
SureMDM Hub (42Gears) 

DATA PROCESSING AGREEMENT 

  1. PREAMBLE
    1. The Parties have agreed on the following contractual terms (“Terms”) to ensure compliance with applicable data protection legislation, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the Digital Personal Data Protection Act, 2023 (India) (“DPDPA”) and the associated Rules, and any other applicable privacy and data protection laws, in order to safeguard the rights of data subjects (“Data Subjects”).
    2. The Terms in this Data Processing Agreement (“DPA”) regulate the relationship between You (the “Data Controller”) and 42Gears Mobility Systems Pvt. Ltd. (the “Data Processor”), with respect to the use of the SureMDM Hub product and related services provided under the applicable license agreement (the “Service Agreement”).
    3. The Data Controller, in its capacity as licensee of SureMDM Hub, determines the purposes and means of processing personal data of its End-Customers (as defined under the SureMDM Hub Terms of Service), and acknowledges that it is solely responsible for ensuring that all such processing has a valid legal basis and is carried out in compliance with applicable law.
    4. The Data Processor, in its capacity as licensor of SureMDM Hub, shall process personal data strictly in accordance with the documented instructions of the Data Controller, as necessary to provide the SureMDM Hub platform and associated services, subject to the limitations and obligations set forth herein. The Data Processor shall not be responsible for the Controller’s processing activities, nor for obtaining or maintaining consents from End-Customers or their users, which obligations remain the sole responsibility of the Data Controller.
    5. The Parties agree that these Terms take priority over any inconsistent provisions contained in other agreements between them, except where mandatory law requires otherwise. The appendices attached hereto form an integral part of this DPA.
    6. Five appendices are attached to the Terms and constitute an integral part of the Terms and this DPA.
      1. Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of Data Subject and duration of the processing.
      2. Appendix B contains the Data Controller’s conditions for the Data Processor’s use of sub-processors and a reference list of sub-processors authorized by the Data Controller.
      3. Appendix C contains the Data Controller’s instructions with regard to the processing of personal data and the minimum security measures to be implemented by the Data Processor.
      4. Appendix D contains information pertinent to the obligations of the Data Controller.
      5. Appendix E regulates the Parties’ limitation on liability under this DPA.
    7. The Terms along with appendices must be retained in writing, including electronically, by both Parties.
  2. RIGHTS & OBLIGATIONS OF THE DATA CONTROLLER (PARTNER)
    1. The Data Controller shall ensure that all personal data processed within the SureMDM Hub platform has been collected and is processed in full compliance with applicable data protection legislation, including but not limited to GDPR, the Digital Personal Data Protection Act, 2023 (India), and any other applicable privacy and data protection laws. The Data Controller shall remain solely responsible for determining the purposes and means of such processing.
    2. The Data Controller shall obtain and maintain all necessary consents, authorizations, and notices required from End-Customers prior to the onboarding of any End-Customer or user into the SureMDM Hub. The Data Controller shall further ensure that such consents and notices are sufficient in scope to permit the lawful processing of personal data by the Data Processor in accordance with this Agreement.
    3. The Data Controller shall provide the Data Processor with documented instructions that are clear, complete, and lawful in respect of all processing activities carried out on the SureMDM Hub. The Data Processor shall be entitled to rely upon the sufficiency and lawfulness of such instructions, and the Data Controller shall bear full responsibility for any deficiencies, inaccuracies, or unlawfulness therein.
    4. The Data Controller shall be exclusively responsible for handling all communications with End-Customers and Data Subjects, including but not limited to the exercise of Data Subject rights under applicable law, responses to inquiries, complaints, or requests, and the provision of any required notices.
    5. The Data Processor shall provide reasonable assistance where technically feasible, provided that any such assistance shall be subject to reimbursement of the Data Processor’s costs by the Data Controller.
    6. The Data Controller shall indemnify, defend, and hold harmless the Data Processor from and against any and all claims, actions, damages, liabilities, penalties, or costs arising from or related to:
      1. the Data Controller’s failure to comply with applicable data protection legislation
      2. the insufficiency of legal basis for the processing of personal data by the Data Processor
      3. any instruction given by the Data Controller to the Data Processor that infringes applicable law
      4. any claim made by an End-Customer or Data Subject in connection with the Data Controller’s use of the SureMDM Hub.
    7. The Data Controller acknowledges and agrees that the Data Processor shall have no responsibility or liability for obtaining consents from End-Customers or users, for determining the scope and purpose of processing, or for responding to Data Subject requests, which obligations remain solely with the Data Controller.
  3. OBLIGATIONS OF THE DATA PROCESSOR (42GEARS)
    1. The Data Processor shall process personal data solely on the documented instructions of the Data Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless such law prohibits such information on important grounds of public interest.
    2. The Data Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    3. The Data Processor shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as described in Appendix C to this Agreement. The Data Controller acknowledges that the Data Processor shall have discretion in determining the specific measures implemented, provided that they meet industry standards and legal requirements.
