Structured Processing. Defined Roles. Trusted Use.
This Data Processing Addendum outlines how Dott processes personal data on behalf of its customers, clearly defining responsibilities, safeguards, and compliance with applicable data protection laws.
Data Processing Addendum
Last Updated: 14th April 2026
This Data Processing Addendum (“DPA”) forms an integral part of, and is incorporated by reference into, the agreement (the “Agreement”) entered into between Dott Connect Private Limited, a company incorporated under the laws of India, having its registered office in India (hereinafter referred to as the “Processor”, “Dott”, or “DCPL”), and the entity executing or otherwise agreeing to the Agreement (hereinafter referred to as the “Controller” or “Customer”).
This DPA shall apply to the extent that Dott processes Personal Data on behalf of the Controller in the course of providing services under the Agreement.
1. Definitions and Interpretation
For the purposes of this DPA, the terms “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Sub-Processor” shall have the meanings ascribed to them under applicable data protection laws, including, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
“Applicable Data Protection Law” shall mean all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the GDPR and any other data protection or privacy laws in force in relevant jurisdictions.
Unless otherwise defined herein, capitalised terms shall have the meanings assigned to them in the Agreement.
2. Scope and Roles
The parties acknowledge and agree that, for the purposes of this DPA, the Controller determines the purposes and means of the Processing of Personal Data, and Dott acts solely as a Processor in respect of such Processing.
This DPA applies to the Processing of Personal Data by Dott in connection with the provision of its platforms and services, including but not limited to the 360° feedback platform (Dott 360), the engagement and experience survey platform (Dott Sense), and the Elyevate learning platform (ELA).
Dott shall process Personal Data strictly in accordance with the documented instructions of the Controller, as set out in the Agreement or otherwise communicated in writing, unless Processing is required by applicable law to which Dott is subject. In such a case, Dott shall, to the extent permitted by law, inform the Controller of such legal requirement prior to Processing.
3. Nature and Purpose of Processing
The Processing of Personal Data by Dott shall be limited to what is necessary for the provision of the services under the Agreement. Such Processing may include, without limitation, the collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, aggregation, anonymisation, and deletion of Personal Data.
The purpose of such Processing includes the administration and operation of feedback programs, the conduct of engagement and experience surveys, the delivery of learning and development programs, the generation of reports and analytics, and the provision of platform functionality, maintenance, and support.
4. Categories of Data Subjects and Personal Data
The Personal Data processed under this DPA may relate to Data Subjects including, but not limited to, employees, workforce members, survey respondents, feedback providers, learners, participants in training or development programs, and authorised representatives of the Controller.
Such Personal Data may include, without limitation, identity and contact information, professional and organisational data, feedback responses, survey inputs, behavioural and competency-related data, learning activity and performance data, and system-generated metadata relating to use of the Platform.
5. Obligations of the Processor
Dott shall process Personal Data only on behalf of the Controller and in accordance with the Controller’s documented instructions. Dott shall not process Personal Data for its own independent purposes and shall promptly inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
Dott shall ensure that all persons authorised to process Personal Data are subject to appropriate obligations of confidentiality, whether contractual or statutory, and shall take reasonable steps to ensure the reliability and integrity of such personnel.
6. Confidentiality
Dott acknowledges that Personal Data constitutes confidential information of the Controller. Dott shall implement appropriate measures to ensure that Personal Data is protected against unauthorised or unlawful Processing and against accidental loss, destruction, or damage.
Access to Personal Data shall be restricted to authorised personnel who require such access for the performance of their duties, and such access shall be governed by appropriate access control mechanisms.
7. Security of Processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to the rights and freedoms of Data Subjects, Dott shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Such measures shall include, as appropriate, the encryption of Personal Data in transit and at rest, the implementation of role-based access controls and least privilege principles, mechanisms for ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems, and processes for regularly testing and evaluating the effectiveness of security measures.
Dott’s information security framework is designed in alignment with industry-recognised standards, including the principles of ISO/IEC 27001, and is subject to ongoing review and enhancement as part of its security and compliance programme.
8. Sub-Processing
The Controller hereby authorises Dott to engage Sub-Processors for the purpose of providing the Services. Dott shall ensure that any Sub-Processor is bound by a written agreement imposing obligations no less protective than those set out in this DPA.
Dott shall remain fully liable for the performance of its Sub-Processors’ obligations and shall ensure that access to Personal Data by Sub-Processors is limited to what is necessary for the performance of their functions.
9. International Transfers
To the extent that the Processing of Personal Data involves transfers to jurisdictions outside the country of origin, Dott shall ensure that such transfers are subject to appropriate safeguards in accordance with Applicable Data Protection Law, including the use of contractual or other legally recognised transfer mechanisms where required.
10. Assistance to the Controller
Taking into account the nature of the Processing, Dott shall provide reasonable assistance to the Controller in fulfilling its obligations under Applicable Data Protection Law, including in relation to:
- responding to requests from Data Subjects;
- ensuring compliance with obligations relating to data security, breach notification, and impact assessments; and
- cooperating with supervisory authorities where required.
11. Personal Data Breach
In the event of a Personal Data Breach, Dott shall notify the Controller without undue delay upon becoming aware of such breach. Such notification shall include, to the extent reasonably available, information regarding the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach.
Dott shall take appropriate steps to mitigate the effects of the breach and to prevent its recurrence.
12. Retention and Deletion
Upon termination or expiry of the Agreement, Dott shall, at the choice of the Controller, delete or return all Personal Data, unless retention is required by Applicable Data Protection Law. Where deletion is requested, such deletion shall be carried out in accordance with Dott’s data retention and deletion procedures.
13. Audit and Compliance
Dott shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with the obligations set out in this DPA. Where required, the Controller may conduct audits or inspections, subject to reasonable notice, confidentiality obligations, and limitations designed to prevent disruption to Dott’s operations and to protect the confidentiality of other customers.
14. Liability
Each party’s liability arising under or in connection with this DPA shall be subject to the limitations of liability set out in the Agreement.
15. Governing Law
This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement, and any disputes arising hereunder shall be subject to the dispute resolution mechanism set out therein.