1 to Data Protection Addendum

This Annexure includes certain details of the Processing of Customer Personal Data by Fitsol in connection with the Services.

1. List of Parties

Data Exporter

Name:	Customer (as defined in the Agreement)
Address:	As set forth in the relevant Order Form
Contact person's name, position and contact details:	As set forth in the relevant Order Form
Activities relevant to the data transferred under these Clauses:	Recipient of the Services provided by Fitsol in accordance with the Agreement
Signature and date:	Signature and date are set out in the Agreement
Role (controller/processor):	Controller

Data Importer

Name:	Fitsol Supply Chain Solutions Pvt Ltd
Address:	718-719, 7th Floor, DLF Star Tower, Arjun Marg, DLF City Phase 1, Gurugram 122002, Haryana
Contact person's name, position and contact details:	Akshay Tandon, Co-Founder & CTO, akshay.tandon@fitsol.green
Activities relevant to the data transferred under these Clauses:	Provision of the Services to the Customer in accordance with the Agreement
Signature and date:	Signature and date are set out in the Agreement
Role (controller/processor):	Processor

2. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs):

The authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

3. Processing Information

Categories of data subjects whose personal data is transferred:	Customers' authorized users of the Services
Categories of personal data transferred:	Processed automatically by the Services: Names Email IDs Processed where and to the extent provided by Customer or its authorized users in connection with audit services provided by Fitsol: Address Date of birth
Sensitive personal data transferred:	None
Frequency of the transfer:	Continuous
Nature of the processing:	The nature of the processing is more fully described in the Agreement and accompanying order forms but will include the following basic processing activities: Providing Services to the Customer. In order to provide people data, Fitsol receives identifying Customer Personal Data to permit Fitsol to query, cleanse, standardize, enrich, (when required) send to additional data to feed providers, and to store the query information.
Purpose of the data transfer and further processing:	The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms and has functions included but not limited to the following: Account registration & authentication Customer support & communication Marketing & promotional campaigns Analytics & performance tracking Legal or compliance requirements
Period for which the personal data will be retained or criteria used to determine that period:	The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms and is perpetual unless the user requests deletion or unless defined otherwise in the aforementioned documents.
Security measures deployed to protect the data:	The security measures may be more fully described in the Agreement, Addendum, and accompanying order forms, the following measures are included but not limited to: Encryption of data in transit and at rest Firewalls & Intrusion Detection Systems Role-Based Access Control (RBAC) Compliance with SOC 2 standards
Sub processor name, purpose and location:	Firecrawl (data collection) - USA United Logistics Interface Portal (logistics datasets) - India Telenity (SIM tracking) - Turkey Authbridge (driver onboarding) - India AWS, Google Cloud (cloud storage providers) - USA Zoho CRM (customer lifecycle management) - India Atlassian (project management) - USA Slack (collaboration and communication) - USA
Sub processor transfers – subject matter, nature, and duration of processing:	The subject matter, nature, and duration of the Processing more fully described in the Agreement, Addendum, and accompanying order forms