ResolveBiz Services and Apps Private Limited (“Resolve”, “we”, “us” or “our”) is a pioneering, technology-powered integrated service provider with a unique model rendering human resource, payroll, Expenses, Accounting and Compliance management solutions.
Your use of the Website, application or Resolve Platform, owned and managed by Resolve, is governed by the following terms and conditions of this Agreement as applicable to the Website, application or Resolve Platform, including the applicable policies which are incorporated herein by way of reference. By mere use of the Website, application or Resolve Platform, You shall be contracting with Resolve and these Terms including the policies constitute your binding obligations with Resolve.
IF YOU ARE USING ANY SERVICE AS AN EMPLOYEE, AGENT, OR CONTRACTOR OF A COMPANY, PARTNERSHIP OR ANY OTHER ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. THE RIGHTS GRANTED UNDER THIS AGREEMENT ARE EXPRESSLY CONDITIONED UPON ACCEPTANCE BY SUCH AUTHORIZED PERSONNEL.
Services offered by Resolve are subject to the terms of our website/platform, policies [i.e. Terms of Use, Privacy Policy, Cancellation and Refund Policy etc.] (“Policies”), available at ‘https://www.resolve.com/www.resolvepayroll.com’ (“Website”). By contacting Resolve for the services or availing the services or by registering with us or by accepting this Agreement, now or in the future, you being the person or entity placing an order for or accessing the Service (“Subscriber” or “Customer”, “you”, “your”, “yourself” or “user”) signify that you agree to these Terms of the Agreement (“Terms”) and the Policies.
This Agreement is effective between You and Us as of the date of Your acceptance of this Agreement. This Terms of Service (“the Agreement”) is entered into by and between Resolve and You. Resolve and Subscriber are each a “party”, and together are “parties” to this Agreement. In consideration of the terms and conditions set forth below, the parties agree as follows:
1. Definitions
1.1. “Affiliates” shall mean any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Agreement” means this Master Subscription Agreement, including the Service Level Agreement, Data Processing Agreement, Security Agreement, and any other exhibits, addenda, or attachments hereto, and any fully executed Order Form.
1.3. “Authorised User” shall mean an individual user for whom a user license has been purchased by Subscriber pursuant to the terms of the Invoice and this Agreement, and to whom unique user credentials have been given to access Resolve Platform. Authorised Users may include employees, individual contractors or consultants of Subscriber or Subscriber’s Affiliates or third party service providers.
1.4. “Confidential Information” shall mean all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Resolve’s Confidential Information shall include the terms of this Agreement and all Invoices (including all non-public pricing information). Confidential Information of each party shall include (without limitation) the business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information shall not include any information that (i) is or becomes generally known to the public without breach of obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party without the use of Disclosing Party’s Confidential Information.
1.5. “Subscriber Data” means electronic data or information submitted to the Resolve Platform by Subscriber.
1.6. “Subscriber Input” means suggestions, enhancement requests, recommendations or other feedback provided by Subscriber, its Employees relating to the operation or functionality of the Resolve Platform.
1.7. “Documentation” shall mean the user manuals and documentation(s), whether in written or electronic form, provided by Resolve to the Subscriber from time to time detailing the features, functionalities and operation of the Resolve Platform.
1.8. “Employee” or “Worker” means employees, consultants, contingent workers, independent contractors, and retirees of Subscriber and its Affiliates, whether actively employed or terminated, whose business record(s) are or may be managed by the Service and for whom a subscription to the Service has been purchased in an Order Form.
1.9. “Improvements” means all improvements, updates, enhancements, error corrections, bug fixes, release notes, upgrades and changes to the Service and Documentation, as developed by Resolve and made generally available for Production use without a separate charge to Subscribers.
1.10. “Intellectual Property” or “IP” shall mean all intellectual property (whether registered or not) including but not limited to patents, designs, literary work, artistic work, audio, video, any translations, adaptations, computer programme and/or any other works, materials, software, source, executable or object code, documentation, methods, apparatus, systems and the like, any copyrightable/patentable material, trade secrets and all trademarks and trade names and any other materials that can be protected under existing or future intellectual property rights in India or any other applicable jurisdiction.
1.11. “Intellectual Property Rights” means any and all common law, statutory and other industrial property rights and intellectual property rights, including copyrights, trademarks, trade secrets, patents and other proprietary rights in the IP issued, honoured or enforceable under any applicable laws anywhere in the world, and all moral rights related thereto.
1.12. “Law” means any local, state, national and/or foreign law, treaties, and/or regulations applicable to the respective party.
1.13. “Malicious Code” means viruses, worms, time bombs, Trojan horses and other malicious code, files, scripts, agents, bots or programs.
1.14. “Order Form” means the ordering documents under which Subscriber subscribes to the Service which is fully executed pursuant to this Agreement.
1.15. “Personal Data” has the definition set forth in the Exhibit 2.
1.16. “Production” means the Subscriber’s use of or Resolve’s written verification of the availability of the Service (i) to administer Employees; (ii) to generate data for Subscriber’s books/records; or (iii) in any decision support capacity.
1.17. “Security Breach” means (i) any actual or reasonably suspected unauthorized use of, loss of, access to or disclosure of, Subscriber Data; provided that an incidental disclosure of Subscriber Data to an Authorized Party or Resolve, or incidental access to Subscriber Data by an Authorized Party or Resolve, where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a “Security Breach” for purposes of this definition, unless such incidental disclosure or incidental access triggers a notification obligation under any applicable Law and (ii) any security breach (or substantially similar term) as defined by applicable Law.
1.18. “Resolve Platform” means Resolve’s software-as-a-service applications or its managed payroll, accounting and compliance services as described in the Documentation and subscribed to under an Order Form.
1.19. “Non-Resolve Services” shall mean third party applications, services, software, networks, systems, websites or databases that are integrated with the Resolve Platform to interoperate with the Resolve Platform.
1.20. “Invoice” shall mean the document evidencing a subscription to Resolve Services that specifies the description of services subscribed, subscription plan, Subscription Period, number of user licenses purchased and applicable fees.
1.21. “Subscriber Data” shall mean electronic data and information submitted to and stored within the Resolve Platform by the Subscriber or an Authorized User as a result of Subscriber’s or Authorised User’s use of the Resolve Platform.
1.22. “Subscription Period(s)” shall mean, in respect of each of the Resolve Platform, the duration of validity of each fee-based subscription plan purchased by Subscriber.
1.23. “Usage Limits” shall mean the limits on use of each of the Resolve Platform corresponding to the fee-based subscription plan purchased by the Subscriber.
1.24. “Taxes” shall mean all taxes, duties, levies, imposts, fines or similar governmental assessments, including sales and use taxes, value-added taxes, goods and services taxes, excise, business, service, and other similar transactional taxes imposed by any local, state, provincial or foreign jurisdiction and include the interest and penalties thereon.
1.25. “Terms of Service” shall mean the terms and conditions available for access and use of the Resolve Platform, as modified from time to time.
2. Use of the Resolve Platform, Restrictions and Responsibilities
2.1. Rights Granted. Subject to the terms and conditions of this Agreement, Resolve will make the Resolve Platform available to Subscribers for the Subscription Period as set out in the Invoice. Resolve grants Subscriber a revocable, non-exclusive, non-transferable right and limited license to access, use and, where applicable, download the Resolve Platform during such Subscription Period for Subscriber’s internal business purposes. If the Subscriber exceeds the Usage Limits of the Resolve Platform or functionalities within the Resolve Platform, Subscriber may purchase additional quantities of the Resolve Platform by making payment(s) for such excess usage.
