Employer Terms & Data Sharing Agreement

By creating an employer account, submitting a consent request, or accessing any employee profile data on Datagate, you ("Employer") agree to these Employer Terms and Data Sharing Agreement ("Agreement"). If you are accepting on behalf of a company, you represent that you have authority to bind that company.

If you do not agree to this Agreement, do not create an account or access employee data.

This Agreement is between you and Datagate ("Datagate") and operates alongside applicable law, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and any rules or regulations issued thereunder.

• "Employee data" means any personal data about an employee that you access through the Datagate platform following the employee's consent
• "Consent request" means a formal request submitted by you through the platform to access a specific employee's profile for a stated purpose
• "Stated purpose" means the specific purpose you declared in your consent request (e.g. background verification, onboarding)
• "BGV vendor" means a background verification agency assigned by you through the platform to conduct checks on your behalf
• "Data Fiduciary" has the meaning given in the DPDP Act — an entity that determines the purpose and means of processing personal data. You are a Data Fiduciary for your own processing of employee data received through this platform.
• "Platform" means the Datagate employment verification platform accessible at datagate.co.in

Once an employee approves your consent request, you may use their data only for:

• Background verification of the specific candidate named in your consent request, for the purpose you stated
• Onboarding of a candidate who has accepted a confirmed offer of employment from you
• Compliance with legal obligations arising directly from the employment relationship with that candidate

Use is strictly limited to the stated purpose. If your purpose changes — even for the same candidate — you must submit a new consent request and obtain fresh approval.

• Do not use employee data for any purpose other than the stated purpose
• Do not retain employee data beyond the period necessary for the stated purpose
• Do not share employee data with any third party — including subsidiaries, affiliates, group companies, or partners — without fresh consent from the employee, except as provided in Section 7 (BGV vendor routing)
• Do not use employee data for marketing, profiling, scoring, or any commercial purpose unrelated to the specific hiring or onboarding process
• Do not retain copies after the employee withdraws consent
• Do not retain copies after a candidate is rejected and the hiring process for that candidate is concluded
• Do not sell, license, sublicense, or transfer employee data to any party under any circumstances
• Do not use employee data to train machine learning models or any automated system
• Do not combine employee data received from Datagate with data obtained from other sources to create profiles beyond the stated purpose

An employee may withdraw consent at any time without giving a reason. When this happens:

• Your access to their profile on the platform is revoked instantly and automatically
• You receive an email notification immediately
• You must delete all digital copies of their data within 72 hours of the notification timestamp
• You must complete a full purge from all systems — including backups, email, HR platforms, local storage, and any system you shared the data with — within 7 days
• Where you have assigned a BGV vendor, you must instruct them to delete all copies within the same timeframes

When an employee deletes their Datagate account, you will receive an email notification immediately. Upon receiving it:

• Delete all digital copies from all your systems within 72 hours
• Complete a full purge — including email, HR systems, shared drives, local storage, backups, and any downstream systems — within 7 days
• Instruct any BGV vendor you assigned to delete all copies within the same timeframes
• Datagate retains a cryptographically timestamped record of this notification as evidence that the obligation was formally communicated

You may not penalise, disadvantage, or discriminate against any employee or candidate for exercising their right to delete their account or withdraw consent.

You may assign a Datagate-approved BGV vendor to conduct background checks on your behalf through the platform. When you do:

• The assignment is limited to the scope of the employee's original consent
• The BGV vendor receives access only to the data necessary for the checks they are assigned to conduct
• The BGV vendor is independently bound by Datagate's BGV Vendor Terms
• You remain responsible as the instructing Data Fiduciary for the BGV vendor's handling of the employee's data
• You must not instruct the BGV vendor to conduct checks beyond the scope of the stated purpose
• On consent withdrawal or account deletion, your instruction to the BGV vendor to delete data is your obligation — Datagate will revoke platform access to the vendor simultaneously

As a Data Fiduciary processing employee data received through Datagate, you agree to:

