Official Governance Document

Data Compliance & Security

Transparency in how we collect, secure, and process data for national security and hospitality compliance.

Last Updated: December 1, 2025

1. Compliance Overview

Our Commitment

SurakshaStay is built on the principle of Privacy by Design. We collect only the minimum data required to fulfill our legal obligations to hospitality safety and national security. We do not sell, rent, or trade personal data to third-party advertisers.

3. Data Processing Lifecycle

01 Collection: Encrypted capture of ID documents.
02 Processing: OCR extraction, Risk analysis.
03 Storage: AES-256 encrypted storage (India).
04 Sharing: Secure API to Police & Hotels.
05 Deletion: Cryptographic erasure on expiry.

4. Aadhaar & Sensitive KYC Handling

Aadhaar Data Vault Compliance

We strictly adhere to UIDAI guidelines. Raw Aadhaar numbers are never stored in our primary databases.

Data Masking

Only the last 4 digits (XXXX-XXXX-1234) are visible to hotel staff.

Reference Keys

Actual data is stored in a secure, isolated Data Vault using Reference Key mapping.

5. Security Controls

Encryption

Data at rest (AES-256) and in transit (TLS 1.3) is fully encrypted.

Access Control

Strict Role-Based Access Control (RBAC) & Multi-Factor Authentication.

Monitoring

24/7 SOC monitoring for intrusion detection and anomaly flagging.

6. Data Retention Policy

| Data Type | Retention Period | Legal Rationale |
| --- | --- | --- |
| Foreigner C-Forms | 7 Years | Mandated by The Foreigners Act, 1946 |
| Domestic Guest Logs | 5 Years | Prevention of Money Laundering Act (PMLA) |
| System Access Logs | 18 Months | Security auditing and forensic readiness |
| Deleted Account Data | 90 Days | Grace period for accidental deletion recovery |

7. Data Subject Rights

Users and guests have the following rights regarding their personal data, exercisable via the SurakshaStay portal.

Right to Access & Portability
Right to Correction
Right to Erasure (where lawful)
Right to Grievance Redressal
Note: "Right to Erasure" does not apply to data mandated for retention by law (e.g., Police Reports, C-Forms) until the retention period expires.

8. Third-Party Processors

We share data only with vetted subprocessors necessary for service delivery. All partners sign strict Data Processing Agreements (DPA).

| Role | Partner | Purpose |
| --- | --- | --- |
| Cloud Infrastructure | Microsoft Azure | Data Hosting & Compute |
| SMS & Notifications | Infozy SMS & AI Intellisoft LLP | OTP & Alerts |
| OCR Engine | Google Vision | Text Extraction |
| Payment Gateway | Razorpay | Transaction Processing |

9. Audits & Certifications

Annual VAPT

We conduct Vulnerability Assessment & Penetration Testing (VAPT) annually via CERT-In empaneled auditors to identify and patch security risks.

Cloud Security

Our infrastructure is hosted on ISO 27001 certified data centers within India, ensuring physical and digital security compliance.

10. Breach Response Protocol

Incident Notification SLA

In the event of a significant data breach, SurakshaStay is committed to notifying:

CERT-In: Within 6 hours of confirmation
Affected Users: Within 72 hours of assessment
Data Board: As per DPDP Act mandate

Frequently Asked Questions

While our primary jurisdiction is India, our privacy framework aligns with GDPR principles (Consent, Minimization, Access) to support international guests.