Security

Security Overview

Docoholic works hard to maintain the privacy of data you entrust to us. Data you store in Docoholic products is yours. We put our security program in place to protect it, and use it only to provide the Docoholic service to you. We never share your data across customers and never sell it.

EU-GDPR & CCPA compliant
Data centers - SOC 2 & ISO 27000 certified
Data Processing Agreement
Separate Database with SSL encryption
TERMS AND CONDITIONS

MANAS FREIGHTS PVT LTD ("We", "Us", "Our", "DOCOHOLIC", "MANAS") and the Customer shall hereinafter be individually referred to as a "Party" and collectively as the "Parties".

RECITALS:

(A) MANAS is inter-alia engaged in the business of building information technology solutions and products in transportation, logistics, Export Import, Warehousing, Supply Chain sector. MANAS has developed the Software DOCOHOLIC (defined below).

(B) The Customer is engaged in the business of Export, Import, transport and logistics, ocean freights and custom clearance.

(C) MANAS has represented that the Software has the capability of providing the SAAS required by the Customer and based on such representation, the Customer wishes to avail the Services in relation to the Software.

(D) MANAS and the Customer now wish to enter into this Agreement in order to set out the terms and conditions on which the Customer will avail the SAAS from MANAS.

IT IS AGREED as follows:

1 DEFINITIONS AND INTERPRETATION

1.1 Definitions

Except to the extent expressly provided otherwise, in this Agreement:

1.1.1 "Applicable Law" means all applicable statutes, enactments, laws, ordinances, bye-laws, rules, regulations, guidelines, policies, notifications, notices, press-notes, and/or judgments, decrees, injunctions, writs or orders of any court, statutory or regulatory authority, tribunal, board or stock exchange in any jurisdiction as may be in force and effect during the subsistence of this Agreement as may be applicable to each of the Parties respectively.

1.1.2 "Account" means an account enabling a person to access and use the SAAS, including both administrator accounts and user accounts.

1.1.3 "Agreement" means this agreement including any Schedules, and any amendments to this Agreement from time to time.

1.1.4 "Business Day" means any weekday other than a bank or public holiday in India.

1.1.5 "Charges" means the following amounts:

(a) such amounts as may be agreed in writing by the Parties from time to time.

1.1.6 "Critical Fix" means a release made to address an urgent issue such as a security vulnerability, a system/application stability problem or another functional issue.

1.1.7 "Customer Confidential Information" means any information disclosed by or on behalf of the Customer to MANAS at any time before the termination of this Agreement (whether disclosed in writing, orally or otherwise) that at the time of disclosure was marked as "confidential".

1.1.8 "Data" means all data, works and materials: uploaded to or stored on the Platform by the Customer, transmitted by the Platform at the instigation of the Customer, supplied by the Customer to MANAS for uploading to, transmission by or storage on the Platform, or generated by the Platform as a result of the use of the SAAS by the Customer.

1.1.9 "Documentation" means the documentation for operating the SAAS (including documentation for requirement gathering and the user manual as well as basic marketing material) produced by MANAS and delivered or made available by MANAS to the Customer.

1.1.10 "Effective Date" shall mean the date on which the login credentials for the Account are provided to the Customer in accordance with clause 3.1.

1.1.11 "Execution Date" shall mean the date at which this Agreement is executed.

1.1.12 "Feature Deprecation" means that a feature that appears in prior or existing versions of the SAAS offering is not recommended for continued use, is discontinued and/or is superseded by an alternative.

1.1.13 "Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus attack, power failure, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks, natural calamities and wars).

1.1.14 "Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registrable or un-registrable, registered or unregistered, including any application or right of application for such rights (and these "intellectual property rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs).

1.1.15 "Maintenance Services" mean the general maintenance of the Platform and SAAS, and the application of Updates and Upgrades in accordance with Part A (Maintenance SLA) of Schedule 4 (Maintenance and Support SLA).

1.1.16 "MANAS Confidential Information" means any information disclosed by or on behalf of MANAS to the Customer at any time before the termination of this Agreement (whether disclosed in writing, orally or otherwise) that at the time of disclosure:

(i) was marked as "confidential"; or

(ii) should have been reasonably understood by the Customer to be confidential.

1.1.17 "Personal Data" shall mean sensitive personal data or information as defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

1.1.18 "Platform" means the platform managed and owned by MANAS and used by MANAS as ‘DOCOHOLIC’ to provide the SAAS, including the application and database software for the SAAS, the system and server software used to provide the SAAS, and the computer hardware on which that application, database, system and server software is installed.

1.1.19 "Release" means, in respect of an Update or Upgrade or Critical Fix, the release of that Update or Upgrade or Critical Fix (as the case may be) to the customers of MANAS generally (and "Released" shall be construed accordingly).

1.1.20 "Schedule" means any schedule attached to the main body of this Agreement.

1.1.21 "Services" mean any services that MANAS provides to the Customer, or has an obligation to provide to the Customer, under this Agreement, including the Implementation, SAAS, Maintenance Services and Support Services.

1.1.22 "SAAS" means the software as a service, which will be made available by MANAS to the Customer as a service via the internet in accordance with this Agreement.

1.1.23 "SAAS Specification" means the specification for the Platform and the SAAS set out in Schedule 1 (SAAS Particulars) and in the Documentation.

1.1.24 "Support Services" mean support in relation to the use of, and the identification and resolution of errors in the SAAS in accordance with Part B (Support SLA) of Schedule 4 (Maintenance and Support SLA), but shall not include the provision of training or re-training services, which shall be provided on chargeable per-man-day basis.

1.1.25 "Supported Web Browser" means the current release from time to time of Google Chrome or any other web browser that MANAS agrees in writing shall be supported.

1.1.26 "Software" means the transport and logistics software named “Docoholic” and owned by MANAS and provided to the Customer for use on subscription model as provided under this Agreement.

1.1.27 "Tax" (including with correlative meaning, the term "Taxes") means any and all taxes, assessments and other charges, duties, impositions and similar liabilities imposed by any Taxation Authority, including taxes based upon or measured by gross receipts, income, profits, services, sales and value added, withholding, payroll, excise and property taxes, together with all interest, penalties and additions imposed with respect to such amounts.

1.1.28 "Taxation Authority" means any taxing or other authority (whether within or outside India) competent to impose, administer or collect any Taxes.

1.1.29 "Update" means a hotfix, patch or minor version update to the Software.

1.1.30 "Upgrade" means a major version upgrade of the Software.

1.2 Interpretation

In this Agreement, unless the context requires otherwise:

(a) words denoting persons include individuals/natural persons, bodies corporate and unincorporated associations of persons;

(b) a reference to a recital, clause or Schedule is a reference to a recital, clause or Schedule of or to this Agreement;

(c) the Schedules form part of this Agreement;

(d) the headings in this Agreement do not affect its interpretation;

(e) references to an individual/a natural person include his estate and personal representatives;

(f) the words including and include shall mean including without limitation and include without limitation, respectively;

(g) any reference importing a gender includes the other genders;

(h) any reference to INR is to Indian rupees;

(i) any notice, waiver or amendment shall be effective only when made in writing;

(j) any reference to writing includes emails, typing, printing, lithography and photography;

(k) any reference to a document is to that document as amended, varied or novated from time to time otherwise than in breach of this Agreement or that document;

(l) any reference to a company includes any company, corporation or other body corporate wheresoever incorporated; and

(m) any reference to a company or firm includes any company or firm in succession to all, or substantially all, of the business of that company or firm.

2 TERM

2.1 This Agreement shall come into force upon the Execution Date, and shall continue in force until terminated in accordance with this Agreement.

3 SOFTWARE AS A SERVICE (SAAS)

3.1 MANAS shall create an Account for the Customer and shall provide to the Customer, login details for that Account on the Effective Date, which shall be not later than 7 days from the Execution Date.

3.2 MANAS hereby grants to the Customer a right to use the Software, as updated from time to time, by means of a Supported Web Browser for the internal business purposes of the Customer in accordance with the Documentation, during the Term.

3.3 The right to use the Software by the Customer under clause 3.2 is subject to the following limitations:

(a) the Software may only be used by the officers and employees of the Customer;

(b) the Software may only be used by the named users identified in Schedule 1 (SAAS Particulars), providing that the Customer may change, add or remove a designated named user in accordance with the procedure set out therein; and

(c) the Software must not be used at any point in time by more than the number of named users specified in Schedule 1 (SAAS Particulars), providing that the Customer may add or remove named user in accordance with the procedure set out therein.

3.4 Except to the extent expressly permitted in this Agreement, the Software is subject to the following prohibitions:

(a) the Customer must not sub-license its right to access and use the Software;

(b) the Customer must not permit any unauthorised person to access or use the Software;

(c) the Customer must not republish or redistribute any content or material from the Software; and

(d) the Customer must not make any alteration to the Platform, except as permitted by the Documentation.

3.5 The Customer shall use reasonable endeavours, including reasonable security measures relating to administrator Account access details, to ensure that no unauthorised person may gain access to SAAS using an administrator Account.

3.6 MANAS shall use reasonable endeavours to maintain the availability of the SAAS to the Customer at the gateway between the public internet and the network of the hosting services provider for the SAAS, and guarantees 98% availability, subject to clause 3.7 below.

3.7 For the avoidance of doubt, downtime caused directly or indirectly by any of the following shall not be considered a breach of this Agreement:

(a) a Force Majeure Event;

(b) a fault or failure of the internet or any public telecommunications network;

(c) a fault or failure of the Customer's computer systems or networks;

(d) any breach by the Customer of this Agreement; or

(e) scheduled maintenance carried out in accordance with this Agreement.

3.8 The Customer must comply with Schedule 2 (Acceptable Use Policy), and must ensure that all persons using the SAAS with the authority of the Customer or by means of an administrator Account comply with Schedule 2 (Acceptable Use Policy).

3.9 The Customer must not use the SAAS in any way that causes, or may cause, damage to the SAAS or Platform or impairment of the availability or accessibility of the SAAS.

3.10 The Customer must not use the SAAS:

(a) in any way that is unlawful, illegal, fraudulent or harmful; or

(b) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.

3.11 For the avoidance of doubt, the Customer has no right to access the software code (including object code, intermediate code and source code) of the Platform, either during or after the Term.

3.12 MANAS may suspend the provision of the SAAS, if any amount due to be paid by the Customer to MANAS under this Agreement is overdue by more than 15 (fifteen) days from the date on which the amount was due to be payable.

3.13 The Customer acknowledges that the Software and the SAAS are not customisable. The Customer may provide feedback to MANAS requesting for customization/additional features in the Software and/or the SAAS. MANAS may, in its sole discretion, incorporate such customization/additional features in subsequent Updates or Upgrades.

3.14 MANAS will make commercially reasonable efforts to post notices of any Feature Deprecation one quarter in advance and reserves the right to deprecate, modify, or remove any features from any of the Software without prior notice.

4 IMPLEMENTATION OF SOFTWARE

4.1 MANAS shall install and implement the Software which shall be not later than 7 days from the Execution Date.

5 MAINTENANCE AND SUPPORT SERVICES

5.1 MANAS shall provide the Maintenance Services and Support Services to the Customer during the Term in accordance with Schedule 3 (Maintenance and Support SLA).

5.2 The Maintenance Services and Support Services shall be provided by MANAS to the Customer off-site, i.e., on call or remotely.

5.3 MANAS shall make available to the Customer a helpdesk in accordance with the provisions of this Agreement. The Customer may use the helpdesk for the purposes of requesting and, where applicable, receiving the Maintenance Services and/or Support Services; and the Customer must not use the helpdesk for any other purpose. MANAS shall respond promptly to all requests for Maintenance Services and/or Support Services made by the Customer through the helpdesk.

5.4 In the event the Customer requires MANAS to provide any Maintenance Services and/or Support Services (including training or re-training) on-site, i.e., at the premises of the Customer, the Customer shall be liable to pay Charges to MANAS for the time spent by MANAS’ personnel performing such Maintenance Services and/or Support Services.

5.5 MANAS shall where practicable give to the Customer as per notification mentioned in maintenance and support SLA in Schedule 3 Business Days' prior written notice of scheduled Maintenance Services and/or Support Services that are likely to affect the availability of the SAAS or are likely to have a material negative impact upon the SAAS, without prejudice to MANAS’ other notice obligations under this Agreement.

5.6 MANAS may suspend the provision of the Maintenance Services and/or Support Services if any amount due to be paid by the Customer to MANAS under this Agreement is overdue by more than 15 (fifteen) days from the date on which the amount was due to be payable.