2.2. Usage Restrictions. Subscriber shall not and shall not permit its Authorised Users to:
- copy, modify, create derivative works or otherwise attempt to gain unauthorised access to the Resolve Platform.
- except as permitted under applicable law, attempt to disassemble, reverse engineer or decompile the Resolve Platform.
- use the Resolve Platform on behalf of any third party or include the Resolve Platform as part of service bureau or provide any business process service, unless duly authorised as a Resolve Alliance Partner.
- use the Resolve Platform in any manner that interferes with or disrupts the integrity, security or performance of the Resolve Platform, its components and the data contained therein.
- sell, resell, license, sublicense, rent, lease, transfer, assign or otherwise make the Resolve Platform available to any third-party without an Authorised User subscription.
- use the Resolve Platform to send or store material containing software viruses, worms or other harmful computer codes, files, scripts or programs.
- upload or transmit (or attempt to upload or to transmit) any material that acts as a passive or active information collection or transmission mechanism, including without limitation, clear graphics interchange formats (“gifs”), 1×1 pixels, web bugs, cookies, or other similar devices (sometimes referred to as “spyware” or “passive collection mechanisms” or “pcms”).
- use the Resolve Platform to store or transmit any material that is unlawful, abusive, malicious, harassing, tortious, defamatory, vulgar, obscene, libellous, or violates any third party rights.
- permit direct or indirect access to or use of the Resolve Platform in a way that circumvents the Usage Limits.
- use the Resolve Platform in any manner that could damage, disable, overburden, impair or harm any server, network, computer system, or resource of Resolve.
- allow Authorised User licenses to be shared or used by more than one individual other than by way of reassigning the user license to a new user.
- remove or obscure any proprietary or other notices contained in the Resolve Platform.
- attempt to gain unauthorized access to the Resolve Platform (including features and functionality) or its related systems or network.
- use the Resolve Platform for any form of competitive or benchmarking purposes.
2.3. Subscriber Responsibilities. Subscriber shall be responsible for:
- providing accurate, current and complete information regarding the Subscriber in connection with Subscriber’s access and use of the Resolve Platform;
- Authorized Users’ compliance with the Agreement, Documentation and Invoice;
- accuracy, quality and legality of the Subscriber Data;
- means by which the Subscriber Data was acquired and Subscriber’s use of the Subscriber Data;
- using commercially reasonable efforts to prevent unauthorized access to or use of the Resolve Platform;
- using the Resolve Platform in accordance with this Agreement, Documentation and Invoice;
- all activities that occur under Subscriber’s account; and
- compliance with all applicable laws and regulations.
3. Fees and Payments
3.1. Fees: Subscriber will pay to Resolve, without any deductions, the fees set forth in the applicable Invoice. Except as otherwise specified in the Agreement, all payment obligations are non-cancellable and all amounts paid are non-refundable whether or not the Resolve Platform is actively being used. Additional charges will apply for additional purchases or usage in excess of the purchased subscription(s). All pricing terms provided for the Subscriber are confidential and Subscriber agrees not to disclose them to any third party without Resolve’s prior written authorization.
3.2. Invoicing and Payment: Payments for Subscription Period of less than one (1) year shall be made through Resolve’s online store using a credit card or online banking facilities. Manual payment options are also considered. The Subscription Period will commence only upon receipt of payment or a purchase order acceptable to Resolve. Subscriber shall be responsible for providing complete and accurate payment information to Resolve. Subscriber shall promptly update any change in the billing information. If a purchase order raised by the Subscriber is accepted by Resolve, the payment must be made by the Subscriber within fifteen (15) days from the receipt of an invoice by email, unless otherwise stated in the Invoice.
3.3. Overdue Payments: Undisputed overdue payments shall bear interest at the rate of one (1)% per month or the maximum rate allowed under applicable law as Resolve is registered as a MSME Unit. Subscriber acknowledges and accepts that non-payment of any undisputed fees within the term defined in the applicable Invoice constitutes a material breach of this Agreement and that Resolve shall have the right to: (i) block and/or suspend the access to the Resolve Platform until all such due and undisputed amounts and applicable interests, if any, have been paid; and/or (ii) terminate the Agreement as specified under Term and termination clause of this Agreement.
3.4. Payment Disputes: In the event Subscriber has any disputes with regard to the invoice raised by Resolve, then the Subscriber shall raise the same within five (5) business days from the date of receipt of invoice. Subscriber shall not be considered to have defaulted on Subscriber’s payment obligations under this Section if the Subscriber: (i) has disputed the fees in good faith in accordance with clause 3.6 and is cooperating diligently to resolve the dispute; and (ii) remits payment for any undisputed amounts in a timely manner.
3.5. Taxes: Subscriber shall be responsible for paying the Taxes in addition to the fees applicable for the Resolve Platform as specified in the Invoice. If the Subscriber is withholding Taxes, Subscriber shall pay the withholding Tax directly to the appropriate government entity and shall furnish a tax certificate to Resolve evidencing such payment within one hundred (100) days of making such payments. In the event of a failure to furnish the tax certificate within the time period specified herein, the concerned tax amount shall be fortified by Resolve.
3.6. Pricing: Resolve reserves the right to unilaterally determine and modify its pricing for the Resolve Platform. Where an Invoice is in effect, the pricing for the Resolve Platform shall remain as agreed for the term specified in such Invoice.
4. Availability and Technical Support
4.1. Resolve will make the Resolve Platform available to the Subscriber pursuant to the terms of this Agreement, applicable Invoice and Documentation. Resolve shall use commercially reasonable efforts to make the Resolve Platform available 24 hours a day, 7 days a week and honor the Uptime Commitment as per normal business standards, except during: (i) Scheduled Downtime, and (ii) Force Majeure Events.
5. Privacy and Security
5.1. Privacy: To the extent that Personal Information (as defined under the Exhibit 2) is processed by Resolve when Subscriber uses the Resolve Platform, Resolve shall comply with applicable legal requirements for privacy, data protection and confidentiality. Resolve’s processing of Personal Information will, at all times, be compliant with Exhibit 2 of this Agreement. Exhibit 2 explains how Resolve will, (i) process Personal Information; (ii) use third party service providers who process Personal Information on Resolve’s behalf; (iii) assist Subscriber to handle data subject requests; (iv) handle Security Incidents; (v) accommodate an audit request from Subscriber; (vi) ensure that its personnel maintain confidentiality and security of Personal Information; and (vii) handle return or deletion of Personal Information.
5.2. Security: Resolve has implemented and will maintain industry-standard administrative, technical, and physical safeguards to reasonably protect the security, confidentiality and integrity of the Subscriber Data as described in Exhibit 3 of this Agreement. Resolve will periodically review and update its security practices to address new and evolving security threats and to implement evolving security technologies and industry standard practices. Resolve warrants that no modification to the security practices will materially degrade the security of the Resolve Platform.
6. Proprietary Rights and Licenses
6.1. Reservation of Intellectual Property Rights: As between the Parties to this Agreement, Resolve retains all the rights, title and interest in and to the Resolve Platform and Documentation, including all related Intellectual Property Rights. Except as expressly stated herein, this Agreement does not grant any additional rights or licenses to the Subscriber in the Resolve Platform or in any intellectual property rights of Resolve. The Subscriber agrees and acknowledges that unless as provided herein this Agreement, any other use of the Resolve Platform shall constitute a material breach of this Agreement and an infringement under applicable laws. Such material breach or infringement shall cause Resolve irreparable loss and damage. Therefore, in addition to and without limitation to the rights provided herein this Agreement, Resolve shall have the right to recover damages and injunctive relief under applicable laws.
