Master Services Agreement & Data Processing Addendum

MASTER SERVICES AGREEMENT (MSA)

INCLUDING DATA PROCESSING ADDENDUM (MSA + DPA)

This Master Services Agreement (“Agreement”) is entered into by and between:

Valueance Technology Solutions LLP, a limited liability partnership incorporated under the laws of India, having its registered office at 201, Skyee 66, Shivshankar Girija Society, NIBM Undri Road, Pune - 411048, operating the SaaS payroll platform PayComply (“Service Provider”, “Data Processor”),

AND

The subscribing organization (“Subscriber” or “Customer” or “Data Fiduciary”) accepting this Agreement electronically or otherwise.

WHEREAS, collectively referred to as “Parties” and individually as a “Party”.

WHEREAS, the “Subscriber” or “Customer” or “Data Fiduciary” acknowledge that this Agreement, Platform records, payroll reports and other communications maintained electronically constitute valid electronic records and electronic contracts under the Information Technology Act, 2000 and shall be legally enforceable.

1. DEFINITIONS

1.1 “Platform” means the SaaS payroll processing solution branded as PayComply, operated by Valueance Technology Solutions LLP.

1.2 “Personal Data”, “Sensitive Personal Data”, “Data Principal”, “Data Fiduciary”, “Data Processor” and “Personal Data Breach” shall have the meanings assigned under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

1.3 “Customer Data” or “Subscriber Data” means all data uploaded, stored, processed or transmitted by the Customer or its authorized users through the Platform, including employee payroll data.

1.4 “Sub-Processor” means any third party engaged by PayComply to process Customer Personal Data on its behalf.

2. SCOPE OF SERVICES

2.1 PayComply shall provide the Subscriber access to the Platform for payroll processing and related services, as per the selected subscription plan.

2.2 The Platform may be used by:

(a) Direct employers processing payroll for their employees; or
(b) Third-party payroll service providers processing payroll on behalf of their client organizations.

3. DATA PROTECTION & PROCESSING (DPA)

This Section constitutes the Data Processing Addendum (“DPA”) between the Parties and forms an integral part of this Agreement. In the event of any conflict between the terms of this Section 3 and other provisions of the Agreement, this Section 3 shall prevail with respect to the processing of Personal Data.

3.1 Roles of the Parties

The Subscriber acts as the Data Fiduciary under the DPDP Act.
PayComply acts as a Data Processor / Sub-Processor, processing Personal Data solely on documented instructions of the Customer.

3.2 Purpose Limitation

PayComply shall process Personal Data only for:

Payroll computation and compliance
Statutory reporting
Platform security, support, and audit requirements and for no other purpose.

3.3 Lawful Basis & Consent

The Subscriber represents and warrants that it has obtained all necessary consents and authorizations from Data Principals for lawful processing of Personal Data through the Platform.

3.4 Security Measures (ISO 27001 / SOC 2 Aligned)

PayComply maintains a documented information security program aligned with ISO/IEC 27001 and SOC 2 Type II principles, including:

AES-256 encryption of Personal Data at rest
Encryption in transit using industry-standard TLS
Role-based access control and least-privilege enforcement
Secure key management practices
Audit logging and monitoring of system activity
Periodic vulnerability assessments and access reviews

3.5 Confidentiality

PayComply shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

3.6 Sub-Processing

(i). The Subscriber authorizes PayComply to engage Sub-Processors as necessary to deliver the Services.
(ii). PayComply shall:

Enter into written agreements with Sub-Processors imposing data protection obligations no less protective than this Agreement
Maintain a Sub-Processor Disclosure Schedule (Schedule B)

3.7 Data Principal Rights Assistance

PayComply shall reasonably assist the Subscriber in fulfilling requests from Data Principals under Sections 11-13 of the DPDP Act, to the extent legally permissible.

3.8 Personal Data Breach Notification

PayComply shall notify the Subscriber without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data and provide relevant details to support statutory reporting. A Personal Data Breach includes any unauthorized access, disclosure, alteration or destruction of data, including incidents covered under the Information Technology Act, 2000.

3.9 Data Retention & Deletion

Upon termination of the Agreement:

Personal Data shall be returned or securely deleted, unless retention is required under applicable law.
Deletion shall be performed using industry-standard secure deletion methods.

3.10 Sub-Processor Governance

Sub-Processor engagement and change control shall be governed by Annexure A - Schedule B.

4. PRIVACY NOTICE INCORPORATION

The Payroll Privacy & Information Security Notice published by Valueance Technology Solutions LLP for PayComply, as updated from time to time and made available on the Platform, is incorporated by reference.

In the event of conflict, this Agreement and its Annexures shall prevail.

