This document is an electronic record generated by a computer system in accordance with applicable law and does not require any physical or digital signatures. Please read this Data Processing Agreement carefully — it contains important information about your rights and obligations regarding the processing of personal data.
This Data Processing Agreement (“DPA” or “Agreement”) is entered into between Twor India (“Service Provider”, “we”, “us”, or “our”) and the Customer (“Customer”, “you”, or “your”) who has subscribed to the Mahaurban platform products and services via an applicable Order Form or Subscription Agreement (“Subscription”).
This DPA is to be read in conjunction with the Subscription Terms available at mahaurban.com/terms and mahaurban.in/terms, and the Privacy Policy available at mahaurban.com/privacy. It forms an integral part of the overall contractual relationship between the Parties.
The Customer and Service Provider are individually referred to as “Party” and collectively as “Parties”.
WHEREAS: The Service Provider provides a comprehensive suite of information technology products and services for the management of residential and commercial multi-dwelling units (MDUs), delivered through the Mahaurban Super-App including the Sooth Society Management platform and Mahaurban Marketplace. In performing these Services, the Service Provider shall Process Personal Data provided by the Customer. Applicable data protection laws require a contract governing such processing to be in place between the Data Controller and the Data Processor. The Parties therefore agree as set out below.
1. Introduction and Scope
1.1 This DPA forms an integral part of the Subscription Agreement and all engagement letters, addenda, schedules, exhibits, and communications incorporated therein. In the event of any conflict between the terms of this DPA and the Subscription Agreement, the terms of this DPA shall prevail solely with respect to the processing of Personal Data.
1.2 This DPA amends and replaces any provisions in the Subscription Agreement that conflict with its terms. Unless expressly stated otherwise, nothing in this DPA modifies either Party’s exclusions or limitations of liability under the Subscription Agreement. All provisions relating to liability and indemnities in the Subscription Agreement continue to apply alongside this DPA.
1.3 This DPA applies to all products and features within the Mahaurban Super-App ecosystem through which Personal Data is Processed, including:
- Sooth Society Management — resident registration, visitor management, billing, community posts, guard operations, and staff management;
- Mahaurban Marketplace — order processing, delivery address management, payment handling, and vendor interactions;
- AI-powered features — smart reply generation, message translation, voice-to-text transcription, conversation summarisation, and semantic search;
- In-app Chat and Communication — messages between residents, admins, guards, vendors, and support staff;
- Shiprocket Logistics Integration — shipment processing, tracking, and carrier coordination;
- Payment Gateway Integration — maintenance billing, marketplace payments, and wallet transactions;
- InkaBook Social Network — SSO-linked social interactions within the verified community platform;
- Mahaurban CRM — contract enquiry leads, customer relationship data, and support case management.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalised terms not defined here shall have the meanings given to them in the Subscription Agreement or the Privacy Policy.
“Affiliate” means with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with that Party, where control means the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
“Customer” means the entity or individual that has entered into a Subscription Agreement with Twor India for the use of the Mahaurban platform products and services, and who acts as the Data Controller in relation to Personal Data Processed under this DPA.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Data Controller is the Customer.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. For the purposes of this DPA, the Data Processor is the Service Provider (Twor India).
“Data Protection Laws” means all applicable laws and regulations governing the protection and processing of Personal Data, including but not limited to the Information Technology Act, 2000 (India), the Information Technology (Amendment) Act, 2008, the Digital Personal Data Protection Act, 2023 (India, when in force), and any successor legislation, together with associated regulations, guidance, and codes of practice issued by relevant supervisory authorities.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates. In the context of the Mahaurban platform, this includes residents, society members, tenants, owners, guards, staff, vendors, visitors, and marketplace customers.
“Data Subject Request” means a request submitted by a Data Subject to exercise any right available to them under applicable Data Protection Laws, including the right to access, correct, amend, transfer, obtain a copy of, object to the processing of, restrict, block, or delete their Personal Data.
“Personal Data” means any information relating to an identified or identifiable natural person made available to the Service Provider in connection with the Services, including but not limited to: names, mobile numbers, email addresses, residential addresses, flat and unit numbers, household composition, visitor records, payment information, location data, device identifiers, chat messages, voice recordings, visitor photographs, and any other data through which a natural person can be directly or indirectly identified.
