Trust & security

Security & data protection.

We hold compliance data — GSTINs, PANs, filings, client records — so we hold ourselves to a higher bar. This page is the honest version: what's actually in place today, and what isn't yet.

DPDP Act 2023-aligned

Privacy notice, DPA template & sub-processor list.

Hosted in India only

No cross-border transfer of customer data.

Encrypted end-to-end

TLS 1.3 in transit · AES-256 at rest.

Role-based access

Per-user roles, seats & full audit trail.

Hosting & data residency

Your data is stored and processed entirely within India, on our self-managed VPS infrastructure (India region). There is no cross-border transfer of customer data.

This is a data-residency decision, not just a hosting one: it keeps you clear of cross-border-transfer questions in procurement and under the DPDP Act 2023. Our sub-processor list (on the trust centre) names every third party that touches data, with its location.

Encryption

In transit

TLS 1.3 (TLS 1.2 minimum) on every connection: browser, API and webhook.

At rest

AES-256 on stored data, with KMS-managed key rotation.

Field-level

PAN, GSTIN and Aadhaar are field-level encrypted on top of disk-level encryption.

Access control

Role-based access control (RBAC). Each product issues per-user roles and seats, so staff see only the entities and actions their role permits.

Audit trail. Every significant action — logins, filings marked done, data exports, key changes — is timestamped and logged, and is exportable when an auditor asks.

Sessions are short-lived and cookie-based (HttpOnly); API access is per-key and revocable.

DPDP Act 2023 readiness

  • A published Privacy Notice covering all Sahayak surfaces.
  • A Data Processing Agreement (DPA) template you can sign — DPDP §13 attestation available by email.
  • A maintained sub-processor list with change-notification policy.
  • Data-principal rights: access, correction and deletion (DPDP §13 / Rule 7) honoured within the statutory window.
  • Breach response with notification per DPDP timelines, plus a data-flow diagram and control list on request.

Open the full DPDP trust centre → (privacy notice, DPA, sub-processors, breach policy, the 12 procurement questions).

Certifications — the honest status

ISO 27001: in progress — not yet certified. Our controls are mapped to ISO 27001 Annex A and certification is targeted for Q4 FY26. Until the certificate is in hand, we display no ISO or SOC badge and won't claim one. SOC 2 is not in scope yet.

We'd rather under-claim and earn the badge than show a logo we don't hold. If a control-mapping document would help your procurement review, ask and we'll share it.

Data protection & DPDP Act 2023

We process personal data as a Data Fiduciary under India's Digital Personal Data Protection Act, 2023. Data-principal requests — access, correction, and erasure — and grievances are handled by a named officer below.

Grievance Officer
Prafful Garg
grievance@sahayakonline.co.in

Data Protection Officer
Prafful Garg
grievance@sahayakonline.co.in

Registered address
Sahayak MSME Services
Noida, Uttar Pradesh – 250001
India

Data Processing Agreement
For procurement and DPA execution, download our DPA template (PDF).

We respond to data-principal requests within statutory timelines. Full detail on rights, retention, and processing is on our Privacy Policy and Trust Centre.

Founder-direct support

Security and data questions go straight to the founder — no ticket maze. For data-principal requests (access / correction / deletion) and grievances, our grievance officer is reachable at grievance@sahayakonline.co.in. General queries: hello@sahayakonline.co.in. We reply within one business day.

Want the procurement-grade detail?

The DPDP trust centre has the privacy notice, DPA template, sub-processor list and breach policy — everything your security team will ask for.