Question 1

What does Vashix actually prove about a photo?

Accepted Answer

Vashix proves four things: WHO took the photo (device identity), WHERE it was taken (GPS, verified against spoofing), WHEN it was taken (timestamp sealed at capture), and that it has NOT been edited after capture (hardware signature breaks if any pixel changes). It does NOT verify what is in the photo — a fraudster can take a genuine photo of pre-existing damage. Photo verification addresses evidence integrity. Claim validation still requires human judgment.

Question 2

Can someone screenshot the capture screen and submit that instead?

Accepted Answer

No. Vashix does not accept uploads or screenshots. The link opens a live camera. The photo must be taken in real time through the Vashix capture flow. If someone points their camera at a screen showing an existing photo, our liveness detection (motion analysis and optical flow) catches it.

Question 3

What if our field teams already use WhatsApp for photos?

Accepted Answer

WhatsApp strips all verification data — GPS, timestamps, device info, and provenance signatures — when sending photos. A WhatsApp photo scores 4/100 on the Trust Score. With Vashix, you send a WhatsApp message containing a capture link. The user taps the link, takes the photo through Vashix, and you get a verified result. Same delivery channel (WhatsApp), completely different proof level.

Question 4

Does the person need to download an app?

Accepted Answer

Not for basic captures. They open the link in their phone's browser and take the photo (BRONZE tier, score 25-38). For stronger verification (SILVER/GOLD, score 60-95), the Vashix app is required — it's under 15MB and installs quickly on most connections. You choose the minimum tier per workflow.

Question 5

Can AI-generated images be submitted through Vashix?

Accepted Answer

For SILVER and GOLD captures — no. The photo must be taken in real time through the device camera, signed by the phone's hardware security chip. There is no upload path for AI-generated images. AI images have no hardware origin and are rejected. For BRONZE (browser) captures, our multi-signal detection checks for AI indicators, but the score reflects the lower verification level.

Question 6

What if the phone is rooted or modified?

Accepted Answer

Vashix checks device integrity using Google's Play Integrity API before every capture. Rooted phones, modified operating systems, virtual camera apps, and emulators fail this check. The capture is either blocked or automatically scored lower and flagged for review.

Question 7

Is this admissible as evidence in Indian courts?

Accepted Answer

Vashix generates certificates designed to support Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 (BSA) — the current law governing electronic evidence admissibility in India. Every capture includes a cryptographic chain of custody. PDF/A exports are available for legal proceedings. Admissibility in a specific case is always determined by the court, but the certificate ensures the evidence meets the technical requirements of Section 63(4).

Question 8

Where is the data stored?

Accepted Answer

All data is processed and stored in Mumbai, India. No capture, no GPS coordinate, no device identifier ever touches a server outside India. Designed for DPDP Rules 2025 data residency requirements.

Question 9

What about iPhones?

Accepted Answer

BRONZE browser capture works on iOS Safari. The Vashix app is currently Android-only — covering 95%+ of field devices in India. iOS SDK is on our roadmap.

Question 10

How long does it take to start?

Accepted Answer

Dashboard and WhatsApp delivery: 5 minutes, zero code. REST API integration: your developer is making API calls in under 30 minutes. Android SDK embed in your own app: typically 4-8 weeks including testing.

Question 11

We already use Truepic / Attestiv. Why switch?

Accepted Answer

Truepic and Attestiv are excellent products built for the US market. Vashix is purpose-built for Indian enterprise — with native Section 63 BSA certificate generation, DPDP compliance, WhatsApp delivery, and INR pricing designed for India-scale volumes.

Question 12

Does Vashix work without internet?

Accepted Answer

The app captures and signs photos locally on the device. When connectivity returns, photos sync to the server. The anti-replay nonce requires a brief server check before capture begins, but the actual signing and storage happen on-device.

Question 13

Does this work on older Android phones?

Accepted Answer

Yes. BRONZE and SILVER captures work on Android 8.0 and above — which covers virtually all phones currently in use in India. GOLD requires dedicated security hardware, available on most phones from 2020 onwards.

Question 14

How long does SDK integration take if we want it in our own app?

Accepted Answer

Dashboard and API require zero integration — you can start in 5 minutes. REST API integration takes your developer under 30 minutes with our pre-built examples. SDK integration into your existing Android app typically takes 4-8 weeks including testing and security review.

DPDP Rule	Requirement	How Vashix Addresses It
Rule 3	Clear consent notice before data collection	SDK consent screen shown before every capture. Itemised list of data collected (GPS, timestamp, device ID, motion). Plain language.
Rule 6(1)(a)	Encryption of personal data	Encryption at rest and in transit. Hardware-bound private key never exported.
Rule 6(1)(b)	Access controls on computer resources	Role-based dashboard access. API key scoping. No adjuster can access another adjuster's captures.
Rule 6(1)(c)	Logs and monitoring for unauthorised access	Full audit log per capture. Every API call logged with timestamp, IP, and user.
Rule 6(1)(d)	Data backups for continued processing	Redundant cloud storage with availability targets per service plan.
Rule 6(1)(e)	Retain logs for minimum 1 year	Logs retained 1 year minimum. Configurable up to 7 years on Enterprise.
Rule 6(1)(f)	Contract must require security safeguards	Standard DPA included with all paid plans.
Rule 7	Breach notification within 72 hours	Dashboard breach detection. Export-ready incident report for DPB notification.
Rule 13	Data Principal rights (access + erasure)	Erasure request support via dashboard. Data export for access requests.
Rule 14	Data must not leave India	Processing on secure cloud infrastructure. Migration to India-only data residency is in progress.

DPDP Rule	Requirement	How Vashix Addresses It
Rule 3	Clear consent notice before data collection	SDK consent screen shown before every capture. Itemised list of data collected (GPS, timestamp, device ID, motion). Plain language.
Rule 6(1)(a)	Encryption of personal data	Encryption at rest and in transit. Hardware-bound private key never exported.
Rule 6(1)(b)	Access controls on computer resources	Role-based dashboard access. API key scoping. No adjuster can access another adjuster's captures.
Rule 6(1)(c)	Logs and monitoring for unauthorised access	Full audit log per capture. Every API call logged with timestamp, IP, and user.
Rule 6(1)(d)	Data backups for continued processing	Redundant cloud storage with availability targets per service plan.
Rule 6(1)(e)	Retain logs for minimum 1 year	Logs retained 1 year minimum. Configurable up to 7 years on Enterprise.
Rule 6(1)(f)	Contract must require security safeguards	Standard DPA included with all paid plans.
Rule 7	Breach notification within 72 hours	Dashboard breach detection. Export-ready incident report for DPB notification.
Rule 13	Data Principal rights (access + erasure)	Erasure request support via dashboard. Data export for access requests.
Rule 14	Data must not leave India	Processing on secure cloud infrastructure. Migration to India-only data residency is in progress.

Vashix + DPDP Rules 2025

Rule-by-Rule Compliance Mapping

Vashix is Your Data Processor — Not Your Fiduciary

DPDP + IRDAI — Both Addressed

Download Data Processing Agreement

What Non-Compliance Costs

Ready to explore DPDP-ready photo verification?

Official Sources