6 DATA

6.1 MANAS shall have the right to use the Data to the extent reasonably required for the performance of MANAS’ obligations under this Agreement, together with the right to sub-license these rights to its hosting, connectivity and telecommunications service providers to the extent reasonably required for the performance of MANAS’ obligations and the exercise of MANAS’ rights under this Agreement.

6.2 MANAS shall create a back-up copy of the Data at least daily, shall ensure that each such copy is sufficient to enable MANAS to restore SAAS to the state they were in at the time the back-up was taken, and shall retain and securely store each such copy for a minimum period of 7 (seven) days. MANAS shall have the right to remove or destroy such back-up copies if they are more than 7 (seven) days old.

7 INTELLECTUAL PROPERTY

7.1 Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from MANAS to the Customer, or from the Customer to MANAS.

7.2 MANAS represents that it has developed the Software and is the legal and absolute owner of the Software and/or SAAS and owns any and all Intellectual Property Rights in the Software and/or SAAS, free of any infringement on the Intellectual Property Rights or other rights of any third party.

8 CHARGES

8.1 The Customer shall pay the Charges to MANAS in accordance with this Agreement.

8.2 All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated exclusive of any applicable Taxes, which will be added to those amounts and payable by the Customer to MANAS.

8.3 MANAS shall have the right to use any third party software for Implementation and Maintenance Services and/or Support Services during the Term of this Agreement. Further, in the event of an increase in the costs due to any upgradation or change in policy for such third party software, such increased costs shall be borne by the Customer at actuals upon MANAS providing a written evidence for the same. However, such an increase should not be more than 5%.

8.4 MANAS FREIGHTS PVT LTD shall not vary any element of the Charges without the mutual consent of the Customer.

9 PAYMENTS

9.1 The Charges under this Agreement shall commence from the Effective Date.

9.2 MANAS shall issue invoices for the Charges in accordance with Schedule 4 (Payment Schedule) to the Customer by 1st of every month for the SAAS provided for the preceding month.

9.3 The Customer must pay the Charges to MANAS within the period of 7 (Seven) days following the issue of an invoice in accordance with this clause 10 (Payments).

9.4 The Customer must pay the Charges by [debit card, credit card, direct debit, standing instructions, bank transfer or cheque] (using such payment details as are notified by MANAS to the Customer from time to time).

9.5 If the Customer does not pay any amount properly due to MANAS under this Agreement, MANAS may charge the Customer interest on the overdue amount at the rate of 18% per annum (which interest will accrue daily until the date of actual payment and be compounded at the end of each named calendar month).

10 MANAS FREIGHTS PVT LTD'S CONFIDENTIALITY OBLIGATIONS

10.1 MANAS must:

(a) keep the Customer Confidential Information strictly confidential;

(b) not disclose the Customer Confidential Information to any person without the Customer's prior written consent, and then only under conditions of confidentiality approved in writing by the Customer;

(c) use the same degree of care to protect the confidentiality of the Customer Confidential Information as MANAS uses to protect MANAS Confidential Information of a similar nature, being at least a reasonable degree of care;

(d) act in good faith at all times in relation to the Customer Confidential Information; and

(e) not use any of the Customer Confidential Information for any purpose other than performance of its obligations under this Agreement ("Permitted Purpose").

10.2 Notwithstanding clause 10.1 above, MANAS may disclose the Customer Confidential Information to MANAS’ officers, employees, professional advisers, insurers, agents and subcontractors who have a need to know for the Permitted Purpose of this Agreement and MANAS certifies that such persons have previously agreed, either as a condition to employment or in order to obtain the Customer Confidential Information, to be bound by terms and conditions substantially similar to those as provided herein.

10.3 This clause 10 (MANAS FREIGHTS PVT LTD's Confidentiality Obligations) imposes no obligations upon MANAS with respect to Customer Confidential Information that:

(a) is known to MANAS before disclosure under this Agreement and is not subject to any other obligation of confidentiality;

(b) is or becomes publicly known through no act or default of MANAS; or

(c) is obtained by MANAS from a third party in circumstances where MANAS has no reason to believe that there has been a breach of an obligation of confidentiality.

10.4 The restrictions in this clause 10 (MANAS’ Confidentiality Obligations) do not apply to the extent that any Customer Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request. However, MANAS agrees to provide the Customer with notice of any such requirement as is reasonably practicable prior to disclosing any information and to take all steps reasonably requested by the Customer to resist such disclosure or to seek confidential treatment of the Confidential Information in whole or in part.

10.5 MANAS hereby acknowledges that damages may not be an adequate remedy for any breach of this clause 10 and the Customer will therefore be entitled to apply for injunctive relief from any court of competent jurisdiction to restrain any breach or threatened breach of this clause 10.

10.6 The provisions of this clause 10 (MANAS’ Confidentiality Obligations) shall continue in force for a period of 2 (two) years following the termination of this Agreement, at the end of which period they will cease to have effect.

11 CUSTOMER'S CONFIDENTIALITY OBLIGATIONS

11.1 The Customer must:

(a) keep the MANAS Confidential Information strictly confidential;

(b) not disclose MANAS Confidential Information to any person without MANAS’ prior written consent, and then only under conditions of confidentiality approved in writing by MANAS;

(c) use the same degree of care to protect the confidentiality of MANAS Confidential Information as the Customer uses to protect Customer’s Confidential Information of a similar nature, being at least a reasonable degree of care;

(d) act in good faith at all times in relation to the MANAS Confidential Information; and

(e) not use any of the MANAS Confidential Information for any purpose other than performance of its obligations under this Agreement ("Permitted Purpose").

11.2 Notwithstanding clause 11.1 above, the Customer may disclose the MANAS Confidential Information to Customer’s officers, employees, professional advisers, insurers, agents and subcontractors in order to perform its obligations under this Agreement and the Customer certifies that such persons have previously agreed, either as a condition to employment or in order to obtain the Customer Confidential Information, to be bound by terms and conditions substantially similar to those as provided herein.

11.3 This clause 11 (Customer’s Confidentiality Obligations) imposes no obligations upon Customer with respect to MANAS Confidential Information that:

(a) is known to Customer before disclosure under this Agreement and is not subject to any other obligation of confidentiality;

(b) is or becomes publicly known through no act or default of Customer; or

(c) is obtained by Customer from a third party in circumstances where Customer has no reason to believe that there has been a breach of an obligation of confidentiality.

11.4 The restrictions in this clause 11 (Customer’s Confidentiality Obligations) do not apply to the extent that any MANAS Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of Customer on any recognised stock exchange.

11.5 The provisions of this clause 11 (Customer’s Confidentiality Obligations) shall continue in force for a period of 2 (two) years following the termination of this Agreement, at the end of which period they will cease to have effect.

14. RETURN OF CONFIDENTIAL INFORMATION

Immediately upon receiving the written request by either Party at any time, the other Party will return to such Party all of such Party’s Confidential Information and all documents or media containing any such Party’s Confidential Information and any and all copies or extracts thereof, save that where such Party’s Confidential Information is in a form incapable of return or has been copied or transcribed into another document, it shall be destroyed or erased, as appropriate.

15. GENERAL DISCLOSURES

15.1 The Customer acknowledges and agrees that no representation or warranty, express or implied, is or will be made, and no responsibility or liability is or will be accepted by MANAS, or by any of its respective directors, officers, employees, agents or advisers, as to, or in relation to, the accuracy or completeness of any of MANAS Confidential Information made available to the Customer or its advisers; it is responsible for making its own evaluation of such MANAS Confidential Information.

15.2 The failure of either party to enforce its rights under this Agreement at any time for any period shall not be construed as a waiver of such rights.

16. NON SOLICITATION

16.1 The Customer agrees that during the Term of this Agreement and for a 12 (twelve) month period following the termination of the Term of this Agreement for any reason, the Customer will not, without the prior written consent of MANAS, directly or indirectly:

in any capacity (a) solicit or attempt to solicit from MANAS, any person who is a director, officer, manager, principal, employee, agent or consultant of MANAS or cause any such person to terminate their employment with MANAS at any time; (b) hire or engage in any capacity any person who is or was a director, officer, manager, principal, employee, agent or consultant of MANAS during the twelve months prior to the date of termination of the Customer's engagement; or (c) interfere or attempt to interfere with MANAS’ relationship with any director, officer, manager, principal employee, agent or consultant of MANAS;

in any capacity (a) canvas, solicit, divert, or take away (or attempt to canvas, solicit, divert or take away) any clients or prospective clients of MANAS; (b) provide Services for any clients or prospective clients of MANAS; or (c) interfere with MANAS’ relationship with any client or prospective client or counterparties (including, without limitation, any equipment vendors, brokers, banks, investment banks and other advisors with whom MANAS contracts).

17. REPRESENTATIONS & WARRANTIES

17.1 MANAS warrants to the Customer that it:

(a) has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement;

(b) will comply with all applicable legal and regulatory requirements applying to the exercise of MANAS rights and the fulfilment of MANAS obligations under this Agreement;

(c) has or has had access to all necessary know-how, expertise and experience to perform its obligations under this Agreement; and

(d) At the Execution Date, there is no action or proceeding pending or, in so far as it knows or ought to know, threatened in writing against it before any court, administrative agency or other tribunal that: (i) could impact upon its power, right and authority to enter into this Agreement or to perform its obligations under the Agreement.

17.2 The Customer warrants to MANAS that it has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement.

17.3 At the Execution Date, MANAS represents and warrants that they are the legal owner of the Software, free of any infringement on the Intellectual Property rights or other rights of any third party.

18. ACKNOWLEDGEMENTS AND WARRANTY LIMITATIONS

18.1 The Customer acknowledges that the Software is never wholly free from defects, errors and bugs; and subject to the other provisions of this Agreement, MANAS gives no warranty or representation that the Software or the SAAS will be wholly free from defects, errors and bugs.

18.2 The Customer acknowledges that the Software is never entirely free from security vulnerabilities; and subject to the other provisions of this Agreement, MANAS gives no warranty or representation that the Software or the SAAS will be entirely secure.

18.3 The Customer acknowledges that the SAAS is designed to be compatible only with that software and those systems specified as compatible in the SAAS Specification; and MANAS does not warrant or represent that the Software or the SAAS will be compatible with any other software or systems.

18.4 The Customer acknowledges that MANAS will not provide any legal, financial, accountancy or taxation advice under this Agreement or in relation to the SAAS; and, except to the extent expressly provided otherwise in this Agreement, MANAS does not warrant or represent that the Software or the SAAS or the use of the Software or the SAAS by the Customer will not give rise to any legal liability on the part of the Customer or any other person.

19. INDEMNITY, LIMITATIONS AND EXCLUSIONS OF LIABILITY

19.1 The following provisions of this Clause 19 set out provisions relating to indemnity and the total liability of MANAS with respect of any act, omission or breach of MANAS obligations arising under or in connection with this Agreement.

19.2 MANAS (“Indemnifying Party”) hereby undertakes and agrees to defend, indemnify and hold harmless the Customer (“Indemnified Party”) from and against any losses, costs, damages, expenses, charges or claims or fees (including reasonable legal costs or fees), which the Indemnified Party might incur/suffer as a result of:

(i) the wilful misconduct, negligence, misfeasance of the Indemnifying Party and its directors, officers, employees in the provision of the SAAS hereunder;

(ii) breach of any of the terms, conditions, declarations, representations, obligations, undertakings and warranties contained in this Agreement, on part of the Indemnifying Party or its directors, officers, employees, agents and representatives;

(iii) breach of any of the Confidential and Intellectual Property obligation under this Agreement; and

(iv) against any threatened or actual third party claim against the Indemnified Party in which negligence, misfeasance, wilful misconduct, breach of any of the terms, conditions, declarations, representations, obligations, undertakings and warranties of the Indemnifying Party (including its respective directors, officers and employees) is alleged. The indemnity provisions provided herein above shall be the sole monetary remedy available to the indemnified party.

19.3 Neither Party shall be liable to the other Party in respect of:

(a) any loss of profits or anticipated savings;

(b) any loss of revenue or income;

(c) any loss of use or production;

(d) any loss of business, contracts or opportunities;

(e) any special, indirect or consequential loss or damage.

19.6 The aggregate liability of MANAS FREIGHTS PVT LTD to the Customer under this Agreement shall not exceed the Subscription Charges (for avoidance of doubt shall exclude Transaction Charges) paid by the Customer to MANAS under this Agreement in the immediately preceding 12 (twelve) months. The Customer agrees that refund of such Subscription Charges for the immediately preceding 12 (twelve) months shall be the sole and exclusive remedy available with the Customer under this Agreement, and shall be in lieu of all other claims that the Customer may have against MANAS.