6.2. License to use Suggestion and Feedback: Subscriber grants to Resolve a fully paid-up, royalty-free, worldwide, sub-licensable, assignable, irrevocable and perpetual license to use and incorporate into the Resolve Platform any idea, suggestion for enhancement, recommendation, correction or other feedback provided by Subscriber to Resolve in connection with such Subscriber’s use of the Resolve Platform.
6.3. Subscriber Input: Subscriber Input is defined as any information Subscriber may have provided Resolve as an idea, feature request, enhancement or bug-fix on Resolve product offerings to Resolve. Resolve shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into the Service any Subscriber Input. Resolve shall have no obligation to make Subscriber Input an Improvement. Subscriber shall have no obligation to provide Subscriber Input.
6.4. Statistical Data Use: Resolve has exclusive rights to use the statistical data derived from the operation of the Service, including, without limitation, the number of records in the Service, the number and types of transactions, configurations, and reports processed in the Service and the performance results for the Service (the “Aggregated Data”). Nothing herein shall be construed as prohibiting Resolve from utilizing the Aggregated Data for purposes of operating Resolve’s business, provided that Resolve’s use of Aggregated Data will not reveal the identity, whether directly or indirectly, of any individual or specific data entered by any individual into the Service. In no event does the Aggregated Data include any personally identifiable information or corporate identifiable information.
6.5. Use of name: In connection with any literature of an advertising or similar nature, Resolve’s name shall not be used or quoted without the prior written permission of Resolve. Resolve may use the fact of its involvement with the Subscriber in this Agreement in its credentials, proposals and publicity material subject to applicable law and professional regulations. The Customer agrees to such use and Resolve may, on the Subscriber’s specific request, share samples of such use.
7. Confidentiality
7.1. Confidentiality Obligations: Except as otherwise permitted in writing by the Disclosing Party, the Receiving Party shall (i) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) limit access to Confidential Information of the Disclosing Party to those of its employees, contractors and agents who need such access for the purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those contained herein. Any exchange of Confidential Information prior to the execution of this Agreement shall continue to be governed by any non-disclosure agreement executed by and between the parties and not the terms of this Agreement. All copies of Confidential Information, regardless of form, shall, at the discretion of the Disclosing Party, either be destroyed or returned to the Disclosing Party, promptly upon the earlier of: (i) Disclosing Party’s written request, or (ii) expiration or termination of this Agreement for any reason.
7.2. Compelled Disclosure: The Receiving Party may disclose Confidential Information of the Disclosing Party (i) as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction; or (ii) as reasonably necessary to comply with any applicable law or regulation; or (iii) as necessary to establish the rights of the Receiving Party, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. Any such disclosure shall be limited to only what is required and shall be subject to the confidentiality obligations to the extent reasonably practicable.
8. Representations, Warranties and Disclaimers
8.1. Mutual Representation: Each party represents and warrants to the other party that it is duly organized and validly existing under the laws of the state of its incorporation and has full corporate power and authority, and is duly authorized, to enter into the Agreement and to carry out the provisions thereof.
8.2. Warranty by Resolve: Resolve warrants that during an applicable Subscription Period (i) the Resolve Platform will perform materially in accordance with the Documentation when Subscriber uses the Resolve Platform in accordance with such Documentation; (ii) Resolve will, at a minimum, implement safeguards for protection of the security, confidentiality and integrity of Subscriber Data, as set forth in DPA of this Agreement; (iii) Resolve will not materially decrease the overall functionality of the Resolve Platform. In case of any breach of warranty listed in this Section, the Subscriber shall be entitled to sole and exclusive remedies against Resolve as described in Sections 11.2. and 11.3. of this Agreement.
8.3. Warranty Disclaimer: Subscriber understands and agrees that the use of the Resolve Platform is at subscriber’s sole risk. Except as expressly provided herein, Resolve Platform is provided on an “as is” and “as available” basis, without any warranties of any kind. Except for warranties specified in this agreement, Resolve disclaims warranties of all kinds, including, but not limited to, the implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. Resolve further disclaims warranties that the Resolve Platform will be uninterrupted, timely, secure, error-free or free from viruses or other malicious software. No advice or information obtained by subscriber from Resolve or from any third party shall create any warranty not expressly stated in this agreement. The foregoing exclusions and limitations shall apply to the maximum extent permitted by applicable law, even if remedy fails its essential purpose.
9. Indemnification
Indemnification by Resolve
9.1. Resolve shall defend Subscriber, at Resolve’s expense, from claims, demands, suits, or proceedings made or brought against Subscriber by a third party (“Claims”) alleging that the use of the Resolve Platform as contemplated hereunder infringes such third party’s Intellectual Property Rights and shall indemnify and hold Subscriber harmless against any loss, damage or costs finally awarded or entered into in settlement (including, without limitation, reasonable attorneys’ fees) (collectively, “Losses”); provided that Subscriber: (a) promptly gives written notice of the Claim to Resolve (although a delay of notice will not relieve Resolve of its obligations under this section except to the extent that Resolve is prejudiced by such delay); (b) gives Resolve sole control of the defense and settlement of the Claim (although Resolve may not settle any Claim unless it unconditionally releases Subscriber of all liability); and (c) provides to Resolve, at Resolve’s cost, all reasonable assistance. Resolve shall have no liability for Claims or Losses to the extent arising from: (d) modification of the Resolve Platform by anyone other than Resolve; (e) use of the Resolve Platform in a manner inconsistent with the Agreement or Documentation; or (f) use of the Resolve Platform in combination with any other product or service not provided by Resolve. If Subscriber is enjoined from using the Resolve Platform or Resolve reasonably believes it will be enjoined, Resolve shall have the right, at its sole option, to obtain for Subscriber the right to continue use of the Resolve Platform or to replace or modify the Resolve Platform so that it is no longer infringing. 
If neither of the foregoing options is reasonably available to Resolve, then the Agreement may be terminated at either party’s option and Resolve’s sole liability, in addition to the indemnification obligations herein, shall be to refund any prepaid fees for the Resolve Platform that was to be provided after the effective date of termination.
Indemnification by the Subscriber
9.2. Subscriber agrees to indemnify and hold harmless Resolve, its directors, officers, employees, affiliates, agents and representatives from and against, including but not limited to, any and all claims, damages, liabilities, fines, penalties, costs and expenses (including reasonable attorneys’ fees) to which Resolve may be subjected as a result of Subscriber’s, its employee’s or agent’s (i) business operations, including, without limitation, Subscriber employee claims, (ii) any act or omission to act which constitutes a breach of this Agreement, or (iii) performance hereunder in a manner that is negligent, grossly negligent, reckless, or improper.
9.3. Subscriber recognizes that Resolve will be irreparably harmed by a violation of Subscriber’s confidentiality, non-use or other obligations hereunder. Therefore, in addition to any other available remedies, Resolve is entitled to an injunction or other decree of specific performance with respect to any violation thereof by Subscriber.
10. Limitation of Liability
Under no circumstances and under no legal theory, whether tort, contract, product liability, negligence or otherwise, shall Resolve or its affiliates be liable to you or any other affiliate or third party for any lost profits, lost sales or lost revenue, loss of data, business interruption, loss of goodwill or for any indirect, special, incidental, exemplary, consequential or punitive damages, even if a party or its affiliates have been advised of the possibility of such damages. In no event shall the liability of either party to the other party or its affiliates, for any claim or action arising out of this agreement, exceed the value of 10% of aggregate of all amounts paid by the Subscriber to Resolve in the twelve (12) months preceding the first event giving rise to such claim or action. The limitations specified herein will not limit Subscriber’s obligation to pay fees in accordance with this agreement.