    4. The Data Processor shall provide reasonable assistance to the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, in order for the Data Controller to:
      1. respond to requests for the exercise of Data Subject rights
      2. comply with obligations relating to the security of processing
      3. conduct Data Protection Impact Assessments and prior consultations with supervisory authorities, as required under applicable law.
      Such assistance shall be limited to what is technically feasible and shall be subject to reimbursement of costs by the Data Controller.
    5. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Data Controller. Such notification shall include information reasonably available to the Data Processor at the time of notification. The Data Controller shall remain solely responsible for fulfilling any regulatory or Data Subject notification obligations arising from such breach.
    6. The Data Processor shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this Agreement and shall allow for and contribute to audits conducted by the Data Controller or another auditor mandated by the Data Controller, provided that such audits:
      1. occur no more than once in any twelve-month period
      2. are subject to sixty (60) days’ prior written notice, and
      3. do not unreasonably disrupt the Data Processor’s business operations.
      The Data Controller shall bear all costs associated with such audits.
    7. Upon termination or expiry of the Service Agreement, the Data Processor shall, at the written election of the Data Controller and subject to applicable law, delete or return all personal data processed on behalf of the Data Controller.
  4. CONFIDENTIALITY
    1. The Data Processor shall ensure that any person acting under its authority who has access to personal data is subject to a duty of confidentiality, whether arising under contract or statute, and that such confidentiality obligation shall survive the termination of such person’s engagement.
    2. The Data Processor shall ensure that access to personal data is granted strictly on a need-to-know basis, limited to those employees, agents, or contractors who are necessary for the performance of the SureMDM Hub services, and that such individuals are informed of the confidential nature of the data.
    3. The Data Processor shall not disclose or otherwise make available personal data to any third-party, except as required for the performance of the SureMDM Hub services, permitted by the Data Controller in writing, or required by applicable law. In the event of a legal obligation to disclose personal data, the Data Processor shall, unless prohibited by law, inform the Data Controller prior to such disclosure.
    4. The Data Controller acknowledges and agrees that the Data Processor may share personal data with its authorized sub-processors, listed in Appendix B, subject always to confidentiality obligations that are no less protective than those contained in this Agreement.
    5. The Data Controller shall remain solely responsible for ensuring that any personal data provided to the Data Processor has been lawfully collected, and for communicating to End-Customers and users any disclosures that may be required under applicable law in connection with the Data Processor’s processing of personal data.
  5. SECURITY OF PROCESSING
    1. The Data Processor shall endeavour to take adequate technical and organizational measures against loss or any form of unlawful processing (including unauthorized disclosure, deterioration, alteration, or destruction of personal data) in connection with the processing of personal data undertaken through the SureMDM Hub platform, as further described in Appendix C of this Agreement.
    2. The Data Processor shall ensure that such security measures are of a reasonable level, taking into account the nature and sensitivity of the personal data processed within the SureMDM Hub, the costs related to the implementation of such measures, and the technical capabilities available to 42Gears.
    3. The Data Controller shall be solely responsible for implementing and maintaining appropriate security measures within its own environment for the secure transfer of personal data to 42Gears, including the protection of authentication credentials, devices, and systems used to access the SureMDM Hub. The Data Processor shall adopt appropriate safeguards to ensure data security during transfer of personal data back to the Controller, including (i) the measures listed in Appendix C, (ii) securing account authentication credentials for access to the SureMDM Hub, and (iii) maintaining backup procedures for Customer Data.
    4. To evaluate and ensure the continued effectiveness of the security measures, the Data Processor shall maintain ISO/IEC 27001 certification or an equivalent security standard and shall restrict its personnel from processing personal data without proper authorization (unless required to do so by applicable law). The Data Processor shall also ensure that any person authorized by the Processor to process personal data is subject to an enforceable obligation of confidentiality.
    5. The Controller acknowledges that the security measures adopted by the Data Processor are subject to technical progress and industry developments and agrees that 42Gears may update or modify its security measures from time to time, provided that such updates and modifications do not materially reduce the overall level of security of the SureMDM Hub services.
  6. USE OF SUB-PROCESSORS
    1. The Data Processor is authorized, within the framework of this Agreement, to engage the sub-processors listed in Appendix B (as may be updated from time to time) to provide certain services on its behalf in connection with the SureMDM Hub.
    2. The Data Processor shall in any event ensure that each Sub-processor is bound by a written agreement imposing obligations which are substantially similar to those agreed between the Parties under this Data Processing Agreement.
    3. A copy of such a Sub-processor agreement and subsequent amendments must at the Data Controller’s request be submitted to the Data Controller, thereby giving the Data Controller the opportunity to ensure that the same data protection obligations as set out in the Terms are imposed on the Sub-processor. Terms on business-related issues that do not affect the legal data protection content of the Sub-processor agreement are not required to be submitted to the Data Controller.
