Data Protection Policy

This Data Protection Policy outlines the technical and organisational measures Hyggex Digital Services Private Limited implements to safeguard all personal and institutional data processed through the Adaptmate platform. This policy supplements our Privacy Policy and is compliant with the Digital Personal Data Protection Act (DPDPA) 2023, GDPR, and the Information Technology Act 2000.

1. Data Classification

2. Technical Security Measures

2.1 Encryption

• Data in Transit: TLS 1.2+ with Perfect Forward Secrecy (PFS) for all communications
• Data at Rest: AES-256 encryption for all stored data including backups
• Key Management: Hardware Security Module (HSM) backed key rotation every 90 days

2.2 Access Control

• Role-Based Access Control (RBAC) with principle of least privilege
• Multi-Factor Authentication (MFA) mandatory for all administrative access
• Session timeout after 30 minutes of inactivity
• Automated deprovisioning upon role change or termination

2.3 Infrastructure Security

• Cloud hosting with SOC 2 Type II certified providers
• Network segmentation and firewall protection
• DDoS protection and rate limiting
• Automated vulnerability scanning (weekly)
• Penetration testing conducted annually by independent security firms

2.4 Monitoring & Detection

• 24/7 automated monitoring with real-time alerting for anomalies
• Comprehensive audit logs with tamper-proof storage (minimum 12 months retention)
• Intrusion Detection System (IDS) covering all production environments

3. Organisational Measures

• All employees undergo security awareness training upon onboarding and annually thereafter
• Background verification for all personnel with access to restricted data
• Non-Disclosure Agreements (NDAs) executed with all employees and contractors
• Dedicated Data Protection Officer (DPO)
• Data Protection Impact Assessments (DPIA) for new features processing sensitive data

4. Incident Response

4.1 Response Timeline

4.2 Breach Notification

In the event of a data breach affecting personal data, we will notify the Data Protection Board of India (under DPDPA), the relevant supervisory authority (under GDPR), and all affected data principals within 72 hours as required by law.

5. Data Processing Agreements

We execute Data Processing Agreements (DPAs) with all institutional clients, defining the scope, purpose, and obligations of data processing. Sub-processors are contractually bound to the same security and privacy standards.

6. Cross-Border Data Transfers

• Data transfers outside India comply with DPDPA 2023 provisions for cross-border transfer
• Transfers to EU/EEA are protected by Standard Contractual Clauses (SCCs)
• We do not transfer data to jurisdictions notified as restricted by the Government of India

7. Data Retention & Deletion

• Active data is retained for the duration of the subscription
• Post-termination, identifiable data is deleted within 90 days
• Backup data is purged within 180 days of deletion request
• Institutions may request immediate deletion at any time

8. Compliance Certifications

We are committed to obtaining and maintaining the following certifications:

• ISO 27001 (Information Security Management)
• SOC 2 Type II (Security, Availability, Confidentiality)
• Annual third-party security audits

9. Contact

For data protection inquiries or to report a security concern:

• Data Protection Officer: dpo@adaptmate.com
• Security Team: security@adaptmate.com
• Registered Office: Hyggex Digital Services Pvt Ltd, India