DPDP Act Compliance

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection legislation that governs the processing of digital personal data. Sahayogi One Private Limited ("Company") is committed to full compliance with the DPDP Act in its operation of the BoSS platform and all related services.

This page explains how we align our data practices with the requirements of the DPDP Act, including how we collect, process, store, and protect the personal data of our users, customers, and business partners.

This compliance statement applies to all digital personal data processed by the BoSS platform, including data collected through our website (boss.officesahayogi.com), desktop applications (Windows and macOS), mobile applications, and any related services operated by Sahayogi One Private Limited.

The DPDP Act applies to our processing activities because:

• We process digital personal data collected within India
• We process personal data in connection with offering services to individuals in India
• Our platform is used by Indian businesses and their employees, vendors, and customers

Under the DPDP Act, individuals whose personal data we process ("Data Principals") have the following rights, which we fully support:

To exercise any of these rights, please contact our Data Protection Officer using the details provided at the end of this page.

We obtain clear, informed, and specific consent from Data Principals before processing their personal data. Our consent mechanisms comply with the DPDP Act requirements:

• Consent is obtained through clear, affirmative action (not pre-ticked boxes)
• The purpose of data processing is communicated in clear, plain language
• Consent requests are presented separately from other terms and conditions
• Data Principals can withdraw consent as easily as they gave it
• We maintain records of consent given and withdrawn

Sahayogi One Private Limited acts as a Data Fiduciary under the DPDP Act. As a Data Fiduciary, we:

• Determine the purpose and means of processing personal data
• Ensure that personal data is processed only for lawful purposes
• Implement appropriate technical and organisational security measures
• Ensure accuracy and completeness of personal data
• Delete personal data when the purpose for processing has been met
• Appoint a Data Protection Officer to address grievances

When our customers (businesses using BoSS) collect personal data of their own employees, vendors, or customers through the platform, the customer acts as the Data Fiduciary for that data, and we act as a Data Processor processing data on their behalf and under their instructions.

We process personal data only for the following lawful purposes:

• Providing and maintaining the BoSS platform and services
• User authentication and account management
• Processing transactions and managing subscriptions
• Communicating service updates, security alerts, and support messages
• Improving our products and services based on usage patterns
• Complying with legal and regulatory obligations
• Protecting the security and integrity of our platform

The BoSS platform is a business management tool designed for use by businesses and their adult employees. We do not knowingly collect or process personal data of children (individuals below 18 years of age).

If we become aware that we have collected personal data of a child without verifiable parental consent, we will take steps to delete such data promptly.

Our primary data processing and storage infrastructure is located in India. We do not transfer personal data outside India except where:

• The transfer is to a country or territory notified by the Central Government as permitted
• The transfer is necessary for the performance of a contract with the Data Principal
• The Data Principal has given explicit consent for the transfer

In the event of a personal data breach, we will:

• Notify the Data Protection Board of India as prescribed under the DPDP Act
• Notify affected Data Principals about the breach and its potential impact
• Take immediate remedial measures to contain and mitigate the breach
• Conduct a thorough investigation and implement measures to prevent recurrence
• Maintain a record of all data breaches and actions taken

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by applicable law. When personal data is no longer needed:

• We will erase the data and ensure that our Data Processors do the same
• Erasure will be completed within a reasonable timeframe
• Where complete erasure is not technically feasible, we will anonymise the data

We have appointed a Data Protection Officer to address any concerns, complaints, or grievances related to our processing of personal data. Our grievance redressal process ensures:

• Acknowledgment of complaints within 48 hours
• Resolution or substantive response within 30 days
• Escalation to the Data Protection Board if the Data Principal is not satisfied

For any queries regarding our DPDP Act compliance, please contact: