Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Allumer Fintech Private Limited and professionals who use the Finamize platform. This DPA is established in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and outlines the obligations of each party regarding the processing of personal data.

1. Scope of Processing

This DPA applies to all personal data processed by Allumer Fintech Private Limited on behalf of professionals using the Platform. The categories of data processed include client identification data (name, PAN, address), financial data (portfolio details, tax records), communication data (messages exchanged through the Platform), and transaction data (payment records, subscription details).

2. Data Controller vs Processor

For the purposes of the DPDP Act, registered professionals on the Platform act as Data Fiduciaries (controllers) with respect to their clients’ personal data. Allumer Fintech Private Limited acts as a Data Processor when processing client data on behalf of professionals, and as a Data Fiduciary for platform account data and usage analytics.

3. Sub-processors

Allumer Fintech Private Limited may engage sub-processors to assist in delivering Platform services. Current sub-processors include cloud infrastructure providers, payment gateway providers, and email delivery services. We will notify professionals of any changes to sub-processors with at least 30 days’ advance notice and obtain consent where required.

4. Data Security Measures

We implement technical and organisational measures to protect personal data, including encryption of data at rest and in transit using AES-256 and TLS 1.3, row-level security policies ensuring data isolation between professionals, regular vulnerability assessments and penetration testing, and access controls with role-based permissions and audit logging.

5. Breach Notification

In the event of a personal data breach, Allumer Fintech Private Limited will notify the affected professional within 72 hours of becoming aware of the breach, as mandated by the DPDP Act. The notification will include the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken to mitigate the impact.

6. Data Subject Rights

We will assist professionals in fulfilling data subject (Data Principal) requests under the DPDP Act, including requests for access to personal data, correction of inaccurate data, erasure of personal data, and data portability. Requests will be processed within the timelines prescribed under the DPDP Act.

7. Cross-Border Transfers

Personal data processed through the Platform is primarily stored within India. Where cross-border data transfers are necessary (such as for cloud infrastructure services), we ensure compliance with the DPDP Act provisions on cross-border data transfers and only transfer data to jurisdictions not restricted by the Central Government. Adequate safeguards, including contractual protections, are in place for all international transfers.