This Data Protection Addendum (“Addendum”), dated 15th Dec 2024, and effective as of the
Addendum Effect Date (as defined below), forms part of the Terms of Service (“Terms”) between (i)
Capital Record Centre Pvt. Ltd.and (ii) User each being a “Party” and together the “Parties”.
The Parties hereby agree that the terms and conditions set out below shall be added as an
Addendum to the Terms and references in this Addendum to the Terms are to the Terms as
amended by, and including, this Addendum.

  1. Definitions
    1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms
    shall be construed accordingly:
    o (a)”Addendum Effective Date” has the meaning given to it in section 2;
    o (b)”Affiliate” means an entity that owns or controls, is owned or controlled by or is
    or under common control or ownership with either Client or Capital Record Centre
    Pvt. Ltd. (as the context allows), where control is defined as the possession, directly
    or indirectly, of the power to direct or cause the direction of the management and
    policies of an entity, whether through ownership of voting securities, by contract or
    otherwise;
    o (c)”Client Personal Data” means any Personal Data Processed by Capital Record
    Centre Pvt. Ltd. (i) on behalf of Client (including for the sake of clarity, any Client
    Affiliate), or (ii) otherwise Processed by Capital Record Centre Pvt. Ltd., in each case
    pursuant to or in connection with instructions given by Client in writing, consistent
    with the Terms;
    o (d)”Controller to Processor s” means the Standard Contractual Clauses (processors)
    for the purposes of Article 26(2) of Directive 95/46/EC set out in Decision
    2010/87/EC as the same are revised or updated from time to time by the European
    Commission;
    o (e)”Data Protection Laws” means (i) Directive 95/46/EC and, from May 25, 2018,
    Regulation (EU) 2016/679 (“GDPR”) together with applicable legislation
    implementing or supplementing the same or otherwise relating to the processing of
    Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i),
    the Data Protection Act 1998 of the United Kingdom, as amended from time to time,
    and including any substantially similar legislation that replaces the DPA 1998;
    o (f)”Privacy Shield” means the EU-US Privacy Shield Framework; and
    o (g)”Services” means the services to be supplied by Capital Record Centre Pvt. Ltd.to
    Client or Client Affiliates pursuant to the Terms.

1.2 The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”,
“Processor” and “Supervisory Authority” have the same meanings as described in applicable Data
Protection Laws and cognate terms shall be construed accordingly.
1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to
them in the Terms.