11. Term and Termination
11.1. Term: The term of this Agreement shall commence on the Effective Date and shall thereafter continue for the duration of the Subscription Period of the relevant Invoice, unless terminated in accordance with the provisions of this Section. Except as otherwise specified in the Agreement or Invoice, subscriptions will automatically renew for additional terms equivalent to the expiring Subscription Period.
11.2. Termination for cause: A party may terminate this Agreement for cause: (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of the creditors.
11.3. Termination by Resolve: Resolve shall be entitled to terminate this Agreement forthwith upon giving written notice of thirty (30) days to the Subscriber if it: (i) enters an agreement with creditors without authorization of Resolve and/or steps have been taken for its winding up (other than for the purposes of bona fide reconstruction); (ii) has reasonable grounds to suspect that it has participated in illegal practices and/or acts or been charged in a court of law acts in a manner prejudicial to the interests of Resolve; (iii) commits misconduct, fraudulent, dishonest, undisciplined conduct or breach of integrity or embezzlement or misappropriation or misuse or causing damage to the Software and other property of Resolve; (iv) misrepresents, makes false statements and breaches the representations and warranties under the Agreement; and (v) ceases or threatens to cease to carry on business.
11.4. Termination for Convenience: Notwithstanding any other provision in this Agreement, Resolve shall at its absolute discretion be entitled to terminate this Agreement without provision of reasons by giving at least 30 (thirty) days prior written notice to the other Party.
11.5. Refund: Upon termination for cause by Subscriber, Resolve shall refund Subscriber any prepaid fees covering the unused portion of the Subscription Period. Upon any termination for cause by Resolve, Subscriber shall expedite all payments due to Resolve and in no event will termination of this Agreement relieve Subscriber of its obligation to pay any fees due to Resolve. Notwithstanding anything contained herein, in the event Subscriber terminates the Agreement except as mentioned in Section 11.2 of the Agreement, Resolve is under no obligation to refund the fees paid by the Subscriber.
11.6. Retrieval of Subscriber Data: Upon Subscriber’s written request made on or prior to expiration or termination of the Agreement, Resolve will give Subscriber limited access to the Resolve Platform for a period of up to thirty (30) days, at no additional cost, solely for purposes of retrieving Subscriber Data. Subject to such thirty day period and Resolve’s legal obligations, Resolve has no obligation to maintain or provide any Subscriber Data and may, unless legally prohibited, delete Subscriber Data; provided, however, that Resolve will not be required to remove copies of the Subscriber Data from its backup media and servers until such time as the backup copies are scheduled to be deleted.
11.7. Surviving Provisions: Sections “Confidentiality,” “Fees and Payments,” “Warranty Disclaimers,” “Limitation of Liability,” “Indemnification,” “Termination,” “Surviving Provisions” and “General” shall survive termination of this Agreement.
12. General
12.1. Applicability of Terms of Service: Subscriber understands that, in addition to the terms of this Agreement, Resolve’s Terms of Service will apply to Subscriber’s access and use of the Resolve Platform. In the event of any conflict between this Agreement and the Terms of Service, the terms of this Agreement shall prevail.
12.2. Entire Agreement: This Agreement, including the Exhibits attached hereto and the Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter of this Agreement and supersedes any and all prior and contemporaneous agreements, negotiations, correspondence, understandings and communications between the parties, whether written or oral, concerning the subject matter hereof.
12.3. Amendment: No changes, modifications or amendment of any nature made to this Agreement shall be valid unless evidenced in writing and signed for and on behalf of both parties by the respective authorized representatives.
12.4. Governing Law and Jurisdiction: This Agreement shall be governed by and construed strictly in accordance with the laws of India (excluding the rules governing conflict of laws). Any dispute arising out of or resulting from this Agreement shall be subject to the exclusive jurisdiction of courts in Bangalore, India to the exclusion of all other courts.
12.5. Notices: All notices required under this Agreement shall be in writing and shall be sent to the respective address set forth below. Any such notice may be delivered by hand, by overnight courier, by registered post or certified mail with return receipt requested, or by electronic mail to the person to whom such notice is to be sent as per the terms of this Agreement. Such notice shall be deemed to have been received: (i) by hand delivery, at the time of delivery; (ii) by overnight courier, on the succeeding business day; (iii) by registered post or certified mail, on the date marked in proof of receipt; and (iv) by electronic mail, when sent. All notices shall be sent to support@Resolveindia.com.
12.6. Relationship of the Parties: The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Neither party shall have the power to bind the other or incur obligations on the other party’s behalf without the other party’s written consent.
12.7. Assignment: Neither party shall assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (which consent shall not be unreasonably withheld). Any attempt by a party to assign its rights or obligations under this Agreement other than as permitted by this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
12.8. Affairs of the Parties: It has been explicitly agreed between the Parties that if, at any time within the term of this Agreement, the Subscriber undergoes one of the following including the sale of the company/entity, then the Subscriber shall have the sole unconditional rights, among others, to: Change in the management; Change in the corporate name or brand name or trademark; Restructuring; Acquisition and merger; Any Private Equity or Loan infusion into the Party. RESOLVE will not interfere or raise any objections in or under the above circumstances, provided that the Subscriber shall ensure that the rights of RESOLVE under this Agreement are not adversely affected or curtailed by virtue of such an event. The existence of the Agreement or/and rights of RESOLVE under this Agreement shall not be affected in any manner and the Subscriber shall ensure the same terms and conditions are carried through the Term of the Agreement. If the Agreement terminates or any rights of RESOLVE are adversely affected due to any of the above circumstances as laid down under this clause above, then the defaulting party, i.e., the Subscriber shall indemnify RESOLVE and compensate it from any loss or expenditure that RESOLVE incurs.
12.9. No Third Party Beneficiaries: The provisions of this Agreement shall be binding and inure solely to the benefit of the parties, their successors, and permitted assigns. Nothing herein, whether express or implied, will confer any right, benefit or remedy upon any person or entity other than the parties, their successors and permitted assigns.
12.10. Force Majeure: No Party shall be liable to the other if, and to the extent, that the performance or delay in performance of any of its obligations under this Agreement is prevented, restricted, delayed or interfered with, due to circumstances beyond the reasonable control of such Party, including but not limited to, Government legislations, fires, floods, explosions, epidemics, accidents, acts of God, wars, riots, strikes, lockouts, or other concerted acts of workmen, acts of Government. The Party claiming an event of force majeure shall promptly notify the other Party in writing and provide full particulars of the cause or event and the date of first occurrence thereof, as soon as possible after the event and also keep the other Party informed of any further developments. The Party so affected shall use its best efforts to remove the cause of non-performance, and the Parties shall resume performance as soon as such cause is removed.
12.11. Severability: Any provision of this Agreement, which is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof or affecting the validity or enforceability of such provision in any other jurisdiction. Accordingly, this Agreement shall be construed as if such portion had not been inserted and the remaining provisions of this Agreement shall remain in full force and effect.
12.12. Waiver: Except as otherwise provided in this Agreement, failure on the part of either Party to exercise any right hereunder or to insist upon strict compliance by the other Party with any of the terms, covenants or conditions hereof shall not be deemed a waiver of such right, term, covenant or condition.
12.13. Interpretation
No provision of this Agreement shall be construed against one party by reason of being deemed the “author” of the Agreement. The headings used in this Agreement are for convenience only and shall not affect the interpretation of the terms of this Agreement.
12.14. Specific terms of use for payment automation services – refer exhibit 4
Exhibit 1
SERVICE LEVEL AVAILABILITY
This Exhibit documents Resolve’s Service Level Availability Policy (“SLA”) with its Subscribers. Capitalized terms, unless otherwise defined herein, shall have the same meaning as in the Master Subscription Agreement.