20. FORCE MAJEURE EVENT

20.1 If a Force Majeure Event gives rise to a failure or delay in either Party performing any obligation under this Agreement, that obligation will be suspended for the duration of the Force Majeure Event.

20.2 A Party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that Party performing any obligation under this Agreement, must:

(a) promptly notify the other; and

(b) inform the other of the period for which it is estimated that such failure or delay will continue.

20.3 A Party whose performance of its obligations under this Agreement is affected by a Force Majeure Event must take reasonable steps to mitigate the effects of the Force Majeure Event.

21. TERMINATION

21.1 MANAS shall not terminate this Agreement until the expiry of 1 year from the Effective Date ("Lock-in Period"), provided, however, that MANAS shall have the right to terminate within the Lock-in Period if the Customer has defaulted in payment of the Charges. After expiry of the Lock-in Period, MANAS may terminate this Agreement by giving to the other Party at least 30 (thirty) days' written notice of termination.

21.2 The Customer may terminate the Agreement by giving MANAS 30 days’ prior notice.

21.3 Either Party may terminate this Agreement immediately by giving written notice of termination to the other Party if:

(a) the other Party:

(i) commits a material breach of this Agreement, which remains uncured after 30 days' written notice by such Party to cure the breach;

(ii) is dissolved;

(iii) ceases to conduct all (or substantially all) of its business;

(iv) is or becomes unable to pay its debts as they fall due;

(v) is or becomes insolvent or is declared insolvent; or

(vi) convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;

(b) an administrator, administrative receiver, liquidator, receiver, trustee, manager or someone similar is appointed over any of the assets of the other Party;

(c) an order is made for the winding up of the other Party, or the other Party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other Party under this Agreement); or

(d) if that other Party is an individual:

(i) that other Party dies;

(ii) as a result of illness or incapacity, that other Party becomes incapable of managing his or her own affairs; or

(iii) that other Party is the subject of a bankruptcy petition or order.

22. EFFECTS OF TERMINATION

22.1 Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save the provisions of this Agreement which are intended to survive by nature.

22.2 Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either Party.

Without prejudice to the parties' other legal rights, within 30 (thirty) days following the termination of this Agreement for any reason, the Customer must pay to MANAS any undisputed Charges that may be due in respect of the SAAS provided to the Customer before the termination of this Agreement.

23. NOTICES

Any notice or communication pursuant to this Agreement shall be deemed to be duly given or made when it is in writing and has been delivered by hand, e-mail, first class registered mail or telex, addressed to the Party at the address set forth at the beginning of this Agreement (which may be updated from time to time by a Party giving written notice of the update to the other Party), or to such other address as provided to the other Party. The Parties also recognise e-mail with affirmative delivery confirmation as a valid notice of communication.

24. SUBCONTRACTING

24.1 MANAS may subcontract any of its obligations under this Agreement and agrees to provide the Customer with any and all information regarding such sub-contractors as may be required by the Customer with respect to the scope under this Agreement.

25. MISCELLANEOUS

25.1 Waivers and Remedies

25.1.1 No failure or delay by the Parties in exercising any right or remedy provided by the relevant Applicable Law under or pursuant to this Agreement shall impair such right or remedy or operate or be construed as a waiver or variation of it or preclude its exercise at any subsequent time and no single or partial exercise of any such right or remedy shall preclude any other or further exercise of it or the exercise of any other right or remedy.

25.1.2 The rights and remedies of the Parties under or pursuant to this Agreement are cumulative, may be exercised as often as such Party considers appropriate and are in addition to its rights and remedies under general law.

25.2 Assignment

Neither Party may, without the prior written consent of the other Party, assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.

25.3 Governing Law and Jurisdiction

25.3.1 This Agreement shall be governed by and construed in accordance with the laws of India.

25.3.2 The courts of Ahmedabad shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.

25.4 Dispute Resolution

25.4.1 In the event of any dispute arising in connection with the subject matter or thing herein contained or the operation or construction thereof or any matter or thing in any way connected with this Agreement, including any question regarding its existence, interpretation, validity or termination, the Parties shall first endeavour to reach an amicable settlement through mutual consultations and negotiations. If the Parties are unable to reach an amicable settlement within 30 (thirty) Business Days from the date on which the dispute arose (except as to any matter for which express provisions are made in this Agreement), either Party may make a reference to arbitration in accordance with clause 25.4.2 below.

25.4.2 In the absence of any settlement of disputes under clause 25.4.1 above, any and all disputes or differences arising out of or in connection with this Agreement or its performance, including any dispute regarding its existence, validity or termination, shall be exclusively and finally settled by arbitration under the provisions of the Indian Arbitration and Conciliation Act, 1996.

25.4.3 The arbitration proceedings shall be conducted in English.

25.4.4 The seat, or legal place, of the arbitration shall be Ahmedabad, India.

25.6 Severability

If any provision of this Agreement is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions of this Agreement, and all provisions not affected by such invalidity shall remain in full force and effect.

25.7 Counterparts

The Parties may execute this Agreement in multiple counterparts, each of which constitutes an original as against the Party that signed it, and all of which together constitute one agreement. The signatures of all Parties need not appear on the same counterpart. The delivery of signed counterparts by facsimile or email transmission that includes a copy of the sending Party’s signature(s) is as effective as signing and delivering the counterpart in person.

25.8 Non-Partnership

25.8.1 Nothing in this Agreement shall be deemed to constitute a partnership between the parties or constitute either Party the agent of the other for any purpose.

25.8.2 This Agreement is made for the benefit of the Parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the Parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party.

25.9 Entire Agreement

This Agreement sets out the entire agreement and understanding between the Parties with respect to the subject matter hereof. This Agreement supersedes all previous letters of intent, prior discussions and correspondence exchanged between any of the Parties in connection with the transactions referred to herein, all of which shall not have any further force or effect.

25.10 Modification

No variation, amendment, modification or waiver of any provision of this Agreement shall in any event be of any force or effect unless the same shall be agreed in writing between the Parties by persons possessing specific authority to do so and then such variation, modification, waiver or consent shall be effective only on the specific instance and for the purpose and to the extent for which made or given.

SCHEDULE 1 SOFTWARE AS A SERVICE (SAAS) PARTICULARS

1. Specification of Software as a Service (SAAS)

DOCOHOLIC will offer SAAS services to its customers during the term of this Agreement. This includes providing digital solutions to Exporters, Importers, Merchant Exporters, Transporters, CHAs, NVOCCs and Shipping Lines, such as e-trailer booking/ocean freight management, invoicing management, a trailer/container freight booking system, fleet management, booking history management, online payment management, cargo insurance, online document filing and its management, pricing management, and EXIM document creation. This Service shall be offered for the tenure agreed as per the terms and conditions.

SCHEDULE 2

ACCEPTABLE USE POLICY

(refer clause 3.8)

1. Policy

1.1 This acceptable use policy (the "Policy") sets out the rules governing:

(a) the use of the SAAS; and

(b) the transmission, storage and processing of content by you, or by any person on your behalf, using the SAAS ("Content").

1.2 References in this Policy to "you" are to any customer for the SAAS and any individual user of the SAAS (and "your" should be construed accordingly); and references in this Policy to "us" are to [identify provider] (and "we" and "our" should be construed accordingly).

1.3 By using the SAAS, you agree to the rules set out in this Policy.

1.4 We will ask for your express agreement to the terms of this Policy before you upload or submit any Content or otherwise use the SAAS.

1.5 You must be at least 18 (eighteen) years of age to use the SAAS; and by using the SAAS, you warrant and represent to us that you are at least 18 (eighteen) years of age.

2. General usage rules

2.1 You must not use the SAAS in any way that causes, or may cause, damage to the SAAS or impairment of the availability or accessibility of the SAAS.

2.2 You must not use the SAAS:

(a) in any way that is unlawful, illegal, fraudulent or harmful; or

(b) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.

2.3 You must ensure that all Content complies with the provisions of this Policy.

3. Unlawful Content

3.1 Content must not be illegal or unlawful, must not infringe any person's legal rights, and must not be capable of giving rise to legal action against any person (in each case in any jurisdiction and under any Applicable Law).

3.2 Content, and the use of Content by us in any manner licensed or otherwise authorised by you, must not:

(a) be libellous or maliciously false;

(b) be obscene or indecent;

(c) infringe any copyright, moral right, database right, trade mark right, design right, right in passing off, or other intellectual property right;

(d) infringe any right of confidence, right of privacy or right under data protection legislation;

(e) constitute negligent advice or contain any negligent statement;

(f) constitute an incitement to commit a crime, instructions for the commission of a crime or the promotion of criminal activity;

(g) be in contempt of any court, or in breach of any court order;

(h) constitute a breach of racial or religious hatred or discrimination legislation;

(i) be blasphemous;

(j) constitute a breach of official secrets legislation; or

(k) constitute a breach of any contractual obligation owed to any person.

3.3 You must ensure that Content is not and has never been the subject of any threatened or actual legal proceedings or other similar complaint.

4. Graphic material

4.1 Content must be appropriate for all persons who have access to or are likely to access the Content in question, and in particular for children over 12 (twelve) years of age.

4.2 Content must not depict violence in an explicit, graphic or gratuitous manner.

4.3 Content must not be pornographic or sexually explicit.

5. Factual accuracy

5.1 Content must not be untrue, false, inaccurate or misleading.

5.2 Statements of fact contained in Content and relating to persons (legal or natural) must be true; and statements of opinion contained in Content and relating to persons (legal or natural) must be reasonable, be honestly held and indicate the basis of the opinion.

6. Negligent advice

6.1 Content must not consist of or contain any legal, financial, investment, taxation, accountancy, medical or other professional advice, and you must not use the SAAS to provide any legal, financial, investment, taxation, accountancy, medical or other professional advisory services.

6.2 Content must not consist of or contain any advice, instructions or other information that may be acted upon and could, if acted upon, cause death, illness or personal injury, damage to property, or any other loss or damage.

7. Etiquette

7.1 Content must be appropriate, civil and tasteful, and accord with generally accepted standards of etiquette and behaviour on the internet.

7.2 Content must not be offensive, deceptive, threatening, abusive, harassing, menacing, hateful, discriminatory or inflammatory.

7.3 Content must not be liable to cause annoyance, inconvenience or needless anxiety.

7.4 You must not use the SAAS to send any hostile communication or any communication intended to insult, including such communications directed at a particular person or group of people.

7.5 You must not use the SAAS for the purpose of deliberately upsetting or offending others.

7.6 You must not unnecessarily flood the SAAS with material relating to a particular subject or subject area, whether alone or in conjunction with others.

8. Marketing and spam

8.1 You must not without our written permission use the SAAS for any purpose relating to the marketing, advertising, promotion, sale or supply of any product, service or commercial offering.

8.2 Content must not constitute or contain spam, and you must not use the SAAS to store or transmit spam - which for these purposes shall include all unlawful marketing communications and unsolicited commercial communications.

8.3 You must not send any spam or other marketing communications to any person using any email address or other contact details made available through the SAAS or that you find using the SAAS.

8.4 You must not use the SAAS to promote or operate any chain letters, ponzi schemes, pyramid schemes, matrix programs, "get rich quick" schemes or similar letters, schemes or programs.

9. Gambling

You must not use the Services for any purpose relating to gambling, gaming, betting, lotteries, sweepstakes, prize competitions or any gambling-related activity.

10. Monitoring

You acknowledge that we may actively monitor the Content and the use of the SAAS.

11. Data mining

You must not conduct any systematic or automated data scraping, data mining, data extraction or data harvesting, or other systematic or automated data collection activity, by means of or in relation to the SAAS.

12. Hyperlinks

You must not link to any material using or by means of the Services that would, if it were made available through the Services, breach the provisions of this Policy.

13. Harmful software

13.1 The Content must not contain or consist of, and you must not promote or distribute by means of the Services, any viruses, worms, spyware, adware or other harmful or malicious software, programs, routines, applications or technologies.

13.2 The Content must not contain or consist of, and you must not promote or distribute by means of the Services, any software, programs, routines, applications or technologies that will or may have a material negative effect upon the performance of a computer or introduce material security risks to a computer.

