India's Digital Personal Data Protection Act 2023 changes the rules for any company processing personal data of Indian residents. Certopact handles some of the most sensitive data the Act covers — Aadhaar, DigiLocker documents, and visitor identity records. This statement explains, in plain language, how we comply with our obligations under the Act and what that means for you.
Why this matters.
The Digital Personal Data Protection Act 2023 (the "DPDP Act") is India's first comprehensive data protection law. It establishes rights for Data Principals (the people whose data is being processed), and obligations for Data Fiduciaries (organisations that decide what to do with personal data) and Data Processors (organisations that process data on behalf of a Fiduciary).
For Certopact, the DPDP Act sits alongside two other Indian laws we already comply with: the Aadhaar Act 2016, which governs the use of Aadhaar specifically, and the Information Technology Act 2000, which governs cybersecurity and reasonable security practices.
This statement is a public commitment to how we apply the DPDP Act to our products and operations. It is updated whenever the Act, its rules, or our practices change.
Our role under the DPDP Act.
Certopact takes one of two roles under the DPDP Act, depending on the situation:
- Visitor records collected at customer premises
- Aadhaar verification responses for visitors
- DigiLocker documents pulled by visitors
- Match scores and verification logs for visitors
- Admin user accounts and authentication data
- Customer billing, contracts, support tickets
- Marketing list subscribers and event attendees
- Website visitors and analytics
When we are a Data Processor, the customer (your enterprise) is the Data Fiduciary and decides what data to collect and why. We process only on their documented instructions, under a Data Processing Agreement (DPA). When we are a Data Fiduciary, we determine the purposes and means ourselves and bear the full obligations of the role.
The principles we follow.
The DPDP Act is built on a small number of principles. We've translated each into a concrete commitment.
Lawfulness and consent
We process personal data only for lawful purposes, with the consent of the Data Principal or under one of the legitimate uses specified in Section 7 of the Act (such as employment, public interest, or compliance with a court order). At every Certopact kiosk, the visitor is shown what will be collected, why, who will see it, and how long it will be retained — before they can proceed.
Purpose limitation
We use personal data only for the purposes for which it was collected. We do not repurpose visitor data for marketing, profiling, advertising, or any unrelated activity.
Data minimisation
We collect only what is necessary for the stated purpose. The visitor types only the last four digits of their Aadhaar — never the full number. We do not capture biometrics. We do not pull DigiLocker documents unless the visitor explicitly opts in.
Accuracy
Where we hold personal data that may be used to make a decision affecting a person, we take reasonable steps to keep it accurate, complete, and up to date.
Storage limitation
We retain personal data only for as long as is necessary for the original purpose, plus any additional period required by law. Default retention periods are set out in our Privacy Policy. Customers can configure shorter retention windows in their Data Processing Agreement.
Security safeguards
We apply strong technical and organisational safeguards proportionate to the sensitivity of the data — encryption at rest and in transit, access controls, audit logs, India data residency, and regular security testing.
Accountability
We maintain records of our processing activities. We respond to Data Principal requests within statutory timelines. We notify affected parties in the event of a breach. We submit to independent audits.
Rights of Data Principals.
Under Sections 11 to 14 of the DPDP Act, every Data Principal has the following rights, which Certopact honours regardless of whether we are the Fiduciary or the Processor:
| Right | What it means | How to exercise |
|---|---|---|
| Right to information | To know what personal data is being processed and a summary of the activities | Email the Grievance Officer |
| Right to correction | To have inaccurate or misleading data corrected, completed if incomplete, or updated | Email the Grievance Officer |
| Right to erasure | To have personal data deleted when no longer required for the original purpose | Email the Grievance Officer |
| Right to grievance redressal | To raise concerns and have them addressed within statutory timelines | Email the Grievance Officer |
| Right to nominate | To nominate someone to exercise rights on your behalf in case of death or incapacity | Written notice to Grievance Officer |
| Right to withdraw consent | To withdraw any consent previously given, with effect for the future | From kiosk consent screen or via email |
Response timelines
We will acknowledge a request within 3 working days and respond substantively within 30 calendar days. If a request is complex and requires a longer time, we will notify you of that and explain why.
Where we cannot help
If you are a visitor whose data was collected at an enterprise customer's premises, the customer is the Data Fiduciary. They control retention, access, and deletion decisions. Please contact them first. If they do not respond, write to us and we will facilitate the request to the extent permitted under our DPA with them.