1. Definitions
“Downtime” shall mean inability to access Resolve Platform due to a Qualifying Fault. Downtime is measured based on availability of the Resolve Platform as measured by Resolve’s monitoring tools.
“Qualifying Fault” shall mean and include server side errors and reachability errors attributable to the Resolve Platform.
“Downtime Period” shall mean eight business hours or more consecutive minutes of Downtime.
“Monthly Uptime” shall mean total number of hours in a calendar month minus the number of business hours of Downtime suffered from all Downtime Periods in a calendar month.
“Monthly Uptime Percentage” shall mean the percentage calculated by dividing Monthly Uptime by the total number of hours in a calendar month.
“Scheduled Downtime” shall mean unavailability of the Resolve Platform about which Subscriber is informed at least forty eight (48) hours in advance. A Scheduled Downtime will not constitute a Qualifying Fault.
2. Service availability
Resolve Platform will have a Monthly Uptime as per industry standards.
3. Resolve Platform Updates
Periodically, Resolve introduces new features in the Resolve Platform with enhanced functionality. Features and functionality will be made available as part of a major feature release (“Feature Release”) or as part of weekly service updates (“Service Updates”).
4. Resolve Support Scope
Resolve will support functionality that is delivered by Resolve as part of the Resolve Platform. For all other functionality, and/or issues or errors in the Resolve Platform caused by issues, errors and/or changes in Subscriber’s information systems, customizations, and/or third-party products or services, Resolve may assist Subscriber and its third-party providers in diagnosing and resolving issues or errors but Subscriber acknowledges that these matters are outside of Resolve’s support obligations. Failure to meet obligations or commitments under this SLA that are attributable to (i) Subscriber’s acts or omissions; and (ii) force majeure events shall be excused.
6. Issue Submission and Reporting
Subscriber’s Named Support Contacts may submit cases to Resolve Support via the Resolve Support Portal. Named Support Contacts must be trained on the Resolve Platform. Each case will be assigned a unique case number. Resolve will respond to each case in accordance with this SLA and will work diligently toward resolution of the issue taking into consideration its severity and impact on the Subscriber’s business operations. Actual resolution time will depend on the nature of the case and the resolution itself. A resolution may consist of a fix, workaround, delivery of information or other reasonable solution to the issue. Case reporting is available on demand via the Resolve Support Portal.
7. Severity level determination
Subscriber shall reasonably self-diagnose each support issue and recommend to Resolve an appropriate Severity Level designation. Resolve shall validate Subscriber’s Severity Level designation or notify Subscriber of the change in the Severity Level designation to a higher or lower level with justification. The following definition shall be used in determination of severity level:
- Severity Level 1 – Description: This Problem Severity Level is associated with: the software, as a whole, is non-functional or is not accessible; unauthorized exposure of all or part of the client’s data; or loss or corruption of all or part of the client’s data.
- Severity Level 2 – Description: This Problem Severity Level is associated with significant and / or ongoing interruption of an authorized user’s use of a critical function of the software and for which no acceptable work-around is available.
- Severity Level 3 – Description: This Problem Severity Level is associated with: a minor and/or limited interruption of an authorized user’s use of a non-critical function of the software; or, problems which are not included in Problem Severity Levels 1 or 2.
- Severity Level 4 – Description: This Problem Severity Level is associated with: general questions about the software; or, configuration changes that have been previously agreed to be in scope by the client.
8. Response and resolution
Response, Problem Determination and Resolution/Restoration/Work-around Timeframe as per industry standards.
9. Exclusions
The SLA does not apply to any performance and availability issues:
- caused by factors outside of Resolve’s reasonable control;
- that resulted from any actions or inactions of Subscriber; or
- that resulted from Subscriber’s equipment and/or third party equipment that are not within Resolve’s reasonable control.
Exhibit 2
Data Processing Agreement
Digital Personal Data Protection Act 2023
Your use of the Website, application or Resolve Platform, owned and managed by Resolve, is governed by the following terms and conditions of this Agreement as applicable to the Website, application or Resolve Platform, including the applicable policies which are incorporated herein by way of reference. By mere use of the Website, application or Resolve Platform, You shall be contracting with Resolve and these terms and conditions including the policies constitute your binding obligations with Resolve.
This Agreement is hereby executed and enforceable between:
Customer/Partner (Hereinafter referred to as “Data Fiduciary”)
AND
ResolveBiz Services and Apps Private Limited, a company incorporated as per Indian Companies Act, 2013 (Hereinafter referred to as the “Data Processor” or “Resolve”)
Data Fiduciary and Data Processor may be referred to as “Party” individually and “Parties” collectively in this DPA.
WHEREAS
- The Data Fiduciary Controller is, for the purpose of this DPA, a data controller as provided under Section 2(i) of the DPDP Act 2023.
- The Data Fiduciary wishes to obtain certain services from the Data Processor in light of which it will share certain information/data/material which shall require processing compliances with the DPDP Act by both Parties.
- Therefore, the Parties have agreed to enter into this DPA which contains the relevant DPDP Regulation clauses to be followed by the Parties who signed the Subscription Services with Resolve.
Therefore, in consideration of the mutual obligations set out in this DPA, the parties agree as follows:
This DPA details the roles of both Parties set forth in the DPDP Act.
This DPA is applicable for below Clauses
- If the Customer entity signing this DPA is also a party to the MSA, then this DPA shall form an integral part of such MSA.
- If the Customer entity signing this DPA has executed an Order Form with Resolve, or its Affiliate pursuant to the relevant agreement, but is not by itself a party to the Agreement, then this DPA is an addendum to that Order Form and/or applicable renewal Order Forms.
- If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
- If the Customer entity signing the DPA is not a party to an Order Form nor a Master Subscription Agreement directly with Resolve, but is instead a customer indirectly via an authorized reseller of Resolve services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required. This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in Customer’s Agreement (including any existing data processing addendum to the Agreement).
The Data Fiduciary and Resolve each warrant that they are and will continue to adhere to DPDP Act and shall perform their obligations under this DPA in accordance with the provisions of the DPDP Act from time to time in force.
The parties acknowledge, for the purposes of DPDP, that the Customer/Partner is the Data Controller for the Personal Data (Personal Data of Customer’s Employees or the Customer’s Customer or Contractor as applicable) and the performance of the services will require the processing of Personal Data by Resolve for the Data Controller.
The parties acknowledge that for the purposes of DPDP Regulations:
- Resolve shall be processing the personal data provided by Data Fiduciary that is limited to Name, Phone, E-Mail and Job Title for the escalation and communication that is used to send notifications/alerts during the business operations to the Data Subjects whose personal data is shared by the Data Fiduciary.
- Resolve implements controls to undertake Consent from Users of the platform without disrupting Customer’s Operations. The Data Fiduciary is responsible for ensuring the respective customers and users accept the user consent.
- Resolve may use various software tools/Cloud Services for storing such Personal Data in their repositories which is vetted as per the conditions of the DPDP Regulations.
- Resolve may use or store the Personal Data for retracting any reference to the Data Subject, as mentioned in their Privacy Policy, if it is required in future even after expiry of the agreement for identifying or tracing any alerts/notifications sent to the Data Subject.
- The Customer/Partner shall be responsible to notify and undertake Consent from their Employees/Customers/Contractors on how the Personal Data is processed by Resolve and their Data Sub-Processor, without which compliance to DPDP Regulation by the Data Fiduciary/Resolve/Data Sub-Processor would be difficult.
- Resolve shall bring to the Customer’s/Partner’s attention if they find a Personal Data Breach in their or their Data Sub-Processor environment that has impacted any form of Personal Data stored by either or both parties.
