Data Privacy Policy
ESDS SOFTWARE SOLUTION LTD
PRIVACY POLICY
1. Introduction
ESDS Software Solution Ltd (“ESDS,” “we,” “our,” or “us”) is a MeitY-empanelled Cloud Service Provider headquartered in India, delivering a portfolio that spans community and sovereign cloud, GPU and AI infrastructure, data-centre operations, and managed services to government, banking, and enterprise clients.
In the course of providing these services, we handle personal data belonging to customers, their authorised users, prospective customers, partners, vendors, job applicants, and visitors to our websites and facilities. This Privacy Policy explains how we collect, use, process, store, transfer, and protect that personal data, and the rights available to you under applicable law.
We process personal data in compliance with the Digital Personal Data Protection Act, 2023 (India) (the “DPDP Act”), the Information Technology Act, 2000 and the rules made under it, and the directions and standards applicable to us as a MeitY-empanelled Cloud Service Provider, including those issued by CERT-In.
By using our platforms, availing our services, or submitting personal data through our interfaces, you confirm that you have read and understood this Policy. Where the law requires consent, we obtain it separately and explicitly; continued use alone is not treated as consent to processing for which the DPDP Act requires a distinct, affirmative opt-in.
2. Scope
This Policy applies to our processing of personal data when you: request information from us; engage our services or purchase our products; interact with us by virtue of your organisation’s relationship with ESDS; apply for employment or a work placement; visit our offices or data-centre facilities; or use our websites, portals, APIs, and online services.
3. Our Two Roles — Data Fiduciary and Data Processor
Our obligations, and your route to exercising rights, depend on the capacity in which we act:
| Capacity | When It Applies |
|---|---|
| Data Fiduciary | Where we determine the purpose and means of processing — data from our websites, marketing, sales, recruitment, facility access, and the administration of customer accounts. This Policy governs that processing, and you exercise your rights directly against us. |
| Data Processor | Where we process data solely on a customer’s documented instructions — the content a customer stores or runs within services hosted on our cloud. The customer is the Data Fiduciary; affected individuals exercise their rights through that customer, and we assist the customer in meeting them. |
4. Definitions
“Personal Data” means any data about an individual who is identifiable by or in relation to such data; the individual is the “Data Principal.” Certain categories carrying heightened risk — such as financial information, government identifiers, and biometric data — are treated by us with additional safeguards. For the purposes of this Policy, references to Personal Data include such sensitive categories.
5. Personal Data We Collect Directly From You
We collect data you provide voluntarily, including when you create an account, contract with us, seek support, attend an event, apply for a role, or visit a facility. The data elements collected vary by interaction, as set out below:
| At Registration | During KYC / Contracting | For Billing | For Support |
|---|---|---|---|
| Individual / organisation name | Identification proof | Billing name and address | First and last name |
| Primary contact name | Address proof | Country, state, city, PIN | |
| Primary email and phone | Tax information | Tax type and Tax ID (GSTIN) | Country code and contact no. |
| Company website | Financial details | Credit limit, billing cycle | Ticket / case details |
| Address (country/state/city/PIN) | Authorised-signatory details | Currency, bill date | |
6. Personal Data We Collect Automatically
When you interact with our websites, portals, and APIs, we automatically collect: device and browser information (IP address, device identifiers, operating system, browser type); date, time, and duration of access, login events, and usage activity; navigation and interaction patterns; API usage metadata such as endpoints accessed, call volumes, response times, and error logs; and information collected through cookies and similar technologies, as described in our Cookie Policy.
7. Data Collected at Our Facilities
Because we operate physical data-centre facilities, additional collection occurs on site. When you visit our offices or data centres, we may record visitor details, capture CCTV footage for safety and security, and — for entry to secure areas — collect biometric identifiers such as facial-recognition data. Biometric data is collected only where necessary for physical access control, is stored with heightened safeguards, and is retained only for the period set out in Section 13.
8. Personal Data We Receive From Third Parties
- Enterprise customers and integration partners who provide authorised-user details for service access.
- Service providers and business partners assisting service delivery — for example, payment processors, resellers, and analytics providers.
- Recruitment agencies, background-verification providers, and referees during hiring.
9. Purposes and Lawful Basis
We process personal data only where a lawful basis applies. The table maps each purpose to its basis under the DPDP Act.
| Purpose | Detail | Lawful Basis |
|---|---|---|
| Account and service delivery | Creating and managing accounts; provisioning, operating, and supporting services; performing the contract. | Contract / legitimate use |
| Billing and collections | Invoicing, payment processing, credit assessment, and recovery. | Contract / legal obligation |
| KYC and financial-crime checks | Identity verification, anti-money-laundering, and counter-terrorist-financing. | Legal obligation |
| Security and integrity | Protecting platforms and facilities; detecting and investigating abuse and incidents. | Legitimate use |
| Regulatory compliance | Meeting MeitY, CERT-In, tax, and sectoral obligations. | Legal obligation |
| Recruitment | Assessing and processing job and internship applications. | Consent / pre-contract |
| Marketing | Sharing information about services that may interest you. | Consent (withdrawable) |
10. Marketing
We, and partners we permit, may contact you about products, services, events, and offers that may interest you, by email, telephone, SMS, post, or social media, where you have consented or as otherwise permitted by law. You may opt out at any time using the unsubscribe control in any marketing message, or by contacting our Grievance Officer. Telephone calls with us may be recorded for training and security purposes.