“Processing” or “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.
“Security Incident” means any confirmed or suspected personal data breach or security incident that has resulted, or is reasonably likely to result, in any accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data, or any other incident that has the potential to harm the Customer’s business, customers, employees, systems, or reputation.
“Subcontractor” means any third-party subcontractor engaged by or on behalf of the Service Provider that will Process Personal Data as part of the performance of the Services, including cloud infrastructure providers, payment processors, logistics partners, mapping service providers, SMS gateways, push notification services, and AI model infrastructure providers.
“Subscription Agreement” means the agreement between the Customer and Twor India governing the Customer’s use of the Mahaurban platform products and services, including the Terms and Conditions, Order Form, and any supplementary agreements.
“Services” means all products, features, and functions provided by Twor India through the Mahaurban platform, as described in the Subscription Agreement and Section 1.3 of this DPA.
3. Roles of the Parties
3.1 The Parties acknowledge and agree that in relation to the Processing of Personal Data under this DPA:
- the Customer is the Data Controller and determines the purposes and means of Processing;
- the Service Provider (Twor India) is the Data Processor and Processes Personal Data solely on the Customer’s behalf and in accordance with the Customer’s instructions.
3.2 The Data Controller (Customer) agrees and undertakes to:
- obtain, maintain, and document all necessary consents and authorisations from Data Subjects for the collection and Processing of their Personal Data on the Platform;
- ensure that any instructions it provides to the Service Provider regarding Processing are lawful and compliant with applicable Data Protection Laws;
- fulfil all Controller obligations under applicable Data Protection Laws, including providing appropriate privacy notices to Data Subjects;
- ensure that Personal Data shared with the Service Provider is accurate, current, and limited to what is necessary for the provision of the Services.
3.3 Nothing in this DPA shall be interpreted to make the Service Provider a Data Controller in respect of any Personal Data Processed under this DPA, except where the Service Provider independently determines the purposes and means of any Processing for its own business purposes (such as security, fraud prevention, or service improvement), in which case the Service Provider acts as a Data Controller solely for those specific purposes.
4. Service Provider’s Processing Obligations
4.1 Instructions: The Service Provider shall Process Personal Data only on the Customer’s documented instructions and solely for the purpose of performing the Services as described in this DPA and the Subscription Agreement. The Service Provider shall treat all Personal Data as Confidential Information in accordance with the confidentiality provisions of the Subscription Agreement.
4.2 Lawful Processing: The Service Provider shall ensure that its Processing of Personal Data complies with applicable Data Protection Laws. The Service Provider shall not perform the Services in any manner that would cause the Customer to be in violation of its obligations under Data Protection Laws.
4.3 Notification of Unlawful Instructions: The Service Provider shall promptly notify the Customer in writing if, in the Service Provider’s reasonable opinion, any instruction from the Customer would constitute a violation of applicable Data Protection Laws. In such circumstances, the Service Provider is entitled to suspend compliance with the relevant instruction pending resolution, without this constituting a breach of this DPA.
4.4 No Sale or Commercial Exploitation: The Service Provider shall not sell, rent, lease, or otherwise commercially exploit Personal Data. Personal Data shall be used exclusively for the purpose of delivering the Services to the Customer.
4.5 Confidentiality: The Service Provider shall ensure that all personnel and Subcontractors who have access to Personal Data are bound by appropriate confidentiality obligations that survive termination of their engagement with the Service Provider.
5. Purpose, Categories of Personal Data, and Data Subjects
5.1 Purpose of Processing
The primary purpose of Processing Personal Data under this DPA is the performance of the Services pursuant to the Subscription Agreement. Specific processing activities include:
- user registration, authentication, and account management;
- society resident onboarding, approval, and profile management;
- visitor entry and exit logging by society guards;
- maintenance billing, payment processing, and financial record management;
- order placement, fulfilment, delivery, and tracking on the Mahaurban Marketplace;
- in-app messaging, community posts, and notification delivery;
- AI-assisted features including message translation, smart replies, voice-to-text, and summarisation;
- logistics coordination and shipment processing through third-party carriers;
- customer support query resolution and complaint management;
- fraud detection, security monitoring, and platform integrity maintenance;
- analytics and performance monitoring to improve platform functionality.
