1. Introduction & Scope
Better Compliance ("Company," "we," "our," or "us") is committed to protecting the privacy and security of personal data entrusted to us by our clients, partners, and stakeholders. This Data Protection Policy outlines our comprehensive approach to data protection in compliance with applicable laws including India's Digital Personal Data Protection Act 2023 (DPDPA), the European Union's General Data Protection Regulation (GDPR), and other relevant international data protection frameworks.
Our Commitment: We recognize that data protection is fundamental to building trust with international companies seeking to establish operations in India. As a one-stop platform facilitating business expansion, we handle sensitive corporate and personal information requiring the highest standards of protection.
Scope of Application: This policy applies to all personal data processing activities conducted by Better Compliance, including:
- Client business information and corporate data.
- Employee and contractor personal information.
- Third-party service provider data.
- Digital interactions through our platform and website.
- Cross-border data transfers between India and our clients' home countries.
2. Legal Framework and Compliance
Primary Legislation Compliance:
- Digital Personal Data Protection Act 2023 (DPDPA): Our primary compliance framework for processing personal data within India.
- General Data Protection Regulation (GDPR): Applicable when processing data of EU residents or providing services to EU-based companies.
- Sector-specific regulations: Including RBI guidelines for financial data, SEBI regulations for capital market information, and other industry-specific requirements.
Extraterritorial Application:
Given our focus on international business expansion, we ensure compliance with data protection laws that apply extraterritorially, particularly GDPR for EU clients and similar frameworks for clients from the UK, US, Australia, and Japan.
3. Data Collection and Processing
Types of Data We Collect
Client Business Data:
- Company registration information and corporate documents
- Financial records and banking details for setup services
- Business plans and strategic information
- Contact details of directors, authorized signatories, and key personnel
- Compliance and regulatory documentation
Personal Data Categories:
- Contact details of directors, authorized signatories, and key personnel contained in client business data
- Employee and contractor personal information
- Personal data contained in third-party service provider records
Lawful Basis for Processing:
- Consent: Explicit, informed consent where required by law
- Contractual Necessity: Processing required to fulfill service agreements
- Legitimate Interests: Processing necessary for business operations, including:
  - Business expansion services
  - Compliance with Indian regulations
  - Fraud prevention and security
  - Service improvement and platform functionality
4. Data Security Measures
Technical Safeguards:
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- End-to-end encryption for sensitive communications
- Multi-factor authentication (MFA) for system access
- Role-based access control (RBAC)
- Regular access reviews
- Biometric authentication for high-security areas
- Secure cloud infrastructure with leading providers
- Regular penetration testing and vulnerability assessments
- 24/7 monitoring and incident response
- Redundant systems and disaster recovery
Organizational Measures:
- Comprehensive staff training on DPDPA, GDPR, and secure data handling
- Incident response protocols and confidentiality obligations
- Secure office facilities with access controls and surveillance
- Visitor management and clean-desk policies
- Controlled access to server rooms and data centers
5. Cross-Border Data Transfers
Transfer Framework Under DPDPA:
- Blacklist approach: Under section 16 of the DPDPA, transfers are permitted to any country except those the Central Government restricts by notification.
- Contractual safeguards: Data-transfer agreements with protection clauses, breach notification, data-subject rights, and confidentiality obligations.
GDPR Compliance for EU Transfers:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Binding Corporate Rules for intra-group transfers
- Specific derogations for necessary transfers
- Transfer impact assessments for transfers relying on SCCs, and Data Protection Impact Assessments (DPIAs) where the underlying processing is high risk
6. Data Subject Rights
Rights Under DPDPA:
- Right to Information
- Right to Correction
- Right to Erasure
- Right to Grievance Redressal
Rights Under GDPR:
- Right of access
- Right to rectification and erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
Rights Exercise Process:
- Request via email: hello@bettercompliance.in
- Online portal on our website
- Written request to Data Protection Office
- Through client relationship managers
Response Timeline:
- 30 days under DPDPA
- 1 month from receipt under GDPR (extendable by a further 2 months for complex or numerous requests, with the requester informed of the extension within the first month)
- Immediate action for urgent deletion requests
7. Data Retention and Deletion
Retention Principles:
- Data retained only as long as necessary
- Aligned with Indian company law (8 years for financial records), tax compliance (6 years), and other regulatory requirements
Secure Deletion:
- Overwriting of digital storage media
- Physical destruction of hardware
- Verification of complete removal
- Documentation of deletion activities
8. Breach Management and Incident Response
Incident Detection and Response:
- Continuous 24/7 monitoring
- Automated threat detection
- Real-time alerts and audits
- Employee reporting channels
Breach Notification Procedures:
- Internal: DPO, CISO, compliance, and senior management notified immediately
- Regulatory:
  - DPDPA: Data Protection Board of India, together with each affected data principal, in the form and manner prescribed
  - GDPR: Competent supervisory authority within 72 hours of becoming aware of the breach, and affected data subjects without undue delay where the breach is likely to result in a high risk to them
  - Industry-specific regulators where required
- Client Notification: Within 24–48 hours with details of the breach, its impact, mitigation taken, and recommended client actions
9. Third-Party Data Sharing
Service Provider Management:
- Due diligence on processors (security, certifications, compliance)
- Data processing agreements with specific obligations, sub-processor approvals, and audit rights
Limited Sharing Scenarios:
- With client consent
- Legal compliance and regulatory needs
- Fraud prevention and security
- Corporate transactions with safeguards
10. Governance and Accountability
Data Protection Officer (DPO):
- Monitors compliance and conducts DPIAs
- Acts as contact point for authorities
- Provides training and guidance
Contact Information:
- Email: hello@bettercompliance.in
- Phone: +91-9964986427
- Address: No.19/1, Chetan Tower, 3rd Floor, Infantry Road Cross, Bengaluru - 560001
Regular Audits and Reviews:
- Annual data protection audits
- Quarterly security assessments
- Regular policy reviews and updates
- Ongoing staff training
Documentation:
- Processing activity records
- DPIAs
- Breach incident logs
- Training records and certifications
11. Updates and Amendments
Policy Review:
- Annual review
- Triggered by law changes, operational changes, incidents, or regulatory guidance
Notification of Changes:
- Email updates to clients
- Website updates with highlights
- Direct communication for significant changes
- Internal training updates
12. Contact Information and Complaints
Primary Contacts:
- Privacy: hello@bettercompliance.in
- Data Protection Officer: rahul@bettercompliance.in
- Security Incidents: security@bettercompliance.in
- General Inquiries: hello@bettercompliance.in
Complaint Resolution:
- Acknowledgment within 48 hours
- Investigation and response within 30 days
- Escalation to senior management if unresolved
External Authorities:
- India: Data Protection Board of India
- EU: Supervisory authority in client's country
- Other jurisdictions: Relevant data protection authorities
Document Control:
- Version: 1.0
- Effective Date: [Date]
- Next Review: [Annual Review Date]
- Owner: Data Protection Officer
- Approved By: Chief Executive Officer
