Back to Home

Data Processing Agreement

Last updated: May 15, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PointsGlobal ("Processor") and the educational institution using our services ("Controller") regarding the processing of personal data.

Definitions

Terms such as "Personal Data," "Processing," "Controller," "Processor," and "Data Subject" shall have the meanings given to them in applicable data protection laws, including the General Data Protection Regulation (GDPR) and India's Personal Data Protection Bill.

Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the PointsGlobal AI-powered answer evaluation system.

The purpose of the processing is to provide the services as described in the Terms of Service, including document upload, text extraction, answer comparison, scoring, and analytics features.

Controller's Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by law.

The Controller instructs the Processor to process Personal Data for the following purposes:

  • Providing the services as described in the Terms of Service
  • Processing necessary for the Processor's legitimate business operations
  • As further specified via the Controller's use of the services

Confidentiality

The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
  • Access controls and authentication procedures
  • Regular security assessments and audits

Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors, provided that:

  • The Processor provides the Controller with information about any intended changes concerning the addition or replacement of sub-processors
  • The Controller has the opportunity to object to such changes
  • The Processor imposes data protection terms on any sub-processor it appoints that protect the Personal Data to the same standard provided for in this DPA

Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws. If the Processor receives a request from a Data Subject, it shall promptly notify the Controller.

Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification shall include:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects concerned
  • The categories and approximate number of Personal Data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under applicable data protection laws.

Deletion or Return of Data

Upon termination of services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless storage is required by law.

Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

International Transfers

The Processor shall not transfer Personal Data outside of India without the prior written consent of the Controller and ensuring appropriate safeguards are in place in accordance with applicable data protection laws.

Contact Information

For questions about this DPA, please contact:

Email: ritesh.jha2987@gmail.com
Address: Mumbai, Maharashtra, India, 400001