What does Vashix actually prove about a photo?

Vashix proves four things: WHO took the photo (device identity), WHERE it was taken (GPS, verified against spoofing), WHEN it was taken (timestamp sealed at capture), and that it has NOT been edited after capture (hardware signature breaks if any pixel changes). It does NOT verify what is in the photo — a fraudster can take a genuine photo of pre-existing damage. Photo verification addresses evidence integrity. Claim validation still requires human judgment.

Can someone screenshot the capture screen and submit that instead?

No. Vashix does not accept uploads or screenshots. The link opens a live camera. The photo must be taken in real time through the Vashix capture flow. If someone points their camera at a screen showing an existing photo, our liveness detection (motion analysis and optical flow) catches it.

What if our field teams already use WhatsApp for photos?

WhatsApp strips all verification data — GPS, timestamps, device info, and provenance signatures — when sending photos. A WhatsApp photo scores 4/100 on the Trust Score. With Vashix, you send a WhatsApp message containing a capture link. The user taps the link, takes the photo through Vashix, and you get a verified result. Same delivery channel (WhatsApp), completely different proof level.

Does the person need to download an app?

Not for basic captures. They open the link in their phone's browser and take the photo (BRONZE tier, score 25-38). For stronger verification (SILVER/GOLD, score 60-95), the Vashix app is required — it's under 15MB and installs quickly on most connections. You choose the minimum tier per workflow.

Can AI-generated images be submitted through Vashix?

For SILVER and GOLD captures — no. The photo must be taken in real time through the device camera, signed by the phone's hardware security chip. There is no upload path for AI-generated images. AI images have no hardware origin and are rejected. For BRONZE (browser) captures, our multi-signal detection checks for AI indicators, but the score reflects the lower verification level.

What if the phone is rooted or modified?

Vashix checks device integrity using Google's Play Integrity API before every capture. Rooted phones, modified operating systems, virtual camera apps, and emulators fail this check. The capture is either blocked or automatically scored lower and flagged for review.

Is this admissible as evidence in Indian courts?

Vashix generates certificates designed to support Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 (BSA) — the current law governing electronic evidence admissibility in India. Every capture includes a cryptographic chain of custody. PDF/A exports are available for legal proceedings. Admissibility in a specific case is always determined by the court, but the certificate ensures the evidence meets the technical requirements of Section 63(4).

Where is the data stored?

All data is processed and stored in Mumbai, India. No capture, no GPS coordinate, no device identifier ever touches a server outside India. Designed for DPDP Rules 2025 data residency requirements.

BRONZE browser capture works on iOS Safari. The Vashix app is currently Android-only — covering 95%+ of field devices in India. iOS SDK is on our roadmap.

How long does it take to start?

Dashboard and WhatsApp delivery: 5 minutes, zero code. REST API integration: your developer is making API calls in under 30 minutes. Android SDK embed in your own app: typically 4-8 weeks including testing.

We already use Truepic / Attestiv. Why switch?

Truepic and Attestiv are excellent products built for the US market. Vashix is purpose-built for Indian enterprise — with native Section 63 BSA certificate generation, DPDP compliance, WhatsApp delivery, and INR pricing designed for India-scale volumes.

Does Vashix work without internet?

The app captures and signs photos locally on the device. When connectivity returns, photos sync to the server. The anti-replay nonce requires a brief server check before capture begins, but the actual signing and storage happen on-device.

Does this work on older Android phones?

Yes. BRONZE and SILVER captures work on Android 8.0 and above — which covers virtually all phones currently in use in India. GOLD requires dedicated security hardware, available on most phones from 2020 onwards.

How long does SDK integration take if we want it in our own app?

Dashboard and API require zero integration — you can start in 5 minutes. REST API integration takes your developer under 30 minutes with our pre-built examples. SDK integration into your existing Android app typically takes 4-8 weeks including testing and security review.

Legal

Terms of Service

These Terms of Service govern your use of the Vashix photo verification platform, APIs, SDKs, and related services provided by Vashix, Mumbai, India.