SCHEDULE 3 MAINTENANCE AND SUPPORT SLA

(refer clause 5.1)

PART A MAINTENANCE SLA

This Part A (Maintenance SLA) of Schedule 3 (Maintenance and Support SLA) sets out the service levels applicable to the Maintenance Services.

1. UPDATES

MANAS may apply Updates to the Software from time to time without any prior intimation to the Customer, provided this has no impact on the services offered to the Customer.

2. UPGRADES

2.1 MANAS may Upgrade the Software from time to time.

2.2 MANAS shall keep the Customer reasonably informed during the Term of its plans for the Release of Upgrades; however, except to the extent that the parties agree otherwise in writing, MANAS shall have no obligation to Release Upgrades with features requested by the Customer or to take into account the opinions of the Customer in relation to plans for the Release of Upgrades.

PART B SUPPORT SLA

This Part B (Support SLA) of Schedule 3 (Maintenance and Support SLA) sets out the service levels applicable to the Support Services.

1. TOUCH POINTS

Following will be the touch points between the Parties for logging issues, resolving them and any other communication required in this regard:

(a) Access to [insert to link];

(b) Direct phone lines & cell-phone based support on Business Days during normal business hours;

(c) Program updates, fixes, security alerts, and critical patch updates;

(d) General maintenance releases, selected functionality releases, and updates; or

(e) Non-technical Customer service during normal business hours.

2. The service request severity level is selected by the Customer and MANAS and should be based on the following severity criteria:

2.1 Severity - High

The use of the SAAS has stopped or is so severely impacted that the Customer cannot reasonably continue work. The Customer experiences a complete loss of Service. The operation is mission critical to the business and the situation is an emergency. A Severity P1 service request has one or more of the following characteristics:

(a) Data corrupted;

(b) A critical documented function is not available;

(c) System hangs indefinitely, causing unacceptable or indefinite delays for resources or response; or

(d) System crashes, and crashes repeatedly after restart attempts.

2.2 Severity - Medium

The Customer experiences a severe loss of Service. Important features of the SAAS are unavailable with no acceptable workaround; however, operations can continue in a restricted fashion.

2.3 Severity - Low

The Customer experiences a minor loss of Service. The impact is an inconvenience, which may require a workaround to restore functionality.

3. SERVICE REQUEST ESCALATION

3.1 If the Customer believes in good faith that it has not received quality or timely assistance in response to a service request or that it urgently needs to communicate important support related business issues to MANAS management, the Customer's technical contact may escalate the service request by contacting MANAS and requesting that the service request be escalated. The escalation process should not be used if the Customer wishes to change the reported business impact of the issue and as otherwise indicated in MANAS support.

3.2 For service requests that are escalated, MANAS support analyst will engage the MANAS service request escalation manager who will be responsible for managing the escalation by the Customer. MANAS service request escalation manager will work with the Customer to develop an action plan and allocate the appropriate MANAS resources. If the issue underlying the service request continues to remain unresolved, the Customer may contact the MANAS service request escalation manager to review the service request and request that it be escalated to the next level within MANAS as required. To facilitate the resolution of an escalated service request, the Customer is required to provide contacts within your organisation that are at the same level as that within MANAS to which the service request has been escalated.

SCHEDULE 5 PAYMENT SCHEDULE

(refer clause 10.2)

Subscription Charges shall mean the yearly subscription charges, as mentioned and updated from time to time on the subscription page linked below, payable by the Customer to MANAS.

Subscription : https://docoholic.com/site/subscription

Payment and Invoicing - MANAS shall issue invoices for the Charges in accordance with Schedule 4 (Payment Schedule) to the Customer by 1st of every month for the SAAS provided for the preceding month.

The Customer must pay the Charges to MANAS within the period of 7 (Seven) days following the issue of an invoice in accordance with this clause 10 (Payments).

Expenses – The Customer will reimburse MANAS for its reasonable, out of pocket travel and related expenses incurred in performing the Services. Docoholic shall notify the user before incurring such expenses.

Taxes – MANAS shall bill the Customer for the applicable Taxes as a separate line item on each invoice. The Customer shall be responsible for payment of all the Taxes or similar charges related to Customer’s purchase or use of SAAS.

Refund and cancellation – MANAS has a fair refund policy for its users as below.

• The refund policy will be applicable only until 30 days have elapsed from the date of subscribing.

• Any charges paid towards subscription will be refunded on a pro rata basis, i.e. monthly charges x remaining months.

• Remaining month: at least 20 days remaining in the month.

• The User will have to email the DOCOHOLIC support team at support@docoholic.com in order to cancel or discontinue the subscription.

• Upon receipt of the email, in 15 days the User account will be suspended and the refund will be processed to the bank account of the customer.

• For any subscription plan, an SSL secured certificate & installation charge of 1500 INR or 30 USD will be deducted from the refund amount. MANAS will issue an invoice for the same.

• For any queries about Docoholic terms and conditions, please email us at support@docoholic.com. The Docoholic customer happiness team will be delighted to guide you!

Privacy Policy
INTRODUCTION:

Docoholic works hard to maintain the privacy of the data you entrust to us. Data you store in Docoholic products is yours. We put our security program in place to protect it, and use it only to provide the Docoholic service to you. We never share your data across customers and never sell it. Docoholic is EU-GDPR & CCPA compliant, and its data centres are SOC 1 & SOC 2 and ISO 27001 certified.

We at MANAS FREIGHTS PVT LTD ('We,' 'Us,' 'Our' ‘DOCOHOLIC’) know that you as a user ('You,' 'Your', 'User(s)') care about how your personal information is used and shared, and we take your privacy seriously. Please read the following to learn more about our privacy policy. By visiting or using our website, mobile site, mobile app & offline channels including offices and any other linked pages, features, content, or any other services we offer from time to time in connection therewith (collectively, the 'Website'), or by using the Services (as defined in our Terms of Service) in any manner, you acknowledge that you accept the practices and policies outlined in this privacy policy, and you hereby consent that we will collect, use, and share your information in the following ways.

By mere use of or accessing the Website, the User hereby expressly agrees with the terms of this privacy policy and the contents herein. If you disagree with this privacy policy, please do not use or access our Website.

WHAT DOES THIS PRIVACY POLICY COVER?

This privacy policy aims to give you information on how we collect and process your personally identifiable information ('personal information') that we gather when you access our Website OR use our Services.

It is important that you read this privacy policy together with the Terms of Service and any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. We have tried to keep our privacy policy as simple as possible, but if you are not familiar with terms like cookies, IP addresses, pixel tags and browsers, then read about these under key terms section (as provided below) first. Your privacy matters to us, so whether you are new to the Website or a long-time user, please do take the time to get to know our practices.

We do not knowingly collect or solicit personal information from anyone under the age of 18 years or knowingly allow such persons to register for the Services. If you are under 18 years, you may use the Website and our Services only with the involvement of a parent or guardian. If you believe that we might have any information from or about a child under the age of 18 years, please reach out to us at support@docoholic.com

This Privacy Policy does not apply to any other websites and mobile applications of third parties, even if their websites/software/products are linked to our Website. User should take note that information and privacy policies of MANAS FREIGHTS PVT LTD partners, advertisers, sponsors or other sites to which MANAS FREIGHTS PVT LTD provides hyperlink(s), may be materially different from this Privacy Policy. Accordingly, it is recommended that you review the privacy statements and policies of any such third parties with whom they interact.

This privacy policy is an integral part of the Terms of Service of MANAS FREIGHTS PVT LTD. Terms used but not otherwise defined herein shall have the respective meanings ascribed to them in the Terms of Service.

WHAT INFORMATION DOES MANAS FREIGHTS PVT LTD COLLECT?

We may collect, use, store and transfer two types of information about our Users: "Personally Identifiable Information" and "Non-Personally Identifiable Information" (collectively referred to as "Information"). By agreeing to this privacy policy, you consent to collection, usage, storage, processing and transfer of Information in the manner mentioned in this privacy policy for the purposes set out herein. Further, even if you have consented as above, you have the right to withdraw such consent at any time by contacting us.

WHAT IS THE BASIS FOR PROCESSING YOUR INFORMATION?

We have a lawful basis for processing of your Information (unless an exemption applies) which is as outlined below:

  • Performance of a contract. We may process your Information for performance of a contract with you as may be necessary. For example, we may process your payment information for a payment made by you through our Website. We do not store any payment information and we use PCI-compliant payment and subscription providers.
  • Legitimate Interest. We will process your Information in a manner that it serves our necessary and legitimate interests, except in the event where your interests or fundamental rights and freedoms in relation to such Information, override our legitimate interests. Such legitimate interests shall include prevention of fraud or misuse of services, IT and network security, marketing and advertising of Services, and processing for marketing research purposes.
  • PERSONALLY IDENTIFIABLE INFORMATION

    "Personally Identifiable Information" is information that identifies a specific User when such User engages in certain activities on the Website, such as creating an account, availing a service through the Website, requesting information about our Services, and such other activities as we may identify on the Website (collectively, "Identification Activities"). It is optional for you to engage in an Identification Activity. We may also receive certain Information about you from third parties when you have agreed via a third party's form/website to share such information with us. Our primary goal in doing so is to provide you a safe, efficient, smooth and customized experience.

    The Personally Identifiable Information we collect depends on the Identification Activity involved. For example, while registering or availing services on our Website, we may ask you to provide us with certain personal information about yourself, such as Information provided by you while subscribing to or registering on the Website, your company name, contact details such as your email address, postal addresses, telephone numbers, mobile numbers, fax numbers, your first and last name, mailing address (including zip code), email address, telephone number, date of birth, credit card number, expiration date and authentication codes or related information. The information may also include your banking details and any other information relating to your turnover/profit/income, billing information, payment history etc. (as shared by you).

    Depending on the Identification Activity, some of the information we ask you to provide is identified as mandatory and some is identified as voluntary. If you do not provide the mandatory information for a particular activity that requires it, you may not be permitted to engage in that Identification Activity. Further, since the accuracy of your information is important to us, if you provide us with your Personally Identifiable Information, please keep us informed if such information changes during your relationship with us.

    NON-PERSONALLY IDENTIFIABLE INFORMATION or NAVIGATIONAL INFORMATION

    Non-Personally Identifiable Information is information that does not identify a specific User. This type of information may include things like the date and time of your visit, Uniform Resource Locator ("URL") of the website you visited before coming to our Website, the URL of the website you visit after leaving our Website, the type of browser you are using and your Internet Protocol ("IP") address. Generally, this Information is sent to us by your web browser when you use this Website through the use of electronic tools like Cookies and Pixel tags and depends on the settings on your web browser. If you have created a user identity on one of your visits to this Website, we may link the information provided by your browser to information that identifies you personally and use it for the purposes mentioned in this privacy policy.

    Information related to any other customer for whom you do any activity through your MANAS FREIGHTS PVT LTD account. In such cases, you must confirm and represent that each of the other customers have agreed to share information shared by you and disclosed to us. If in the future you do not wish to receive Cookies, you may be able to refuse them by adjusting your browser settings to reject/block cookies including Cookies associated with our service, or to indicate when a cookie is being set by us. However, it is important to remember that if you do so, we may be unable to offer you some of our functionalities, services or support. If you have previously visited our Website, you may also have to delete any existing cookies from your browser.

    USE OF INFORMATION COLLECTED

    We Never Sell Personal Information. We will never sell your Personal Information to any third party.

    We may use the Information collected from you for purposes including, but not limited to, those mentioned below:

    • to contact you if you have requested information or communication from us
    • to enhance the operation of the Website;
    • to provide and improve our Services;
    • to analyse Website use;
    • to determine the country in which you are located for compliance purposes;
    • for security, anti-piracy, and fraud prevention purposes;
    • to verify that existing Information about you in our possession is accurate and complete;
    • to tailor your experience with third parties;
    • to undertake any other promotional activities (where you have previously consented to such promotional activities);
    • to ensure compliance with applicable laws, rules and regulations;
    • to troubleshoot, resolve disputes and accomplish administrative tasks;
    • to enforce our agreements with you (including our Terms of Service, this privacy policy).
    • In addition to the above, we may use Cookies, Pixel tags or other similar technologies on our Website or emails to, among other things:
    • tailor information presented to you based on your browsing preferences, such as language and geographical region;
    • collect statistics regarding your Website usage; and provide us with information to support technical functionality of service, improve the Website experience and measure marketing effectiveness.
    • To confirm your bookings / activity with concerned service providers;
    • To keep you updated about the transaction status;
    • To send confirmations (emails/SMS) wherever applicable;
    • For our operations team to contact you, if necessary;
    • To customize our website and mobile application
    • Request to rate and review any particular services offered.
    • To send verification message(s) or email(s).

