This Data Processing Addendum (“Addendum”), including Exhibit A, is entered into by and between Green Card Atlas (“GCA”), a legal entity organized under the laws of the United States, and the registered client (“Client” or “Service Provider”) (collectively, the “Parties”), in relation to GCA’s engagement of Service Provider’s services, which include the provision of services via the Green Card Atlas platform. This Addendum governs the processing of consumer personal information (hereinafter “Personal Data”) by the Service Provider on behalf of GCA and is in accordance with applicable data protection laws, including but not limited to laws governing privacy and data protection in the United States and India.

This Addendum shall be effective as of the date upon which the Service Provider collects or processes Personal Data ("Effective Date").

This Addendum is incorporated into and forms part of the Services Agreement (the "Agreement") entered into by the parties regarding the provision of services by GCA (the "Services").

Whereas, GCA provides certain data processing services in connection with its Green Card consultation and application services, and both parties recognize the need to comply with applicable data privacy and security laws in the jurisdictions of the United States and India, including the General Data Protection Regulation ("GDPR") (EU 2016/679), California Consumer Privacy Act (CCPA), and India's Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

This Addendum is designed to establish the responsibilities and obligations of both parties with respect to the processing of personal data.

Definitions

• Applicable Privacy Laws: Refers to all national, state, and international laws, regulations, and guidelines governing the collection, use, and processing of personal data, including the U.S. Federal and State Privacy Laws (e.g., the California Consumer Privacy Act - CCPA) and data protection regulations under Indian law and the European Union’s General Data Protection Regulation (GDPR), as amended from time to time.
• Consumer: Any natural person, household, or device located within the United States or India, whose personal data is collected, processed, or stored by GCA or Service Provider.
• Personal Data: Any information related to an identified or identifiable individual ("Data Subject") that is processed by the Service Provider on behalf of GCA under the scope of services.
• Processing: Any operation or set of operations performed on Personal Data, including, but not limited to, the collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, dissemination, or destruction of Personal Data.
• Security Incident: An event that results in the unauthorized access, loss, or compromise of Personal Data, including potential incidents related to the breach of confidentiality, integrity, or availability of Personal Data.

Service Provider’s Obligations

• Purpose of Processing: The Service Provider shall process Personal Data exclusively for the provision of services to GCA and in accordance with the terms of this Addendum. Under no circumstances shall the Service Provider use the Personal Data for any purpose not explicitly authorized by GCA or outside the scope of providing agreed services.
• No Sale of Personal Data: The Service Provider shall not sell, rent, or exchange Personal Data for any monetary or other valuable consideration. The Service Provider is strictly prohibited from processing Personal Data for any purpose other than fulfilling the contractual obligations to GCA.
• Authorized Disclosures: The Service Provider may disclose Personal Data to its affiliates, sub-processors, or third parties (collectively “Authorized Parties”) solely to the extent necessary for the performance of the services. The Service Provider shall ensure that these Authorized Parties are bound by confidentiality and data protection obligations no less stringent than those contained in this Addendum.
• Assistance with Consumer Requests: In the event of receiving a request from a Data Subject related to their Personal Data, the Service Provider shall immediately notify GCA and shall not respond to the request without written approval from GCA. The Service Provider shall assist GCA in fulfilling its obligations to respond to requests under applicable privacy laws within the required time frame.
• Retention of Personal Data: The Service Provider shall retain Personal Data only for as long as necessary to fulfill its obligations under the agreement or as required by law. Upon termination of the Addendum or upon GCA's written request, the Service Provider will return or securely delete all Personal Data.
• Confidentiality and Security: The Service Provider shall treat all Personal Data as confidential and shall implement reasonable security measures to protect it from unauthorized access, use, or disclosure. These measures shall comply with applicable legal requirements, including those specified in relevant security guidelines, such as the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Security and Incident Response

• Security Incident Notification: In the event of a Security Incident, the Service Provider shall notify GCA without undue delay and, in any event, no later than 48 hours after becoming aware of the incident. The notification shall include details regarding the nature of the incident, the potential impact, and the corrective actions taken by the Service Provider to mitigate any potential harm.
• Incident Management and Remediation: In the event of a breach of Personal Data, the Service Provider shall cooperate fully with GCA in providing necessary support for any remedial actions required under applicable data protection laws, including assisting with any notifications to affected Data Subjects, regulators, or other relevant parties.

Regulatory Compliance

• Cooperation with Regulators: The Service Provider agrees to cooperate with GCA in responding to inquiries or investigations by any regulatory body having jurisdiction over the processing of Personal Data under this Addendum.
• Disclosure to Law Enforcement: If required by law, the Service Provider may disclose Personal Data to law enforcement or other governmental authorities, provided that prior notification is given to GCA, unless prohibited by law.

Audit Rights

• Audits and Inspections: Upon GCA’s written request, the Service Provider grants GCA or its designated third-party auditor the right to perform an audit of the Service Provider’s data processing activities to assess compliance with this Addendum and applicable privacy laws. The Service Provider shall cooperate fully and make available all records, facilities, and systems necessary for such audits.

Indemnification

• The Service Provider agrees to indemnify, defend, and hold harmless GCA, its affiliates, officers, employees, and agents from any third-party claims, damages, or legal actions arising out of or in connection with the Service Provider’s failure to comply with the terms of this Addendum, including any breach of applicable data protection laws.

Termination and Survival

• Termination: GCA may terminate this Addendum immediately upon written notice if the Service Provider breaches any of its obligations under this Addendum. Upon termination, the Service Provider shall immediately cease all processing of Personal Data and return or securely delete the data as instructed by GCA.
• Survival: The obligations regarding the confidentiality and security of Personal Data, as well as any indemnification obligations, shall survive the termination or expiration of this Addendum.

General Provisions

• Governing Law: This Addendum shall be governed by and construed in accordance with the laws of the United States and India, without regard to their conflict of laws principles. Any disputes arising out of or in connection with this Addendum shall be resolved in the competent courts of the respective jurisdiction of the Parties.
• Severability: If any provision of this Addendum is deemed invalid or unenforceable by a court of competent jurisdiction, such provision shall be modified to the extent necessary to make it enforceable, and the remainder of the Addendum shall remain in full force and effect.
• Entire Agreement: This Addendum, along with the main Service Agreement between the Parties, constitutes the entire agreement between the Parties with respect to the processing of Personal Data. Any amendments to this Addendum must be made in writing and agreed upon by both Parties.

Exhibit A: CCPA ADDENDUM

This CCPA Addendum applies to the extent that the Service Provider processes Personal Data that falls within the scope of the California Consumer Privacy Act (CCPA) of 2018.

• No Sale of Personal Information: The Service Provider agrees not to sell or share any Personal Information collected in connection with the services provided under this Addendum, except as expressly permitted by the CCPA.
• Business Purpose: GCA is disclosing Personal Information to the Service Provider solely for the limited and specific business purposes of providing services as outlined in the main Service Agreement.
• Retention and Use: The Service Provider shall not retain, use, or disclose Personal Information for any purpose other than the specified business purpose, and shall not use Personal Information for any commercial purpose outside the scope of the direct business relationship with GCA.
• CCPA Compliance: The Service Provider agrees to comply with all relevant sections of the CCPA and to cooperate with GCA in responding to consumer requests for access, deletion, and other rights under the CCPA.

By entering into this DPA, GCA and Client acknowledges their responsibility to protect Company and Consumer Personal Information in accordance with the privacy laws of both the United States and India, providing a transparent and compliant framework for the processing of personal data as part of its services.

                                                                                                                                                                                     - (Automatically updated on the final working day of each month for accuracy.)