1. Parties & scope
This DPA governs the processing of personal data by Marketsync Global Ltd ('processor') on behalf of a B2B partner ('controller') using nationwide APIs, build.bd services, or the shared-service platforms (1pay.bd, kyc.bd, msg.bd). It supplements the Terms & Conditions and takes precedence in the event of conflict on data-protection matters.
2. Subject-matter & duration
Processing is limited to what the controller instructs — identity verification, payment initiation, message delivery, listing retrieval — for the duration of the underlying commercial agreement, plus a documented tail period for compliance retention.
3. Nature of data
Categories may include identifiers (name, email, phone), NID/passport data (via kyc.bd), transaction data (via 1pay.bd), communication content (via msg.bd) and device metadata. Special-category data is not knowingly processed except where controller-authorised for KYC purposes.
4. Sub-processors
Marketsync Global Ltd engages the following sub-processors: Bangladesh Bank-licensed payment service providers (via 1pay.bd), the Election Commission NID verification service (via kyc.bd), cloud infrastructure providers with data centres in-region where possible. A current sub-processor list is available on request and updated with 30 days' notice for material changes.
5. Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is role-based, logged, and reviewed quarterly. Incident response follows the Cybersecurity Act, 2023 and internal SLAs — controller notification within 72 hours of confirmed personal-data breach.
6. Data-subject rights
The processor assists the controller in responding to access, correction, deletion, portability and objection requests within statutory timelines. Direct data-subject requests received by the processor are forwarded to the controller without action, unless the processor is the controller for that dataset.
7. International transfers
Data is primarily processed in Bangladesh. Any cross-border transfer to a sub-processor uses contractual safeguards equivalent to standard contractual clauses and the controller is notified in advance.
8. Audit
The controller may audit compliance annually with reasonable notice, or accept an equivalent third-party attestation. Audit costs are borne by the controller unless material non-compliance is found.
9. Return or deletion
On termination, personal data is returned or deleted per controller instruction, subject to mandatory retention under Bangladesh Bank AML/CFT rules, the Income Tax Ordinance and the Digital Security Act.
10. Liability
Liability under this DPA is subject to the limitation clauses of the underlying Terms & Conditions and the applicable commercial agreement.
11. Governing law
This DPA is governed by the laws of Bangladesh. Disputes follow the arbitration and jurisdiction terms of the underlying commercial agreement.
12. Contact
Data protection contact: dpo@nationwide.bd.