    We will only use your Personally Identifiable Information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. Further, we will ask for your consent before using Information for a purpose other than those that are set out in this privacy policy.

    Legal basis for processing Personal Information (EEA visitors only)

    If you are a visitor located in the European Economic Area ("EEA"), Manas Freights Pvt Ltd is the data controller of your personal information. Manas Freights Pvt Ltd's Data Protection Officer can be contacted here. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you.

    If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.

    In some circumstances we will anonymize your Information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

    OPINION

    We highly appreciate opinions, queries and comments from our Users and frequently conduct surveys, online as well as offline. The information is aggregated and used to make improvements to the Website, other Sales Channels and its services, and to develop efficient content, features and promotions for members.

    MARKETING CAMPAIGNS, DATA ANALYSIS:

    Marketing campaigns and data analysis help us to know your preferences, create programs and improve user experience. Personal Information collected by us for such activities may include contact information and opinion questions. As our esteemed subscriber, you will also receive notifications and updates from us about new freights, services, new MANAS FREIGHTS PVT LTD services, or any other important information and marketing campaigns.

    In addition, you may look forward to periodically receiving marketing emails, newsletters and exclusive promotional offering.

    From time to time we may enhance services available on our Website/Mobile app. To the extent these services are provided, and used by you, we will use the Information you provide to facilitate the service requested and make your experience better.

    You will occasionally receive e-mail updates from us about fare sales in your area, special offers, new MANAS FREIGHTS PVT LTD services, and other noteworthy items. We hope you will find these updates interesting and informative. If you wish not to receive them, please click on the "unsubscribe" link or follow the instructions in each e-mail message or send us an email at support@docoholic.com.

    COOKIES AND INFORMATION

    Our use of cookies is similar to that of any other reputable online companies. No Information about User is gathered or stored in the cookies placed by a website or mobile site and, as a result, none can be passed on to any third parties. Cookies allow us to serve you better and more efficiently. MANAS FREIGHTS PVT LTD uses cookies to personalize your experience on the Website and the advertisements that may be displayed. Cookies also allow ease of access, by logging you in without having to type your login name each time (only your password is needed); we may also use such cookies to display any advertisement to you while you are on the Website or to send you offers (or similar emails – provided you have not opted out of receiving such emails) focusing on ports which may be of your interest. None of this information is passed to any third party, and is used solely by us to provide you with a better user experience on the Website. All of this information is only used by MANAS FREIGHTS PVT LTD or MANAS FREIGHTS PVT LTD suppliers to formally comply with maritime regulations and international trade best practices. This information includes shipping and receiving addresses, product descriptions and the date and time of the shipment. All of this information is required in order to correctly process a shipment request.

    You may not use MANAS FREIGHTS PVT LTD services for any illegal purpose. We may cease providing any and we may terminate your right to use MANAS FREIGHTS PVT LTD at any time. Your rights to use MANAS FREIGHTS PVT LTD will automatically terminate without notice from us if you fail to comply with any of these Conditions of Use or any other Service Terms.

    A cookie may also be placed by our advertising server. Such cookies are used only for purposes of tracking the effectiveness of advertising served by us on our Website. Similarly, a cookie may be placed by our third party advertising companies or advertisement providers or servers. These companies may use aggregated statistics about your visits to the Website in order to provide advertisements about goods and services that may be of potential interest to you. The information they collect does not include your Personal Information.

    The third party advertising companies or advertisement providers may also employ technology that is used to measure the effectiveness of the advertisements. All such information is anonymous. This anonymous information is collected through the use of a pixel tag, which is an industry standard technology and is used by all major online companies. They may use this information about your visits to the Website in order to provide advertisements about goods and services of probable interest to you. No Personal Information is collected during this process. The information so collected during this process, is anonymous, and does not link online actions to a User.

    Most web browsers automatically accept cookies. Of course, by changing the options on your web browser or using certain software programs, you can control how and whether cookies will be accepted by your browser. MANAS FREIGHTS PVT LTD supports your right to block any unwanted Internet activity, especially that of unscrupulous websites. However, blocking MANAS FREIGHTS PVT LTD cookies may disable certain features on the Website, and may make it impossible to purchase or use certain services available on the Website. Please note that it is possible to block cookie activity from certain websites while permitting cookies from websites you trust.

    AUTOMATIC LOGGING OF SESSION DATA:

    Each time you access the Website your session data gets logged. Session data consists of the User’s IP address, operating system and type of browser software being used and the activities conducted by the User while on the Website. We collect session data because it helps us analyze User’s choices, browsing pattern including the frequency of visits and duration for which a User is logged on. It also helps us diagnose problems with our servers and lets us better administer our systems. The aforesaid information cannot identify any User personally. However, it is possible to determine a User's Internet Service Provider (ISP), and the approximate geographic location of User's point of connectivity from the IP address.

    WITH WHOM YOUR PERSONAL INFORMATION IS SHARED

    Third Parties. We do not share Personally Identifiable Information with other parties ("Third Parties") except as a part of the normal operations, examples of which are set out below:

    • Your information shall be shared with the end service providers like shipping lines, transporters, NVOCC, Insurance companies, Freight Agent or any other suppliers who are responsible for fulfilling your booking or any other requests. You may note that while making a booking or Freight Quote Request with MANAS FREIGHTS PVT LTD you authorize us to share your information with the said service providers/suppliers. However, how the said service providers/suppliers use the information shared with them is beyond the purview of MANAS FREIGHTS PVT LTD. We therefore advise you to review the privacy policies of the respective service providers/suppliers whose services you choose to avail.
    • For your safety we may share personal information with our other corporate entities and affiliates to help detect and prevent identity theft, fraud and other potentially illegal acts, correlate related or multiple accounts to prevent abuse of our services, and to facilitate joint or co-branded services that you request where such services are provided by more than one corporate entity. Those entities and affiliates may not market to you as a result of such sharing unless you explicitly opt-in.
    • MANAS FREIGHTS PVT LTD may share your Personally Identifiable Information with third parties that MANAS FREIGHTS PVT LTD may engage to perform certain tasks on its behalf, including but not limited to payment processing, data hosting, and data processing platforms.
    • Sharing of Information with other entities, which may include but may not be limited to our present or future affiliates, i.e., individuals and companies with whom we have business relationships ("Affiliates"), to provide joint services or certain services to us or on our behalf and help us to operate our business. Such entities may also obtain Information from the Website itself, for providing services to us for our business including sending out and distributing our administrative and promotional emails and measurement of the overall effectiveness of our online advertising, content and programming, through means including those of Cookies, Pixel tags and other web technologies. We may share your Personally Identifiable Information with such Third Party service providers to fulfil your requests for Services, send post or email, remove repetitive information on customer lists, analyze data, provide marketing assistance, provide search results and links, process credit card payments, operate the Website, troubleshoot, and provide customer service. We may also collect personal information from our Affiliates and may have to also share their information with such Third Party service providers to accomplish our administrative tasks. We encourage Third Parties and Third Party service providers to adopt and publicly inform their privacy policies. However, the use of your Personally Identifiable Information by such parties is governed by the privacy policies of such parties and is not subject to our control.
    • Sharing of Information to such entities or authorities as may be necessary for compliance with legal requirements, cooperate with law enforcement authorities, a court order, enforcement or application of this privacy policy, our Terms of Service or other agreements; or protect the rights, property or safety of the Website, its Users or others, and prevent fraud and other crimes and protect our and your legal rights in relation to the same.
    • Sharing of your information in the event of a business transfer. As with any other business, we could merge with, or be acquired by another company. If this occurs, the successor company would acquire the information we maintain, including Personally Identifiable Information. However, Personally Identifiable Information would remain subject to this privacy policy.

    For all other purposes, we will ask for your consent before sharing Personally Identifiable Information with any Third Party. Also, when such Information has already been provided to a Third Party, and you wish that the Company or such Third Party stop using such information, you may, at any time, write to us or such Third Party, as the case may be, to stop using such Information. We specifically disclaim any responsibility or liability for the actions of such Third Parties. While we inform them that they are only permitted to communicate with you for the purposes of the specific activity in relation to the Company, we do not have any responsibility for the actions of the Third Parties, and the actions of the Third Parties are not in our control.

    INFORMATION SECURITY
    Data Retention

    We will only retain your Personally Identifiable Information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for Information, we consider the amount, nature and sensitivity of the Information, the potential risk of harm from unauthorised use or disclosure of your Information, the purposes for which we process your Information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. In some circumstances you can ask us to delete your data: see "Your Legal Rights" below for further information.

    Enforcement

    We regularly review our compliance with our privacy policy. When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of Information that we cannot resolve with our users directly.

    How we Share Information we Collect

    Service Providers

    We employ other third-party service providers to provide services on our behalf to visitors to our Websites and our customers and users of the Subscription Service and may need to share your information with them to provide information, products or services to you. Examples may include removing repetitive information from prospect lists, analyzing data or performing statistical analysis, providing marketing assistance, processing credit card payments, supplementing the information you provide us in order to provide you with better service, and providing customer service or support. These service providers are prohibited from using your Personal Information except for these purposes, and they are required to maintain the confidentiality of your information. In all cases where we share your information with such agents, we explicitly require the agent to acknowledge and adhere to our privacy and customer data handling policies.

    Manas Freights Pvt Ltd Partners

    In addition, we may share data with trusted partners to contact you based on your request to receive such communications, help us perform statistical analysis, or provide customer support. Such third parties are prohibited from using your Personal Information except for these purposes, and they are required to maintain the confidentiality of your information.

    We partner with trusted third parties to provide you with co-marketing content that we think may be relevant to you. When you engage with these co-marketing partners, we will tell you who we are sharing data with, and provide a link to the co-marketing partner’s privacy policy so you can learn more about how to opt-out of the partner’s communications. These co-marketing partners are required to adhere to our privacy and data protection policies. If you do not want us to share your personal information with these companies, please contact us here.

    Corporate Events

    If we (or our assets) are acquired by another company, whether by merger, acquisition, bankruptcy or otherwise, that company would receive all information gathered by Manas Freights Pvt Ltd on the Websites and the Subscription Service. In this event, you will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of your Personal Information, and choices you may have regarding your Personal Information.

    WHAT ARE YOUR LEGAL RIGHTS

    Under certain circumstances, you have certain rights under data protection laws in relation to your Information such as requesting access to your data, requesting correction of your data, requesting erasure of your data, objecting to processing of your data, requesting restriction of processing of your data, requesting transfer of your data to you or a third party and requesting to withdraw consent to process your data. If you wish to exercise any of the rights set out above, please contact us.

    We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

    It is hereby clarified that you will not have to pay a fee to access your Information (or to exercise any of the other rights). However, we may refuse to comply with your request if your request is clearly unfounded, repetitive or excessive.

    SECURITY OF MY PERSONAL INFORMATION

    Your account is protected by a password for your privacy and security. You need to prevent unauthorized access to your account and personal information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

    We endeavor to protect the privacy of your account and other personal information we hold in our records, but we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

    The Website may contain links to other sites. We are not responsible for the privacy policies and/or practices on other sites. When following a link to another site you should read that site's privacy policy.

    Note: As effective as encryption technology is, no security system is impenetrable. We cannot guarantee the security of our database, nor can we guarantee that information you supply won't be intercepted while being transmitted to us over the Internet. Any transmission of information by you to us or otherwise is at your own risk.

    WHAT PERSONAL INFORMATION CAN I ACCESS?

    Through your account settings, you may access, and, in some cases, edit or delete the following information you've provided to us:

    • name and password
    • e-mail address
    • user profile information and location

    The information you can view and update may change as the Website changes. If you have any questions about viewing or updating information reach us at support@docoholic.com

    WHAT CHOICES DO I HAVE?

    You can always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of our special features/Services. We will retain your personal information for a reasonable period or as long as the law requires. If you'd like us to delete/modify Information that you have provided via the Website or otherwise to us, please visit here or reach out to us and we will respond in a reasonable time. Please note that some or all of the Information provided by You to us may be required in order for the Website or the Services to function properly.

    You may be able to add, update, or delete information as explained in section above. When you update information, however, we may maintain a copy of the unrevised information in our records. Please note that some information may remain in our private records after your deletion of such information from your account. We may use any aggregated data derived from or incorporating your personal information after you update or delete it, but not in a manner that would identify you personally.

