DATA PROCESSING ADDENDUM
Last Updated: August 28, 2025

This Data Processing Addendum (“DPA”), including Exhibit A thereto, is entered into by and between TerraBridge Paraassist LLP (“TerraBridge”) and you (“Service Provider”) (jointly the “Parties”) in connection with TerraBridge’s use of Service Provider’s services (“the Services”), and reflects the Parties' agreement with regard to the Processing of Consumer Personal Information in accordance with the requirements of the Applicable Privacy Laws. This DPA shall be effective on the date Service Provider collects or Processes Consumer Personal Information (the “Effective Date”).

Definitions

“Applicable Privacy Laws” means all applicable Indian laws governing the processing and/or protection of personal data, including the Digital Personal Data Protection Act, 2023 (DPDPA 2023), the Information Technology Act, 2000, and the rules made thereunder, each as amended or replaced from time to time, along with any implementing regulations.

“Data Principal” means the individual to whom the personal data relates, as defined under the Applicable Privacy Laws.

“Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the Applicable Privacy Laws, and which is Processed by the Service Provider on behalf of TerraBridge in connection with provision of the Services.

“Process”, “Processed” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Regulator” means any authority or government body having jurisdiction to enforce compliance with the Applicable Privacy Laws, including but not limited to the Data Protection Board of India established under the DPDPA 2023, and any successor or replacement authority.

A “Security Incident” has occurred when the Service Provider has knowledge of, or reasonably believes there has been: a loss of; or actual or attempted unauthorized or unlawful access to, acquisition, use, or disclosure of; or any other compromise of Personal Data within the possession or control (physical or IT environment) of the Service Provider.

Terms such as “Consent,” “Notice,” “Data Fiduciary,” “Data Processor,” “De-identification,” and “Anonymization” shall have the meaning ascribed to them in the Applicable Privacy Laws.

Service Provider’s Obligations

1. Restrictions on Personal Data

The Service Provider will Process Personal Data only as necessary to perform the Services. The Service Provider will not under any circumstances sell, share, or otherwise Process Personal Data for any purpose not directly related to providing the Services. The Service Provider agrees and warrants that it will not disclose or transfer Personal Data to any third party in exchange for monetary or other valuable consideration.

2. Exception for Authorized Parties

Notwithstanding the restrictions above, the Service Provider may disclose or transfer Personal Data to its own service providers (“Authorized Parties”) to the extent necessary to perform the Services and in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other Applicable Privacy Laws. The Service Provider shall ensure that all Authorized Parties are contractually bound by terms no less protective of Personal Data than this Agreement. Upon TerraBridge’s request, the Service Provider shall promptly provide a list of Authorized Parties with access to Personal Data. If TerraBridge reasonably objects to any Authorized Party and no suitable alternative is agreed upon, TerraBridge may terminate the Services without further liability.

3. Assistance with Data Principal Requests

If the Service Provider, directly or indirectly, receives a request from a Data Principal relating to their Personal Data (“Request”), the Service Provider shall provide a copy of the Request to TerraBridge within two (2) business days. The Service Provider shall notify TerraBridge in writing and liaise with TerraBridge before responding. The Service Provider shall not communicate with the Data Principal regarding such Request without TerraBridge’s written consent. If TerraBridge receives the Request, the Service Provider shall provide all necessary assistance (such as access, correction, or erasure of Personal Data) within five (5) business days. If unable, the Service Provider shall promptly explain the reasons for delay or legal grounds for refusal, and indicate a specific timeline for compliance.

4. Cooperation with Regulators

The Service Provider shall cooperate with and assist TerraBridge in: (a) fulfilling its obligations under the DPDPA, the IT Act, and other Applicable Privacy Laws; and (b) responding to any request, inquiry, or legal action from the Data Protection Board of India or other Regulator.

5. Disclosure to Authorities

If the Service Provider is legally required to disclose any Personal Data to law enforcement or government authorities, it shall notify TerraBridge in writing and liaise with TerraBridge before complying. If the Service Provider receives any communication from a Regulator relating to Personal Data, it shall forward a copy to TerraBridge within two (2) business days. The Service Provider shall not respond directly without TerraBridge’s prior written consent.

6. Retention of Personal Data

The Service Provider will retain Personal Data only as directed by TerraBridge. At termination of the Agreement or upon written request, the Service Provider shall securely return or delete all Personal Data within thirty (30) days, unless retention is legally required. If retention is required, the Service Provider shall notify TerraBridge within twenty (20) days of termination, stating the legal basis. The Service Provider shall provide TerraBridge with certification of deletion/removal within thirty (30) business days.

7. Confidentiality

The Service Provider shall treat all Personal Data as strictly confidential. It shall ensure that employees, contractors, and third parties engaged in Processing Personal Data are subject to legally enforceable confidentiality obligations and have received adequate data protection and security training before accessing Personal Data.

8. Reasonable Security Measures

The Service Provider warrants that it has implemented reasonable security practices and procedures as prescribed under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and other applicable Indian standards. Such measures must be appropriate to the sensitivity of the Personal Data being processed, and failure to maintain them shall be considered a breach of this Agreement.

