Data Protection Policy

Last updated: 27 May 2026

This Data Protection Policy describes the technical and organisational measures ("TOMs") DPDPA Suite implements to protect personal data, in line with the Digital Personal Data Protection Act, 2023, the DPDP Rules, 2025, the Information Technology Act, 2000 and applicable CERT-In directions.

1. Purpose and scope

This policy applies to all personal data processed by DPDPA Suite — whether about website visitors, leads, account holders, employees, vendors, or Data Principals whose records are held by our customers inside their tenants. It binds every employee, contractor and sub-processor.

2. Roles

We act as a Data Processor for personal data inside customer tenants, and as a Data Fiduciary for our own marketing, sales, support, HR and account data. Our processor obligations are set out in our Data Processing Addendum, which forms part of every customer contract.

3. Data governance principles

  • Lawfulness, fairness and transparency. We process data on a clear lawful basis and tell people what we do.
  • Purpose limitation. Data is used only for the purpose it was collected for.
  • Data minimisation. We collect only what is necessary.
  • Accuracy. Inaccurate data is corrected or erased without undue delay.
  • Storage limitation. Data is retained only as long as needed.
  • Integrity and confidentiality. Data is protected from unauthorised or unlawful processing, loss, destruction or damage.
  • Accountability. Every privileged action is logged and reviewable.

4. Technical measures

  • TLS 1.2+ for data in transit; AES-256 for data at rest.
  • Multi-tenant database isolation with PostgreSQL row-level security and tenant-scoped access tokens.
  • Role-based access control with least privilege; mandatory MFA for administrators and engineers with production access.
  • Hash-chained audit log of every privileged action, exportable for inspection.
  • Secrets stored in a dedicated key-management service with envelope encryption.
  • Continuous dependency and vulnerability scanning; periodic third-party penetration testing.
  • Encrypted, geo-redundant backups; documented Recovery Point Objective and Recovery Time Objective.
  • Hardened CI/CD pipeline; signed releases; reproducible builds.
  • Network egress allow-lists; private subnets for databases; isolated administrative bastion.

5. Organisational measures

  • Background-checked employees and contractors under written confidentiality and non-disclosure obligations.
  • Mandatory privacy and security training at onboarding and annually thereafter.
  • Documented change management with peer review and continuous integration gates.
  • Sub-processor due diligence with written DPDP-compliant contracts and an internal sub-processor register.
  • Designated Data Protection Officer and Grievance Officer reachable through public channels.
  • Annual review of access rights, joiners-movers-leavers controls, and key personnel risk.

6. Data localisation and cross-border transfers

Primary production data is stored in India. Cross-border processing happens only with categories of data not restricted by the Central Government under Section 16 of the DPDP Act and Rule 13(4) of the DPDP Rules, 2025, and only under contractual safeguards that mirror DPDP requirements. We maintain an internal localisation watchlist and update it as MeitY notifies new restrictions.

7. Retention and secure deletion

We retain personal data only as long as necessary for the stated purpose or as required by law (for example, tax, accounting or statutory record-keeping). On termination of a customer contract, customer tenant data is returned or deleted within 30 days unless a longer statutory retention applies. Deletion is irreversible across primary stores; backups are purged according to backup rotation cycles documented in the Documentation.

8. Incident management and breach notification

We follow a CERT-In aligned incident response process: detect, triage, contain, eradicate, recover, notify and post-mortem. In the event of a personal data breach we will notify the Data Protection Board and affected Data Principals in the manner and within the timelines prescribed by Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025, and report the incident to CERT-In within the timelines mandated by the 2022 directions where applicable. Customers acting as Data Fiduciaries will be notified without undue delay to enable their own statutory notifications.

9. Data Principal rights handling

Data Principal requests are handled through our DSAR workflow with a default response SLA of 90 days, in line with Rule 14(3). The workflow tracks intake, identity verification, scope determination, fulfilment, redaction, secure delivery and statutory recordkeeping. For data held inside a customer tenant we forward the request to the relevant Data Fiduciary and provide assistance via the platform.

10. Children and special categories

We process personal data of children below 18 years only with verifiable parental consent or within an exemption listed in the Fourth Schedule of the DPDP Rules, 2025 (healthcare, educational institutions, creche and child-care services, child-safety tracking, State subsidies and benefits, or legal obligations). Behavioural tracking and targeted advertising directed at children are prohibited on our platform.

11. Significant Data Fiduciary obligations

Where a customer is notified as a Significant Data Fiduciary, our platform supports the additional obligations under Section 10 of the DPDP Act and Rule 13 of the DPDP Rules, 2025 — including Data Protection Impact Assessments, periodic algorithmic due-diligence, independent data audits, and the appointment of a Data Protection Officer.

12. Government information requests

All requests for personal data from a Government agency are logged in our Government Information Request register and assessed for legal validity under Section 23 of the DPDP Act. We disclose only what is strictly required by the order and notify affected customers wherever lawful.

13. Audits and assurance

We undergo periodic third-party security assessments, maintain an internal audit programme, and make summary reports available to customers under NDA. Customers may exercise reasonable audit rights as set out in the Data Processing Addendum.

14. Policy ownership and review

This policy is owned by the Data Protection Officer and reviewed at least annually, and after any material change in law, technology, or business model.

15. Contact

Email: hello@dpdpasuite.com
Phone: +91 88513 05915