    California Privacy Rights

    This section applies only to California consumers. It describes how we collect, use, and share California consumers' Personal Information in our role as a business, and the rights applicable to such residents. If you are unable to access this Privacy Policy due to a disability or any physical or mental impairment, please contact us and we will arrange to supply you with the information you need in an alternative format that you can access.

    For purposes of this section "Personal Information" has the meaning given in the California Consumer Privacy Act (“CCPA”).

    How We Collect, Use, and Share your Personal Information

    We have collected the following statutory categories of Personal Information in the past twelve (12) months:

    Identifiers, such as name, e-mail address, mailing address, and phone number. We collect this information directly from you or from third party sources.

    Commercial information, such as subscription records. We collect this information directly from you.

    Internet or network information, such as browsing and search history. We collect this information directly from your device.

    Geolocation data, such as IP address. We collect this information from your device.

    Financial information, such as Payment Information or financial account numbers in the process of providing you with a subscription. We collect this information from you.

    Inferences.

    Other personal information, in instances when you interact with us online, by phone or mail in the context of receiving help through our help desks or other support channels; participation in customer surveys or contests; or in providing the Subscription Service.

    Your California Rights

    You have certain rights regarding the Personal Information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law.

    The right of access means that you have the right to request that we disclose what Personal Information we have collected, used and disclosed about you in the past 12 months.

    The right of deletion means that you have the right to request that we delete Personal Information collected or maintained by us, subject to certain exceptions.

    The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.

    Manas Freights Pvt Ltd does not sell Personal Information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199, also known as the California Consumer Privacy Act of 2018).

    How to Exercise your California Rights

    You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your Personal Information.

    Please use the contact details below, if you would like to:

    Access this policy in an alternative format;

    Exercise your rights; here

    Email: support@docoholic.com

    Learn more about your rights or our privacy practices; or

    Designate an authorized agent to make a request on your behalf.

    CHANGES TO THIS PRIVACY POLICY

    We may change this privacy policy at any time by posting the revised privacy policy in the "privacy policy" section of the Website. The revised privacy policy is effective immediately when posted on the Website. It is the responsibility of each User to review the Website and the privacy policy periodically to learn of any revisions to this privacy policy. Your continued use of the Website after the effectiveness of such revisions will constitute your acknowledgment and acceptance of the terms of the revised privacy policy.

    Please note that if you do not want to receive legal notices from us, such as this privacy policy, those legal notices will still govern your use of the Website and the Services, and you are responsible for reviewing such legal notices for changes.

    You may always submit concerns regarding this Privacy Policy via email to us at support@docoholic.com. We shall endeavour to respond to all reasonable concerns and inquiries.

    DISPUTE RESOLUTION

    You have the right to lodge a complaint with the supervisory authority in your jurisdiction if you believe that our processing of your Information infringes the requirements of the applicable laws. We would, however, appreciate the chance to deal with your concerns before you approach such authority. If you believe that we have not adhered to this privacy policy you may write to us. In your e-mail, please describe in as much detail as possible, ways in which you believe the privacy policy has not been complied with. We will investigate your complaint promptly.

    Key Terms

    "Cookie": A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. When you visit the website again, the cookie allows that site to recognize your browser. Cookies may store user preferences and other information. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent. However, some website features or services may not function properly without cookies.

    "IP address": Every computer connected to the Internet is assigned a unique number known as an IP address. Since these numbers are usually assigned in country-based blocks, an Internet Protocol address can often be used to identify the country from which a computer is connecting to the Internet.

    "Server logs": Like most websites, our servers automatically record the page requests made when you visit our sites. These "server logs" typically include your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.

    "Pixel tag": A pixel tag is a type of technology placed on a website or within the body of an email for the purpose of tracking activity on websites, or when emails are opened or accessed, and is often used in combination with cookies.

    This document is published in accordance with the provisions of Rule 3 (1) of the Information Technology (Intermediaries guidelines) Rules, 2011 that require publishing the privacy policy and Terms of Use for access or usage of the website.
Docoholic Data Processing Agreement
INTRODUCTION:

We at MANAS FREIGHTS PVT LTD ('We,' 'Us,' 'Our' ‘DOCOHOLIC’) know that you as a user ('You,' 'Your', 'User(s)') care about how your personal information is used and shared, and we take your data privacy seriously. Please read the following to learn more about our Database protection Agreement. By visiting or using our website, mobile site, mobile app & offline channels including offices and any other linked pages, features, content, or any other services we offer from time to time in connection therewith (collectively, the 'Website'), or by using the Services (as defined in our Terms of Service) in any manner, you acknowledge that you accept the practices and policies outlined in this privacy policy, and you hereby consent that we will collect, use, and share your information in the following ways.

This Docoholic Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Docoholic on behalf of Customer in connection with the Docoholic Subscription Services under the Docoholic Terms of Service between Docoholic and Customer (the “Agreement”).

The DPA is supplemental to, and becomes an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement. We periodically update these terms. If you are an active Docoholic customer and subscriber, we will update you via Email or In-app Notification.

“California Personal Information” - means Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

"Consumer", "Business", "Sell" and "Service Provider" shall have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom Personal Data relates.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

"Permitted Affiliates" means any of Customer's Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with Docoholic and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by Docoholic, and (iii) are subject to European Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Docoholic and/or its Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out at Annex 3.

“Sub-Processor” means any Processor engaged by Docoholic or its Affiliates to assist in fulfilling Docoholic's obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or Docoholic Affiliates but shall exclude any Docoholic employee or consultant.

2. Customer Responsibilities

Compliance with Laws. Within the scope of the Agreement and in its use of the services, Customer shall be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Docoholic.

In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it shall be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Docoholic for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that its Instructions to Docoholic regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer shall inform Docoholic without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Protection Laws.

Controller Instructions. The parties agree that the Agreement (including this DPA), together with Customer's use of the Subscription Service in accordance with the Agreement, constitute Customer’s complete and final Instructions to Docoholic in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between Customer and Docoholic.

3. Docoholic Obligations

Compliance with Instructions. Docoholic shall only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. Docoholic is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to Docoholic.

Conflict of Laws. If Docoholic becomes aware that it cannot Process Personal Data in accordance with Customer's Instructions due to a legal requirement under any applicable law, Docoholic will (i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which Docoholic is able to comply. If this provision is invoked, Docoholic will not be liable to Customer under the Agreement for any failure to perform the applicable Subscription Services until such time as Customer issues new lawful Instructions with regard to the Processing.

Security. Docoholic shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, Docoholic may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

Confidentiality. Docoholic shall ensure that any personnel whom Docoholic authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

Personal Data Breaches. Docoholic will notify Customer without undue delay after it becomes aware of any Personal Data Breach and shall provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Docoholic will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.

Deletion or Return of Personal Data. Docoholic will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent Docoholic is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data Docoholic shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices. You may request the deletion of your Docoholic account after expiration or termination of your subscription by sending a request to support@docoholic.com.

4. Data Subject Requests

The Subscription Service provides Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Personal Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").

To the extent that Customer is unable to independently address a Data Subject Request through the Subscription Service, then upon Customer’s written request Docoholic shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Customer shall reimburse Docoholic for the commercially reasonable costs arising from this assistance.

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Docoholic, Docoholic will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

5. Sub-Processors

Customer agrees that Docoholic may engage Sub-Processors to Process Personal Data on Customer's behalf. Docoholic has currently appointed, as Sub-Processors, the Docoholic Affiliates and third parties listed in Annex 4 to this DPA. Docoholic shall notify Customer if it adds or removes Sub-Processors to Annex 4 prior to any such changes.

Where Docoholic engages Sub-Processors, Docoholic will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Docoholic will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Docoholic to breach any of its obligations under this DPA.

6. Data Transfers

Customer acknowledges and agrees that Docoholic may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Docoholic in the United States and to other jurisdictions where Docoholic Affiliates and Sub-Processors have operations. Docoholic shall ensure such transfers are made in compliance with the requirements of Data Protection Laws.

7. Additional Provisions for European Data

Scope of Section 7. This Section 7 (Additional Provisions for European Data) shall apply only with respect to European Data.

Roles of the Parties. When Processing European Data in accordance with Customer's Instructions, the parties acknowledge and agree that Customer is the Controller of European Data and Docoholic is the Processor.

Instructions. If Docoholic believes that an Instruction of Customer infringes European Data Protection Laws (where applicable), it will inform Customer without delay.

Notification and Objection to New Sub-Processors. Docoholic will notify Customer of any changes to Sub-processors by updating Annex 4 to this DPA and will give Customer the opportunity to object to the engagement of the new Sub-Processor on reasonable grounds relating to the protection of Personal Data within 30 days after updating Annex 4 to this DPA. If Customer does notify Docoholic of such an objection, the parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Docoholic will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to Docoholic, and Customer does not otherwise have access to the required information, Docoholic will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

Transfer Mechanisms for Data Transfers.

Docoholic shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is self-certified to the Privacy Shield, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Law, or to a recipient that has executed appropriate standard contractual clauses adopted or approved by the European Commission.

Customer acknowledges that in connection with the performance of the Subscription Services, Docoholic, Inc. is a recipient of European Data in the United States. The parties agree that Docoholic makes available the transfer mechanisms listed below:

(a) Standard Contractual Clauses: Docoholic, Inc. agrees to abide by and process European Data in compliance with the Standard Contractual Clauses, provided that notwithstanding the foregoing the parties agree that where the Docoholic contracting entity under the Agreement is not Docoholic, such contracting entity (not Docoholic) will remain fully and solely responsible and liable to Customer for the performance of the Standard Contractual Clauses by Docoholic. If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

Demonstration of Compliance. Docoholic shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA by instructing Docoholic to comply with the audit measures described in this sub-section (g). Customer acknowledges that the Subscription Service is hosted by Docoholic's data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001) and Docoholic's systems are regularly tested by independent third party penetration testing firms. Upon request, Docoholic shall supply (on a confidential basis) a summary copy of its penetration testing report(s) to Customer so that Customer can verify Docoholic's compliance with this DPA. Further, at Customer's written request, Docoholic will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer necessary to confirm Docoholic's compliance with this DPA, provided that Customer shall not exercise this right more than once per calendar year.

8. Additional Provisions for California Personal Information

Scope of Section 8. This Section 8 (Additional Provisions for California Personal Information) shall apply only with respect to California Personal Information.

Roles of the Parties. When processing California Personal Information in accordance with Customer's Instructions, the parties acknowledge and agree that Customer is a Business and Docoholic is a Service Provider for the purposes of the CCPA.

Responsibilities. The parties agree that Docoholic will process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services under the Agreement (the "Business Purpose"). Docoholic uses service data for its own legitimate Business Purpose as per our Product Privacy Policy. The parties agree that Docoholic shall not (a) Sell California Personal Information (as defined in the CCPA); (b) retain, use, or disclose California Personal Information for a commercial purpose other than for the Business Purpose or as otherwise permitted by the CCPA; or (c) retain, use, or disclose California Personal Information outside of the direct business relationship between Customer and Docoholic.

Certification. Docoholic certifies that it understands and will comply with the restrictions set out in Section 8(c) (Responsibilities).

9. General Provisions

Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 3(c) (Security), Docoholic reserves the right to make any updates and changes to this DPA and the terms that apply in Section 9 (a), para. 1 “Amendment; No Waiver” of the Agreement shall apply.

Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the section of the Agreement entitled 'Limitation of Liability' and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, if Docoholic is not a party to the Agreement, the section of the Agreement entitled ‘Limitation of Liability’ shall apply as between Customer and Docoholic and in such respect any references to ‘Docoholic’, ‘we’, ‘us’ or ‘our’ shall include both Docoholic and the Docoholic entity that is a party to the Agreement.

Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

10. Parties to this DPA

Permitted Affiliates. By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Permitted Affiliates, thereby establishing a separate DPA between Docoholic and each such Permitted Affiliate subject to the Agreement and Sections 9 and 10 of this DPA. Each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates.

Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against Docoholic directly by itself, the parties agree that (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all communication with Docoholic under the DPA and shall be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.

Other rights. The parties agree that Customer shall, when reviewing Docoholic's compliance with this DPA pursuant to Section 7(g) (Demonstration of Compliance), take all reasonable measures to limit any impact on Docoholic and its Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.

EXECUTED BY THE PARTIES' AUTHORIZED REPRESENTATIVES:

Manas Freights Pvt. Ltd. by and on behalf of its affiliates, as applicable. Controller: ________

Signature:                                                        Signature: ________

Name: Vedant Mankad                                                          Name: ____________

Title: Director.                                                                         Title: ___

Date:

Annex 1 - Details of Processing

This Annex forms part of the DPA.