5.2 Categories of Personal Data Processed
The Service Provider shall Process the following categories of Personal Data as necessary for the Services:
- Identity Data: full name, date of birth, gender, profile photograph;
- Contact Data: mobile number, email address, residential address, flat/unit number, society name;
- Household Data: household member names, relationships, ages, and mobile numbers;
- Financial Data: payment card details (tokenised — full card numbers not stored by Twor India), transaction records, billing history, wallet balances;
- Location Data: GPS coordinates, delivery addresses, IP-derived location;
- Visitor Data: visitor names, photographs, vehicle registration numbers, entry/exit timestamps;
- Communication Data: chat messages, community posts, support interactions, voice recordings;
- Technical Data: device identifiers, IP addresses, browser type, operating system, app version, crash reports;
- Behavioural Data: usage patterns, feature interactions, session data, click-stream information.
5.3 Categories of Data Subjects
The Data Subjects whose Personal Data may be Processed under this DPA include:
- Society residents, owners, and tenants registered on the Sooth platform;
- Family members and household occupants of registered society members;
- Society administrators, staff members, and guards;
- Visitors to registered societies whose entry is logged through the visitor management system;
- Vendors, merchants, restaurants, and service providers listed on the Mahaurban Marketplace;
- Delivery partners and logistics personnel;
- Marketplace customers placing orders through the Mahaurban platform;
- Individuals submitting contract enquiries through the Mahaurban CRM.
6. Ownership of Personal Data
6.1 All Personal Data supplied by the Customer to the Service Provider shall at all times remain the sole property of the Customer. Nothing contained in this DPA shall vest any ownership or proprietary rights in Personal Data in the Service Provider.
6.2 The Service Provider acknowledges that its relationship with Personal Data is that of a custodian acting under the Customer’s instructions, and not that of an owner or independent controller of such data, except as expressly set out in Section 3.3 of this DPA.
6.3 The Service Provider shall not acquire any licence, right, title, or interest in or to the Personal Data beyond what is strictly necessary for the performance of the Services under this DPA.
7. Limitation on Disclosure
7.1 Other than as expressly permitted by the Subscription Agreement or required by law, the Service Provider shall not disclose Personal Data to any third party without the Customer’s prior written consent.
7.2 The Service Provider may disclose Personal Data to the following categories of recipients without requiring separate written consent for each disclosure, where such disclosure is necessary for the performance of the Services:
- Subcontractors listed or approved under Section 10 of this DPA;
- regulatory authorities, law enforcement, or government bodies, where required by applicable law, court order, or written direction from a statutory authority;
- payment processors and acquiring banks for the purpose of processing financial transactions;
- logistics and delivery partners for the purpose of order fulfilment and shipment tracking.
7.3 Where the Service Provider is legally compelled to disclose Personal Data by a regulatory body or statutory authority without the Customer’s consent, the Service Provider shall, to the extent permitted by law, notify the Customer promptly before making such disclosure and shall disclose only the minimum Personal Data required to satisfy the legal obligation.
8. Data Subject Rights, Complaints, and Requests
8.1 Data Subject Requests
The Service Provider shall, to the extent permitted by law, promptly notify the Customer upon receipt of any Data Subject Request relating to Personal Data Processed under this DPA. The Service Provider shall not respond to any such Data Subject Request without the Customer’s prior written instructions, except where required to do so by applicable law.
The Service Provider shall provide appropriate technical and organisational assistance to enable the Customer to fulfil its obligations to Data Subjects under Data Protection Laws in relation to Data Subject Requests, including:
- access requests and the provision of copies of Personal Data;
- correction or rectification of inaccurate or incomplete Personal Data;
- erasure or deletion of Personal Data, subject to legal retention obligations;
- restriction of Processing pending resolution of a Data Subject Request;
- portability of Personal Data in a structured, machine-readable format;
- objection to specific Processing activities.
