Version 1.1 · Effective 15 June 2026 · Jurisdiction: India
1. Our commitment
Certopact, operated by Perigeon Software Private Limited, is committed to India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Aadhaar Act, 2016 and related regulations. This statement explains how that commitment applies across both products — Certopact Entry (identity verification) and Certopact Access (visit management) — covering visitor data, Aadhaar verification and DigiLocker documents. It complements our Privacy Policy.
2. Our roles
| Role | Applies to |
|---|---|
| Data Processor (on the Customer's instructions) | Visitor records, Aadhaar verification responses, DigiLocker documents, name-match scores, Access visit and badge data |
| Data Fiduciary (our own purposes) | Admin accounts, billing, contracts, website analytics |
For visitor and visit data captured through Entry or Access, the enterprise is the Data Fiduciary and Certopact processes that data under a Data Processing Agreement.
3. Principles we follow
- Lawfulness & consent — processing on a valid legal basis, with consent where required.
- Purpose limitation — data used only for the stated verification or visit-management purpose.
- Data minimisation — we collect only what's needed (e.g. last 4 Aadhaar digits, never the full number).
- Accuracy — mechanisms to keep data correct and current.
- Storage limitation — retained only as long as necessary.
- Security safeguards — encryption, access control and monitoring.
- Accountability — documented controls and clear ownership.
4. Data principal rights
Under the DPDP Act, a data principal has the right to:
- information about how their data is processed;
- correction of inaccurate data and erasure when no longer needed;
- grievance redressal;
- nominate someone to exercise their rights; and
- withdraw consent for future processing.
For visitor or visit data, contact the host enterprise (the Data Fiduciary) first. For data where Certopact is the Data Fiduciary, write to our Grievance Officer. We acknowledge a request within 3 working days and respond substantively within 30 calendar days. You may escalate to the Data Protection Board of India.
5. Aadhaar handling
Aadhaar verification is part of Entry, and runs inside Access where KYC Verification is enabled. In both cases:
- explicit, informed consent is required at the kiosk, and a visitor may decline;
- the full Aadhaar number and raw biometrics are never stored;
- both online (OTP) and offline (secure QR / Paperless Offline e-KYC, under the OVSE framework) verification are supported;
- access to Aadhaar-linked data is role-based and logged; and
- data is purged within 90 days of the end of its retention period.
6. Data residency
No cross-border transfer. All data is hosted in India (currently the GCP Mumbai region), encrypted at rest (AES-256) and in transit (TLS 1.2+).
7. Breach notification
| Within | Action |
|---|---|
| 1 hour | Incident response team activated |
| 6 hours | Report to CERT-In |
| 24 hours | Affected customers notified |
| 72 hours | Data Protection Board of India notified |
8. Children's data
Certopact is a B2B service for adult workplace visitors. We do not knowingly process personal data of anyone under 18, and do not undertake tracking, behavioural monitoring or targeted advertising directed at children.
9. Retention
Visitor and visit data is retained for the period the enterprise sets in its DPA (defaults: 180 days for active records, 3 years for masked audit logs). Certopact's own records follow the periods in our Privacy Policy. Backups are purged within 90 days of deletion.
10. Contact
Data Protection Officer: [email protected]
Grievance Officer: [email protected]
General: [email protected] · +91 63574 97151
Post: Perigeon Software Private Limited, Ahmedabad, Gujarat, India
Please include “DPDP request” in the subject line.