  1. Formation of this Addendum
    This Addendum is deemed agreed by the Parties, and comes into effect, on the “Addendum
    Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii)
    Capital Record Centre Pvt. Ltd..
  2. Roles of the Parties
    The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and
    as more fully described in Annex 1 hereto, Client acts as a Controller and Capital Record Centre Pvt.
    Ltd.acts as a Processor (as defined in section 5.2.4 below).
    The Parties expressly agree that Client shall be solely responsible for ensuring timely
    communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar
    as such communications may be required or useful in light of applicable Data Protection Laws to
    enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.
  3. Description of Personal Data Processing
    In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of
    the Processing of the Client Personal Data to be Processed by Capital Record Centre Pvt. Ltd.
    pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make
    reasonable amendments to Annex 1 by written notice to the other Party and as reasonably
    necessary to meet those requirements. Annex 1 does not create any obligation or rights for any
    Party.
  4. Data Processing Terms
    5.1
    Client shall comply with all applicable Data Protection Laws in connection with the performance of
    this Addendum. As between the Parties, Client shall be solely responsible for compliance with
    applicable Data Protection Laws regarding the collection of and transfer to Capital Record Centre
    Pvt. Ltd.of Client Personal Data. Client agrees not to provide Capital Record Centre Pvt. Ltd.with any
    data concerning a natural person’s health, religion or any special categories of data as defined in
    Article 9 of the GDPR.
    5.2
    Capital Record Centre Pvt. Ltd. shall comply with all applicable Data Protection Laws in the
    Processing of Client Personal Data and Capital Record Centre Pvt. Ltd. shall:
    5.2.1
    process the Client Personal Data relating to the categories of Data Subjects for the purposes of the
    Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum and
    otherwise solely on the documented instructions of Client, for the purposes of providing the Services
    and as otherwise necessary to perform its obligations under the Terms including with regard to
    transfers of Client Personal Data to a third country outside to an international organization; Capital
    Record Centre Pvt. Ltd.shall immediately inform Client if, in Capital Record Centre Pvt. Ltd.’s
    opinion, an instruction infringes applicable Data Protection Laws;
    5.2.2
    ensure that persons authorized to process the Client Personal Data have committed themselves to
    confidentiality or are under an appropriate statutory obligation of confidentiality.
    5.2.3
    implement and maintain the technical and organizational measures set out in the Terms and, taking
    into account the state of the art, the costs of implementation and the nature, scope, context and
    purposes of Processing as well as the risk of varying likelihood and severity for the rights and
    freedoms of natural persons, implement any further appropriate technical and organizational
    measures necessary to ensure a level of security appropriate to the risk of the Processing of Client
    Personal Data as per following:
    (a) pseudonymization and encryption of Client Personal Data;
    (b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and
    services that process Client Personal Data;
    (c) restoring availability and access to Client Personal Data in a timely manner in the event of a
    physical or technical incident; and
    (d) regularly testing, assessing and evaluating the effectiveness of technical and organizational
    measures for ensuring the security of the processing of the Client Personal Data.
    Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an
    agreed change control process between Capital Record Centre Pvt. Ltd.and Client;
    5.2.4
    Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically
    authorizes Capital Record Centre Pvt. Ltd.to engage another Processor to Process the Client
    Personal Data (“Other Processor”), and specifically the Other Processors listed in Annex 2 hereto,
    subject to Capital Record Centre Pvt. Ltd.’s:
    (a)
    notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing
    notice of the intended change to Client;
    (b)including data protection obligations in its contract with each Other Processor that are materially
    the same as those set out in this Addendum; and
    (c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in
    relation to the Processing of the Client Personal Data.
    In relation to any notice received under section 5.2.4 a., the Client shall have a period of 30 (thirty)
    days from the date of the notice to inform Capital Record Centre Pvt. Ltd.in writing of any
    reasonable objection to the use of that Other Processor. The parties will then, for a period of no
    more than 30 (thirty) days from the date of the Client’s objection, work together in good faith to
    attempt to find a commercially reasonable solution for the Client which avoids the use of the
    objected-to Other Processor. Where no such solution can be found, either Party may
    (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately
    on written notice to the other Party, without damages, penalty or indemnification whatsoever;
    5.2.5
    to the extent legally permissible, promptly notify Client of any communication from a Data Subject
    regarding the Processing of Client Personal Data, or any other communication (including from a
    Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in
    respect of the Client Personal Data and, taking into account the nature of the Processing, assist
    Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as
    this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’
    obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III
    GDPR; Client agrees to pay Capital Record Centre Pvt. Ltd. for time and for out of pocket expenses
    incurred by Capital Record Centre Pvt. Ltd.in connection with the performance of its obligations
    under this Section 5.2.5;
    5.2.6
    Upon Capital Record Centre Pvt. Ltd.’s becoming aware of a Personal Data Breach involving Client
    Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client
    Personal Data, such notice to include all information reasonably required by Client (or the relevant
    Controller) to comply with its obligations under the applicable Data Protection Laws;
    5.2.7
    to the extent required by the applicable Data Protection Laws, provide reasonable assistance to
    Client, Client’s Affiliates’ or the relevant Controller(s)’ with its obligations pursuant to Articles 32 to
    36 of the GDPR taking into account the nature of the Processing and information available to Capital
    Record Centre Pvt. Ltd.; Client agrees to pay Capital Record Centre Pvt. Ltd. for time and for out of
    pocket expenses incurred by Capital Record Centre Pvt. Ltd. in connection with any assistance
    provided in connection with Articles 35 and 36 of the GDPR;
    5.2.8
    cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at option
    of Client, Client’s Affiliates or the relevant Controller(s) either return or delete (including by ensuring
    such data is in non-readable format) all copies of the Client Personal Data Processed by Capital
    Record Centre Pvt. Ltd., unless (and solely to the extent and for such period as) Country law requires
    storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained
    herein, Capital Record Centre Pvt. Ltd. may retain Personal Data and shall have no obligation to
    return Personal Data to the extent required by applicable laws or regulations obligations. Any such
    Personal Data retained shall remain subject to the obligations of confidentiality set forth in the
    Terms; and
    5.2.9
    make available to Client all information necessary to demonstrate compliance with this Addendum
    and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by
    Client. For the purposes of demonstrating compliance with this Addendum under this section 5.2.9,
    the Parties agree that once per year during the term of the Terms, Capital Record Centre Pvt. Ltd.
    will provide to Client, on reasonable notice, responses to cybersecurity and other assessments.
    Client agrees to pay Capital Record Centre Pvt. Ltd. for time and for out of pocket expenses incurred
    by Capital Record Centre Pvt. Ltd. in connection with assistance provided in connection with such
    audits, responses to cybersecurity and other assessments.
  5. Transfers
    Capital Record Centre Pvt. Ltd. is certified to Information Security Management as per ISO
    27001:2013. Capital Record Centre Pvt. Ltd. shall notify Client in writing without undue delay if it
    can no longer comply with its obligations under the Privacy compliance, and, in such a case, Capital
    Record Centre Pvt. Ltd. will have the option of (i) promptly taking reasonable steps to remediate any
    non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith
    dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the
    Terms. Capital Record Centre Pvt. Ltd.acts as a Processor with respect to Personal Data received
    pursuant to a data transfer.
    In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the
    relevant Controller(s), as the case may be), if applicable (as “data exporter”) and Capital Record
    Centre Pvt. Ltd. (as “data importer”), with effect from the commencement of the relevant transfer,
    shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of
    any transfer (or onward transfer) from Client or Client Affiliate to Capital Record Centre Pvt. Ltd.,
    where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the
    terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix
    1 to the Controller to Processor SCCs shall be deemed to be prepopulated with the relevant sections
    of Annex 1 to this Addendum and the processing operations are deemed to be those described in
    the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be prepopulated with
    the following “Taking into account the state of the art, the costs of implementation and the nature,
    scope, context and purposes of processing as well as the risk of varying likelihood for the rights and
    freedoms of natural persons, Capital Record Centre Pvt. Ltd. shall implement appropriate technical
    and organizational measures as set forth in the Addendum.”
  6. Precedence
    The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of
    any inconsistency between the provisions of this Addendum and the provisions of the Terms, the
    provisions of this Addendum shall prevail.
  7. Indemnity
    To the extent permissible by law, Client shall indemnify and hold harmless Capital Record Centre Pvt.
    Ltd. against all (i) losses, (ii) third party claims, (iii) administrative fines and (iv) costs and expenses
    (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses)
    reasonably incurred in relation to (i), (ii) or iii), suffered by Capital Record Centre Pvt. Ltd. and that
    arise from any breach by Client of this Addendum or of its obligations under applicable Data
    Protection Laws.
  8. Severability
    The Parties agree that, if any section or sub-section of this Addendum is held by any court or
    competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable
    any other section of this Addendum.
  9. Others
    The organization ensures that the contract to process PII addresses the organization’s role in
    providing assistance with the customer’s obligations.

