Compliance

GDPR &
Data Protection

Last updated: July 2025 · Infosign Technologies Pvt. Ltd.

Infosign Technologies is committed to compliance with the General Data Protection Regulation (GDPR) for European users, the Digital Personal Data Protection Act 2023 (DPDPA) for Indian users, and all applicable data protection regulations across the jurisdictions in which we operate.

Contents

Scope & Applicability
Data Controller & Processor Roles
Lawful Basis for Processing
Your Data Rights
Cross-Border Data Transfers
Data Protection Impact Assessment
Data Breach Response
Data Protection Officer
India DPDPA Compliance
Contact & Requests

1. Scope & Applicability

This GDPR & Data Protection Statement applies to:

European Economic Area (EEA) residents whose personal data is processed by Infosign Technologies
UK residents covered under UK GDPR post-Brexit
All individuals whose data is processed through our financial technology platforms
Data subjects in jurisdictions with equivalent data protection requirements

As a financial technology company primarily operating in India and serving international markets including Dubai, we process personal data in accordance with GDPR where applicable, DPDPA 2023 for Indian data, and relevant financial regulations.

2. Data Controller & Processor Roles

When We Act as a Data Controller

Infosign Technologies acts as a Data Controller for:

Personal data of our direct clients, prospects, and website visitors
Employee and contractor data
Marketing and communication data

When We Act as a Data Processor

When our clients (trading members, depository participants) use our software to process end-customer data, Infosign acts as a Data Processor. In this capacity:

We process data only on the documented instructions of our clients
We maintain appropriate technical and organisational security measures
We assist clients in fulfilling their own data protection obligations
We enter into Data Processing Agreements (DPAs) with all clients processing personal data

3. Lawful Basis for Processing

We process personal data under the following lawful bases:

Processing Activity	Lawful Basis
Service delivery & product access	Contract — necessary to perform our contractual obligations
eKYC & identity verification	Legal obligation — mandated by SEBI, RBI, CERSAI, and PMLA
Security monitoring & fraud prevention	Legitimate interests — to protect the security of our systems
Marketing communications	Consent — you may opt out at any time
Regulatory reporting	Legal obligation — required by financial regulators
Product analytics & improvement	Legitimate interests — improving service quality

4. Your Data Rights

Under GDPR and applicable data protection law, you have the following rights:

Art. 15

Right of Access

Obtain confirmation of whether we process your data and receive a copy of it

Art. 16

Right to Rectification

Have inaccurate or incomplete personal data corrected without undue delay

Art. 17

Right to Erasure

Request deletion of your data where there is no compelling reason for continued processing

Art. 18

Right to Restriction

Request restriction of processing in certain circumstances, such as while accuracy is disputed

Art. 20

Right to Portability

Receive your data in a structured, commonly used format and transfer it to another controller

Art. 21

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes

To exercise any of these rights, submit a request to [email protected]. We will respond within 30 days. Some rights may be limited where we have overriding legal obligations (e.g., financial record keeping under Indian law).

5. Cross-Border Data Transfers

Infosign operates cloud infrastructure across multiple regions. Where personal data is transferred outside the EEA or India, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs): Used for transfers to cloud providers (AWS, GCP, Azure) outside the EEA
Adequacy decisions: Transfers to countries with adequate data protection are made in reliance on European Commission adequacy decisions
Binding Corporate Rules: Where applicable for intra-group transfers
DPDPA cross-border provisions: For transfers involving Indian personal data, we comply with the restrictions under the DPDPA 2023

Our primary data centres are located in India. International processing may occur in relation to multi-cloud infrastructure and specifically for clients with international operations (e.g., Dubai Gold & Commodity Exchange).

6. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

Deployment of new eKYC features involving biometric data
Large-scale processing of financial transaction data
New cloud infrastructure deployments involving personal data
Integration of new third-party services that process personal data

DPIAs are reviewed by our data protection team prior to commencing new high-risk processing activities.

7. Data Breach Response

In the event of a personal data breach, we follow our Incident Response Procedure:

Immediate containment and investigation upon detection
Assessment of risk to affected individuals within 24 hours
Notification to relevant supervisory authorities within 72 hours of becoming aware of the breach (where required under GDPR)
Notification to affected individuals without undue delay where the breach poses a high risk
Full incident documentation and post-incident review

To report a suspected breach, contact: [email protected]

8. Data Protection Officer

Infosign Technologies has designated a Data Protection Officer (DPO) responsible for overseeing data protection strategy and compliance. The DPO can be contacted at:

Data Protection Officer
Infosign Technologies Pvt. Ltd.
Cyber Square, Ernakulam North, Kacheripaddy
Kochi 682 018, Kerala, India

Email: [email protected]
Response time: Within 30 days

9. India DPDPA 2023 Compliance

In addition to GDPR, Infosign Technologies complies with India's Digital Personal Data Protection Act, 2023 (DPDPA). Under the DPDPA:

We process personal data only for lawful purposes with consent or other valid grounds
We provide clear and accessible notice at the time of data collection
We honour data principal rights including access, correction, erasure, and grievance redress
We appoint a Consent Manager where applicable
We implement security measures commensurate with the sensitivity of data processed
We notify the Data Protection Board of India of significant data breaches

As a financial technology provider, our KYC and financial data processing also remains subject to SEBI, RBI, PMLA, and CERSAI regulations which may require retention of data beyond what data principals might request to be deleted.

10. Contact & Requests

For all data protection and GDPR-related requests:

📧 GDPR & Privacy: [email protected]
📧 Security incidents: [email protected]
📧 General privacy: [email protected]
🌐 Website: www.infosign.biz

If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For EEA residents, this would be the relevant national data protection authority. For Indian residents, this would be the Data Protection Board of India (once established under the DPDPA).

GDPR &Data Protection