Personal Data Processing

To the extent Vendor processes personal data on behalf of Client in connection with the Services, Vendor acts as a data processor and Client as a data controller (or equivalent roles under applicable law, including the DPDP Act 2023 where relevant). Vendor shall (a) process personal data solely on documented instructions from Client and as necessary to perform the Services, (b) ensure that personnel authorized to process personal data are bound by confidentiality obligations, (c) implement appropriate technical and organizational measures to protect personal data, (d) not engage sub-processors without Client's prior written consent, (e) assist Client in responding to data subject requests, and (f) upon termination, delete or return all personal data at Client's election. The parties shall enter into a separate data processing addendum if required by applicable law.