Designed for DPDP Rules 2025Mumbai JurisdictionRazorpay Payments

Effective date: March 12, 2026Last updated: March 12, 2026

1. Acceptance of Terms 2. Definitions 3. Description of Service 4. Account Registration & Security 5. Subscription, Billing & Payments 6. Refund & Cancellation Policy 7. API & SDK Usage Terms 8. Acceptable Use Policy 9. Data Processing & DPDP Compliance 10. Intellectual Property 11. Limitation of Liability 12. Indemnification 13. Termination 14. Force Majeure 15. Governing Law & Dispute Resolution 16. General Provisions

1. Acceptance of Terms

By accessing or using the Vashix photo verification platform, APIs, SDKs, dashboard, documentation, or any related services (collectively, the "Service"), you agree to be bound by these Terms of Service ("Terms"). If you are entering into these Terms on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation to these Terms.

If you do not agree to these Terms, you must not access or use the Service. These Terms constitute a legally binding agreement between your organisation ("Customer", "you") and the operator of the Vashix platform, based in Mumbai, Maharashtra, India ("Vashix", "we", "us").

We may update these Terms from time to time. Material changes will be communicated via email to your registered account address at least 30 days before they take effect. Continued use of the Service after such notice constitutes acceptance of the updated Terms. If you do not agree with the changes, you may terminate your account before the changes take effect.

2. Definitions

The following definitions apply throughout these Terms:

•"Service" means the Vashix photo verification platform, including the marketing website (vashix.com), the dashboard (dashboard.vashix.com), REST API, Android SDK, and all related tools, features, and documentation

•"Customer" or "you" means the organisation or individual that creates an account and subscribes to the Service

•"User" means any individual authorised by the Customer to access the Service, including administrators, team members, adjusters, and field agents

•"Data Fiduciary" means the Customer, who determines the purpose and means of processing personal data through the Service, as defined under the DPDP Act, 2023

•"Data Processor" means Vashix, which processes personal data on behalf of and under the instructions of the Data Fiduciary, as defined under the DPDP Act, 2023

•"Data Principal" means the individual whose personal data is processed through the Service (e.g., insurance claimants, field agents)

•"Capture" means a single photo verification event through the SDK or web upload, including the photo, metadata, trust score, and all associated provenance data

•"Trust Score" means the numerical score (0-100) assigned to a Capture based on multi-signal analysis of device integrity, location, timing, motion, and provenance

•"Plan" means the subscription tier selected by the Customer (Free, Pro, Enterprise, or Whitelabel), which determines feature access, usage limits, and pricing

3. Description of Service

Vashix provides a photo verification platform designed for Indian enterprises, with a particular focus on insurance claims documentation, NBFC field verification, and regulated industry workflows. The Service includes:

•An Android SDK that captures photos with hardware-backed device attestation, GPS coordinates, timestamps, motion analysis, and content credentials

•A REST API for submitting, querying, verifying, and managing Captures programmatically, with replay protection and rate limiting

•A web-based dashboard for reviewing Captures, managing team members and devices, configuring workflows, generating compliance reports, and exporting documents

•Trust score computation based on multi-signal analysis including device integrity, GPS validation, cell tower cross-referencing, motion seal verification, duplicate detection, AI generation detection, and C2PA manifest validation

•Tamper-evident audit logging for every Capture and API interaction

•Compliance tooling including: erasure APIs with signed certificates, breach notification templates, DPDP-ready data exports, data residency certificates, and consent management

•Perceptual hash database for cross-enterprise duplicate detection (hashes only, never raw images)

The Service is provided on a subscription basis as described in the applicable Plan. Feature availability, usage limits, and SLA commitments vary by Plan. Detailed Plan comparison is available at vashix.com/pricing.