Nature and Purpose of Processing

Docoholic will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by Customer in its use of the Subscription Services.

Duration of Processing

Subject to the “Deletion or Return of Personal Data” section of this DPA, Docoholic will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

Categories of Data Subjects

Customer may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Customer’s Contacts and other end users including Customer’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.

Categories of Personal Data

Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of Personal Data: Contact Information (as defined in the Docoholic Customer Terms of Service). Any other Personal Data submitted by, sent to, or received by Customer, or Customer’s end users, via the Subscription Service.

Special categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

Processing operations

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to Customer; and/or

Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Annex 2 - Security Measures

This Annex forms part of the DPA.

Docoholic currently observes the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

Access Control

Preventing Unauthorized Product Access

Outsourced processing to best in world: Docoholic hosts its Service with outsourced cloud infrastructure providers. Additionally, Docoholic maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement.

Docoholic relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors (AWS & GCP).

Physical and environmental security: Docoholic hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: Docoholic implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure.

The authorization model in each of Docoholic’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.

Preventing Unauthorized Product Use

Docoholic implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: Docoholic implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Security reviews of code stored in Docoholic’s source code repositories are performed, checking for coding best practices and identifiable software flaws.

Penetration testing: Docoholic maintains relationships with industry recognized penetration testing service providers for two annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

Bug bounty: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. Docoholic implemented a bug bounty program in an effort to widen the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks.

Limitations of Privilege & Authorization Requirements

Product access: A subset of Docoholic’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.

Background checks: All Docoholic employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

Transmission Control

In-transit: Docoholic makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free for every customer with Scaleup and enterprise sites hosted on the Docoholic products. Docoholic’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Docoholic stores user passwords following policies that follow industry standard practices for security. Docoholic has implemented technologies to ensure that stored data is encrypted at rest.

Input Control

Detection: Docoholic designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Docoholic personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Docoholic maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Docoholic will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to Customer will be in accordance with the terms of the DPA or Agreement.

Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Docoholic’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Docoholic operations in maintaining and updating the product applications and backend while limiting downtime.

Annex 3 - Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,

The Customer, as defined in the Docoholic Customer Terms of Service (the “data exporter”)

And

Manas Freights Pvt Ltd (the “data importer”), each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

‘the data exporter’ means the controller who transfers the personal data;

‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

that it will ensure compliance with the security measures;

that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

that it will promptly notify the data exporter about:

any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

any accidental or unauthorized access; and

any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

that the processing services by the subprocessor will be carried out in accordance with Clause 11;

to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered limited to Subscription amount.

If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

to refer the dispute to the courts in the Member State in which the data importer is established.

The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

On behalf of the data exporter:

Name (written out in full): … Position: …

Address: …

Other information necessary in order for the contract to be binding (if any):

On behalf of the data importer:

Name (written out in full): Vedant Mankad Position: Director

Address: Gusec west Wing Gujarat University Campus, Ahmedabad 380019 Gujarat India.

Other information necessary in order for the contract to be binding (if any):

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Defined terms used in this Appendix 1 shall have the meaning given to them in the Agreement (including the DPA).

Data exporter

The data exporter is the legal entity specified as "Customer" in the DPA.

Data importer

The data importer is Docoholic.

Data subjects

Please see Annex 1 of the DPA, which describes the data subjects.

Categories of data

Please see Annex 1 of the DPA, which describes the categories of data.

Special categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

Purposes of Processing

Docoholic shall process personal data as necessary to provide the Subscription Services to data exporter in accordance with the Agreement.

Processing operations

Please see Annex 1 of the DPA, which describes the processing operations.

DATA EXPORTER

Name: …

Authorised Signature …

DATA IMPORTER

Name: Vedant Mankad Position: Director

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please see Annex 2 of the DPA, which describes the technical and organisational security measures implemented by Docoholic.

DATA EXPORTER

Name: …

Authorised Signature …

DATA IMPORTER

Name: Vedant Mankad

Position: Director

Appendix 3 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

This Appendix sets out the parties' interpretation of their respective obligations under specific terms of the Standard Contractual Clauses ("Clauses"). Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.

For the purposes of this Appendix, "DPA" means the Data Processing Agreement in place between Customer and Docoholic and to which these Clauses are incorporated and "Agreement" shall have the meaning given to it in the DPA.

Clause 4(h) and 8: Disclosure of these Clauses

a. Data exporter agrees that these Clauses constitute data importer's Confidential Information as that term is defined in the Agreement and may not be disclosed by data exporter to any third party without data importer's prior written consent unless permitted pursuant to Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.

Clause 5(a): Suspension of data transfers and termination

The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses. The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract. If the data exporter intends to suspend the transfer of personal data and/or terminate these Clauses, it shall endeavor to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”). If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instances where it considers there is a material risk of harm to data subjects or their personal data.

Clause 5(f): Audit

a. Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in Section 7(g) (Demonstration of Compliance) of the DPA.

Clause 5(j): Disclosure of subprocessor agreements

The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter. The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter. Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably requires in connection with such subprocessing agreement to data exporter.

Clause 6: Liability

a. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

Clause 11: Onward subprocessing

The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled "FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC" the data exporter may provide a general consent to onward subprocessing by the data importer. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 7(d) (Notification and Objection to New Sub-Processors) of the DPA.

Clause 12: Obligation after the termination of personal data-processing services

a. Data importer agrees that the data exporter will fulfil its obligation to return or destroy all the personal data on the termination of the provision of data-processing services by complying with the “Deletion or Return of Personal Data” section of the DPA.

DATA EXPORTER

Name: …

Authorised Signature …

DATA IMPORTER

Name: Vedant Mankad
Position: Director

Annex 4 - Docoholic Sub-Processors
Amazon Inc. Amazon Web Services -US west, Eu-Central-1
Google, Inc. Google cloud platform – Asia South 1
Zoho Corporations Pvt Ltd
Chargebee Inc

Security Overview

www.docoholic.com

We are EU-GDPR & CCPA compliant

Docoholic works hard to maintain the privacy of data you entrust with us. Data you store in Docoholic products is yours. We put our security program in place to protect it, and use it only to provide the Docoholic service to you. We never share your data across customers and never sell it.

Docoholic Security Overview

1 OUR COMPANY AND PRODUCTS

Docoholic is the world’s leading Export, Import Documentation and service platform. Since 2019, Docoholic has been on a mission to make export and import easy, error-free and fast. Today, thousands of customers in more than 10 countries use Docoholic’s software, services, and support to transform the way they manage their shipments and delight customers. Docoholic’s award-winning web applications enable exporters’ and importers’ teams to have more efficient, error-free and reliable operations. The Docoholic products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications, application programming interfaces (APIs), and email plugins.

2 DOCOHOLIC SECURITY AND RISK GOVERNANCE

Docoholic’s primary security focus is to safeguard our customers’ and users’ data. This is the reason that Docoholic has invested in the appropriate resources and controls to protect and service our customers. This investment includes the implementation of dedicated Enterprise Security and Product Security teams. These teams are responsible for Docoholic’s comprehensive security program and the governance process. We are focused on defining new and refining existing controls, implementing and managing the Docoholic security framework as well as providing a support structure to facilitate effective risk management. Our Chief Security Assessment Officer, who reports to the Chief Executive Officer, oversees the implementation of security safeguards across Docoholic and its products.

3 OUR SECURITY AND RISK MANAGEMENT OBJECTIVES

We have developed our security framework using best practices in the SaaS industry. Our key objectives include:

  • Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
  • Availability and Continuity of Service – ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
  • Information and Service Integrity – ensure that customer information is never corrupted or altered inappropriately.
  • Compliance with Standards – implement processes and controls to align with current international regulatory and industry best practice guidance. We have designed our security program around best-of-breed guidelines for cloud security.

4 DOCOHOLIC SECURITY CONTROLS

In order to ensure we protect data entrusted to us, we implemented an array of security controls. Docoholic’s security controls are designed to allow for a high level of employee efficiency without artificial roadblocks, while minimizing risk. The following sections describe a subset of controls. For more information about the Docoholic security program, please check out all the details at Docoholic/security.com

4.1 DOCOHOLIC PRODUCT INFRASTRUCTURE

4.1.1 DATA CENTER SECURITY

Docoholic outsources hosting of its product infrastructure to leading cloud infrastructure providers. Principally, the Docoholic product leverages Amazon Web Services (AWS) and Google Cloud Platform (GCP) for infrastructure hosting. These solutions provide high levels of physical and network security as well as hosting provider vendor diversity. At present, Docoholic’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Asia Pacific. Both providers maintain an audited security program, including SOC 2 and ISO 27001 compliance. Docoholic does not host any product systems within its corporate offices.

These world-class infrastructure providers leverage the most advanced facilities infrastructure such as power, networking, and security. Facilities uptime is guaranteed between 99.95% and 100%, and the facilities ensure a minimum of N+1 redundancy to all power, network, and HVAC services. Access to these providers’ sites is highly restricted to both physical access as well as electronic access through public (internet) and private (intranet) networks in order to eliminate any unwanted interruptions in our service to our customers.

The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications.

Certificates are available at the AWS compliance site and Google Cloud Platform security site.

4.1.2 NETWORK SECURITY & PERIMETER PROTECTION

The Docoholic product infrastructure is built with internet-scale security protections in mind. In particular, network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure. These security controls include enterprise-grade routing and network access control lists (firewalling).

Network-level access control lists are implemented in AWS Virtual Private Cloud (VPC) security groups or GCP firewall rules, which apply port- and address-level protections to each of the server instances in the infrastructure. These firewalling technologies deny unintended traffic by default, and all network traffic is logged and used to inform our monitoring systems (more about that in Section 4.1.4). These network access rules allow for finely grained control of network traffic from a public network as well as between server instances on the interior of the infrastructure. Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate.

Changes in the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk and captured appropriately.

4.1.3 CONFIGURATION MANAGEMENT

Automation drives Docoholic’s ability to scale with our customers’ needs. The product infrastructure is a highly automated environment that flexibly expands capacity and capability as needed.

All server type configurations are embedded in images and Puppet configuration files. Server-level configuration management is handled using these images and configuration scripts when the server is built. Changes to the configuration and standard images are managed through a controlled change management process. Each instance type includes its own hardened configuration, depending on the deployment of the instance.

4.1.4 ALERTING & MONITORING

Not only does Docoholic fully automate its build procedures, we invest heavily in automated monitoring, alerting and response technologies to continuously address potential issues. The Docoholic product infrastructure is instrumented to alert engineers and administrators when anomalies occur. In particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses and alerts to the appropriate teams for response, investigation, and correction. As unexpected or malicious activities occur, systems bring in the right people to ensure that the issue is rapidly addressed.

Many automated triggers are also designed into the system to immediately respond to foreseen situations. Traffic blocking, quarantine, process termination, and similar functions kick in at pre-defined thresholds to ensure that the Docoholic platform can protect itself against a wide variety of undesirable situations.

The power behind Docoholic’s ability to detect and respond to anomalies is our 24x7x365 monitoring program and extensive logging. Our systems capture and store logs that include all the technologies that comprise our products. At the application layer, all logins, page views, modifications, and other access to Docoholic portals are also logged. In the infrastructure back-end, we log authentication attempts, horizontal and vertical permission changes, infrastructure health, and requests performed, among many other commands and transactions. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.

4.1.5 INFRASTRUCTURE ACCESS

Entire categories of potential security events are prevented with a stringent, consistent, and well-designed access control model. Along those lines, access to Docoholic’s systems is strictly controlled. Docoholic employees are granted access to corporate services and Docoholic product infrastructure based on their jobs, using a role-based access control model. More information about Docoholic’s RBAC model across the company is available in section 4.3.

For access to infrastructure tools, servers, and similar services, access is minimized to only the individuals whose jobs require it. For emergency access and access to administrative functions, Docoholic’s systems use a Just-In-Time-Access (JITA) model in which users can request access to privileged functions for a limited duration.

Users are assigned the privileges to make JITA requests by business unit and team. When non-standard, emergency access is needed, like sudo access on a Linux server, the user makes a JITA request. The JITA request is logged, and logs are continuously monitored for anomalous requests. Access to the privileged function is granted, and the person can go about his or her work.

Additionally, direct network connections to product infrastructure devices over SSH or similar protocols are prohibited, and engineers are required to authenticate first through a bastion host or "jump box" before accessing QA or production environments. Server-level authentication uses user-unique SSH keys and token-based two-factor authentication.

