Digital Personal Data Protection Policy

1. INTRODUCTION, OBJECTIVES & SCOPE

Terralytics Analysis Private Limited (the "Company") is committed to protecting personal data and processing it in a lawful, fair, and transparent manner in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable rules.

1.1 Policy Objectives

This Policy establishes the Company's:

• Compliance Objective: Ensure adherence to the DPDP Act, RBI guidelines (where applicable), and contractual obligations with clients
• Accountability Objective: Define roles, responsibilities, and ownership of data processing activities
• Risk Management Objective: Identify, assess, and mitigate risks relating to personal data processing
• Governance Objective: Establish structured oversight, audit, and monitoring mechanisms for privacy compliance

1.2 Scope

This Policy applies to:

• Website visitors and users (where the Company acts as a Data Fiduciary)
• Client data processed as part of services (where the Company acts as a Data Processor)
• All employees, departments, and third-party processors handling personal data

2. ORGANISATIONAL ROLE CLARITY

The Company operates under dual roles:

• As Data Fiduciary: For personal data collected directly (e.g., website visits, cookies, inquiries)
• As Data Processor: When processing personal data on behalf of clients (who remain Data Fiduciaries)

All subcontractors engaged by the Company act as Sub-Processors and are contractually bound.

3. DEFINITIONS

• "Personal Data": Any data about an identifiable individual
• "Sensitive Personal Data": Any category of personal data requiring enhanced protection under applicable law or contractual obligations (including financial, identification, or regulated data categories where applicable)
• "Data Principal": The individual to whom the personal data relates
• "Data Fiduciary": Entity determining purpose and means of processing
• "Data Processor": Entity processing personal data on behalf of a Data Fiduciary
• "Processing": Any operation performed on personal data

4. PRIVACY PRINCIPLES

The Company adheres to the following principles:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

5. DATA PROCESSING ACTIVITIES & FUNCTIONAL OWNERSHIP

6. CATEGORIES OF PERSONAL DATA

• Identity & Contact Data
• Technical & Usage Data
• Communication Data
• Transaction Data (if applicable)

The Company follows strict data minimisation practices.

7. PURPOSES OF PROCESSING & LEGAL BASIS MAPPING

8. CONSENT MANAGEMENT

Consent shall be:

• Free, informed, specific, and unambiguous
• Withdrawable at any time

Consequences of withdrawal will be clearly communicated.

9. CHILDREN'S DATA

Processed only with verifiable parental consent and in compliance with the DPDP Act.

10. DISCLOSURE OF PERSONAL DATA

The Company may disclose data to:

• Service providers (Data Sub-Processors contractually and professionally bound to exercise the same degree of caution as the company)
• Government authorities (When required by any applicable law, rule or regulation)

No sale of personal data is undertaken.

11. CROSS-BORDER TRANSFER

Transfers occur only in compliance with Government notifications under the DPDP Act.

12. DATA RETENTION

Data is retained:

• Only as long as necessary
• As required by law or contractual obligation
• Logs retained per regulatory requirements

13. DATA PRINCIPAL RIGHTS

• Access
• Correction & erasure
• Withdrawal of consent
• Grievance redressal
• Nomination

Rights are subject to DPDP limitations.

14. GRIEVANCE REDRESSAL

Data Protection Officer (DPO) & CISO:

CTO – Head of Technology & Security

• Email: ashik@tealindia.in

Timelines for addressing all grievances will be according to statutory requirements.

15. SECURITY SAFEGUARDS

The Company implements:

• Technical controls (encryption, access control)
• Organisational controls (policies, training)
• Periodic risk assessments

16. PERSONAL DATA BREACH MANAGEMENT

16.1 Responsibility

All breach handling shall be managed exclusively by:

• Technology Team (CISO)
• Legal Team (DPO function)

No other departments are part of the breach response decision-making process.

16.2 Incident Lifecycle

1. Detection & reporting
2. Containment
3. Assessment
4. Investigation
5. Notification
6. Remediation
7. Closure & documentation

16.3 Notification

• Regulator (Data Protection Board): As per DPDP Act
• Affected Data Principals: Where required
• Clients (if processor): Immediate notification

16.4 Timelines

Handled as per statutory requirements and contractual obligations.

17. INTERNAL & EXTERNAL COMMUNICATION

• Employees: Mandatory privacy training and policy awareness
• Vendors: Contractual obligations and compliance requirements
• Clients: Defined data processing agreements

18. COMPLIANCE MONITORING & AUDIT

The Company maintains a structured compliance framework:

• Periodic internal audits
• Risk assessments (ISO 27001 aligned)
• Compliance testing
• Exception management with approvals
• Audit trails and documentation

19. PERFORMANCE & EFFECTIVENESS MEASUREMENT

The Company evaluates privacy effectiveness through:

• Number of incidents/breaches
• Resolution timelines
• Audit findings and closure rates
• Training completion rates
• Data subject request turnaround time

Periodic reviews are conducted by Legal and Technology leadership.

20. GOVERNANCE & REVIEW

• Policy reviewed annually or upon regulatory change
• Approved by senior management
• Changes tracked with version control

21. UPDATES TO POLICY

This Policy may be updated from time to time and will be published on the website. Continued use of services constitutes acceptance of the updated Policy.