Privacy Policy

Effective Date: May 2024 | Version: 2.1

1. DEFINITIONS & INTERPRETATION

1.1 In this Policy, the following terms shall have the meanings ascribed below:

“Controller” means the entity which determines the purposes and means of processing Personal Data.
“Processor” means the entity which processes Personal Data on behalf of the Controller.
“DPA” refers to the Data Processing Addendum executed between Vedhin and Client.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“SCCs” means Standard Contractual Clauses approved by the European Commission.

2. DATA PROTECTION FRAMEWORK COMPLIANCE

Vedhin Technology maintains a multi-jurisdictional compliance framework encompassing:

Primary Regulations

EU General Data Protection Regulation (GDPR)
California Privacy Rights Act (CPRA)
India’s Digital Personal Data Protection Act (DPDPA, 2023)
UAE Personal Data Protection Law

Security Certifications

ISO/IEC 27001:2022 Implementation
SOC 2 Type II Principles
NIST Cybersecurity Framework

Sector-Specific

HIPAA Business Associate Provisions
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Processing Standards (FIPS)

3. DATA PROCESSING ROLES & RESPONSIBILITIES

Scenario	Vedhin’s Role	Legal Basis	Governing Document
Website visitor data collection	Controller	Legitimate Interest, Consent	This Privacy Policy
Candidate recruitment data	Controller	Pre-contractual measures	Recruitment Policy + Consent
Client project data processing	Processor	Client instructions	Data Processing Addendum (DPA)
Employee/Contractor data	Controller	Employment contract, Legal obligation	Employment Agreement

4. DATA COLLECTION MATRIX

Data Category	Specific Elements	Retention Period	Deletion Protocol
Professional Profile	CV, Certifications, Work samples, References	36 months post last engagement	Automated purge after 36 months; Manual deletion request available
Client Project Data	Source code, Databases, Design documents	Project duration + 90 days	Secure erasure per NIST 800-88 Rev. 1 standards
Technical Metadata	IP logs, Access timestamps, Device fingerprints	180 days	Automated anonymization after retention period
Financial Records	Invoices, Payment records, Tax documents	7 years (statutory requirement)	Secured archive with restricted access

5. CROSS-BORDER DATA TRANSFER MECHANISMS

Transfer Framework Compliance

Vedhin employs a multi-layered approach to international data transfers:

✓ EU/EEA Transfers

EU SCCs (2021 version)
UK International Data Transfer Addendum
Adequacy Decisions

✓ US Transfers

Data Privacy Framework participation
Supplementary measures for government access
Enhanced contractual protections

✓ APAC Transfers

CBPR/PG system alignment
Model Contract Clauses (Singapore, Japan)
Local law adequacy assessments

Transfer Impact Assessments (TIAs): We conduct mandatory TIAs for all new jurisdiction transfers, evaluating:

• Local surveillance laws

• Judicial redress availability

• Data subject rights enforceability

• Previous breach history in jurisdiction

6. DATA SUBJECT RIGHTS EXERCISE PROCEDURE

Formal Request Protocol

Step 1: Identity Verification
Submit request to privacy@vedhin.com with:

• Government-issued ID (redacted except name/photo)

• Previous interaction evidence

• Specific right being exercised

Step 2: Validation Phase (5 business days)
Our DPO team verifies:

• Request legitimacy

• Jurisdictional applicability

• Third-party data impact

Step 3: Fulfillment Timeline
• Simple requests: 15 business days
• Complex requests: 45 business days (with interim updates)
• Extension notifications as per GDPR Article 12.3

Step 4: Appeal Process
Denied requests may be appealed to our Data Protection Board within 30 days.

7. SECURITY INCIDENT RESPONSE PROTOCOL

Tiered Response Framework

Tier 1
Low Impact

Contained, minimal data exposure
Internal resolution within 24h

Tier 2
Moderate Impact

Multiple affected parties
Regulatory notification within 72h

Tier 3
High Impact

Systemic breach, high-risk data
72h regulatory + individual notification

Mandatory Reporting Thresholds:
• GDPR: Risk to rights/freedoms within 72 hours
• DPDPA: Significant harm within 72 hours
• CCPA: Affecting 500+ Californians

8. ARTIFICIAL INTELLIGENCE GOVERNANCE

AI Ethics & Compliance Framework

8.1 Recruitment AI Transparency
• Algorithmic bias testing every 6 months
• Human-in-the-loop requirement for all hiring decisions
• Right to opt-out of AI screening (email: ai-optout@vedhin.com)

8.2 Development AI Protocols
• Code generation tools: Security review mandatory
• Training data provenance documentation
• Client consent for AI-assisted development

8.3 Monitoring & Audit
• AI system impact assessments (AIA)
• Third-party algorithmic audit annually
• Grievance mechanism for AI decisions

9. CONTACT & GOVERNANCE

Data Protection Officer

Ms. Ananya Sharma
Email: dpo@vedhin.com
Phone: +91-9620242450
Available: Mon-Fri, 9 AM – 6 PM IST

EU Representative

GDPR Rep Europe UG
Email: eu-representative@vedhin.com

UK Representative

DataRep UK
Email: uk-representative@vedhin.com

LEGAL NOTICE

This Privacy Policy constitutes a legally binding document under Indian Contract Act, 1872. Version control is maintained through Git repository with cryptographic hashing. Previous versions available upon written request.

Jurisdiction: Courts in Jaipur, Rajasthan shall have exclusive jurisdiction.

Last Updated: May 2025 | Next Review: November 2026