Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or any other written or electronic agreement between Arham Web Works, operating under the brand Quizify (“Processor”), and the customer entity using Quizify services (“Controller”).

By using Quizify’s services, the Controller accepts this DPA.

1. Definitions

For the purposes of this DPA:

• Controller means the customer who determines the purposes and means of processing personal data.

• Processor means Quizify (a SaaS product of Arham Web Works), which processes personal data on behalf of the Controller.

• Data Subject means an identified or identifiable individual whose personal data is processed.

• Personal Data means any information relating to a Data Subject.

• Services means the online quiz, form, and survey platform provided by Quizify.

• Subprocessor means any third party engaged by Quizify to process personal data on behalf of the Controller.

2. Subject Matter and Duration

This DPA governs the processing of personal data by Quizify on behalf of the Controller in connection with the Services. Processing will continue for as long as the Controller uses the Services or until termination of the Agreement, whichever is earlier.

3. Roles of the Parties

• The Controller is responsible for determining the purpose and lawful basis of processing personal data.

• The Processor acts only on documented instructions from the Controller, unless required by law to act otherwise.

• The Processor will not use personal data for its own purposes.

4. Obligations of the Processor

The Processor agrees to:

1. Process personal data only in accordance with Controller’s documented instructions.

2. Ensure persons authorized to process personal data are bound by confidentiality.

3. Implement appropriate technical and organizational measures to ensure data security.

4. Assist the Controller in fulfilling obligations regarding data subject rights.

5. Assist the Controller in ensuring compliance with data protection obligations, including security, breach notifications, and impact assessments.

6. Delete or return personal data at the end of the service provision, unless retention is required by law.

5. Obligations of the Controller

The Controller agrees to:

1. Ensure that it has a lawful basis for processing personal data.

2. Provide clear privacy notices to data subjects.

3. Manage data subject requests in a timely manner.

4. Configure retention and deletion settings as required.

5. Ensure that exports or transfers to third-party tools are lawful.

6. Subprocessing

• The Controller authorizes the Processor to use subprocessors listed in this DPA.

• Current subprocessors:

  • Cloudways – Hosting and infrastructure

  • Brevo – Marketing email communications

  • Zeptomail – Transactional and notification emails

  • Charla – Customer support chat services

  • Paddle – Subscription billing and payment processing

• The Processor will notify the Controller of any intended changes to subprocessors, giving the Controller an opportunity to object where legally required.

7. International Transfers

• Personal data may be transferred and stored outside the European Economic Area.

• Where such transfers occur, the Processor ensures adequate safeguards (such as contractual commitments) are in place.

8. Security Measures

The Processor implements technical and organizational measures appropriate to the level of risk, including but not limited to:

• Encryption of data in transit and at rest

• Access controls and authentication

• Regular backups and secure storage

• Logging and monitoring

• Regular security testing and reviews

9. Data Breach Notification

• In the event of a personal data breach, the Processor will notify the Controller without undue delay after becoming aware of the breach.

• Such notification will include details sufficient to enable the Controller to comply with its obligations under applicable law.

10. Assistance with Data Subject Rights

• The Processor will assist the Controller, where possible, in responding to data subject requests under GDPR (access, rectification, erasure, restriction, portability, and objection).

• The Processor will not respond directly to data subjects without the Controller’s instruction, unless required by law.

11. Liability

• Each party’s liability under this DPA is subject to the limitations of liability in the main Agreement between the parties.

• The Controller is responsible for the lawfulness of personal data collection and for providing notices to data subjects.

12. Governing Law and Jurisdiction

• This DPA shall be governed by and construed in accordance with the laws of India.

• Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Gujarat, India.

13. Termination and Data Deletion

• Upon termination of the Services, the Processor will delete or return all personal data to the Controller, unless retention is required by law.

• Backups will be securely deleted within the Processor’s standard retention cycle.

14. Miscellaneous

• This DPA prevails over any conflicting provisions in the main Agreement.

• If any provision is invalid or unenforceable, the remaining provisions remain in effect.

15. Signatures

Signed for and on behalf of the Controller
Customer Name: ____________________________
Signature: _________________________________
Name: ____________________________________
Title: _____________________________________
Date: _____________________________________

Signed for and on behalf of the Processor
Arham Web Works (trading as Quizify)
Signature: _________________________________
Name: ____________________________________
Title: _____________________________________
Date: _____________________________________