    4. The Data Processor agrees (i) to provide the Partner with at least fifteen (15) days’ prior notice of the appointment of a new Sub-processor or the replacement of an existing Sub-processor to process personal data; and (ii) if the Partner objects to such new Sub-processor on reasonable and documented data protection grounds within thirty (30) days of receiving the notice, to discuss those concerns with the Partner in good faith with a view to achieving a resolution. In the event that the Parties are unable to reach such a resolution, the Partner may terminate the affected services in accordance with the Service Agreement at no additional cost.
    5. The Data Processor shall not subcontract any of its processing operations regarding the Partner’s personal data without the prior written consent of the Partner, provided that such consent shall not be unreasonably withheld in the case of a reasonable request.
    6. The Data Processor shall only subcontract its processing operations regarding personal data by way of a written agreement between the Data Processor and the Sub-processor, which shall reflect obligations no less protective than those imposed on the Data Processor under this Data Processing Agreement.
  7. INTERNATIONAL TRANSFERS
    1. The Data Processor uses reputed cloud service providers to host the SureMDM Hub services. Information regarding the locations of such data centres is available in the Data Processor’s Privacy Notice published at: https://www.42gears.com/trust-center/privacy/privacy-policy/
    2. Subject to Section 7.3, the Partner acknowledges and agrees that the Data Processor may transfer and process personal data to and in the United States and in any other country where the Data Processor, its Affiliates, or its authorized sub-processors maintain data processing operations. The Data Processor shall ensure that all such transfers are made in compliance with applicable data protection requirements and this Agreement.
    3. European Data Transfers: To the extent that the Data Processor is the recipient of personal data originating in the European Economic Area, Switzerland, or the United Kingdom, and such data is transferred to a country not recognized as providing an adequate level of protection, the Parties agree that:
      1. The Data Processor shall process such data in compliance with the Standard Contractual Clauses (“SCCs”) for Controller-to-Processor transfers, adopted by the European Commission under Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. For the purposes of the SCCs, the Data Controller shall be deemed the “data exporter” and the Data Processor shall be the “data importer.”
      2. If the Data Processor adopts an alternative or successor transfer mechanism that is recognized as valid under applicable law, such mechanism shall apply in place of the SCCs.
    4. Alternative Transfer Mechanisms: If, at any time, a court of competent jurisdiction or supervisory authority determines that the mechanisms relied upon under this Agreement cannot be lawfully used, the Data Processor shall be entitled to implement additional or alternative measures reasonably required to ensure lawful transfers.
    5. Jurisdiction-Specific Transfers: Where required by local data protection laws in other jurisdictions, including but not limited to the Australian Privacy Law, South Africa’s Protection of Personal Information Act (POPIA), Brazil’s Lei Geral de Proteção de Dados (LGPD), Singapore’s Personal Data Protection Act (PDPA), or India’s Digital Personal Data Protection Act, the Data Processor shall ensure that transfers are conducted using safeguards recognized under the respective legislation applicable.
    6. If, during the term of this Agreement, the Data Processor establishes that the instructions of the Data Controller concerning cross-border transfers are unlawful or inconsistent with applicable legislation, the Data Processor shall, without undue delay, notify the Partner and await further instructions before proceeding.
  8. ASSISTANCE TO CONTROLLER
    1. The Data Processor shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance to the Partner in ensuring compliance with its obligations in respect of personal data processed through the SureMDM Hub.
    2. Such assistance may include, where applicable and technically feasible:
      1. support in responding to requests from data subjects seeking to exercise their rights under applicable data protection laws
      2. support in implementing appropriate technical and organizational measures to ensure the security of processing
      3. support in conducting Data Protection Impact Assessments
      4. support in consultations with supervisory authorities, to the extent required
    3. Any assistance provided by the Data Processor pursuant to this Section shall be limited to what is reasonably possible given the nature of the SureMDM Hub and the information available to the Data Processor.
    4. The Partner acknowledges and agrees that it remains solely responsible for the handling of Data Subject requests, the conduct of Data Protection Impact Assessments, and all related regulatory interactions. The Data Processor shall provide assistance only where such assistance is expressly requested and only to the extent that such assistance does not unreasonably interfere with the Data Processor’s business operations.
    5. Where the provision of assistance requires resources or actions beyond the standard operation of the SureMDM Hub, the Data Processor shall be entitled to charge the Partner for such assistance at reasonable rates, unless otherwise agreed in writing.
  9. NOTIFICATION OF PERSONAL DATA BREACH
    1. If the Data Processor becomes aware of an incident involving the accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure of, or access to personal data processed on behalf of the Partner (“Security Incident”), the Data Processor shall notify the Data Controller without undue delay and, where required by law, not later than seventy-two (72) hours after becoming aware of the Security Incident.
    2. If the Data Controller becomes aware of any unusual activity, anomaly, or other event that may indicate a potential or actual Security Incident affecting personal data processed within the SureMDM Hub, the Controller shall promptly inform the Data Processor to enable the Data Processor to investigate, mitigate, and take corrective measures as required.