9. Security Incident

Upon discovering a Security Incident (as defined under the DPDPA), the Service Provider shall notify TerraBridge immediately, and no later than 48 hours after discovery. The Service Provider shall fully cooperate with TerraBridge in investigating, containing, and remedying the incident, including assisting with any notifications to the Data Protection Board of India and affected Data Principals, as required under Applicable Privacy Laws.

10. Audit Rights

Upon TerraBridge’s written request, the Service Provider shall permit TerraBridge (or its designated third party) to conduct an audit or assessment of the Service Provider’s data protection and security controls relevant to Personal Data. Such cooperation shall include access to knowledgeable personnel, policies, infrastructure, and relevant systems within fourteen (14) days of TerraBridge’s request.

11. Indemnification

The Service Provider shall indemnify and hold harmless TerraBridge, its affiliates, officers, directors, and employees against all claims, damages, penalties, fines, or expenses (including reasonable legal fees) arising out of or relating to the Service Provider’s or its Authorized Parties’ breach of this Agreement or any Applicable Privacy Laws.

12. Termination

This Agreement shall terminate automatically when the Services expire or are terminated. TerraBridge may, upon written notice, immediately terminate the Services or suspend processing if the Service Provider breaches any obligations under this Agreement or Applicable Privacy Laws. Obligations that are intended to survive termination (including confidentiality, indemnification, and cooperation clauses) shall continue in force.

13. General

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall remain in full force. The Parties may substitute such provision with a valid and enforceable one that best reflects the intent.

Facsimile, scanned, or electronic signatures shall bind the Parties as originals. This Agreement may be executed in counterparts.

Notwithstanding anything to the contrary, no partner, member, or shareholder of TerraBridge shall be personally liable for obligations arising under this Agreement.

EXHIBIT A: DATA PROTECTION ADDENDUM (INDIA)

The terms used in this Data Protection Addendum (“Addendum”) shall have the definitions set forth in the Digital Personal Data Protection Act, 2023 (DPDPA 2023), unless otherwise defined herein. The term “Service Provider” shall include contractors, agents, or affiliates engaged by the Service Provider.

1. Purpose Limitation

The Service Provider shall not use, disclose, or transfer any Personal Data provided by TerraBridge (“TerraBridge Information”) except for the limited and specific purpose of providing the Services to TerraBridge (the “Contracted Purpose”). The Service Provider shall not retain, use, or disclose TerraBridge Information:

  • (a) for any purpose other than the Contracted Purpose;
  • (b) outside of its direct business relationship with TerraBridge; or
  • (c) by combining TerraBridge Information with personal data collected from other sources, unless expressly authorized by TerraBridge in writing or required by law.

2. Compliance with Applicable Privacy Laws

The Service Provider shall comply with all applicable provisions of the DPDPA, the IT Act, and the SPDI Rules. This includes, without limitation:

  • cooperating with TerraBridge in responding to and fulfilling Data Principal requests (such as access, correction, withdrawal of consent, or deletion requests); and
  • implementing reasonable security safeguards appropriate to the sensitivity of the TerraBridge Information, in line with Section 8 of the DPDPA and the SPDI Rules, to protect against unauthorized or unlawful access, destruction, use, modification, or disclosure.

3. Oversight and Verification

TerraBridge shall have the right to take reasonable and appropriate steps to ensure the Service Provider uses TerraBridge Information in compliance with this Addendum and the DPDPA. Such steps may include:

  • contractual assurances;
  • periodic audits, reviews, or assessments (by TerraBridge or a third party); and
  • requiring the Service Provider to provide documentation verifying compliance.

4. Notification of Non-Compliance

If the Service Provider determines that it can no longer comply with its obligations under this Addendum or Applicable Privacy Laws, it shall promptly notify TerraBridge in writing.

TerraBridge shall have the right to take reasonable steps to stop and remediate any unauthorized use of TerraBridge Information, including requiring the Service Provider to delete or return such information.

5. Data Principal Requests

The Service Provider shall reasonably cooperate with TerraBridge to enable TerraBridge to respond to Data Principal requests in accordance with Applicable Privacy Laws. The Service Provider shall not respond to Data Principals directly, except with TerraBridge’s prior written consent.

6. Subcontracting

If the Service Provider engages a subcontractor in connection with the Contracted Purpose:

  • (a) the Service Provider shall notify TerraBridge of the engagement in advance; and
  • (b) the Service Provider shall ensure such subcontractor is contractually bound by obligations no less protective than those in this Addendum and in compliance with Applicable Privacy Laws.

7. Retention & Deletion

Upon termination or expiration of the Services, or upon TerraBridge’s written request, the Service Provider shall securely delete or return all TerraBridge Information within thirty (30) days, unless retention is required under Indian law. Where retention is required, the Service Provider shall provide TerraBridge with written notice stating the legal basis for such retention.

8. General

Any provision of this Addendum that is held to be invalid or unenforceable shall not affect the validity of the remaining provisions. This Addendum may be executed in counterparts, including via electronic signatures, which shall be binding.