The Service Provider shall comply with any applicable deadlines imposed by Data Protection Laws for responding to Data Subject Requests, and shall notify the Customer sufficiently in advance to allow the Customer to meet those deadlines.
8.2 Other Complaints and Regulatory Requests
The Service Provider shall, to the extent permitted by law, promptly notify the Customer upon receipt of any complaint, notice, or regulatory inquiry relating to the Customer’s obligations under Data Protection Laws or to Personal Data Processed under this DPA.
The Service Provider shall provide such co-operation and assistance as the Customer may reasonably request in relation to any such complaint or regulatory request, including preparing and submitting responses, providing documentation, and implementing corrective measures.
In the event that the Customer fails to respond to a statutory authority’s or regulatory body’s written order within the prescribed timeframe, and the Service Provider receives a direct written order from such authority requiring disclosure of Personal Data, the Service Provider shall be entitled to comply with such order to the minimum extent required, and shall notify the Customer as soon as reasonably practicable after making such disclosure.
9. Service Provider Personnel
9.1 Confidentiality Obligations: The Service Provider shall ensure that all personnel engaged in the Processing of Personal Data under this DPA are:
- informed of the confidential nature of the Personal Data and their obligations in respect of it;
- required to execute written confidentiality agreements that survive termination of their engagement;
- provided with appropriate training on data protection obligations, security practices, and incident response procedures;
- granted access to Personal Data only on a strict need-to-know basis proportionate to their role.
9.2 Access Controls: The Service Provider shall maintain appropriate role-based access controls to ensure that Personal Data is accessible only to those personnel who require access for the performance of the Services. Access logs shall be maintained and reviewed regularly.
9.3 Background Checks: To the extent permitted by applicable law, the Service Provider shall conduct appropriate vetting of personnel who have regular access to Personal Data.
9.4 Personnel Departure: Upon termination of a personnel member’s engagement, the Service Provider shall immediately revoke that person’s access to systems containing Personal Data.
10. Subcontractors
10.1 Approved Subcontractors
The Customer hereby grants general authorisation to the Service Provider to engage the following categories of Subcontractors for the performance of the Services. The Service Provider currently uses Subcontractors in the following categories:
- Cloud Infrastructure Providers: for hosting servers, databases, and application infrastructure;
- Payment Gateway Providers: for secure processing of online payments and transactions;
- Logistics Partners (including Shiprocket): for order fulfilment, shipment processing, and delivery tracking;
- Mapping and Geolocation Services (including Google Maps Platform): for location-based features, route mapping, and delivery address geocoding;
- Push Notification and SMS Services (including Firebase): for transactional and promotional notifications;
- AI and Machine Learning Infrastructure: for powering smart reply, translation, transcription, and search features;
- Customer Support Tools: for managing support tickets and customer service interactions;
- Analytics Services: for aggregated, anonymised platform usage analysis.
The Service Provider shall maintain an up-to-date list of Subcontractors and shall make this list available to the Customer upon request.
10.2 New Subcontractors
Before appointing any new Subcontractor that will Process Personal Data, the Service Provider shall notify the Customer with reasonable advance notice (not less than 14 days where practicable) and provide sufficient information to allow the Customer to assess the impact on data protection. If the Customer objects to the appointment on reasonable data protection grounds, the Parties shall attempt to resolve the objection in good faith. If no resolution is reached, the Customer may terminate the affected Services by providing 30 days’ written notice.
10.3 Subcontractor Obligations
The Service Provider shall ensure that all Subcontractors who Process Personal Data are bound by written agreements that impose data protection obligations at least equivalent to those set out in this DPA. The Service Provider remains fully responsible and liable for the acts, omissions, and defaults of its Subcontractors as if they were the Service Provider’s own acts, omissions, and defaults.