4. Account Registration & Security

•To use the Service, you must create an account with a valid business email address, full name, and organisation name. You represent that all registration information is accurate and current

•You are responsible for maintaining the confidentiality of your account credentials, API keys, and access tokens. Notify us immediately at hello@vashix.com if you suspect unauthorised access

•You must not share account credentials or API keys with unauthorised individuals. Each User must have their own account

•Vashix is not liable for any loss or damage arising from unauthorised access to your account that results from your failure to safeguard your credentials

•We may suspend or terminate accounts that show signs of compromise, automated abuse, or credential sharing, after providing reasonable notice

•You must designate at least one account administrator who has authority to manage Users, API keys, and billing for your organisation

5. Subscription, Billing & Payments

This section governs all payment-related terms for the Service. By subscribing to a paid Plan, you agree to the following:

•Subscription Plans: The Service is offered in multiple tiers — Free, Plus, Pro, and Enterprise. Current pricing is available at vashix.com/pricing. All prices are exclusive of applicable GST (currently 18%)

•Free Plan: The Free Plan provides core verification features at no cost with usage caps as described on the pricing page. No credit card required. Vashix reserves the right to modify Free Plan limits with 30 days' notice

•Billing Cycle: Paid subscriptions are billed in advance on a monthly or annual basis, depending on the billing frequency selected at checkout. Monthly billing occurs on the same calendar date each month. Annual billing occurs on the anniversary of your subscription start date

•Payment Methods: We accept UPI, credit cards (Visa, Mastercard, RuPay, American Express), debit cards, netbanking, and wallets via Razorpay. Enterprise and Whitelabel customers may pay via wire transfer, NEFT/RTGS, or purchase orders with NET-30 terms

•Payment Processing: All online payments are processed by Razorpay Software Private Limited. Vashix does not store, process, or have access to your full card number, CVV, UPI PIN, or netbanking password at any point

•Auto-Renewal: All paid subscriptions renew automatically at the end of each billing cycle unless cancelled at least 24 hours before the renewal date. You can cancel auto-renewal from the dashboard at any time

•Usage Limits: Each plan has usage limits for captures, API calls, and other features as described on the pricing page. When you reach your limit, further usage is restricted until the next billing period or plan upgrade

•Taxes: All prices are exclusive of applicable taxes. GST at the prevailing rate (currently 18%) will be added to all invoices. If your organisation is GST-registered, please provide your GSTIN during checkout for proper tax documentation

•Invoice: A GST-compliant tax invoice is generated for every payment and available for download from the dashboard. Invoices are retained for 8 years per Indian tax law

•Late Payment: If payment fails, we will retry the charge up to 3 times over 7 days. If all retries fail, your account will be downgraded to the Free Plan after a 7-day grace period. You will not lose your data during the grace period, but access to paid features will be restricted

•Price Changes: We may modify pricing with 30 days' advance notice. Price changes take effect at the start of your next billing cycle. If you do not agree with the new pricing, you may cancel before the next cycle begins

•Currency: All prices are in Indian Rupees (INR). For international customers, payments are processed in INR and your bank's exchange rate applies

6. Refund & Cancellation Policy

For the complete Refund & Cancellation Policy, please visit our dedicated page. Key terms are summarised below:

•Monthly subscriptions: You may cancel at any time. Access continues until the end of the current billing period. No refund for partial months

•Annual subscriptions: You may cancel at any time. Contact us within 30 days of annual renewal for refund review. After 30 days, access continues until the end of the annual term

•Refund requests: Email hello@vashix.com with your registered email and reason for refund

•Data after cancellation: Your data remains accessible after cancellation. If you request account deletion, data is retained for 90 days before permanent erasure

•No refunds for: partial months, or accounts terminated for Terms violation

•For full details, see our Refund & Cancellation Policy at vashix.com/refund-policy

7. API & SDK Usage Terms

Access to the Vashix API and SDK is governed by the following terms:

•API keys are confidential. You are responsible for safeguarding all API keys, tokens, and credentials issued to your account. Vashix is not liable for unauthorised access resulting from compromised credentials that were not reported to us within 24 hours of discovery

•Rate limits apply per Plan tier. Exceeding documented rate limits will result in HTTP 429 responses with Retry-After headers. Persistent abuse (sustained attempts to exceed limits) may result in temporary suspension of API access after written warning