11. Consent and Its Withdrawal
Where we rely on consent, we first give you a clear, plain-language notice of the data sought and the purpose, and obtain consent through an affirmative action that is free, specific, informed, unconditional, and unambiguous. You may withdraw consent at any time, as easily as it was given, via the contact in Section 18. Withdrawal operates prospectively and does not affect processing already carried out lawfully. We will action a withdrawal request without undue delay and within fourteen (14) working days. Withdrawal may limit or end our ability to provide a service that depends on the data.
12. Sharing and Disclosure of Personal Data
We do not sell, rent, or commercially exploit your personal data. We share it only as follows:
12.1 Regulators and Authorities
We may disclose personal data to statutory authorities, regulators, and law-enforcement agencies (including those enforcing anti-money-laundering law) in response to a lawful inquiry or order, and to data-protection authorities, limited to what the law or order requires.
12.2 Service Providers and Sub-Processors
We engage sub-processors who require access to deliver specific services, each bound by contractual data-protection obligations no less protective than this Policy:
| Category (Indicative) | Purpose (Indicative) |
|---|---|
| Cloud / infrastructure providers | Host the platform and store account data securely. |
| Payment and billing processors | Process payments, generate invoices, manage subscriptions. |
| Authentication tools | Enable secure login, multi-factor authentication, session management. |
| Analytics and monitoring tools | Improve platform reliability and usage insight. |
| Customer-support systems | Track and respond to enquiries and support requests. |
| Legal and compliance services | Maintain records and audit trails. |
12.3 Change of Ownership
If we sell, acquire, merge, or reorganise any business or assets, relevant personal data may be transferred to the counterparty or successor, subject to appropriate confidentiality and data-protection safeguards and to notice where required by law.
13. Data Residency, Storage, and Retention
For services designated as data-resident, personal data is stored and processed within India. We retain personal data only as long as necessary for the purpose for which it was processed, or as required by law, after which we securely delete or anonymise it. Our standard retention periods are:
| Data Type | Retention | Trigger |
|---|---|---|
| Active customer account data | Term of contract | + 45 days after termination |
| Billing, tax, and KYC records | 8 years | Statutory limitation |
| Support tickets and correspondence | 2 years | From closure |
| Website / marketing enquiry data | 12 months | From last interaction or withdrawal |
| Security and access logs | 180 days | Rolling, unless under investigation |
| CCTV footage | 60 days | Rolling |
| Biometric access templates | Duration of access entitlement | + 30 days after revocation |
14. Children
Our services are intended for organisations and individuals aged eighteen (18) or above. We do not knowingly process the personal data of children, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children. If we learn that we have inadvertently collected such data, we will delete it promptly.
15. How We Protect Personal Data
We maintain technical and organisational safeguards aligned to ISO/IEC 27001, with cloud-specific controls from ISO/IEC 27017 and 27018 and SOC 2 assurance where applicable. These include encryption of personal data in transit and at rest, role-based and least-privilege access, network segmentation across our service environments, continuous logging and monitoring, vulnerability and patch management, secure backups, and confidentiality obligations binding on our personnel. No method of safeguarding information is wholly immune to risk, and we continually review our controls.
Breach handling: we will report a reportable cyber-security incident to CERT-In within six (6) hours of detection, in line with the CERT-In Directions of 28 April 2022, and will notify the Data Protection Board of India and affected Data Principals in the manner and within the timelines required by the DPDP Act.
16. Your Rights as a Data Principal
Subject to the DPDP Act and verification of your identity, you have the following rights in respect of personal data we hold as a Data Fiduciary:
- Right to access — obtain a summary of the personal data we process about you and the processing activities we undertake, together with the identities of any other Data Fiduciaries and Processors with whom it has been shared.
- Right to correction and erasure — have inaccurate or misleading data corrected, incomplete data completed, data updated, and data erased where it is no longer necessary for the purpose for which it was processed.
- Right to withdraw consent — withdraw, at any time, consent previously given, as easily as it was given (see Section 11).
- Right of grievance redressal — a readily available means of raising a grievance with us about our processing or our handling of your rights requests.
- Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
We will acknowledge a verified request within seventy-two (72) hours and respond substantively without undue delay, and in any event within thirty (30) days, subject to any lawful extension of which we will notify you with reasons. You also have a duty under the DPDP Act to exercise these rights in good faith and not to furnish false particulars or file frivolous requests.
17. Data Residency and Cross-Border Processing
We operate from India and our services are directed at customers and users in India. For services designated as data-resident, personal data is stored and processed within India. We do not routinely transfer personal data outside India. Where, exceptionally, a supporting function requires processing by a service provider located elsewhere, we will do so only as permitted by the DPDP Act and any restriction notified by the Central Government, and subject to appropriate contractual and security safeguards; data-resident services remain within India regardless.
18. Contact and Grievance Redressal
For any question or complaint about how we process your personal data, or to exercise a right, contact our Grievance Officer, who will respond within the timelines in Section 16:
| Grievance Officer | [Name and designation] |
| Email | [[email protected]] |
| Correspondence address | ESDS Software Solution Ltd, [registered office address] |
| Escalation | If unsatisfied with our response, you may approach the Data Protection Board of India. |
19. Changes to This Policy
We review this Policy at least annually and whenever our practices or the law materially change. The version published on our website, bearing the effective date at the head of this document, is the one in force. We will give notice of material changes affecting your rights through the contact details we hold for you.