11. Technical and Organisational Security Measures
11.1 Service Provider Measures: The Service Provider shall implement and maintain appropriate technical and organisational measures to ensure the security, confidentiality, integrity, availability, and resilience of systems used for Processing Personal Data, and to protect against unauthorised or unlawful Processing, accidental loss, destruction, damage, or disclosure. These measures shall include, at a minimum:
- HTTPS/TLS encryption for all data transmitted between user devices and the Service Provider’s servers;
- encryption of Personal Data at rest, including sensitive fields such as passwords and payment tokens;
- PCI-DSS compliant payment processing infrastructure for all financial transactions — full payment card numbers are not stored by Twor India;
- role-based access controls limiting access to Personal Data on a strict need-to-know basis;
- OTP-based multi-factor authentication for platform account access;
- regular security vulnerability assessments and penetration testing;
- intrusion detection and monitoring systems for unauthorised access attempts;
- secure software development lifecycle (SDLC) practices including code review and dependency scanning;
- regular backup of Personal Data with tested recovery procedures;
- physical security measures for any on-premises infrastructure.
11.2 Customer Measures: The Customer agrees to implement appropriate technical and organisational measures on its side to:
- comply with all applicable Data Protection Laws for the time being in force;
- implement data protection principles including data minimisation, purpose limitation, and storage limitation;
- minimise risks to the rights and freedoms of Data Subjects arising from its use of the Services;
- ensure that Society Admins and authorised users are trained on their responsibilities regarding personal data accessed through the platform;
- promptly notify the Service Provider of any security vulnerability or suspected Security Incident identified on the Customer’s side.
11.3 The Service Provider shall review its security measures no less than annually and update them as necessary to reflect changes in risk, technology, and applicable law. The Service Provider shall make information about its security measures available to the Customer upon reasonable written request.
12. Security Incident Management and Breach Notification
12.1 Notification Timeline: The Service Provider shall notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident involving Personal Data Processed under this DPA. Where notification within 72 hours is not possible, the Service Provider shall provide an initial notification within that period and supplement it with additional information as soon as it becomes available.
12.2 Content of Notification: The Service Provider’s notification of a Security Incident shall include, to the extent known at the time of notification:
- a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected;
- the categories and approximate number of Personal Data records involved;
- the likely consequences of the Security Incident for affected Data Subjects and the Customer;
- the measures taken or proposed to address the Security Incident, including steps to mitigate its effects and prevent recurrence;
- the name and contact details of the Service Provider’s data protection contact point;
- whether any regulatory authority, affected Data Subjects, or the media have been informed or are aware of the Security Incident.
12.3 Cooperation: Following notification, the Service Provider shall provide all cooperation, information, and assistance reasonably requested by the Customer in respect of the Security Incident, including assistance in complying with any mandatory breach notification obligations owed by the Customer to regulatory authorities or Data Subjects under applicable Data Protection Laws.
12.4 Remediation: The Service Provider shall take all reasonable steps to contain, investigate, and remediate the Security Incident as promptly as practicable, and shall keep the Customer informed of the progress of its investigation and remediation efforts.
12.5 Non-Admission: The Service Provider’s notification of a Security Incident shall not be construed as an admission of fault, negligence, or liability by the Service Provider.
13. Audit Rights and Compliance Demonstrations
13.1 Upon the Customer’s reasonable written request (and not more than once per 12-month period unless a Security Incident has occurred), the Service Provider shall:
- make available all information reasonably necessary to demonstrate compliance with this DPA;
- allow for and contribute to audits and inspections conducted by the Customer or an independent auditor appointed by the Customer;
- provide access to relevant documentation, policies, procedures, logs, and records relating to the Processing of Personal Data.
13.2 Any audit shall be conducted:
- with reasonable advance written notice of not less than 30 days;
- during normal business hours and with minimum disruption to the Service Provider’s operations;
- subject to appropriate confidentiality obligations binding the Customer and any appointed auditor;
- at the Customer’s cost, unless the audit reveals a material breach of this DPA by the Service Provider, in which case the Service Provider shall bear the reasonable costs of the audit.
13.3 The Service Provider may satisfy its audit obligations by providing current third-party audit certifications (such as ISO 27001 or SOC 2 Type II reports) or other equivalent evidence of compliance, where the Customer agrees to accept such certifications in lieu of a direct audit.
14. Notifications and Regulatory Communications
14.1 Each Party undertakes to notify the other Party promptly upon receiving any complaint, notice, inquiry, or communication from any individual, supervisory authority, regulatory body, or government body that relates directly or indirectly to the Processing of Personal Data under this DPA.
