Data Processing Agreement

Preamble — Background and Purpose

This Data Processing Agreement ("DPA" or "Agreement") governs how Rentablez Software Pvt. Ltd. ("Rentablez", "we", "us") processes personal and business data on behalf of the Customer ("you", "your company") in connection with the Rentablez rental management software platform.

This Agreement is entered into between Rentablez as the Data Processor and the Customer as the Data Controller. Rentablez acts solely on the documented instructions of the Customer and does not process Customer Data for its own purposes.

This DPA forms part of, and supplements, the main Subscription Agreement or Terms of Service between the parties. In the event of conflict, this DPA shall take precedence on matters of data protection.

1. Definitions

For the purpose of this Agreement, the following terms shall have the meanings set out below:

• "Customer Data" means all data — including personal data, business records, customer information, booking records, financial data, vehicle/asset data, and any other information — uploaded to or processed through the Rentablez platform by the Customer.
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Indian and international data protection laws, including India's Digital Personal Data Protection Act, 2023 (DPDP Act).
• "Processing" means any operation performed on Customer Data, including collection, storage, retrieval, use, disclosure, or deletion.
• "Data Controller" means the Customer, who determines the purposes and means of Processing Customer Data.
• "Data Processor" means Rentablez, which processes Customer Data on behalf of the Data Controller.
• "Sub-Processor" means any third-party service provider engaged by Rentablez that processes Customer Data (e.g., cloud hosting providers).
• "Security Incident" or "Data Breach" means any unauthorised access, disclosure, loss, or destruction of Customer Data.

2. Rentablez's Core Data Protection Commitment

Rentablez makes the following binding commitments to the Customer regarding Customer Data:

3. Scope and Purpose of Data Processing

Rentablez shall process Customer Data solely for the following documented purposes:

• Providing, operating, and maintaining the Rentablez rental management software and associated features.
• Enabling the Customer to manage bookings, assets, customers, invoicing, maintenance, and reporting through the platform.
• Providing technical support and resolving issues reported by the Customer.
• Sending system notifications, alerts, and service communications directly related to the Customer's account.
• Complying with legal obligations applicable to Rentablez as a software service provider.

Rentablez shall not process Customer Data for any other purpose without explicit written consent from the Customer.

4. Types of Customer Data Processed

In the course of providing the software service, Rentablez may process the following categories of data on behalf of the Customer:

• Customer's end-customer data: names, contact numbers, email addresses, identification details (e.g., driving licence for EV rentals).
• Booking and transaction records: rental dates, durations, pricing, payment status.
• Fleet and asset data: vehicle details, availability status, maintenance records.
• Business financial data: invoices, payments, revenue records.
• User account credentials: usernames and hashed (encrypted) passwords of the Customer's staff accounts.

Rentablez does not intentionally collect sensitive personal data (such as biometric data or health records) and the Customer should avoid uploading such data unless essential.

5. Security Measures

Rentablez implements appropriate technical and organisational security measures to protect Customer Data, including but not limited to:

• Encryption of data in transit using TLS (Transport Layer Security).
• Encryption of data at rest on cloud infrastructure.
• Role-based access controls ensuring only authorised Rentablez personnel can access Customer Data, and only when necessary.
• Regular security testing and vulnerability assessments.
• Secure hosting on reputable cloud infrastructure (AWS / Google Cloud) with 99.9% uptime SLA.
• Audit logs for any internal access to Customer Data.
• Employee confidentiality obligations covering all Rentablez staff.

6. Sub-Processors

Rentablez may engage the following categories of trusted sub-processors to deliver the service. All sub-processors are bound by data protection obligations no less stringent than this Agreement:

• Cloud hosting providers (e.g., Amazon Web Services, Google Cloud Platform) — for infrastructure and storage.
• Payment gateway providers — solely for processing payments if integrated by the Customer.
• Email/SMS notification services — solely for delivering system-generated alerts to the Customer.

Rentablez will notify the Customer of any significant change in sub-processors that may affect the security of Customer Data, providing a minimum of 30 days' notice where possible.

7. Data Retention and Deletion

Rentablez retains Customer Data only for as long as the subscription is active and as required by applicable law. Upon termination or expiry of the subscription:

• The Customer may export all their data from the platform within 30 days of account closure.
• Rentablez shall delete all Customer Data from its active systems within 60 days of subscription termination.
• Backup copies of Customer Data (held for disaster recovery purposes) shall be purged within 90 days of subscription termination.
• Rentablez shall provide written confirmation of deletion upon request.

Data may be retained beyond these periods only if required by Indian law or a lawful order from a competent authority.

8. Data Breach Notification

In the event Rentablez becomes aware of a confirmed Security Incident affecting Customer Data, Rentablez shall:

• Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the incident.
• Provide the Customer with details of the nature of the breach, data categories affected, likely consequences, and remedial measures taken.
• Cooperate fully with the Customer in investigating and managing the incident.
• Take immediate steps to contain, mitigate, and remediate the breach.

9. Customer Rights and Responsibilities

The Customer, as Data Controller, retains the following rights:

• Right to issue documented instructions to Rentablez regarding the Processing of Customer Data.
• Right to audit Rentablez's data processing practices upon reasonable notice (annually or following a Security Incident).
• Right to request deletion, correction, or export of Customer Data at any time.
• Right to object to any Processing activity not covered by this Agreement.

The Customer is responsible for:

• Ensuring they have the legal right to upload and process data on behalf of their own customers.
• Informing their own end-customers about the use of a third-party software platform for data processing, where required by applicable law.
• Maintaining the security of their own login credentials and access rights.

10. Legal Compliance

Rentablez processes Customer Data in compliance with applicable data protection laws, including:

• India's Digital Personal Data Protection Act, 2023 (DPDP Act).
• Information Technology Act, 2000 and the IT (Amendment) Act, 2008.
• Any other applicable local or sectoral data protection regulations.

Where Customer Data includes personal data of individuals located in other jurisdictions (e.g., EU citizens under GDPR), Rentablez shall cooperate with the Customer to implement appropriate safeguards for such cross-border transfers.

11. Confidentiality

Rentablez shall treat all Customer Data as strictly confidential. Rentablez shall ensure that:

• Only authorised personnel who need access to Customer Data for the purpose of delivering the service are granted such access.
• All Rentablez employees and contractors with access to Customer Data are bound by written confidentiality obligations.
• Customer Data shall not be disclosed to any third party except as expressly permitted under this Agreement or required by law.

12. Limitation of Liability

Rentablez's total liability to the Customer under this Agreement for any data protection breach shall not exceed the total fees paid by the Customer to Rentablez in the twelve (12) months preceding the event giving rise to the claim, unless the breach is a result of Rentablez's gross negligence or willful misconduct.

Rentablez shall not be liable for breaches arising from the Customer's failure to maintain adequate security of their own account credentials or systems.

13. Governing Law and Disputes

This Agreement shall be governed by the laws of India. Any dispute arising out of or in connection with this Agreement shall first be attempted to be resolved amicably between the parties.

If not resolved within 30 days of written notice, disputes shall be subject to the exclusive jurisdiction of the courts of Bangalore, Karnataka, India.

14. Amendments

Rentablez may update this Agreement periodically to reflect changes in law, technology, or business practices. The Customer will be notified of material changes at least 30 days in advance via email or in-platform notification.

Continued use of the Rentablez platform after the effective date of any amendments constitutes acceptance of the revised Agreement.