5. CUSTOMER / SUBSCRIBER OBLIGATIONS

The Customer / Subscriber shall:

Ensure accuracy and legality of uploaded data.
Restrict access to authorized users only.
Use the Platform in compliance with applicable laws
Notify PayComply of any unauthorized access or misuse

6. AUDIT & COMPLIANCE

(a). PayComply shall make available reasonable information necessary to demonstrate compliance with this Agreement.
(b). Subscriber / Customer audits shall be subject to reasonable notice, confidentiality, and non-disruption requirements.

7. INTELLECTUAL PROPERTY

All intellectual property rights in the Platform remain exclusively with Valueance Technology Solutions LLP. No rights are transferred except limited usage rights.

8. LIMITATION OF LIABILITY

Except for willful misconduct or statutory liability:

(a). PayComply's aggregate liability shall be limited to fees paid in the preceding 12 months.
(b). No indirect or consequential damages shall be liable.

9. INDEMNITY

Each party shall indemnify the other against claims arising from:

(a). Breach of this Agreement.
(b). Violation of applicable data protection laws.
(c). Unauthorized data processing

10. TERM & TERMINATION

(a). This Agreement commences upon acceptance and continues until terminated.
(b). Either party may terminate for material breach with notice and cure period.

11. FORCE MAJEURE

(a). Neither Party shall be liable for any delay or failure in performance due to causes beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, labour disputes, governmental action, or internet or telecommunications failures.
(b). The affected Party shall notify the other Party of the occurrence of such event and use reasonable efforts to mitigate its effects.

12. SURVIVAL

The provisions relating to data protection, confidentiality, information security, audit rights, breach notification, limitation of liability, indemnity, governing law, and any obligations which by their nature are intended to survive termination, including Annexure A (Data Processing Addendum) and its Schedules, shall survive the termination or expiry of this Agreement.

13. MISCELLANEOUS / GENERAL PROVISIONS

(a). GOVERNING LAW

This Agreement shall be governed by the laws of India, with exclusive jurisdiction of courts at Pune, Maharashtra, India.

(b). CONFLICT & PRECEDENCE

In the event of any conflict or inconsistency between the terms of this Agreement, any Order Form, Annexure A (Data Processing Addendum), its Schedules, or any policies or notices referenced herein, the following order of precedence shall apply:

(a) the Master Services Agreement;
(b) Annexure A (Data Processing Addendum), including its Schedules;
(c) the applicable Order Form; and
(d) any policies or notices published on the Platform, including the Payroll Privacy & Information Security Notice.

Notwithstanding the foregoing, with respect to the processing of Personal Data, Annexure A shall prevail to the extent required by applicable data protection laws.

ANNEXURE A - DATA PROCESSING ADDENDUM (DPA)

“This Annexure A and its Schedules form an integral part of the Master Services Agreement and shall survive termination.”

This Data Processing Addendum (“Addendum”) forms an integral part of the Master Services Agreement (“Agreement”) between the Customer and PayComply. This Addendum governs the Processing of Personal Data by PayComply on behalf of the Customer in connection with the Services provided under the Agreement.

Schedule A - Data Processing Details

1. Categories of Data Principals

PayComply processes Personal Data relating to the following categories of Data Principals:

Employees of the Subscriber / Customer
Contractual workers and consultants engaged by the Subscriber / Customer
Authorized payroll administrators and HR users of the Subscriber / Customer

2. Categories of Personal Data Processed

Subject to the Subscriber's configuration of the Platform and applicable law, PayComply may process the following categories of Personal Data, including but not limited to, strictly for the purposes described in this Schedule A:

a. Identity & Employment Data- Full name, Employee ID/Code, Gender, Date Of Birth, Marital Status, Differntly Abbled Status, Educational Qualification, Experience Details, Department, designation.
b. Contact Information- Email address, Mobile number, Residential address, Parents & Spouse Name.
c. Statutory & Compliance Data- Permanent Account Number (PAN), Universal Account Number (UAN), ESIC number, Tax identifiers as required by law.
d. Financial & Payroll Data- Salary components, Bank account details, Deductions and benefits, Payslip information.
e. System & Audit Data- User access logs, Activity timestamps, IP addresses (for security monitoring)

PayComply does not intentionally collect or process Personal Data beyond what is necessary to provide the Services.

3. Purpose of Processing

Personal Data is processed strictly for the following purposes:

Payroll computation and salary disbursement
Statutory compliance (e.g., tax, PF, ESIC filings)
Payslip generation and employee self-service
Payroll audits, reporting, and reconciliation
Platform security, access control, and fraud prevention

4. Nature of Processing Activities

Processing activities include:

Collection of data through encrypted transmission
Encryption and secure storage
Retrieval and display to authorized users
Transmission to statutory systems or banking interfaces (where applicable)
Archival and secure deletion

5. Data Retention & Deletion

Active employee data is retained for the duration of the Customer's subscription.
Post-termination data is retained as required under applicable Indian laws.
Upon expiry of retention obligations, data is securely deleted or anonymized.
Deletion is performed using industry-standard secure deletion practices.