14.2 The Parties shall cooperate in good faith to address any such communication and to fulfil any obligations that may arise from it under applicable Data Protection Laws.
14.3 All notices under this DPA shall be in writing and shall be delivered by:
- registered mail to the Party’s registered address;
- personal delivery;
- recognised courier service; or
- email to legal@tworindia.com (for Twor India) or to the Customer’s registered contact email address.
Notices delivered by registered mail or courier shall be deemed received two (2) business days after dispatch. Notices delivered by personal delivery or email shall be deemed received on the date of delivery or transmission.
15. Deletion or Return of Personal Data
15.1 Upon the termination or expiry of the Subscription, or upon the Customer’s written request during the Subscription term, the Service Provider shall, within a reasonable period (not to exceed 60 days):
- securely delete or permanently anonymise all Personal Data that is in the Service Provider’s possession or control and that is not required to be retained under applicable law; and
- make available to the Customer, in a standard machine-readable format, any Personal Data that the Customer requests to retrieve prior to deletion.
15.2 The Service Provider shall certify in writing to the Customer upon completion of the deletion or return process, confirming that all Personal Data has been handled in accordance with this Section.
15.3 The Service Provider may retain Personal Data beyond the period specified in Section 15.1 to the extent required by applicable law, court order, or regulatory obligation. In such cases, the retained data shall continue to be subject to the confidentiality and security obligations of this DPA, and the Service Provider shall notify the Customer of the nature and duration of any required retention.
15.4 The Service Provider may retain aggregated or anonymised data derived from Personal Data (from which individual Data Subjects cannot be identified) for business analytics and platform improvement purposes, without limitation.
16. Payment Gateway Integration Terms
Twor India integrates third-party Payment Gateways into its Products to enable Associations (societies, property managers, and organisations subscribing to the Mahaurban platform) to collect payments from residents, tenants, vendors, and marketplace customers. The following terms govern the use of the Payment Gateway functionality within the Mahaurban platform.
16.1 Definitions for this Section
For the purposes of this Section 16:
- “Association” or “Society” means the entity subscribing to the Mahaurban platform, including residential societies, commercial complexes, property builders, and facility management companies.
- “Payment Gateway” means any third-party payment gateway integrated into the Mahaurban platform, including UPI payment rails, credit/debit card processing networks, net banking gateways, and digital wallet interfaces.
- “Payment Gateway User” means any person holding a valid credit card, debit card, UPI ID, net banking account, or digital wallet who makes payments through the Payment Gateway on the Mahaurban platform.
- “Issuing Bank” means the bank or financial institution that issued the payment instrument used by the Payment Gateway User.
- “Card Associations” means Mastercard, Visa, RuPay, Diners, American Express, and other card networks that authorise and enable card transactions.
16.2 Description of Service
Twor India integrates third-party Payment Gateways into its Products to facilitate the collection of dues, maintenance charges, marketplace payments, and other fees by Associations from Payment Gateway Users. In this capacity, Twor India acts as a technology platform and Online Collection Agent facilitating the payment transaction. Twor India is not a payment service provider, bank, or financial institution.
16.3 Covenants of the Association
By activating Payment Gateway functionality on the Mahaurban platform, the Association agrees to the following covenants:
- The Association shall ensure that all charges levied against Payment Gateway Users are valid, properly authorised, and supported by appropriate documentation (including bye-laws, membership records, service agreements, and payment notices) to substantiate such charges.
- The Association shall not input payment card details, net banking credentials, or UPI information on behalf of a Payment Gateway User. All payment information must be entered directly by the Payment Gateway User.
- Twor India shall not be a party to any agreement between the Association and Payment Gateway Users. All contractual relationships regarding the services for which payment is being collected are solely between the Association and the Payment Gateway User.
- The Association shall ensure that all licences, registrations, and legal authorisations required to collect the relevant charges and taxes from Payment Gateway Users are in full force and effect at all times.