• Process employee data only for the stated purpose in your consent request
• Ensure all personnel with access to employee data are bound by appropriate confidentiality obligations
• Implement and maintain appropriate technical and organisational security measures for all employee data you store
• Notify Datagate within 72 hours of becoming aware of any incident involving employee data — including unauthorised access, disclosure, loss, or breach
• Cooperate with any audit, inspection, or investigation by Datagate or competent regulatory authorities
• Maintain records of all consent requests submitted and the purposes stated, for a minimum of 7 years
• Ensure that any BGV vendor you assign complies with all applicable obligations

If you store employee data received through Datagate, you must:

• Restrict access to authorised personnel only, on a need-to-know basis
• Store data only on systems with appropriate access controls and encryption
• Not store employee data on personal devices, personal email accounts, or unsecured shared drives
• Implement access logging so that any access to stored employee data is recorded
• Ensure data is deleted in a manner that makes recovery impossible (secure deletion, not just removal from active systems)

Datagate maintains a cryptographic, tamper-evident log of all consent events on the platform — including every consent request, approval, access event, and withdrawal. These logs are the authoritative record of what was consented to, by whom, for what purpose, and when.

You may request a copy of consent logs relating to your account by contacting support@datagate.co.in.

You agree to indemnify, defend, and hold harmless Datagate, its officers, employees, and agents from and against any and all claims, damages, losses, penalties, fines, and costs (including reasonable legal fees) arising from:

• Your breach of any provision of this Agreement
• Your violation of the DPDP Act, 2023 or any other applicable data protection law
• Your misuse of employee data received through the platform
• Any act or omission of a BGV vendor you assigned that results in a data protection breach
• Any third-party claim arising from your processing of employee data

To the maximum extent permitted by applicable law, Datagate's total aggregate liability to you under or in connection with this Agreement — whether in contract, tort, or otherwise — shall not exceed the total fees paid by you to Datagate in the three calendar months immediately preceding the event giving rise to the claim.

Datagate is not liable for any indirect, incidental, consequential, or punitive damages, including loss of profits, loss of data, or business interruption, even if advised of the possibility of such damages.

This limitation does not apply to liability arising from Datagate's fraud, wilful misconduct, or gross negligence.

Datagate may suspend or terminate your account immediately and without prior notice for:

• Any violation of the prohibited uses in Section 4
• Any material breach of this Agreement
• Any misuse of employee data that could harm employees or the platform
• Any regulatory action or legal order requiring suspension

On termination, your access to the platform and all employee profiles is immediately revoked. Your obligations under Sections 4, 5, 6, 8, and 9 survive termination and remain in full force with respect to all employee data you received prior to termination.

You may terminate your account at any time by contacting support. On account closure, you must delete all employee data in your possession within 7 days.

This Agreement is governed by and construed in accordance with the laws of India. Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of competent jurisdiction in Hyderabad, Telangana, India.

Before initiating legal proceedings, both parties agree to attempt good-faith resolution within 30 days of written notice of the dispute.

Entire agreement: This Agreement, together with Datagate's Privacy Policy, constitutes the entire agreement between you and Datagate regarding the subject matter herein and supersedes all prior agreements or representations.

Severability: If any provision of this Agreement is found to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.

Force majeure: Neither party shall be liable for failure to perform obligations due to circumstances beyond their reasonable control, including acts of God, natural disasters, government orders, or infrastructure outages, provided the affected party gives prompt notice and takes reasonable steps to mitigate the impact.

Changes to this Agreement: We may update these terms. For material changes, we will give at least 14 days' notice by email before they take effect. Continued use after the effective date constitutes acceptance.

No waiver: Failure by either party to enforce any provision of this Agreement shall not constitute a waiver of the right to enforce it in future.

Assignment: You may not assign your rights or obligations under this Agreement without Datagate's prior written consent. Datagate may assign this Agreement in connection with a merger, acquisition, or sale of assets.