    3. Upon notification of a Security Incident by either Party, the Data Processor shall promptly investigate the matter and provide the Data Controller with information reasonably available to it, to enable the Controller to meet its legal obligations to notify supervisory authorities or affected data subjects, where applicable. The Data Processor shall endeavour to ensure that the information provided is complete, accurate, and timely, based on the facts known at the time.
    4. In the event of a Security Incident, the Data Processor shall take appropriate measures to mitigate its consequences and to prevent recurrence.
    5. The Data Processor shall reasonably cooperate with the Data Controller in connection with the Partner’s legal obligations arising from a Security Incident, including obligations to notify supervisory authorities or data subjects. Such cooperation shall not be construed as an admission of fault or liability by the Data Processor.
    6. Notification of Security Incidents shall be delivered to one or more of the Controller’s designated contacts by means selected by the Data Processor, including e-mail. The Partner is solely responsible for maintaining accurate and up-to-date contact information for its designated contacts and ensuring secure receipt of notifications.
    7. The obligations in this Section shall not apply to Security Incidents caused by the acts or omissions of the Data Controller or its users. In such cases, the Data Processor may, at its discretion, notify the Controller upon becoming aware of the incident.
  10. ERASURE & RETURN OF DATA
    Upon request by the Data Controller or at the termination of the personal data processing services, the Data Processor is under the obligation to either return or erase all the personal data to the Data Controller and delete existing copies in accordance with its retention policy unless a domestic law requires storage of the personal data. The Data Processor shall, upon the Data Controller’s request, provide a written certification confirming such deletion or return of personal data.
  11. AUDIT & INSPECTION
    1. The Data Controller agrees that its right to audit the Data Processor may be satisfied primarily by the Data Processor presenting valid certifications, reports, or extracts from independent auditors, including IT security assessments, data protection audits, or certifications from recognized third parties.
    2. Where such attestations, certifications, or reports are insufficient to meet an audit obligation under applicable data protection laws, the Controller may appoint an independent third-party auditor, subject to the Data Processor’s prior written approval, to conduct an audit. Any such auditor must be suitably qualified, independent, and bound by confidentiality obligations.
    3. Any audit or inspection shall be conducted upon at least thirty (30) days’ prior written notice, shall not occur more than once in any twelve (12) month period, and shall be carried out in a manner that does not unreasonably interfere with the Data Processor’s business operations. The Partner shall bear all costs of any audit or inspection it requests.
    4. The Data Processor reserves the right to object to an auditor proposed by the Partner if, in the Data Processor’s reasonable opinion, the auditor is not suitably qualified or independent, is a competitor of the Data Processor, or is otherwise manifestly unsuitable. In such cases, the Partner shall appoint another auditor or conduct the audit itself.
    5. Nothing in this Agreement shall require the Data Processor to disclose or provide access to:
      1. data of other customers or partners of the Data Processor
      2. the Data Processor’s internal accounting or financial information
      3. trade secrets of the Data Processor
      4. information which, in the Data Processor’s reasonable opinion, could compromise the security of its systems or facilities
      5. information that may cause the Data Processor to breach its confidentiality or data protection obligations owed to third parties.
    6. The Data Controller acknowledges that the Data Processor operates a shared cloud-based Hub environment. Accordingly, the Data Processor shall be entitled to reasonably adapt the scope of any on-site audit to ensure that the confidentiality, security, and availability of other customers’ data and services are not affected.
    7. The Data Processor undertakes to reasonably cooperate with supervisory authorities in connection with any audits or inspections they require.
  12. TERM & TERMINATION
    1. This Data Processing Agreement shall commence on the Effective Date and shall remain in force for as long as the Data Processor processes personal data on behalf of the Partner in connection with the Partner’s use of the SureMDM Hub.
    2. This Data Processing Agreement shall automatically terminate upon the termination or expiry of the underlying Agreement between the Parties governing the Partner’s use of the SureMDM Hub, unless otherwise expressly agreed in writing.
    3. Upon termination or expiry of this Data Processing Agreement, the Data Processor shall, at the choice of the Controller, either return all personal data to the Partner or securely delete such data, except to the extent that retention of the personal data is required by applicable law or is necessary for the establishment, exercise, or defense of legal claims.
    4. The Data Controller acknowledges and agrees that the Data Processor may retain limited copies of personal data for backup, archival, billing, fraud prevention, dispute resolution, or compliance purposes, provided that such data remains subject to the confidentiality and security obligations set forth in this Agreement.
    5. Termination of this Data Processing Agreement shall not relieve either Party of obligations which by their nature are intended to survive termination, including confidentiality, liability limitations, and data protection obligations with respect to personal data retained.
  13. CONTACT POINTS
    The Parties may contact each other using the following contacts/contact points:
    The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points.
    Name: Prakash Gupta
    Position: CTO
    E-mail: legal@42gears.com
    (Data Controller)