5. Special Instructions from Customer

Processing is carried out solely based on documented instructions provided by the Subscriber through the Platform configuration or written agreement.

Schedule B - Sub-Processor Disclosure & Change Control

“The Sub-Processor Disclosure Schedule and Change Control provisions together constitute Schedule B and shall be read harmoniously.”

Part 1: - Sub-Processor Disclosure Schedule

PayComply engages the following categories of Sub-Processors to deliver the Services.

Sub-Processor Category	Purpose	Processing Location
Cloud Infrastructure Provider	Hosting, storage, backups	India / Other approved regions
Managed Database Services	Secure data storage & availability	India / Other approved regions
Email Notification Provider	Payslip & system notifications	India / Other approved regions
SMS Gateway Provider	OTPs, alerts, notifications	India
Monitoring & Logging Tools	Security monitoring and incident detection	India / Other approved regions

Sub-Processor Safeguards

All Sub-Processors are engaged under written agreements
Contracts impose data protection and confidentiality obligations no less protective than this DPA
Sub-Processors are prohibited from using data for their own purposes

Sub-Processor Updates

PayComply may update this Schedule from time to time and shall notify Customers of material changes through reasonable means.

Part 2: - Sub-Processor Change Control

2.1. General Authorization

The Customer hereby provides general authorization for PayComply to engage Sub-Processors for the purpose of providing the Services, subject to the safeguards set forth in this Annexure A.

2.2. Notification of Changes

PayComply shall notify the Customer of any material addition or replacement of Sub-Processors by one or more of the following means:

Posting an updated Sub-Processor Disclosure Schedule on the Platform; or
Providing notice through the Customer's registered administrative contact; or
Other reasonable electronic communication.

Such notice shall be provided within a commercially reasonable time prior to the Sub-Processor commencing processing of Personal Data, where practicable.

2.3. Objection Mechanism

2.3.1 Right to Object

The Customer may object to a newly appointed Sub-Processor solely on reasonable and documented data protection grounds, by providing written notice to PayComply within fifteen (15) days of receiving the notification.

2.3.2 Required Details - Any objection must include:

The specific Sub-Processor being objected to; and
A clear explanation of the data protection risk alleged.

General commercial objections shall not constitute valid grounds.

2.4. Resolution Options

Upon receipt of a valid objection, PayComply shall, acting in good faith, take one of the following actions:

Provide additional information or safeguards to address the Subscriber's concerns;
Use commercially reasonable efforts to provide an alternative Sub-Processor; or
Where no reasonable alternative exists, allow the Subscriber to terminate the affected Services without penalty.

2.5. No Retroactive Impact

Changes to Sub-Processors shall not affect:

Existing data protection obligations under this Agreement; or
PayComply's responsibility for the acts and omissions of Sub-Processors.

PayComply shall remain fully liable for Sub-Processors' compliance with this DPA.

2.6. Emergency or Mandatory Changes

In the event of:

Security incidents;
Service availability risks; or
Legal or regulatory requirements,

PayComply may engage a Sub-Processor without prior notice, provided that the Customer is notified as soon as reasonably practicable thereafter.

2.7. Deemed Acceptance

If the Customer does not raise an objection within the applicable notice period, the Customer shall be deemed to have accepted the updated Sub-Processor.

2.8. Schedule Maintenance

The most current version of Schedule B - Sub-Processor Disclosure shall be made available by PayComply and shall supersede prior versions upon notice.

Schedule C - Security Measures & Enterprise Fallback Clauses

Part 1: - Technical & Organizational Security Measures

PayComply implements and maintains reasonable security practices and procedures, including administrative, technical, and physical safeguards, in accordance with applicable law, including the Information Technology Act, 2000 and associated rules. PayComply maintains an information security program aligned with ISO/IEC 27001 and SOC 2 Type II principles, including:

1. Encryption

AES-256 encryption for data at rest
TLS-based encryption for data in transit
Secure cryptographic key management

2. Access Control

Role-based access control (RBAC)
Least-privilege access enforcement
Segregation of customer environments

3. Authentication & Authorization

Token-based authentication (JWT)
Session management and expiry controls

4. Monitoring & Logging

System access logging
Audit trails for administrative actions
Continuous monitoring for anomalies

5. Secure Development Practices

Secure SDLC processes
Code reviews and vulnerability assessments
Controlled deployment pipelines

6. Incident Management

Documented incident response procedures
Breach identification and containment protocols
Customer notification without undue delay

Part 2: - Enterprise Negotiation Fallback Clauses

Unless otherwise expressly agreed:

Audits may be conducted no more than once annually, subject to reasonable notice
Breach notifications shall be provided without undue delay after confirmation
Liability caps apply mutually and are limited to fees paid in the preceding 12 months
Sub-Processor changes require notice, not prior written consent
Assistance with Data Principal requests is limited to commercially reasonable efforts

Last Updated: 10-October-2025

✶