LAST UPDATED ON 11th December 2024

Data Processing Activities

This document outlines the data processing activities conducted by our website and services, including information on infrastructure, data handling, and compliance with relevant regulations.

1. Introduction
Our website leverages cloud services for deploying AI models and web applications, ensuring scalability, reliability, and security. These activities are conducted with adherence to applicable data protection and privacy laws, such as GDPR and SOC2.


2. Cloud Infrastructure
2.1. AWS (US-East-1)

  • Purpose: Hosting and managing AI models for inference and analytics.
  • Services Used: Amazon EC2, S3, and DynamoDB.
  • Data Location: Data is processed and stored within the AWS US-East-1 (N. Virginia) region.
  • Security Measures: Encryption in transit (TLS 1.2 or higher) and at rest (AES-256), IAM roles, and AWS.

2.2. Azure (US-West-3)

  • Purpose: Hosting web services and user-facing applications.
  • Services Used: Azure App Services, Azure SQL Database, and Blob Storage.
  • Data Location: Data is processed and stored within the Azure US-West-3 (Phoenix) region.
  • Security Measures: Managed identities, encryption at rest and in transit, and Azure Security Center monitoring.

3. Data Categories Processed
3.1. User Data

  • Types: Name, email address, IP address, and usage metrics.
  • Purpose: Personalization, service delivery, and analytics.
  • Retention Period: Retained for the duration of the user’s account and deleted upon request or account termination.

3.2. AI Model Data

  • Types: Training datasets, model parameters, and inference requests.
  • Purpose: AI model deployment, improvement, and performance monitoring.
  • Retention Period: Retained for the duration of service and purged periodically to ensure data minimization.

3.3. Operational Data

  • Types: Logs, system metrics, and error reports.
  • Purpose: Debugging, security monitoring, and service optimization.
  • Retention Period: Logs retained for 30 days unless otherwise required by regulatory obligations.

4. Data Transfers
All data transfers are secured using industry-standard encryption protocols. Data remains within the designated regions (US-East-1 and US-West-3) and is not shared with third parties without explicit user consent or contractual necessity.


5. Access and Control

  • Access Controls: Role-based access controls (RBAC) are implemented, ensuring that only authorized personnel have access to data.
  • User Rights: Users can request access to, correction of, or deletion of their data by contacting our support team.

6. Compliance
We adhere to the following standards and certifications:

  • GDPR: Ensuring user rights and data protection measures.
  • SOC 2: Adherence to principles of security, availability, and confidentiality.
  • CCPA: Compliance with California Consumer Privacy Act requirements.

7. Incident Response
In case of any data breach or incident:

  • Notification: Users will be notified within 72 hours of discovery.
  • Mitigation: Immediate measures will be taken to secure data and prevent recurrence.

8. Contact Information
For any queries regarding data processing activities, please contact:

This document will be reviewed and updated periodically to reflect changes in our data processing practices or regulatory requirements.

Term
Definition
Data subject
A data subject who is the subject of personal and sensitive personal data.
Personal data or Personally
Identifiable Information
(PII)
PII is any information about an individual (the data subject) which can
- any information that can be used to distinguish or trace an individual‘s identity;
- any other information that is linked or linkable to an individual
Examples included but not limited to: Name, Address, Date of birth etc.
Sensitive Personal
Information (SPI)
Sensitive personal data means personal data consisting of information but not limited to the following attributes of the data subject:
- password
- financial information such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- genetic or biometric information;
- racial and ethical origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- any detail relating to the above clauses as provided to body corporate for
    providing service; and
- any of the information received under above clauses by body corporate     for processing, stored or processed under lawful contract or otherwise:
Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Third Party
All external parties – contractors, interns, summer trainees, vendors – who have access toIDQPL information assets or information systems.
Data protection and
security
Anyone collecting personal and customer information must fairly and lawfully process it, process it only for limited, specifically stated purposes, use the information in a way that is adequate, relevant and not excessive, use the information accurately, keep the information on file no longer than absolutely necessary, process the information in accordance with your legal rights, keep the information secure and never transfer the
information outside the country without adequate protection