Resolve’s Obligations
- Resolve shall not process Personal Data (Personal Data collected from the Data Fiduciary) other than for the purposes of the processing which are documented in the Agreement.
- Resolve warrants to the Data Fiduciary (Customer/Partner) to comply with below:
- Resolve shall fully comply with the provisions of DPDP Regulations in carrying out its obligations under this DPA.
- It has all provisions for data protection necessary for carrying out of its obligations under this agreement and shall maintain such provisions throughout the term.
- Resolve shall adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach.
- Resolve shall appoint, transfer or transmit the Personal Data to Data Sub-Processors only after they have received express written permission of the Data Fiduciary.
- Resolve shall ensure that the Data Sub-Processors process the Personal Data (Personal Data collected from the Data Controller) as per the instructions provided by Resolve, in accordance with the requirements of DPDP Act.
- Resolve shall not collect Personal Data (Personal Data collected from the Data Fiduciary), more than that is required to Resolve for Processing.
- Resolve shall not appoint any other Data Sub-Processor/Third Party for processing Personal Data (Personal Data collected from the Data Fiduciary) that does not meet the requirements of DPDP regulations.
- Resolve shall allow Data Principals to keep contents of their Personal Data (Personal Data collected from the Data Fiduciary) accurate.
- On reasonable written notice by the Data Fiduciary, Resolve shall make available to the Data Fiduciary all such information as is necessary to demonstrate Resolve’s compliance with DPDP Regulations, including where such information is requested as part of an audit/assessment/compliance check.
- On termination of the Agreement, at the Data Fiduciary’s sole written requisition, Resolve shall provide all Personal Data (Personal Data collected from the Data Fiduciary) to the Data Fiduciary and shall provide reasonable evidence of erasure.
- Resolve shall keep the records of the Processing activities that are carried out on behalf of Data Fiduciary.
- Resolve shall assist the Fiduciary in meeting its DPDP obligations to notify the Personal Data Breaches to the Data Protection Board of India along with the process and information required to be submitted for the same.
- Resolve shall not use the Personal Data (Personal Data collected from the Data Fiduciary) for activities like analytics and profiling unless required for business operations to provide subscribed services.
- Customer Data Incident Management: Resolve maintains security incident management policies and procedures specified in the Security Policy on the website and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Resolve or its Sub-processors of which Resolve becomes aware (a “Customer Data Incident”). Resolve shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Resolve deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Resolve’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
- Resolve shall immediately notify the Data Fiduciary with full details of:
- Any Personal Data Breach in relation to this Agreement;
- Processing of Personal Data (Personal Data collected from the Data Fiduciary) which are contrary to or would require it to act in a way contrary to DPDP regulations;
- Any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data.
- Return and Erasure of Customer Data: Resolve has made provision for retrieval of customer data from the platform by authorization, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Retention Policies.
- Nothing in this Agreement shall relieve Resolve of its own direct responsibilities and liabilities under DPDP Regulations.
- The Clauses in this document shall be governed by the laws of India in which the data processing is established.
- In assessing the appropriate level of security, Resolve shall conduct DPIA (Data Protection Impact Assessment) on a periodic basis to evaluate the risks that are presented by processing, from a Personal Data Breach.
Appendix 1
This Appendix forms part of the DPA covering Information Security of the Platform and Operations. Description of the technical and organizational security measures implemented by Resolve, in accordance with Data Processing Agreement.
Resolve currently observes the security practices described in this Appendix 1. Notwithstanding any provision to the contrary otherwise agreed to by data controller, Resolve may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
Access Control
- Preventing Unauthorized Product Access
- Outsourced processing: Resolve hosts its Service in a Colocation and outsourced cloud infrastructure providers. Resolve maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement.
- Physical and environmental security: Resolve hosts its product infrastructure with multi-tenant, outsourced infrastructure providers.
- Authentication: Resolve implemented a unified password policy for its Platform. Customers who interact with the platform via the user interface must authenticate before accessing their data. Resolve also has a provision for integrating with various single sign-on tools or using Resolve’s authentication mechanisms.
- Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Resolve’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against role-based access policies defined by the Customer.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through any other authorized process or method.
- Preventing Unauthorized Product Use
- Resolve implements standard access controls and detection capabilities for the internal networks that support its products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The control measures are implemented by security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: Resolve implemented Firewalls designed to identify and prevent attacks against publicly available network services. A regular VA and PT assessment is carried out to proactively identify any threats and remediate as required.
- Static code analysis: Security reviews of code stored in Resolve’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Limitations of Privilege & Authorization Requirements
- Product access: An authorized group of Resolve’s employees and Technology Service Providers have access to the Platform and to customer data via controlled interfaces. The intent of providing access to an authorized employee/personnel is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through a Service request process for all requests for access. Employees/authorized personnel are granted access by role and responsibility. Employee/Personnel roles are reviewed at least once every six months as part of Internal Security Audit.
- Product access: All Resolve employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Data Transfer Controls
- In-transit: Resolve makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its logins. Data is transmitted between systems in the same geographical regions.
- At-rest: Resolve stores user passwords following policies that follow industry standard practices for security. Resolve has implemented technologies to ensure that stored data is encrypted at rest.
Data Input
- Detection: Resolve has designed internal monitoring and management systems to log information about the system behavior, traffic received, system authentication, and other application requests. Internal systems alert appropriate Platform Support Groups of malicious, unintended, or anomalous activities. Resolve has established support process and personnel for security, operations to respond to various incidents.
- Response and tracking: Resolve maintains a record of known security incidents that includes description, dates and times, priority and remediation process. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Resolve will take appropriate steps to minimize Product and Customer damage or unauthorized disclosure.
- Communication: If Resolve becomes aware of unlawful access to Customer data stored within its products, Resolve will:
- notify the affected Customers of the incident
- provide a description of the steps taken to resolve the incident; and
- provide status updates to the Customer contact, as Resolve deems necessary. Notification(s) of incidents, if any, shall be delivered to one or more of the Customer’s contacts in a form Resolve selects, which may include via email through Customer Support.
Availability Control
- Infrastructure availability: Resolve is obligated to provide a minimum uptime for the Platform as per industry standards. The providers maintain a minimum of N+1 redundancy to power, network, and other Services in the Colo.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple systems. Resolve maintains an Active-Active set-up for disaster recovery to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Resolve’s operations in maintaining and updating the product applications and backend while limiting downtime.
Audits and Certification
Resolve is in the process of being certified for ISO 27001:2013 and is preparing to be assessed in compliance with the controls stipulated in SOC 2 Type II.
Appendix 2
Definitions:
- Personal Data: Personal Data means any information relating to an identified or identifiable natural person (‘Data Principal’). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data:
- Name
- Identification Number
- Location data
- An online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Natural Person.
- IP Address
- Cookie Identifiers
- Radio Frequency ID (RF ID) tags
- Natural Person/Data Subject: An identifiable Natural Person/Data Principal is one who can be identified, directly or indirectly, by reference to his/her Personal Data.
- Processing: Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data by automated means, such as:
- Collection
- Recording
- Organisation
- Structuring
- Storage
- Adaptation or alteration
- Retrieval/Downloading data
- Consultation
- Use
- Disclosure by transmission
- Dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- Data Fiduciary: Data Fiduciary means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Data Processor: Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Fiduciary.
- Data Sub-Processor: Data Sub-Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Data Processor.
- DPDP: The Digital Personal Data Protection Act, 2023 is a legal framework that sets guidelines for the collection and processing of Personal Data of individuals in India.
- Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Personal Data Breach: Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Consent: Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the Data Principal.
