Legal

Data Processing Agreement

Standard DPA between Veritas (Data Processor) and your organisation (Data Fiduciary) under DPDP Rules 2025, Rule 6(1)(f).

DPDP Rules 2025 CompliantRule 6(1)(f) Contract

Download Standard DPA

Ready-to-sign PDF. Covers all DPDP Rules 2025 requirements for Data Processor contracts.

Download PDF Request Custom DPA →

1. Definitions & Roles

✓Data Fiduciary: Your organisation (the insurer / NBFC / enterprise)

✓Data Processor: Veritas

✓Data Principal: The claimant / adjuster whose photo data is captured

✓Personal Data: GPS coordinates, timestamps, device identifiers, motion sensor data, photos

2. Purpose of Processing

✓Veritas processes personal data strictly on your instructions for claims photo verification

✓Veritas determines nothing about the purpose — you do (Data Fiduciary obligation)

✓Processing limited to: capture verification, trust score generation, audit log creation

3. Security Safeguards — Rule 6

✓Rule 6(1)(a): AES-256 encryption at rest, TLS 1.3 in transit

✓Rule 6(1)(b): Role-based access control, API key scoping, adjuster isolation

✓Rule 6(1)(c): Full audit log per capture — every API call logged with timestamp, IP, user

✓Rule 6(1)(d): Mumbai-region redundant storage, 99.9% uptime SLA (Enterprise)

✓Rule 6(1)(e): Security logs retained minimum 1 year

✓Rule 6(1)(f): This DPA constitutes the mandatory contract provision

4. Data Residency — Rule 14

✓100% processing in Mumbai, Maharashtra, India

✓Zero data transfer outside India — no CDN edge in foreign jurisdiction

✓Sub-processor: Google Cloud Platform (asia-south1 region only)

✓No foreign sub-processors

✓Data Residency Certificate available on request

5. Breach Notification — Rule 7

✓Veritas detects anomalies and fires webhook within minutes

✓72-hour DPB notification deadline auto-calculated

✓Pre-filled incident report generated for Data Protection Board submission

✓Your team files the report — Veritas provides the data

6. Data Principal Rights — Rule 13

✓Erasure API: DELETE /v1/captures/erase-by-principal

✓Signed erasure certificate (PDF/A) with Merkle proof of deletion

✓Security audit logs retained per Rule 6(1)(e) even after erasure (disclosed in consent notice)

✓Access request exports available via dashboard

7. Data Retention — Rule 8

✓Retention period configurable per plan (7 / 90 / custom days)

✓48-hour advance warning webhook before auto-expiry

✓Automatic hard-delete of photo data and personal metadata at expiry

✓Security logs retained 1 year minimum regardless of plan

8. Governing Law & Jurisdiction

✓Governed by Indian law

✓Jurisdiction: Courts of Mumbai, Maharashtra

✓Disputes resolved under Arbitration and Conciliation Act, 1996

Enterprise clients receive a custom DPA reviewed by our legal counsel, tailored to your organisation's compliance requirements including IRDAI audit report templates. Contact support.veritas@gmail.com

Legal References

DPDP Rules 2025 (Official Gazette)DPDP Act 2023 (MeitY)Data Protection Board of India