Rupam.ai

DPDPA 2023 Compliance

Last updated: April 3, 2026

1. Overview

Rupam.ai, a product of Xillentech Private Limited, is committed to full compliance with Bharat’s Digital Personal Data Protection Act, 2023 (DPDPA). This page describes how we implement the requirements of the DPDPA in our operations, technology, and processes.

As a Data Fiduciary processing personal data of Bharatiya data principals, we recognise our obligations under the Act and have built our infrastructure and practices to meet or exceed its requirements.

2. Key Definitions Under DPDPA

  • Data Principal: The individual to whom the personal data relates. In our context, this includes end users whose skin images are analysed and business customers who register for API access.
  • Data Fiduciary: The entity that determines the purpose and means of processing personal data. Rupam.ai (Xillentech Private Limited) acts as the Data Fiduciary.
  • Data Processor: An entity that processes personal data on behalf of a Data Fiduciary. Our cloud infrastructure provider (AWS) and payment processor act as Data Processors.
  • Consent Manager: A registered entity that manages consent on behalf of the Data Principal. Rupam.ai provides built-in consent management through our API and widgets.

3. Lawful Basis for Processing

Rupam.ai processes personal data on the following lawful bases under the DPDPA:

  • Consent: We obtain explicit, informed, and freely given consent before processing facial images for skin analysis. Consent is collected through our API consent flow or widget consent UI.
  • Legitimate uses: Processing necessary for the performance of a contract (API service delivery), compliance with Bharatiya law, and responding to medical emergencies where applicable.

4. Consent Management

Our consent implementation meets the DPDPA requirements:

  • Consent is obtained in clear, plain language before any image processing begins.
  • Consent requests specify the exact purpose (skin analysis), categories of data (facial image, skin analysis results), and retention period.
  • Consent is granular and unbundled from other terms.
  • Data principals can withdraw consent at any time through the API or by contacting our Grievance Officer.
  • Withdrawal of consent triggers automatic deletion of associated personal data within 72 hours.
  • We maintain auditable consent records for compliance verification.

5. Rights of Data Principals

Under the DPDPA, Bharatiya data principals have the following rights, all of which Rupam.ai honours:

  • Right to information: You have the right to know what personal data we collect, how we process it, and with whom we share it.
  • Right to access: You can request a summary of all personal data we hold about you, including processing activities and third parties with whom data has been shared.
  • Right to correction: You can request correction of inaccurate or misleading personal data.
  • Right to erasure: You can request complete deletion of your personal data. Upon receiving a valid request, we delete facial images within 72 hours and account and analysis data within 30 days.
  • Right to grievance redressal: You can file complaints with our Grievance Officer. If unsatisfied, you may escalate to the Data Protection Board of Bharat.
  • Right to nominate: You may nominate another individual to exercise your data protection rights in the event of your death or incapacity.

To exercise any of these rights, email privacy@rupam.ai with the subject line “DPDPA Data Request.” We will respond within 72 hours and fulfil valid requests within the timelines specified above.

6. Data Localisation

Rupam.ai stores and processes all personal data of Bharatiya data principals exclusively on Bharat-hosted infrastructure:

  • Primary infrastructure: AWS Mumbai (ap-south-1) region.
  • No cross-border transfer: Personal data of Bharatiya data principals is not transferred outside of Bharat unless explicitly consented to and permitted under the DPDPA.
  • Data residency guarantee: Available on Professional and Enterprise plans with contractual assurance.

7. Data Protection Measures

We implement reasonable security safeguards as required under Section 8 of the DPDPA:

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all personal data.
  • Role-based access controls applying the principle of least privilege.
  • Regular security audits, vulnerability assessments, and penetration testing.
  • Automated anomaly detection on data access patterns.
  • Employee data protection training and confidentiality agreements.
  • Incident response plan with 72-hour notification commitment for data breaches.
  • SOC 2 Type II compliance (Professional and Enterprise plans).

8. Data Breach Notification

In the event of a personal data breach, Rupam.ai will:

  • Notify the Data Protection Board of Bharat within 72 hours of becoming aware of the breach, as required under the DPDPA.
  • Notify affected data principals without unreasonable delay, including details of the breach, potential impact, and remediation steps.
  • Document the breach, its effects, and remedial actions taken.
  • Conduct a post-incident review and implement measures to prevent recurrence.

9. Children’s Data

In accordance with Section 9 of the DPDPA, Rupam.ai does not process personal data of children (individuals under the age of 18). Our Services require users to confirm that they are at least 18 years of age. We do not knowingly collect or process data from children, and we do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.

10. Grievance Officer

In accordance with the DPDPA, Rupam.ai has appointed a Grievance Officer to address data protection concerns:

Grievance Officer: Varun Acharya, CEO

Organisation: Xillentech Private Limited

Email: grievance@rupam.ai

Address: Ahmedabad, Gujarat, Bharat

Response time: Within 72 hours of receiving a complaint

If you are not satisfied with the resolution provided by our Grievance Officer, you may escalate your complaint to the Data Protection Board of Bharat as established under the DPDPA.

11. Data Processing Agreements

When Rupam.ai acts as a Data Processor on behalf of business customers (Data Fiduciaries), we enter into Data Processing Agreements (DPAs) that specify:

  • The scope and purpose of data processing.
  • Categories of personal data processed.
  • Data retention and deletion obligations.
  • Security measures and audit rights.
  • Sub-processor management and notification.
  • Data breach notification procedures.

Enterprise and Professional plan customers can request a custom DPA by contacting legal@rupam.ai.

12. Updates to This Page

We will update this DPDPA Compliance page as the regulatory landscape evolves and as rules under the Digital Personal Data Protection Act, 2023 are further clarified by the Government of Bharat. Material changes will be communicated via email to registered users.

Questions about DPDPA compliance? Contact our Grievance Officer at grievance@rupam.ai