- The Association assures and guarantees to Twor India, the Card Associations, and Acquiring Banks that it shall comply with all applicable rules, standards, and guidelines. The Association further confirms that the Payment Gateway shall not be used for the collection of payments related to any of the following prohibited categories:
  - Adult content, pornography, or escort services;
  - Alcohol, tobacco, or related products;
  - Illegal drugs, controlled substances, or drug paraphernalia;
  - Gambling, lottery tickets, or online gaming memberships;
  - Counterfeit goods, replicas, or unauthorised brand merchandise;
  - Firearms, ammunition, weapons, or explosive devices;
  - Stolen property or goods with removed or altered identification;
  - Prescription medicines or medical devices without valid authorisation;
  - Pornographic materials involving minors (child exploitation material);
  - Hacking tools, malware, or materials enabling unauthorised system access;
  - Bulk email lists or spam marketing tools;
  - Multi-level marketing or pyramid scheme collection fees;
  - Human body parts, organs, or bodily fluids;
  - Endangered species, animals, or protected biological material;
  - Securities, stocks, bonds, or financial instruments;
  - Government IDs, passports, licences, or official documents (counterfeit or otherwise);
  - Any product or service that is unlawful under applicable Indian law or the laws of the jurisdiction in which the Association operates.
The Association confirms that in the event of any violation of Card Association or Acquiring Bank rules resulting in a penalty being imposed on Twor India, the Association shall promptly pay to Twor India the amount of any such penalty or fine without demur, protest, or delay.
16.4 Disputes Regarding Services
Twor India, the Payment Gateway providers, and the Acquiring Banks shall not be responsible for the quality of services provided by the Association to Payment Gateway Users, nor for any non-delivery or delay in delivery of services. All disputes between the Association and Payment Gateway Users regarding service quality, non-delivery, or other matters shall be resolved directly between those parties. Twor India, Payment Gateway providers, and Acquiring Banks shall not be parties to such disputes.
16.5 Charge-Back Liability
The Association accepts full liability for any charge-back claims arising from payments collected through the Payment Gateway. Examples of situations that may give rise to charge-back liability include:
- A Payment Gateway User disputes a charge on the grounds that it was unauthorised, incorrect, or not supported by adequate documentation maintained by the Association;
- A Payment Gateway User’s payment instrument is found to have been used without authorisation (e.g., stolen card), resulting in reversal of the payment by the Issuing Bank or Card Association.
In each such case, the Association is solely responsible for promptly refunding the charge-back amount and for maintaining sufficient documentation to contest disputed transactions.
16.6 No Warranty
Twor India, Acquiring Banks, and Payment Gateway providers disclaim all warranties, express or implied, regarding the Payment Gateway service, including warranties of merchantability and fitness for a particular purpose. The Association acknowledges that the Payment Gateway service may be subject to interruption, error, or discontinuation by Acquiring Banks or facility providers at any time and for any reason. Twor India’s sole obligation in the event of a service interruption shall be to use commercially reasonable efforts to restore the service as soon as practicable. Twor India shall not be liable for any amounts due from Payment Gateway Users to the Association, applicable taxes, or government levies.
16.7 Transaction Limits
Twor India, Payment Gateway providers, and Acquiring Banks reserve the right to impose limits on the number, frequency, or value of transactions that may be processed through the Payment Gateway, and to refuse transactions from Payment Gateway Users with a history of questionable charges or fraud.
16.8 Payment Gateway Indemnity
The Association hereby agrees to indemnify, defend, and hold harmless Twor India, Payment Gateway providers, Facility Providers, and Acquiring Banks from and against all actions, claims, liabilities, penalties, costs (including reasonable legal fees), damages, losses, and expenses arising directly or indirectly from:
- any breach by the Association of its undertakings, covenants, or obligations under this Section 16;
- any claim or proceeding by a Payment Gateway User against Twor India arising from services offered by the Association;
- any act, neglect, or default of the Association or its agents or employees;
- any charge-back claim or penalty arising from the Association’s use of the Payment Gateway in violation of applicable rules or standards.