•You must not reverse-engineer, decompile, disassemble, or attempt to extract the source code of the Vashix API, SDK, or any component of the Service

•You must not use the Service to build a competing photo verification, provenance, or trust scoring product, or resell API access to third parties without a written reseller agreement

•You must not submit test, synthetic, or deliberately fraudulent data to production endpoints. Use the designated sandbox environment (api-sandbox.vashix.com) for development and testing

•All API calls are logged with timestamp, endpoint, response code, IP address, and authenticated user. Logs are retained for a minimum of 1 year per DPDP Rules 2025, Rule 6(1)(e)

•SDK integration must follow our published integration guidelines at docs.vashix.com. Modifications to SDK behaviour (hooking, patching, instrumentation, Frida injection) void all trust score guarantees and may result in account suspension

•The API and SDK are provided with target availability of 99.5% (Pro) or 99.9% (Enterprise). These are targets, not guarantees. Service credits for qualifying downtime events are described in the applicable service agreement.

8. Acceptable Use Policy

You agree not to use the Service for any of the following purposes:

•Any activity that violates applicable Indian law, including the DPDP Act 2023, IT Act 2000, or any sector-specific regulation

•Processing personal data without valid consent from the Data Principal or without a lawful basis under the DPDP Act

•Uploading, storing, or transmitting content that is obscene, defamatory, harassing, threatening, or that infringes the intellectual property rights of any third party

•Attempting to gain unauthorised access to any part of the Service, other accounts, or computer systems or networks connected to the Service

•Introducing malware, viruses, worms, Trojans, or any harmful code into the Service or any system connected to it

•Using the Service to facilitate fraud, identity theft, money laundering, or any other criminal activity

•Scraping, crawling, or using automated tools to extract data from the Service beyond what is available through the documented API

•Circumventing, disabling, or interfering with security features, rate limits, or access controls of the Service

•Submitting deliberately false or misleading data with the intent to manipulate trust scores or verification outcomes

•Using the Service for surveillance, tracking, or monitoring of individuals without their knowledge and consent

Violation of this Acceptable Use Policy may result in immediate suspension or termination of your account, without refund, and may be reported to relevant law enforcement authorities.

9. Data Processing & DPDP Compliance

Vashix acts as a Data Processor under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025. Your organisation acts as the Data Fiduciary. The following obligations apply:

•You are responsible for obtaining valid consent from Data Principals (claimants, adjusters, field agents) before using the Vashix SDK to collect their data. The SDK provides a configurable consent screen (Rule 3 compliant) to assist with this obligation

•You determine the purpose and scope of data processing. Vashix processes personal data strictly on your documented instructions as set forth in the Data Processing Agreement (DPA)

•All personal data is stored exclusively in Mumbai, Maharashtra, India. No data is transferred outside Indian jurisdiction. This satisfies DPDP Rules 2025, Rule 14

•You must execute the Vashix Data Processing Agreement (available at vashix.com/dpa) before processing personal data through the Service. The DPA constitutes the mandatory contract provision under Rule 6(1)(f)

•Erasure requests from Data Principals can be processed through your dashboard or by contacting support. A cryptographic receipt is generated as proof of deletion

•In the event of a data breach, Vashix will notify your organisation within the timeline specified in the DPA (and in any case within 72 hours) and provide a pre-filled incident report for submission to the Data Protection Board of India (Rule 7)

•Security audit logs are retained for 1 year per Rule 6(1)(e) even after erasure of personal data, as disclosed in the consent notice

•You are responsible for complying with the DPDP Act's requirements regarding: appointment of a Data Protection Officer (if applicable), responding to Data Principal requests, maintaining consent records, and reporting breaches to the Data Protection Board

You are solely responsible for your obligations as Data Fiduciary under the DPDP Act 2023. Vashix provides technical tooling that may assist your compliance efforts, but this does not constitute legal advice or guarantee regulatory compliance. Consult qualified legal counsel for DPDP compliance guidance.