Aadhaar and the DPDP Act.
Aadhaar data is regulated specifically by the Aadhaar Act 2016 and UIDAI's regulations, which sit alongside the DPDP Act. Where the two conflict, the more protective standard applies.
- Consent for Aadhaar verification is always explicit, specific, and shown at the kiosk before the visitor proceeds
- The full Aadhaar number is never stored, in any form, encrypted or otherwise
- Aadhaar-linked data is never transferred outside India
- Access to Aadhaar verification responses is logged and limited to authorised personnel with a documented business need
- Data is purged at the end of its retention period, with backups purged within 90 days
If UIDAI issues new guidance or amends the Aadhaar regulations, we update our practices and this statement to match.
Cross-border transfers.
The DPDP Act allows the Government of India to restrict transfer of personal data to certain foreign jurisdictions. Aadhaar-linked data is already restricted to India under separate regulations.
For all visitor data and Aadhaar verification responses, our position is straightforward: no cross-border transfer. All data is hosted in India (currently GCP Mumbai region). All processing happens in India.
For internal business operations — such as collaboration tools, support ticketing, or non-personal documentation — we may use vendors with infrastructure outside India. None of these vendors process Customer Data, Aadhaar data, or visitor records.
Personal data breach response.
The DPDP Act requires Data Fiduciaries to notify the Data Protection Board and affected Data Principals of personal data breaches. Separately, the CERT-In rules under the IT Act require notification of cyber incidents within 6 hours.
Certopact's incident response runbook is designed to meet both requirements:
- Within 1 hour of confirmation — internal incident response team activated, scope contained
- Within 6 hours — preliminary report to CERT-In as required under the IT Act
- Within 24 hours — affected enterprise customers (where Certopact is Processor) notified with available facts
- Within 72 hours — Data Protection Board notified once it is operational under the DPDP Act
- As soon as practicable — affected Data Principals notified directly where required, with information about the breach, its likely impact, and steps they can take to mitigate harm
If you believe a breach has occurred, please notify us immediately at [email protected].
Children and persons with disabilities.
The DPDP Act treats data of children (under 18) and persons with disability under guardianship as a protected category, with stricter consent requirements.
Certopact Entry is designed for adult visitors at workplaces and is not intended for use with persons under 18. We do not knowingly process the personal data of children. If a Customer's premises must accommodate child visitors (for example, a school or family-day event), the Customer is responsible for obtaining verifiable consent from a parent or lawful guardian under Section 9 of the Act before using Certopact for that purpose.
Aadhaar verification is intended only for adult Aadhaar holders. The kiosk confirms eligibility before proceeding.
Significant Data Fiduciary obligations.
The DPDP Act allows the central government to designate certain organisations as Significant Data Fiduciaries (SDFs) based on volume, sensitivity, and risk. SDFs have additional obligations including appointing a Data Protection Officer based in India, conducting Data Protection Impact Assessments, and undergoing periodic audits.
Whether or not Certopact is formally designated as an SDF when the rules are notified, we have voluntarily implemented the SDF controls already:
- A named Data Protection Officer based in India, contactable at [email protected]
- Documented Data Protection Impact Assessments for every major feature involving personal data
- Independent third-party security audits, with SOC 2 Type II and ISO 27001 in progress in 2026
- Internal records of processing activities, available for audit on request
Our public commitments.
This is what we commit to, in addition to the specific obligations of the DPDP Act:
- We will never sell, rent, or trade personal data — not as part of an exit, not as part of a merger, not under any circumstance
- We will never use Aadhaar or visitor data for marketing, advertising, or profiling
- We will publish a transparency report annually summarising government data requests received and our response
- We will publicly notify users of any change in ownership, business model, or jurisdiction that materially affects how their data is processed
- We will fund and operate a vulnerability disclosure programme so security researchers can report issues safely (see our Responsible Disclosure Policy)
How to contact us.
- Data Protection Officer
- [email protected]
Mr. [DPO name], based in Ahmedabad, India - Grievance Officer
- [email protected]
- Postal address
- Perigeon Software Pvt. Ltd.
Attn: Data Protection Officer
Ahmedabad, Gujarat, India - Data Protection Board
- Once operational under the DPDP Act, complaints may be escalated to the Data Protection Board of India