1. Parties
This DPA is between Klaro Care Technologies Pvt. Ltd. ("Processor") and the customer or partner organisation that has accepted this agreement ("Controller"). It supplements the underlying commercial agreement and applies whenever the Processor processes personal data on behalf of the Controller — for example, group health cover, employee onboarding, payroll-deducted policies, or affinity programs.
2. Definitions
- Personal data — as defined under the Digital Personal Data Protection Act, 2023 (DPDP).
- Sensitive personal data — health information, biometric identifiers, financial details.
- Data principal — the natural person to whom the personal data relates.
- Processing — any operation on personal data, automated or not.
- Subprocessor — third parties engaged by the Processor to assist in fulfilling its obligations.
3. Roles & purpose
The Controller determines the purpose and means of processing. The Processor processes personal data only on documented instructions from the Controller, except where required by Indian law (IRDAI returns, DPDP audits, court orders). The Processor will inform the Controller of any such legal requirement before processing, unless the law itself prohibits disclosure.
4. Security measures
- Encryption at rest (AES-256-GCM) for all personal data; TLS 1.2+ in transit.
- Field-level encryption for Aadhaar, PAN, bank account numbers, health declarations.
- Access via least-privilege RBAC; MFA mandatory for privileged accounts; full audit log retained for 7 years.
- Annual third-party penetration tests + quarterly internal reviews.
- SOC 2 Type II + ISO 27001 + IRDAI ISNP-empanelled controls.
- CERT-In incident reporting within 6 hours of detection.
5. Subprocessors
The Processor engages subprocessors for hosting (AWS Mumbai region), payment processing (Cashfree), SMS / email / WhatsApp delivery (MSG91, SendGrid, WATI), KYC verification (NSDL / UIDAI / DigiLocker), and document storage (S3 + KMS-managed encryption keys). The current list and changes are published at klarocare.in/legal/subprocessors. The Controller will receive at least 30 days' notice of any new subprocessor added to the list and may object on reasonable grounds.
6. Cross-border transfer
Personal data of Indian residents is hosted within India (AWS ap-south-1, Mumbai). Cross-border transfers are restricted to subprocessors that have signed Standard Contractual Clauses, and only where necessary for service delivery (e.g. global email-delivery network). Sensitive personal data does not leave India.
7. Data principal rights
- Access — within 30 days of a verified request.
- Correction — promptly, in line with IRDAI's underwriting cooperation rules.
- Erasure — except where regulatory retention applies (e.g. policy archive).
- Withdrawal of consent — terminates further processing for that purpose.
- Data portability — machine-readable export within 30 days.
- Grievance — escalated to our Data Protection Officer (contact below).
8. Breach notification
In the event of a personal data breach, the Processor will notify the Controller within 24 hours of confirmed detection, with the information known at that time, and will provide a follow-up update within 72 hours. Material breaches involving sensitive personal data are reported to CERT-In and the affected data principals as required under DPDP and the CERT-In Directions, April 2022.
9. Audits & inspections
The Controller may audit the Processor's compliance with this DPA up to once per year on 30 days' written notice, during business hours, and subject to confidentiality. The Processor will provide independent assurance reports (SOC 2, ISO 27001) in lieu of direct audits where the Controller agrees.
10. Termination
Upon termination of the underlying agreement, the Processor will, within 30 days, return or de-identify all personal data, unless retention is required by law (typically 7 years for IRDAI-regulated records). Backups are purged within their normal cycle (90 days), with restorations during that window de-identified before any access.
11. Data Protection Officer
DPO: Privacy & Compliance Office, Klaro Care Technologies Pvt. Ltd.
Email: dpo@klarocare.in
Postal: Mumbai office (full address in master agreement)
The DPO is empowered to act independently on data-protection matters and reports directly to the Board.
12. Governing law
This agreement is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra. Where this DPA conflicts with the underlying commercial agreement on data protection, this DPA prevails.