APPENDICES 

APPENDIX A: INFORMATION ABOUT THE PROCESSING 

This Appendix contains the details of the processing of personal data by the Data Processor on behalf of the Partner in connection with the SureMDM Hub. The Parties acknowledge that the following constitutes the scope and limits of the processing: 

  1. Purpose and Nature of the Processing
    The Data Processor shall process personal data solely for the purpose of providing the SureMDM Hub services, including but not limited to device enrolment, configuration, monitoring, reporting, support, and related administrative functions, as instructed by the Partner (Data Controller). The processing shall consist of collection, storage, transmission, access, and deletion of personal data strictly as required to deliver the services.
  2. Categories of Data Subjects
    The personal data processed may relate to the following categories of data subjects as determined by the Partner:

    • Employees and contractors of the Partner
    • End-customers or users of the Partner who are onboarded into the SureMDM Hub
    • Any other individuals whose personal data is entered into the SureMDM Hub at the Partner’s discretion. 
    • SureMDM customers who are willing to come under their chosen Partner.
  3. Types of Personal Data 
    • Identification data: First name, last name, work e-mail address, password
    • Organizational data: Company name
    • Authentication data: User ID, account credentials 
    • Device and system data: Device ID, device type, operating system version, device configurations, network identifiers 
    • Usage data: Activity logs, feature use records 
    • Support and communication data: Intercom queries, chat transcripts, IP address, technical logs generated during support interactions

    Special categories of data are not intended to be processed within the SureMDM Hub. Any such processing shall occur only if explicitly inputted by the Partner and shall remain the sole responsibility of the Partner.
  4. Duration of the Processing
    The Data Processor shall process the personal data for the duration of the Agreement between the Parties, unless a longer retention is required by applicable law or permitted for purposes of compliance, dispute resolution, or legitimate business needs, as specified in the main Agreement.