The Agreement considers following and follows:
a. Privacy by Design and default
b. Achieving Security of Processing
c. Notification of breaches involving PII to a Supervisory authority
d. Notification of breaches involving PII to Customers and PII Principals
e. Conducting Privacy Impact Assessment
f. Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection
authorities are needed.
g. Capital Record Centre Pvt. Ltd. shall inform the customer if in its opinion a processing instruction
infringes applicable legislation or regulation.
h. The organization does not use PII processed under a contract for the purposes of Marketing and
Advertising
i. Coordinate with Clients for helping Audit the systems. The organization provides the customer
with the appropriate information so that it can demonstrate compliance with their obligations
j. Capital Record Centre Pvt. Ltd. shall use AWS as sub processors with Security and Privacy
requirements full filled.
k. The organization shall comply with all statutory and regulatory requirements, ISO 27001:2013, ISO
27701:2019 and EU GDPR requirements.
l. The Data shall be deleted or de-identified after the processing is complete (This is after the
retention period selected is complete).
m. Capital Record Centre Pvt. Ltd. shall inform 24 hours in advance to clients in case of any legally
binding requests for disclosure of PII.
n. For Access, Correction and/or Erasure of PII of Data subjects can be done by contacting the
Data Protection Officer (DPO) below. Also for raising concerns and/or any complaints related
with PII that can be done by contacting the Data Protection Officer below:


Name: Mr. Yashpal
Email ID: system.admin@cbsl-india.com

Annex 1: Description of Processing of Client Personal Data


This Annex includes certain details of the Processing of Client Personal Data as required by
Article 28(3) GDPR and, as applicable, Controller to Processor SCC.
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Client Personal Data are set out
in Section 2 of the Terms.
The nature and purpose of the Processing of the Personal Data
Due diligence and Background Verification of Organization and Individuals.
The categories of Data Subject to whom the Client Personal Data relates

  • Employees and Contractors of Clients.
    The types of Client Personal Data to be Processed
    Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language,
    Phone, Related person, Related URL, User ID, Username
    Special categories of data
    None
    The obligations and rights of Client
    The obligations and rights of Client are set out in the Terms and this Addendum.
    Data exporter (as applicable)
    The data exporter is: Client of Capital Record Centre Pvt. Ltd. that uses the Services
    Data importer (as applicable)
    The data importer is: PIPL, a company that provides services to the client, which
    requires receiving the Client’s query data
    Processing operations (as applicable)
    The personal data transferred will be subject to the following basic processing activities:
    The provision of Capital Record Centre Pvt. Ltd. Limited to Client for Due Dillegence and
    Background Verification as per Client requirements.