4.2 APPLICATION PROTECTION

4.2.1 WEB APPLICATION DEFENSES

As part of its commitment to protecting customer data and websites, Docoholic implemented an industry-recognized Web Application Firewall (WAF). The WAF automatically identifies and protects against attacks aimed at the Docoholic products or customer sites hosted on the platform. Docoholic’s WAF protects Docoholic platform access (e.g., the features you can access by browsing to yourcompany.docoholic.com or integrating with APIs). Additionally, all customer content hosted on the platform is also automatically protected. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure that customers’ sites and other parts of the Docoholic products are available continuously.

4.2.2 DEVELOPMENT & RELEASE MANAGEMENT

One of Docoholic’s greatest advantages is an efficient, fast feature set, and we provide constantly improving products through a modern continuous deployment and continuous delivery approach to software development. New code is proposed, approved, merged and deployed thousands of times every week. Code reviews and quality assurance are performed by specialized teams of engineers with intimate knowledge of the Docoholic platform as it is developed. Approval is controlled by designated repository owners. Once approved, code is automatically submitted to Docoholic’s continuous integration environment where compilation, packaging and unit testing occur. If all passes, the new code is deployed automatically across the application tier.

All code deployments create archives of existing production-grade code in case failures are detected by post-deploy hooks. The deploying team manages notifications regarding the health of their applications. If a failure occurs, roll-back is immediately engaged.

As part of the continuous deployment model, we use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch). Major feature changes are communicated through in-app messages.

Newly developed, built code is first deployed to the dedicated and separate Docoholic QA environment for the last stage of testing before being promoted to production. Network-level segmentation prevents unauthorized and undesirable access between QA and production environments. Customer data is never used by Docoholic in the QA environment, nor does any other testing use customer data.

4.2.3 VULNERABILITY SCANNING, PENETRATION TESTING, & BUG BOUNTIES

The Docoholic Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack. We perform hundreds of vulnerability scanning and penetration testing activities against ourselves on a continuous basis. We perform vulnerability scanning continually against our internal networks, applications, and corporate infrastructure. Network-based and application-level vulnerability scans run at least every month to ensure that we detect and respond to the latest vulnerabilities. Static code analysis automatically reviews the most current code to detect potential security flaws early in the development lifecycle.

Continually running scans, adaptive scanning inclusion lists, and continuously updating vulnerability signatures help Docoholic stay ahead of many security threats. To get a second opinion about our ability to identify and respond to security risks, we bring in industry-recognized third parties to perform two annual penetration tests. The goal of these programs is to iteratively identify flaws that present security risk and rapidly address any issues. Penetration tests are performed against the application layers and network layers of the Docoholic technology stack, and penetration testers are given internal access to the Docoholic product and/or corporate networks in order to maximize the kinds of potential vectors that should be evaluated.

In addition to internal vulnerability scanning and independent penetration testing, Docoholic manages a bug bounty program. Independent security researchers are invited to participate in identifying security flaws in the Docoholic products and are rewarded for their submissions. Security community members and Docoholic customers are welcome to perform security testing against trial portals. Information about Docoholic’s bounty program is available at

CUSTOMER DATA PROTECTION

4.2.4 CONFIDENTIAL INFORMATION IN THE DOCOHOLIC PRODUCTS

The Docoholic products are an integrated marketing, sales, and customer service experience. The information collected in our products is data gathered through lead or customer interaction, public directories, and reputable 3rd party sources. Docoholic’s tools allow customers to define the type of information to be collected and stored on their behalf. Our customers ensure that they capture only appropriate information to support their marketing, sales, and service processes. The Docoholic products are not used to collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.

4.2.5 CREDIT CARD INFORMATION PROTECTION

Many Docoholic customers pay for the service by credit card. Docoholic does not store, process or collect credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers’ credit card information is processed securely and according to appropriate regulation and industry standards.

4.2.6 ENCRYPTION IN-TRANSIT & AT-REST

All sensitive interactions with the Docoholic products (e.g., API calls, login, authenticated sessions to the customer's portal, etc.) are encrypted in-transit with TLS 1.0, 1.1, 1.2, or 1.3 and 2,048-bit keys or better. Transport layer security (TLS).

Docoholic leverages several technologies to ensure stored data is encrypted at rest. The physical and virtualized hard drives used by Docoholic product server instances as well as long-term storage solutions like AWS S3 use AES-256 encryption. Additionally, certain databases or field-level information is encrypted at rest, based on the sensitivity of the information. For instance, user passwords are hashed and certain email features work by providing an additional level of both at-rest and in-transit encryption.

Encryption keys for both in-transit and at-rest encryption are securely managed by the Docoholic platform. TLS private keys for in-transit encryption are managed through our content delivery partner. Volume and field-level encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated, and the frequency varies by the type of key and the sensitivity of the key and the data it protects; in general, TLS certificates expire every two years.

4.2.7 USER LOGIN PROTECTIONS

The Docoholic products allow users to log in to their Docoholic accounts using the built-in Docoholic login. The built-in login enforces a uniform password policy which requires a minimum of 8 characters and a combination of lower- and upper-case letters, special characters, whitespace, and numbers. People who use Docoholic’s built-in login cannot change the default password policy.

4.2.8 DOCOHOLIC EMPLOYEE ACCESS

Docoholic controls individual access to data within its production and corporate environment. A subset of Docoholic’s employees are granted access to production data based on their role in the company through role-based access controls (RBAC) or on an as-needed basis referred to as JITA (just in time access).

Engineers and members of Operations teams may be granted access to various production systems as a function of their role. Common access needs include alert response and troubleshooting, as well as analyzing information for product investment decisions and product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking functions is strictly limited to individuals whose jobs require that access, and access is reviewed on a continual basis.

Customer Support, Services, and other customer engagement staff with a need-to-know may request just-in-time access to customer portals on a time-limited basis. Requests for access are limited to their work responsibilities associated with supporting and servicing our customers. The requests are limited to just-in-time access to a specific customer's portal for a maximum 24-hour period. All access requests, logins, queries, page views and similar information are logged.

4.3 PRIVACY

The privacy of our customers’ data is one of Docoholic’s primary considerations. As described in our Privacy Policy, we never sell your personal data to any third parties. The protections described in this document and other protections that we have implemented are designed to ensure that your data stays private and unaltered. The Docoholic products are designed and built with customer needs and privacy considerations in the forefront. Our privacy program incorporates best practices, customers’ and their contacts’ needs, as well as regulatory requirements.

4.3.1 DATA RETENTION POLICY

Customer data is retained for as long as you remain an active customer. The Docoholic platform provides active customers with the tools to delete their data, as they see fit. Former customers’ data is removed from live databases upon a customer’s written request or after an established period following the termination of all customer agreements. Freemium customers’ data is purged when the portal is no longer actively used, and former paying customers’ data is purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages out of the repositories as the data lifecycle occurs. Docoholic retains certain data like logs and related metadata in order to address security, compliance, or statutory needs.

4.3.2 PRIVACY PROGRAM MANAGEMENT

Docoholic’s Legal, Security, and several other teams collaborate to ensure an effective and consistently implemented privacy program. Information about our commitment to the privacy of your data is described in greater detail in our Privacy Policy and DPA.

4.4 BUSINESS CONTINUITY & DISASTER RECOVERY

Docoholic maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, Docoholic’s goal is to quickly and transparently isolate and address the issue. Identified issues are published and are subsequently updated until the issue is resolved.

4.4.1 SYSTEM RELIABILITY & RECOVERY

Business continuity testing is part of Docoholic’s normal processing. Docoholic’s recovery processes are validated continuously through normal maintenance and support processes. We follow continuous deployment principles, and create or destroy many server instances daily as part of our regular maintenance and growth. We also use those procedures to recover from impaired instances and other failures, allowing us to practice our recovery process every day.

Docoholic primarily relies on infrastructure redundancy, real time replication and backups. All Docoholic product services are built with full redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, and all web, application, and database components are deployed with a minimum of n+1 supporting server instances or containers.

4.4.2 BACKUP STRATEGY

Docoholic ensures data is replicated and backed up in multiple durable data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across availability zones and infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary.

  • Customer (production) data is backed up leveraging multiple online replicas of data for immediate data protection. All production databases have no less than 1 primary (master) and 1 replica (slave) copy of the data live at any given point in time. Seven days’ worth of backups are kept for any database in a way that ensures restoration can occur easily. Snapshots are taken and stored to a secondary service no less often than daily and, where practicable, real-time replication is used. All production data sets are stored on a distributed file storage facility like Amazon’s S3.
  • Because we leverage private cloud services for hosting, backup and recovery, Docoholic does not implement physical infrastructure or physical storage media within its products. Docoholic also does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
  • By default, all backups are protected through access control restrictions on Docoholic product infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections.

4.5 DOCOHOLIC CORPORATE SECURITY

4.5.1 EMPLOYEE AUTHENTICATION & AUTHORIZATION

Docoholic enforces an industry-standard corporate password policy. That policy requires changing passwords at least every 90 days. It also requires a minimum password length of 8 characters and complexity requirements including special characters, upper and lower case characters, and numbers. Docoholic prohibits account and password sharing by multiple employees.

Employees generally authenticate to Docoholic product infrastructure using SSH keys. Where passwords are allowed, the password policy requires 8 character passwords. Additionally, all of the tools we use to build the Docoholic products leverage multi-factor authentication or are protected by single-sign on solutions that enforce multi-factor authentication.

4.5.2 ACCESS MANAGEMENT

Docoholic has regimented and automated authentication and authorization procedures for employee access to Docoholic systems, including the marketing and sales platforms. All access is logged. Most frequently, access is granted based on a role-based access control model. Just in time access is built into automated procedures around a set of rigorous authorization mechanisms.

We built an extensive set of support systems to streamline and automate our security management and compliance activities. In addition to many other functions, the system sweeps our product and corporate infrastructure several times daily to ensure that permission grants are appropriate, to manage employee events, to revoke accounts and access where needed, to compile logs of access requests, and to capture compliance evidence for each of our technology security controls. These internal systems sweep the infrastructure, validating that it meets approved configurations on a 24-hour basis.

4.5.3 BACKGROUND CHECKS

Docoholic employees undergo an extensive 3rd party background check prior to formal employment offers, wherever local regulations and employment standards allow. In particular, employment, education, and criminal checks are performed for potential employees. Reference verification is performed at the hiring manager's discretion. All employees must comply with Non-Disclosure Agreements and Acceptable Use Policy as part of access to corporate and production networks.

4.5.4 SECURITY AWARENESS & SECURITY POLICIES

To help keep all our engineering, support, and other employees on the same page with regard to protecting your data, Docoholic developed and maintains a Written Information Security Policy. The policy covers data handling requirements, privacy considerations, and responses to violations, among many other topics.

With this policy and the myriad protections and standards in place, we also ensure Docoholic employees are well-trained for their roles. Multiple levels of security training are provided to Docoholic employees, based on their roles and resulting access. General security awareness training is offered to all new employees and covers Docoholic security requirements. After initial training, different training tracks are available based on an employee's role. Developer-specific training is provided by and tailored to Docoholic's engineering teams. Role-specific security awareness training for Services & Support, Sales, and many other roles is tailored for the unique considerations of the role. Recurring training is provided through regular updates, notices, and internal publications.

4.6 INCIDENT MANAGEMENT

Docoholic provides 24x7x365 coverage to respond quickly to all security and privacy events. Docoholic's rapid incident response program is responsive and repeatable. Pre-defined incident types, based on historical trending, are created in order to facilitate timely incident tracking, consistent task assignment, escalation, and communication. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others.

In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate back to the customer (and any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident. Our Chief Security Officer reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.

5. PRODUCT SECURITY FEATURES

Docoholic’s security program is designed to protect all of the Docoholic products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configurations.

Whether our products are free or paid, feature-rich or lightweight, Docoholic works hard to maintain the privacy of data you entrust with us. Data you store in Docoholic products is yours. We put our security program in place to protect it, and use it only to provide the Docoholic service to you. We never share your data across customers and never sell it.

6. DOCUMENT SCOPE AND USE

Docoholic values transparency in the ways we provide solutions to our customers. This document is designed with that transparency in mind. We are continuously improving the protections that have been implemented and, along those lines, the information and data in this document (including any related communications) are not intended to create a binding or contractual obligation between Docoholic and any parties, or to amend, alter or revise any existing agreements between the parties.