APPENDIX B: AUTHORIZED SUB-PROCESSORS

LIST OF SUB-PROCESSORS 

  1. The Data Processor’s use of Sub-processors
    The Data Controller agrees to give its general authorization for the Data Processor to engage Sub-processor(s) to fulfil its contractual obligations towards the Data Controller under this DPA and the Service Agreement. Sub-processors may be used for the purpose of providing certain mutually agreed deliverables.
  2. Prior Notice for the Authorization of Sub-processors
    The Data Processor is obligated to inform the Data Controller before engaging a new Sub-processor to carry out processing activities on behalf of the Data Processor.
  3. The Controller has authorized the use of the sub-processors listed at https://www.42gears.com/trust-center/legal/list-of-sub-processors/
    42Gears engages third parties to support the services. These third parties assist us in providing information, products, or services to the customers.

APPENDIX C: SECURITY MEASURES / INSTRUCTIONS PERTAINING TO PERSONAL DATA

  1. General Instructions
    The Data Processor (42Gears) shall process personal data strictly in accordance with the documented instructions of the Data Controller (Partner) and as required under applicable data protection laws. No processing shall take place outside the scope of the Service Agreement and this Data Processing Agreement, unless mandated by applicable law.
  2. Security of Processing
    Taking into account the nature of the data processed through the SureMDM Hub and the risks identified in the DPIA, the Data Processor shall implement the following technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of processing systems:

    1. Access Control & Authentication: Multi-factor authentication for administrative access; role-based access controls; strict user provisioning and de-provisioning procedures
    2. Encryption: Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256) within AWS regions (US, EMEA, India)
    3. Logging & Monitoring: Continuous monitoring of login events, device logs, and system activity. IP addresses, browser information, and device identifiers shall be logged for audit and security purposes
    4. Network Security: Deployment of firewalls, intrusion detection and prevention systems, and regular vulnerability scanning
    5. Endpoint & Application Security: Use of anti-malware, patch management, and secure software development lifecycle (SSDLC) practices
    6. Physical Security: Reliance on AWS data centers’ ISO 27001/27017/27018 certified physical security controls
    7. Business Continuity & Recovery: Daily backups, redundancy across AWS regions, and tested disaster recovery procedures to restore availability of personal data in a timely manner
  3. Storage and Erasure
    Personal data shall be stored only in AWS regions (US, EMEA, India) as instructed by the Controller. Upon termination of services, all personal data shall be deleted or returned in accordance with Clause 10 of this Agreement, unless retention is required under applicable law.
  4. International Transfers
    Data shall not be transferred outside approved AWS regions without the prior written authorization of the Controller. Where transfers are necessary, they shall be safeguarded by appropriate transfer mechanisms such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) or such other mechanisms as required by applicable data protection laws.
  5. Sub-Processor Oversight
    The Data Processor shall ensure that all authorized sub-processors implement security measures equivalent to those contained in this Appendix. The Data Processor shall remain fully liable to the Data Controller for any acts or omissions of its sub-processors.
  6. Testing and Audit
    Regular penetration testing, security audits, and vulnerability assessments shall be performed. The Controller may conduct audits or request certifications and summaries of security testing upon reasonable notice.
  7. Staff Training & Confidentiality
    All personnel with access to personal data shall be bound by confidentiality obligations and undergo annual data protection and cybersecurity training.