16.9 Termination of Payment Gateway Access
Twor India may terminate or suspend the Association’s access to the Payment Gateway in the following circumstances:
- Termination for Breach: upon 30 days' written notice, if the Association commits a material breach of any term of this Section 16;
- Immediate Termination: without notice or liability, if Twor India, the Acquiring Bank, or a Facility Provider determines that the Association is using the Payment Gateway in furtherance of any illegal activity or in violation of any applicable law or regulation, or if any of them becomes subject to a civil or criminal action or investigation as a consequence of the Association’s use of the Payment Gateway;
- Termination by Notice: either Party may terminate the Payment Gateway service by providing 30 days' written notice to the other Party.
17. Liability
17.1 The liability of each Party under this DPA is subject to the limitations of liability set out in the Subscription Agreement, which are incorporated herein by reference. Where applicable Data Protection Laws prohibit or limit the restriction of liability to Data Subjects arising from third-party beneficiary provisions of applicable data transfer mechanisms, those restrictions shall not apply to the extent of such prohibition.
17.2 Neither Party shall be liable to the other under this DPA for any indirect, consequential, special, or punitive loss or damage, including loss of profits, loss of data, or loss of business opportunity, except to the extent such loss results from a wilful breach of this DPA or from gross negligence.
17.3 Nothing in this DPA limits or excludes either Party’s liability for death or personal injury caused by negligence, fraud, or fraudulent misrepresentation, or any liability that cannot be limited under applicable law.
18. Term and Termination
18.1 This DPA shall commence on the effective date of the Customer’s Subscription Agreement and shall remain in force for the duration of the Subscription, including any renewals or extensions thereof.
18.2 This DPA shall automatically terminate upon the expiry or termination of the Subscription Agreement for any reason.
18.3 The obligations of the Service Provider with respect to confidentiality, security, and deletion of Personal Data under this DPA shall survive termination of the Subscription Agreement for as long as the Service Provider retains any Personal Data.
18.4 Sections 6 (Ownership), 7 (Limitation on Disclosure), 12 (Security Incident Management), 15 (Deletion), 17 (Liability), and 19 (General Provisions) shall survive termination of this DPA.
19. General Provisions
19.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of India. Disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution mechanism specified in the Subscription Agreement.
19.2 Dispute Resolution
Any dispute arising out of or relating to this DPA shall first be subject to good-faith negotiation between the Parties for a period of 30 days from written notice of the dispute. If unresolved, the dispute shall be referred to the dispute resolution mechanism specified in the Subscription Agreement, which includes the jurisdiction of the courts of Bangalore, Karnataka, India for Indian-resident Customers, and DIFC arbitration for non-Indian-resident Customers.
19.3 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, it shall be modified to the minimum extent necessary to make it valid and enforceable. All other provisions of this DPA shall remain in full force and effect.
19.4 Waiver
No waiver by either Party of any breach or default of any provision of this DPA shall be deemed a waiver of any subsequent breach or default. All waivers must be made in writing and signed by an authorised representative of the waiving Party.
19.5 Entire Agreement
This DPA, together with the Subscription Agreement, Privacy Policy, and any schedules or addenda incorporated herein, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior discussions, negotiations, representations, or agreements on the same subject matter. No amendment to this DPA shall be effective unless made in writing and accepted by both Parties.
19.6 Assignment
The Customer may not assign or transfer its rights or obligations under this DPA without the prior written consent of the Service Provider. The Service Provider may assign this DPA in connection with a merger, acquisition, or restructuring, provided it notifies the Customer in advance and the assignee assumes all obligations under this DPA.
19.7 No Agency
Nothing in this DPA shall be construed to create a partnership, joint venture, agency, employment, or franchise relationship between the Parties. Each Party is an independent contractor.
19.8 Language
This DPA is executed in the English language. In the event of any conflict between this DPA and any translation thereof, the English language version shall prevail.
20. Contact Details
For all matters relating to this Data Processing Agreement, data protection enquiries, or exercise of Data Subject rights, please contact:
Twor India — Legal & Data Protection
Email: legal@tworindia.com
Platform Support: support@mahaurban.com
Society Support: support@mahaurban.in
Website: www.mahaurban.com | www.mahaurban.in
By subscribing to Mahaurban platform products and services, the Customer acknowledges that it has read, understood, and agreed to the terms of this Data Processing Agreement.
© 2025–2026 Twor India. Mahaurban is a registered brand of Twor India.