10. Intellectual Property

•The Service, including all software, APIs, SDKs, algorithms, trust score methodologies, documentation, designs, and fraud detection systems, is the exclusive intellectual property of Vashix, protected under Indian copyright, patent, and trade secret law

•Your subscription grants you a limited, non-exclusive, non-transferable, revocable licence to use the Service for your internal business purposes during the subscription term and in accordance with these Terms

•You retain all rights to the photo data and business data you submit through the Service. Vashix claims no ownership over your content. Upon termination, you may export all your data

•Vashix may use anonymised, aggregated usage data (not personal data or photo content) to improve the Service. Such data cannot be used to identify any individual, organisation, or specific Capture

•The Vashix name, logo, "Trust Layer" tagline, and product names are proprietary to the Vashix platform. You may not use these marks without prior written consent, except as necessary to identify your use of the Service in your own materials

•Feedback, suggestions, or feature requests you submit may be incorporated into the Service without obligation or compensation to you. By submitting feedback, you grant Vashix a perpetual, irrevocable, royalty-free licence to use it

11. Limitation of Liability

To the maximum extent permitted by applicable Indian law:

•The Service is provided with the uptime targets specified in your Plan. Outside of SLA-covered scenarios, the Service is provided without additional warranties. We do not warrant that the Service will be entirely free of errors or harmful components.

•Vashix's total aggregate liability for any claims arising from or related to the Service shall not exceed the fees actually paid by you to Vashix in the 12 months immediately preceding the event giving rise to the claim

•In no event shall Vashix be liable for indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunity, or goodwill, whether arising from contract, tort, or otherwise

•Vashix is not liable for decisions made by your organisation based on trust scores, verification results, fraud flags, or any output of the Service. Trust scores are algorithmic indicators based on available sensor data. They are advisory only and must not be used as the sole basis for any business, legal, or financial decision. Final claim decisions remain the sole responsibility of the Data Fiduciary

•Vashix is not liable for the accuracy of GPS coordinates, device attestation signals, sensor data, or timestamps where inaccuracy results from device hardware, firmware, or operating system behaviour outside our control

•Vashix is not liable for service disruptions caused by: force majeure events, third-party infrastructure failures (Google Cloud, Razorpay), internet connectivity issues, or regulatory actions

•These limitations do not exclude or limit liability for: fraud, wilful misconduct, gross negligence, breach of data protection obligations, or any liability that cannot be excluded or limited under applicable Indian law

12. Indemnification

•You agree to indemnify, defend, and hold harmless Vashix, its officers, directors, employees, and agents from any claims, losses, damages, liabilities, and expenses (including reasonable legal fees) arising from: (a) your use of the Service in violation of these Terms; (b) your violation of the DPDP Act 2023 or any applicable law; (c) any third-party claims relating to personal data you process through the Service; (d) your failure to obtain valid consent from Data Principals

•Vashix will indemnify you against third-party claims that the Service, as provided by Vashix and used in accordance with these Terms, infringes any valid Indian patent, copyright, or trademark, provided that you: (a) promptly notify Vashix of the claim in writing; (b) give Vashix sole control of the defence; and (c) cooperate fully in the defence

•If the Service becomes the subject of an infringement claim, Vashix may, at its sole option: (a) modify the Service to be non-infringing while maintaining substantially equivalent functionality; (b) obtain a licence for your continued use; or (c) terminate the affected portion of the Service and refund prepaid fees on a pro-rata basis

13. Termination

•Either party may terminate these Terms by providing 30 days' written notice to the other party via email

•You may cancel your subscription at any time from the dashboard. Cancellation takes effect at the end of the current billing period. See Section 6 (Refund & Cancellation) for refund eligibility

•Vashix may suspend or terminate your access immediately, without prior notice, if: (a) you materially breach these Terms and fail to cure within 15 days of written notice; (b) you fail to pay fees within 30 days of the due date despite 2 payment reminders; (c) your use poses an imminent security risk to the Service or other customers; (d) required by law, court order, or regulatory authority

•Upon termination, you have a 30-day grace period to export your data via the dashboard or API. During this period, you retain read-only access to your data but cannot create new Captures