- Supervisory Authority: Supervisory authority means an independent public authority which is established under the DPDP Act as The Data Protection Board of India. Supervisory Authority Concerned means a Supervisory Authority which is concerned by the processing of personal data because:
- The Data Fiduciary or processor is established in the territory of India.
- Data Principals residing in India under the DPDP regulations are substantially affected or likely to be substantially affected by the processing; or
- A complaint has been lodged with the Data Protection Board of India.
Exhibit 3
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Resolve has established, and will maintain at a minimum, an information security management system that includes the following:
- Security Governance
- A governance framework that supports relevant aspects of information security through appropriate policies and standards.
- Formal documentation of the roles and responsibilities of employees with respect to governance of Information Security within Resolve that are communicated by the management to employees.
- An information security program in accordance with the international standard ISO 27001 that includes technical, organizational and physical security measures in order to protect Personal Information against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction.
- Formally documented information security policy, data privacy policy and other policies that are communicated periodically to employees responsible for the design, implementation and maintenance of security and privacy controls. The policies will be reviewed annually to keep them up-to-date.
- Compliance with industry standard security measures as described at https://www.Resolveindia.com OR Resolvepayroll.com/compliance.html.
- Risk Management
- Annual risk assessment, to prioritize mitigation of identified risks.
- Established internal audit requirements and periodical audits on information systems and processes at planned intervals.
- Assessment of the design and operating effectiveness of controls against the established control framework through which corrective actions related to identified deficiencies will be tracked to resolution.
- Human Resources Security
- Background verification of all employees having access to confidential data that includes verification of criminal records, previous employment records if any, and educational background.
- Signing of confidentiality agreement and acceptable use policy by employees upon their employment with clauses on protection of confidential information.
- Training on security and privacy awareness including training on Resolve’s policies, standards and relevant technologies along with maintenance and retention of training completion records.
- Employees will be required to adhere to the information security policies and procedures. Disciplinary process for non-adherence will be defined and communicated.
- Identity and Access management of Resolve Personnel
- Creation of unique identifiers for employees to access information systems and prohibition of sharing user accounts among employees
- User authentication to information systems protected by passwords that meet Resolve’s password policy requirements derived based on NIST SP 800-63B standards.
- Strong password configurations that include i) 8 character minimum length; ii) non-dictionary words and iii) screening of passwords against a list of known compromised passwords.
- Mandatory Two factor authentication for access to information systems involving confidential data.
- Secure remote access to the corporate network provisioned via SSL VPN with strong encryption and two factor authentication.
- Adherence to the principles of least privilege and need-to-know and need-to-use basis for access control.
- Approval mechanism from appropriate personnel to provide access to information systems.
- Revocation of access that is no longer required in the event of termination or role change.
- Recording of approval, assignment, alteration and withdrawal of access rights.
- User access reviews on a half yearly basis and corrective actions whenever necessary.
- Restrictions on administrative access to Personal Information and provision of access on a strictly need-to-know basis along with implementation of access-control measures such as mandatory two factor authentication.
- Asset Management
- Inventory maintenance of assets associated with information processing. Owners are assigned for each asset and rules for acceptable use of assets are defined. Assets assigned to employees are returned in the event of termination or role change.
- Capacity management policies through which resources are continuously monitored and projections are made for future requirements.
- Determined procedures in accordance with industry best practices for the reuse, secure disposal and destruction of electronic media to ensure that the data is rendered unreadable and unrecoverable.
- Disposal of unusable devices by verified and authorized vendors which includes storing of such devices in a secure location until disposal, formatting any information contained in the devices before disposal, degaussing and physical destruction of failed hard drives using shredder and crypto-erasing and shredding of failed SSDs.
- Physical Security
- Physical access to Resolve’s data center is highly restricted and requires prior management approval. The data centers are housed in facilities that require electronic card key access. Additional two-factor authentication and biometric authentication are required to enter the data center premises and there is continuous monitoring of CCTV cameras and alarm systems.
- Control of physical access to Resolve’s development facilities so that they are adequately secured.
- Defined visitor management process to authorize visitor entries and maintenance of access records of visitors.
- Revocation of physical access to employees in the event of termination of employment or role change.
- Network Security and Operations
- A dedicated Network Operations Center (NOC), which operates 24×7 monitoring the infrastructure health.
- Establishment and implementation of firewall rules in accordance with identified security requirements and business justifications.
- Review of firewall rules on a quarterly basis to ensure that legacy rules are removed and active rules are configured correctly.
- Establishment and maintenance of appropriate network segmentation, that includes use of virtual local area networks (VLANs) where appropriate, to restrict access to systems storing confidential data with a data storage layer that is designed to be not directly accessible from the Internet.
- Clear separation of production, development and integration environments to ensure that production data is not replicated or used in non-production environments for testing purposes.
- Management of access to production environments by a central directory and authentication for such access using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Access to the production environment is facilitated through a separate network with strict rules.
- Deployment of DDoS mitigation capabilities from well-established service providers to prevent volumetric attacks and to keep the applications available and performing.
Secure Software Development
- Well defined security process that is implemented and monitored throughout the SDLC taking into consideration confidentiality, availability and integrity requirements.
- Implementation of secure software development policies, procedures, and standards that are aligned to industry standard practices such as OWASP, CSA, CWE/SANS including secure design review, secure coding practices, risk based testing and remediation requirements.
- Training on secure coding principles and industry standards to personnel involved in the development and coding of products.
- “Secure by design” approach by incorporating security risk assessments and Threat modeling in the planning and analysis phase of SDLC and review of the design to prevent new threats.
- Examination of Source code changes for potential security issues using Resolve’s proprietary SAST (static code analysis) tools and manual review process before deployment.
- Web Application Firewall (WAF) layer that is embedded in all web applications for protection against Open Web Application Security Project (OWASP) threats, including SQL injections, Cross-site scripting (XSS) and remote file inclusions.
- Maintenance of inventory of third party software that gets bundled in the products/services.
- Alerts on potential security vulnerabilities in the third party software by Resolve’s proprietary SCA (Software Composition Analysis) that is reviewed periodically to check its applicability and impact and to take steps to upgrade third party software to the latest version.
- Appropriate checking and elimination procedures to ensure that the service is not affected by malware/viruses during development, maintenance and operation.
- Appropriate security controls to ensure the confidentiality, integrity and availability of the CI/CD pipeline in the software development environment used to develop, deploy, and support the products.
- Maintenance of clear distinction between the development, QA and production environments.
Data Security and Management
- Information classification scheme with data handling guidelines related to access control, physical and electronic storage, and electronic transfer.
- Logical separation of each subscriber’s service data from other subscribers’ data by distributing and maintaining separate logical cloud space for each subscriber.
- Deletion of data from active database upon termination of Resolve Platforms by the subscriber (clean-up occurs once in every 6 months), deletion of backup data within 3 months of deletion from active database and termination of accounts that remain unpaid and inactive for a continuous period of 120 days by giving prior notice to the subscriber.
Encryption
- Use of transport encryption for information that traverses across networks outside of the direct control of Resolve including, but not limited to the Internet, Wi-Fi and mobile phone networks.
- Encryption of data transmission to Resolve Platforms using TLS 1.2/TLS 1.3 protocols, with latest and strong ciphers like AES_CBC/AES_GCM with 256 bit/128 bit keys, authentication of messages using SHA2 and use of ECDHE_RSA as the key exchange mechanism.
- Encryption of sensitive Personal Information at rest using 256-bit Advanced Encryption Standard (AES). (The data that is encrypted at rest varies specific to Resolve Platforms and also options are provided where the subscriber defines the fields to encrypt depending on their business need and data sensitivity).
