1. Privacy Notice
›
Sahayak collects only the data needed to deliver the service: company name, contact details, and API usage logs.
We do not sell, trade, or transfer your data to outside parties. We do not use customer data to train any AI models.
Data is stored at AWS Mumbai (ap-south-1) — entirely within India. No cross-border transfer of customer data in the ordinary course.
Retention: 90-day security-incident logs · 12-month audit logs · 30-day post-termination customer-data deletion.
Detailed privacy notice at sahayakonline.co.in/privacy.html.
2. Data Processing Agreement (DPA) Template
›
Most customers find it faster to execute Sahayak's DPA template than to send their own. The template is single-page, DPDP Act 2023 aligned, and covers parties, definitions, scope, sub-processors, security, breach notification, return/deletion, and signatures.
If you'd rather use your standard DPA, send it over — turnaround on countersign is 2–3 business days.
↓ Download Sahayak DPA template (PDF)
3. Sub-processors
›
30 calendar days' prior notice on any change. Right to object with contractual exit preserved.
| Sub-processor | Purpose | Location | Data shared |
|---|---|---|---|
| AWS (EC2, RDS, SES) | Hosting + transactional email | Mumbai (ap-south-1) | All customer data |
| n8n (self-hosted) | Workflow orchestration | Mumbai (Sahayak's VPS) | Customer requests/responses |
| LiteLLM proxy (self-hosted) | LLM gateway | Mumbai (Sahayak's VPS) | API personalization data |
| Google Gemini API | LLM provider for personalization | Global edge (no-training flag set) | Email content only |
| Sentry | Error tracking | EU/US | Stack traces only — no customer data |
| Cloudflare | DNS + CDN + WAF | Global edge | Public requests (encrypted in transit) |
| Razorpay | Payments | Mumbai | Billing details only |
4. Security Practices
›
12 controls. Mapped to ISO 27001 Annex A; certification targeted Q4 FY26.
- Encryption in transit: TLS 1.2+ enforced via Cloudflare edge and origin nginx.
- Encryption at rest: AES-256 for database storage; KMS-managed keys, rotated annually.
- Field-level encryption: PAN, GSTIN, last-4 of Aadhaar are field-level encrypted in addition to disk-level.
- API authentication: Bearer-token (JWT-based), with mandatory 90-day key rotation reminders.
- Access control: Role-based, principle of least privilege. Founder + named operations personnel only; access reviewed monthly.
- Audit logging: Centralized, immutable, 12-month retention.
- Vulnerability scanning: Trivy (containers), Semgrep (code), Gitleaks (secrets) in CI; weekly scheduled scans.
- Dependency updates: Renovate bot — auto-merged patches, founder-reviewed majors.
- Encrypted backups: restic to Backblaze B2, daily, with monthly restore drills.
- Multi-factor authentication: Enforced on all admin accounts (Google Workspace, AWS Console, GitHub).
- DDoS + WAF: Cloudflare's edge protection on every public surface.
- Disaster recovery: RTO target 4 hours, RPO target 24 hours. Quarterly DR drill log on request.
5. Breach Response
›
- →Internal notification: founder + ops within 24 hours of detection.
- →Customer notification: within 48 hours of detection, via email to your registered tech contact + grievance officer.
- →Customer's DPB obligation: we provide all artifacts (incident timeline, affected records, mitigation steps) needed for your 72-hour Data Protection Board notification under DPDP Rule 7.
- →CERT-In coordination: we coordinate with the 6-hour reporting obligation under IT Act Section 70B where applicable.
- →Post-incident review: public (anonymized) postmortem within 30 days.
DPDP procurement FAQ — the 12 questions you'll be asked
Pre-answered. Send this section to your security or procurement team.
Q1. Are you a Data Fiduciary or Data Processor under DPDP Act 2023?
Sahayak is a Data Processor for our customers. Our customers (you) are Data Fiduciaries for the personal data of your end-users.
Q2. Where is data hosted?
AWS Mumbai (ap-south-1). No cross-border transfer of customer data in the ordinary course.
Q3. What's your breach notification timeline?
24-hour internal notification, 48-hour customer notification, full assistance with your 72-hour Data Protection Board obligation.
Q4. How is data encrypted?
TLS 1.2+ in transit; AES-256 at rest; KMS-rotated annually; field-level encryption for PAN, GSTIN, and Aadhaar last-4.
Q5. Who has access to customer data?
Founder + named operations personnel with documented business need only. All access is logged and reviewed monthly.
Q6. How long is data retained?
90-day security-incident logs · 12-month audit logs · 30-day post-termination customer-data deletion.
Q7. What's your ISO 27001 / SOC 2 status?
ISO 27001 certification targeted Q4 FY26. Current controls are aligned to ISO 27001 Annex A. A control-mapping document is available on request to prafful@sahayakonline.co.in.
Q8. Can you sign our standard DPA?
Yes. We also offer our own DPA template (downloadable above) — most customers find it shorter and easier to execute.
Q9. Will you support a Data Protection Impact Assessment (DPIA)?
Yes. We provide all required artifacts — data-flow diagram, sub-processor list, security controls — within 5 business days of request.
Q10. What's your sub-processor change notification policy?
30-day advance notice via email to all customers. Right to object with contractual exit preserved.
Q11. Who is your grievance officer?
Prafful Garg, contactable at grievance@sahayakonline.co.in. Acknowledgement within 48 hours, resolution within 30 days per DPDP Rules 2025.
Q12. How do customers exercise data deletion rights?
Email grievance@sahayakonline.co.in with subject "Data Deletion Request." Processed within 30 days.
Have a question this page didn't answer?
Email prafful@sahayakonline.co.in or grievance@sahayakonline.co.in. We respond within one working day.