•After the 30-day grace period, Vashix will permanently delete your data in accordance with the retention policies set forth in the DPA and Privacy Policy. Signed erasure certificates will be generated for all personal data

•Termination does not release either party from obligations that accrued prior to termination, including: unpaid fees, indemnification obligations, confidentiality obligations, and data protection obligations

•Sections that by their nature should survive termination will survive, including: Definitions, Intellectual Property, Limitation of Liability, Indemnification, Governing Law, and any accrued payment obligations

14. Force Majeure

•Neither party shall be liable for failure or delay in performance of its obligations under these Terms to the extent caused by circumstances beyond its reasonable control ("Force Majeure Events")

•Force Majeure Events include, but are not limited to: natural disasters, pandemics, wars, terrorism, riots, government actions, sanctions, embargoes, internet or telecommunications failures, power outages, and third-party cloud infrastructure failures

•The affected party must notify the other party within 48 hours of becoming aware of the Force Majeure Event, describing its nature and expected duration

•If a Force Majeure Event continues for more than 60 consecutive days, either party may terminate the affected portion of the Service. Refund of prepaid fees will be reviewed on a case-by-case basis

15. Governing Law & Dispute Resolution

•These Terms are governed by and construed in accordance with the laws of India, without regard to conflict of law principles

•The courts of Mumbai, Maharashtra, India shall have exclusive jurisdiction over any disputes arising from or related to these Terms

•Before initiating litigation, the parties agree to attempt resolution through good-faith negotiation for a period of 30 days from the date of written notice of the dispute

•If negotiation fails, disputes shall be resolved through binding arbitration under the Arbitration and Conciliation Act, 1996. The arbitration shall be conducted in English, seated in Mumbai, with a sole arbitrator mutually agreed upon by the parties (or appointed by the Mumbai Centre for International Arbitration if the parties cannot agree)

•The arbitral award shall be final and binding on both parties and may be enforced in any court of competent jurisdiction

•Nothing in this clause prevents either party from seeking interim or injunctive relief from a court of competent jurisdiction to prevent irreparable harm

•The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to these Terms

•If any provision of these Terms is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect

16. General Provisions

•Entire Agreement: These Terms, together with the Privacy Policy, DPA, Refund & Cancellation Policy, and any order forms or SOWs, constitute the entire agreement between you and Vashix regarding the Service and supersede all prior agreements and understandings

•Assignment: You may not assign or transfer these Terms without the prior written consent of Vashix. Vashix may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee agrees to honour these Terms

•Waiver: The failure of either party to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. Any waiver must be in writing and signed by the waiving party

•Notices: Legal notices must be sent via email to: Vashix — legal@vashix.com; Customer — the email address on file in the account. Notices are deemed received 24 hours after email transmission

•Independent Contractors: The parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between the parties

•No Third-Party Beneficiaries: These Terms do not confer any rights on any third party. Data Principals may exercise their rights under the DPDP Act 2023 as described in our Privacy Policy but are not parties to these Terms

Vashix — Photo Verification Platform
Mumbai, Maharashtra, India
Email: hello@vashix.com
Legal: legal@vashix.com

Terms of Service

Contents

1. Acceptance of Terms

2. Definitions

3. Description of Service

4. Account Registration & Security

5. Subscription, Billing & Payments

6. Refund & Cancellation Policy

7. API & SDK Usage Terms

8. Acceptable Use Policy

9. Data Processing & DPDP Compliance

10. Intellectual Property

11. Limitation of Liability

12. Indemnification

13. Termination

14. Force Majeure

15. Governing Law & Dispute Resolution

16. General Provisions

Related Documents

Terms of Service

Contents

1. Acceptance of Terms

2. Definitions

3. Description of Service

4. Account Registration & Security

5. Subscription, Billing & Payments

6. Refund & Cancellation Policy

7. API & SDK Usage Terms

8. Acceptable Use Policy

9. Data Processing & DPDP Compliance

10. Intellectual Property

11. Limitation of Liability

12. Indemnification

13. Termination

14. Force Majeure

15. Governing Law & Dispute Resolution

16. General Provisions

Related Documents