- Irreversible industry standard algorithm (bcrypt) will be used to hash and store the passwords of Resolve Platforms with randomly generated per user salt added to the input.
- Resolve’s in-house Key Management Service (KMS) to own and maintain encryption keys that includes additional layer of security by encrypting the data encryption keys using master keys.
- Separation of master keys and data encryption keys by physically storing them in different servers with limited access.
Change Management
- A change management policy that governs changes in all components of the service environment whereby all changes are planned, tested, reviewed and authorized before implementation into production.
- Assessment of the potential impacts, including information security and privacy impacts of the changes.
- Documented fall-back mechanisms including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
- Notification to subscriber of any changes that may affect subscribers in an adverse manner.
Configuration Management
- Implementation of security hardening and baseline configuration standards in accordance with industry standards that are reviewed and updated periodically.
- Predefined OS images with security baselines are used to build systems in development and production.
- Hardening standards including (i) ensuring that unnecessary features, services, components, files, protocols and ports are removed from the production environment; and (ii) removing unnecessary user logins and disabling or changing default passwords.
- Approval from the appropriate personnel to install any software package in the production environment.
Vulnerability Management
- Vulnerability management plan designed to (i) identify promptly, prevent, investigate, and mitigate any cyber security vulnerabilities; (ii) analyze the vulnerability; (iii) perform recovery actions to remedy the impact.
- Vulnerability assessments using automated scanners performed periodically on Resolve’s internet facing systems.
- Application penetration testing by Resolve’s in-house security personnel performed annually in accordance with defined test methodologies.
- Review of identified issues from vulnerability assessments and penetration testing, determination of its applicability, impact and priority and rectification in accordance with the SLA definition: High level vulnerabilities within 7 calendar days of discovery, Medium level vulnerabilities within 30 calendar days of discovery and Low level vulnerabilities within 60 calendar days of discovery.
- Monitoring known vulnerabilities from common sources such as OWASP, CVE, NVD and other vendor security lists and installation of security relevant patches to product and/or supporting systems in accordance with Resolve’s patch management policy.
- Antivirus deployment by running the current version of industry standard anti-virus software as a part of which signature definitions are updated periodically within 24 hours of release, real time scans are enabled and alerts are reviewed and resolved by appropriate personnel.
Security Logging and Monitoring
- Use of centralized logging solution to aggregate and correlate events from various components including network devices, servers and applications.
- Maintenance of audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events and retention of logs in accordance with applicable policies and regulations.
- Host and application intrusion detection (IDS) technology to facilitate timely detection, investigation and response to incidents.
- Restrictions on physical and logical access of logs by authorized personnel.
Business continuity and Disaster recovery
- Disaster recovery and business continuity plans and processes (i) to ensure continuous availability of the services in case of any disaster; (ii) to provide an effective and accurate recovery.
- Annual review of business continuity plan to evaluate its adequacy & effectiveness.
- Redundancy mechanisms to eliminate single point of failure consisting of (i) dual or multiple circuits, switches, networks or other necessary devices; and (ii) storing of application data in a resilient storage that is replicated in near real time across data centers.
- Taking periodic backups (incremental backups every day and weekly full backups) and storing them in an encrypted format in the same datacenter.
- Retention of backups for a period of three months and testing recovery of backups at planned intervals.
- SLA for service availability is in accordance with industry standard uptime, as a part of which real time availability can be viewed at https://status.Resolveindia.com OR resolvepayroll.com.
Incident Management
- An incident response plan and program containing procedures that are to be followed in the event of an information security incident.
- Dedicated email (incidents@Resolve.com) to which external parties can report security incidents and creating awareness among employees to report any potential security incident or weakness on time without any delay.
- Tracking of security incidents, fixing of such incidents through appropriate actions, maintenance of such records in the incident registry and implementation of controls to prevent recurrence of similar incidents.
- Incident management procedures that lay down the steps for notifying the client and other stakeholders in a timely manner in accordance with breach notification obligations.
- Implementation of appropriate forensic procedures including chain of custody for collection, retention, and presentation of evidence in the event of an information security incident likely to result in a legal action.
Third-Party Vendor Management
- Vendor management policy through which Resolve evaluates and qualifies third party vendors as a part of which new vendors are onboarded only after understanding their processes and performing risk assessments.
- Execution of agreements with vendors that require vendors to adhere to confidentiality, availability, and integrity commitments in order to maintain Resolve’s security stance.
Exhibit 4
Specific terms of use for payment automation services
This document/agreement/understanding is a computer-generated electronic record published in terms of Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (amended from time to time) read with Information Technology Act, 2000 (amended from time to time) and does not require any physical or digital signatures.
- You agree that your use of any value-added service shall be construed as a consent to any additional fees which may be levied by Resolve on such additional Service or value-added service.
- You agree that the fees shall be charged according to the manner, rates and frequency determined by Resolve. Resolve reserves the right to update the amount of the Fees at any point of time.
- Fees are exclusive of applicable taxes and Resolve will charge such applicable taxes on the fees from time to time. You agree that any statutory variations in applicable taxes during the subsistence of these Terms shall be borne by You.
- For fees deducted upfront before provision of the specific Service, it is agreed that if You deposit applicable taxes under Section 194J of the Income Tax Act, 1961 (in respect of invoices received by You) and furnish to Resolve Form 16-A in respect of such taxes paid, then Resolve shall reimburse to You, on a quarterly basis, the amount in respect of such taxes paid. In all other cases, with respect to invoices received by You, at the time of payment of the Fees, You will withhold applicable taxes under Section 194J of the Income Tax Act, 1961 (in case LTDC is provided as per the LTDC issued). You shall deposit the withheld taxes with the government treasury, file the statutorily mandated returns and furnish the requisite tax deduction certificate (Form 16-A) to Resolve within the timelines prescribed so as to enable Resolve to obtain full credit for the taxes deducted at source.
- You understand that the sender account name being reflected in the receivers’ bank transfer will be ‘ResolveBiz Services and Apps Private Limited’.
- You shall be solely responsible for any incorrect transaction or transaction processed for any reason other than the intended use from Resolve. Resolve will process transactions on your behalf in good faith.
- If Resolve is intimated, by a Facility Provider, that a customer has reported an unauthorized debit of the customer’s Payment Instrument (“Fraudulent Transaction”), then in addition to its rights under Clause 1T&6 of the General Terms of Use, Resolve shall be entitled to suspend settlements to You during the pendency of inquiries, investigations and resolution thereof by the Facility Providers.
- You shall be responsible to do reconciliation on a daily basis for all the transactions processed. In case of discrepancies, You shall report to Resolve regarding such discrepancy within three (3) working days. However, if any reconciliation issue is highlighted by You to Resolve after three (3) working days from the transaction date, Resolve shall not be responsible or liable in any way whatsoever in case such queries and/or concerns are not resolved.
- You shall be solely responsible for updating Your GST registration number with Resolve before Resolve generates the invoice and shall also submit the GST certificate as part of KYC. Resolve will raise a GST tax invoice and report the transactions in the GST returns based on the information provided by You. The GST returns will be filed as per the statutory timelines, to enable You to avail appropriate input tax credit. Resolve shall not be responsible for any mistake and or misrepresentation by You in updating the GST number and other particulars as per the GST certificate. Further, any liability raised on Resolve by the GST authorities due to incorrect information provided by You or deliberate withholding of any statutory information by You shall be recovered by Resolve from You.
- We will raise invoices in respect of fees charged for Services provided. Any dispute in respect of an invoice must be communicated by You to Us via a notice no later than ten (10) days from the date of the invoice. Resolve shall use good faith efforts to reconcile any reasonably disputed amounts.