APPENDIX D: OBLIGATIONS OF THE CONTROLLER 

  1. The Controller shall comply with the terms of the SureMDM Hub T&C’s, this DPA, and all Applicable Privacy Laws in connection with its use of the SureMDM Hub Services. The Controller is responsible for ensuring that its instructions to the Processor are lawful and compatible with applicable data protection requirements. 
  2. Prior to any processing of Controller Personal Data by the Processor under this DPA, the Controller shall:
    • Provide appropriate information to data subjects regarding the collection, use, and disclosure of their personal data, including the involvement of 42Gears as a Processor of such data, and 
    • Obtain all necessary consents or establish another valid legal basis for processing, in accordance with Applicable Privacy Laws, before disclosing any personal data to the Processor. 
    • The Controller represents and warrants that it has obtained all such consents and/or identified a valid legal basis prior to transferring Controller Personal Data to the Processor.
  3. Under Applicable Privacy Laws, individuals may have rights in relation to their personal data, including the rights of access, correction, updating, deletion, disclosure, restriction, portability, objection, and withdrawal of consent. The Controller, as the entity with primary responsibility under Applicable Privacy Laws, shall be responsible for:
    • Responding to any request from a Data Subject to exercise their rights (“Data Subject Request”) and 
    • Ensuring that such requests are addressed within the timelines prescribed by law.

      The Processor shall, in accordance with Clause 8 of this DPA, provide reasonable assistance to the Controller in fulfilling such requests, to the extent the request relates to personal data processed by the Processor on behalf of the Controller.
  4. If the Controller is subject to additional data protection or industry-specific legal or regulatory restrictions beyond those covered by this DPA (including, but not limited to, jurisdictional requirements such as data localization or record-specific retention rules), the Controller shall:
    • Notify the Processor in writing of such requirements, and
    • Bear any additional costs reasonably incurred by the Processor in adapting its processing activities to comply with such requirements.
  5. The Controller represents and warrants that:
    • It has the authority, legal basis, and express consent (where applicable) to provide Controller Personal Data to the Processor for processing under this DPA
    • The content, nature, and scope of the personal data provided do not infringe Applicable Privacy Laws or the rights of data subjects, and 
    • No unlawful or infringing personal data will be submitted to the Processor via the SureMDM Hub Services.

      The Controller indemnifies and holds the Processor harmless from any claims, damages, penalties, or liabilities arising from the Controller’s failure to obtain valid consent or a lawful basis for processing.
  6. The Controller shall not provide (or cause to be provided) any special categories of personal data or other Sensitive Data to the Processor for processing under this Agreement. The Processor shall have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For clarity, this DPA does not apply to Sensitive Data provided in breach of this clause, and the Controller shall indemnify the Processor for any resulting claims or liabilities.

APPENDIX E: LIMITATIONS OF LIABILITY 

  1. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Data Processing Agreement (“DPA”), the Agreement, and all DPAs between Authorized Affiliates and 42Gears relating to the SureMDM Hub Services, whether in contract, tort or under any other theory of liability, shall be subject to the “Limitation of Liability” section of the principal Agreement. 
  2. Any reference in such a section to the liability of a Party shall mean the aggregate liability of that Party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, 42Gears’ total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to this Agreement and all DPAs shall apply in the aggregate and shall not be applied individually and severally to each Customer or Authorized Affiliate. 
  3. The Controller shall indemnify and hold harmless the Processor (42Gears) and its Affiliates from any liability, losses, claims, penalties, damages, costs and expenses of any nature imposed by a Supervisory Authority, or arising from claims, actions, proceedings, or settlements, to the extent such liability results from:
    • The Controller’s breach or non-compliance with this DPA 
    • The Controller’s failure to comply with applicable Data Protection Laws and Regulations.

    Where such claims or proceedings arise, the Processor shall:
    • Promptly notify the Controller of any claim, investigation or other circumstances that may give rise to liability 
    • Act and communicate with the Supervisory Authority only in consultation with, and as reasonably directed by, the Controller 
    • Cooperate in the settlement of the claim, at the Controller’s cost.
  4. Except as specifically provided in the Standard Contractual Clauses (where applicable), 42Gears and all of its Affiliates’ and subsidiaries’ liability, taken together in the aggregate, arising out of or related to this DPA, including any indemnification obligations, is subject to the “Limitation of Liability” section of the SureMDM Hub Terms and Conditions (T&C’s). This includes, without limitation, liability arising in connection with:
    • The provision of SureMDM Hub Services in a multi-tenant SaaS environment
    • Data hosting and processing within AWS regions (US, EMEA, India, etc)
    • The use of approved Sub-processors
    • Any technical or organizational security measures applied under Appendix C
  5. For clarity, any claims made against 42Gears or its Affiliates under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) shall be brought solely by the Customer entity that is party to the Agreement. No other Customer Affiliate shall have independent standing to bring claims against the Processor under this DPA.

Version 1.0 | Release Date: November 25, 2025