DATA PROCESSING AGREEMENT

Effective Date: May 1, 2025

1. INTRODUCTION

This Data Processor Agreement ("Agreement") outlines the terms and conditions under which Depth Nepal ("Processor," "we," "our," or "us") processes personal data on behalf of our clients ("Controller," "client," or "you") in connection with the services we provide.

This Agreement is designed to ensure compliance with applicable data protection laws and to clarify the respective roles and responsibilities of both parties with regard to personal data processing.

2. DEFINITIONS

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
  • Data Subject: The identified or identifiable natural person to whom the personal data relates.
  • Controller: The entity that determines the purposes and means of processing personal data (our client).
  • Processor: The entity that processes personal data on behalf of the Controller (Depth Nepal).
  • Sub-processor: Any processor engaged by Depth Nepal to process personal data on behalf of our clients.

3. SCOPE AND PURPOSE OF PROCESSING

3.1 Services

This Agreement applies to all data processing activities conducted by Depth Nepal on behalf of the Controller in connection with our data engineering, business intelligence, advanced analytics, credit scoring, and data-driven product design services.

3.2 Processing Activities

We will process personal data only to the extent necessary to provide the agreed services and in accordance with:

  • The terms of this Agreement
  • The Controller's documented instructions
  • Applicable data protection laws

3.3 Duration

This Agreement remains in effect for the duration of our service agreement with the Controller and continues until all personal data is deleted or returned as instructed by the Controller.

4. CONTROLLER RESPONSIBILITIES

The Controller warrants and represents that:

  • Legal Basis: The Controller has a valid legal basis for the processing of personal data and has obtained all necessary consents, authorizations, and permissions for the processing of such data by the Processor.
  • Lawful Instructions: All instructions given to the Processor comply with applicable data protection laws.
  • Data Subject Rights: The Controller is responsible for handling requests and notices related to data subjects.
  • Data Quality: The Controller ensures the personal data is accurate, lawful, and valid.

5. PROCESSOR OBLIGATIONS

  • Processing Limitations: Only process personal data under Controller's instructions; notify if illegal.
  • Confidentiality: Personnel are bound to confidentiality and data is accessed only as needed.
  • Security Measures: Implement encryption, pseudonymization, system integrity, and incident response practices.
  • Sub-processors: Only use authorized sub-processors and impose equivalent protection terms.
  • Data Subject Requests: Assist the Controller with requests and obligations.
  • Breach Notification: Notify without delay and assist in containment and resolution.
  • Data Protection Impact Assessments: Provide support where required.
  • Return or Deletion of Data: Delete or return all data upon service termination, based on the Controller's request.
  • Compliance Demonstration: Allow audits and provide compliance information.

6. INTERNATIONAL DATA TRANSFERS

  • Transfer Mechanisms: Use Standard Contractual Clauses and obtain Controller consent for international transfers.
  • Transfer Impact Assessment: Support required risk assessments for overseas data transfers.

7. RECORDS OF PROCESSING

Depth Nepal will maintain records of all processing activities carried out on behalf of the Controller, including:

  • Contact details of parties and their DPOs
  • Types of processing and international transfers
  • Security measures overview

8. LIABILITY AND INDEMNIFICATION

  • Direct Liability: Depth Nepal is liable for processing violations.
  • Indemnification: Each party indemnifies the other for violations of the agreement.

9. MISCELLANEOUS

  • Amendments: Changes require written consent from both parties.
  • Severability: If one part is invalid, the rest remains enforceable.
  • Governing Law: This Agreement is governed by the laws of Nepal.
  • Jurisdiction: Disputes are handled exclusively in the courts of Nepal.

10. CONTACT INFORMATION

For matters related to this Data Processor Agreement, please contact:

Depth Nepal
Email: info@depthnepal.com