LEGAL · PREDIXION AI

Data Processing Agreement

TEMPLATE FOR INCORPORATION INTO CLIENT MASTER SERVICES AGREEMENTS

This Data Processing Agreement (“DPA”) is entered into between the client identified in the applicable Master Services Agreement or Statement of Work (“Data Fiduciary,” “Client,” or “you”) and Digital Outcomes Technologies Private Limited, operating as Predixion AI, CIN U72900MH2021PTC360260 (“Data Processor,” “Predixion AI,” “we,” or “us”), and forms part of the agreement between the parties governing the provision of VOIZ, KOLLECT, LEADX, and/or AGENTX services (the “Principal Agreement”). This DPA applies to the extent Predixion AI processes personal data on behalf of the Client in the course of providing the Services.

1. Definitions

  • “DPDP Law” means the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, and any subsequent amendments, rules, or notifications issued thereunder, together with any other applicable data protection law.
  • “Data Fiduciary,” “Data Processor,” “Data Principal,” and “Personal Data” have the meanings given to them under DPDP Law.
  • “Board” means the Data Protection Board of India.
  • “Personal Data Breach” means any unauthorized or accidental access, disclosure, alteration, loss, or destruction of Personal Data processed under this DPA.
  • “Sub-processor” means any third party engaged by Predixion AI to process Personal Data on behalf of the Client in connection with the Services.

2. Scope, Nature, and Duration of Processing

Predixion AI shall process Personal Data on behalf of the Client only as described in Annexure A (Description of Processing) to this DPA, and only for the duration necessary to provide the Services under the Principal Agreement, unless a longer retention period is required by applicable law or agreed in writing.

3. Client's Instructions and Purpose Limitation

Predixion AI shall process Personal Data only on the documented instructions of the Client, including with regard to transfers of Personal Data, unless required to do otherwise by applicable law. Predixion AI shall promptly inform the Client if, in its opinion, an instruction infringes DPDP Law.

Predixion AI shall not process Personal Data for any purpose other than providing the Services and shall not use, retain, or disclose Personal Data for its own independent purposes. In particular, Predixion AI shall not use the Client's Personal Data to train, fine-tune, or improve any general-purpose or cross-client machine-learning model. Any analytics, evaluations, or insights that Predixion AI derives from processing the Client's Personal Data are generated solely to deliver and improve the Services provided to that Client, and Predixion AI shall not disclose the Client's Personal Data to other clients.

4. Confidentiality

Predixion AI shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and are trained on the requirements of this DPA and applicable DPDP Law. These confidentiality obligations shall survive termination or expiry of the Principal Agreement and this DPA.

5. Security Measures

Predixion AI shall implement and maintain reasonable technical and organizational security safeguards appropriate to the nature and sensitivity of the Personal Data processed, including, at a minimum:

  • Encryption of Personal Data in transit and at rest.
  • Access controls restricting Personal Data access to personnel who require it to perform the Services, on a least-privilege basis.
  • Logging and monitoring of access to systems processing Personal Data, with logs retained for a minimum of one year.
  • Regular data backups and a documented business continuity process.
  • A documented incident response process.

A more detailed description of these safeguards is set out in Predixion AI's Information Security Policy, which is incorporated into this DPA by reference and may be provided to the Client on request.

6. Sub-processors

The Client provides general authorization for Predixion AI to engage Sub-processors to support the provision of the Services, subject to the following conditions:

  • Predixion AI shall maintain a current list of Sub-processors and make it available to the Client on request (see Predixion AI's published Sub-processor List).
  • Predixion AI shall give the Client reasonable prior notice of any intended change involving the addition or replacement of a Sub-processor, and shall provide the Client an opportunity to object on reasonable data-protection grounds.
  • Predixion AI shall impose data protection obligations on each Sub-processor that are substantially equivalent to those set out in this DPA, through a written contract.
  • Predixion AI remains liable to the Client for the acts and omissions of its Sub-processors to the same extent Predixion AI would be liable if performing the services of each Sub-processor directly.

7. Assistance with Data Principal Rights

Taking into account the nature of the processing, Predixion AI shall provide reasonable assistance to the Client, by appropriate technical and organizational measures, to enable the Client to respond to requests from Data Principals exercising their rights under DPDP Law (including access, correction, and erasure requests), to the extent such requests relate to Personal Data processed by Predixion AI under this DPA.

8. Personal Data Breach Notification

Predixion AI shall notify the Client without undue delay, and in any event within 48 (forty-eight) hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, to enable the Client to meet its own notification obligations to the Board and affected Data Principals under DPDP Law. Such notification shall include, to the extent known at the time: a description of the nature of the breach; the categories and approximate number of Data Principals and Personal Data records affected; the likely consequences; and the measures taken or proposed to address the breach. Where all such information is not available within that period, Predixion AI may provide it in phases without undue further delay as the investigation progresses.

9. Cross-Border Transfer

Predixion AI may process Personal Data using infrastructure located outside India, consistent with DPDP Law, which currently permits transfer of Personal Data outside India except to jurisdictions specifically restricted by the Central Government. Predixion AI shall notify the Client of the jurisdictions in which Personal Data is processed and shall not transfer Personal Data to a restricted jurisdiction.

10. Audit Rights

Predixion AI shall make available to the Client information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Client or an auditor mandated by the Client, subject to reasonable advance notice, confidentiality obligations, and no more than once per calendar year, unless required following a Personal Data Breach or a regulatory request.

11. Return or Deletion of Personal Data

On termination or expiry of the Principal Agreement, or earlier upon the Client's written request, Predixion AI shall, at the Client's election, return or securely delete all Personal Data processed under this DPA, and shall delete existing copies, unless applicable law requires continued storage, in which case Predixion AI shall isolate and protect the Personal Data from further processing.

12. Liability

Liability arising under this DPA shall be governed by the liability provisions of the Principal Agreement, unless the parties agree otherwise in writing.

13. Term

This DPA shall remain in effect for as long as Predixion AI processes Personal Data on behalf of the Client under the Principal Agreement.

14. Governing Law

This DPA is governed by the laws of India, consistent with the governing law provisions of the Principal Agreement.

Annexure A — Description of Processing

  • Categories of Data Principals: [e.g., the Client's borrowers, customers, or leads contacted through VOIZ, KOLLECT, or LEADX]
  • Categories of Personal Data: [e.g., name, phone number, loan/account reference, call recordings and transcripts, repayment or contact status]
  • Purpose of Processing: [e.g., outbound/inbound voice collections calls, lead qualification calls, related analytics and quality review]
  • Duration of Processing: [to align with the term of the Principal Agreement and any agreed post-termination retention period]