Our Privacy Policy
1. Purpose
This policy establishes Triple A’s commitment to protect personal and sensitive customer data throughout its lifecycle. It defines the principles, controls, and staff responsibilities for lawful, fair, secure, and transparent handling of information in compliance with the Digital Personal Data Protection Act 2023 (DPDP Act) and ISO 27001:2022 requirements.
2. Scope
Applies to all personal data processed by Triple A in India, including customers, employees, directors, vendors, contractors, partners, and other data principals. Covers all business activities, systems, and third parties that process, access, store, transfer, or destroy personal or sensitive personal data, in physical or electronic form.
3. Key Principles
· Lawfulness, Fairness, and Transparency: Personal data is processed only on legal bases (consent, contract, legal obligation, etc.), and individuals are informed of purposes and rights.
· Purpose Limitation: Data is collected/used for specific, clear, and lawful business purposes.
· Data Minimization: When you log in to our websites or use our software, we automatically log some basic information such as browser information, IP, etc. We do not store or track any other information, such as your browsing patterns.
· Accuracy: All personal data is kept accurate and up-to-date; outdated data is corrected or erased.
· Storage Limitation: Personal data is retained only for as long as necessary, then securely deleted.
· Integrity and Confidentiality: Appropriate security controls protect data against unauthorized access, loss, or misuse.
· Accountability: Triple A demonstrates compliance and maintains operational evidence of controls.
4. Lawful Basis of Processing and Consent
· Collect and process personal data only as permitted under the DPDP Act: consent, contract, vital interests, or legal obligation.
· Consent requests are:
o Clear, specific, informed, and separate from terms of service.
o Provided in “plain language,” with clear withdrawal instructions.
o Tracked and auditable.
· All consent logs are retained as evidence of compliance.
5. Data Collection, Use, and Minimization
· Collect only data essential for specified business/contractual/legal purposes.
· Regularly review all forms, flows, APIs, and third-party connectors to ensure no excess/unintended data is captured or processed.
· Prohibit profiling, automated decisions, or data sharing for marketing without explicit consent.
6. Data Security Controls
· Apply encryption, access controls, and audit processes for all personal and sensitive data (at rest and in transit).
· Enforce least privilege, MFA for sensitive functions.
· Log and monitor access; alert for unusual or unauthorized activity.
· Conduct regular vulnerability scans, penetration tests, and risk assessments, with focus on personal data risks.
· Data “in motion” outside company systems or India is prohibited, unless specifically allowed by DPDP Act or regulator and with proper safeguards.
7. Third-Party Data Processors
· All vendors/partners with access to personal data must:
o Sign legally binding data processing agreements (DPAs), specifying responsibilities, technical/organizational measures, and audit rights.
o Undergo security and privacy due diligence before onboarding; annual review required.
o Notify Triple A immediately of any data breach or security event involving company data.
· Special restrictions for cross-border transfers, as per DPDP Act’s localization rules.
8. Data Retention and Secure Disposal
· Retain personal data only for the minimum period necessary for business, legal, contractual, or regulatory requirements.
· Document and automate data retention schedules; enforce policy-based deletion and secure erasure at end of lifecycle.
· Apply secure disposal methods to equipment/media containing personal data; destruction is logged and verifiable.




