
Data Protection Policy

How we protect, secure, and safeguard personal data across our platform

Last Updated: 10th February, 2026 | Effective: 10th February, 2026


BRAINBIT INFOTECH PRIVATE LIMITED

CIN: U72900JH2021PTC016964 | Registered Office: Ranchi, Jharkhand, India

Platform: BrainBit-SOMS (School Operations Management System)

This Data Protection Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

Table of Contents

1. Introduction & Scope
2. Data Fiduciary Obligations
3. Personal Data Categories
4. Children's Data Protection
5. Data Processing Principles
6. Technical Security Measures
7. Organizational Security Measures
8. Data Breach Management
9. Data Processor Obligations
10. Data Principal Rights
11. Data Retention Schedule
12. Cross-Border Transfer Restrictions
13. Compliance Framework
14. Accountability & Record-Keeping
15. Training & Awareness
16. Policy Review
17. Contact Information

1 Introduction & Scope

1.1. This Data Protection Policy ("Policy") sets out the framework, principles, and measures adopted by BrainBit Infotech Private Limited ("Company", "We", "Us") to protect personal data processed through the BrainBit-SOMS (School Operations Management System) platform ("Platform").

1.2. BrainBit-SOMS is a multi-tenant, cloud-based school management platform that processes personal data belonging to students (predominantly children below 18 years), parents/guardians, teaching staff, non-teaching staff, and school administrators across multiple educational institutions in India.

1.3. This Policy applies to:

  • All personal data processed through the Platform, whether collected online or uploaded by subscribing Institutes
  • All employees, contractors, and agents of BrainBit Infotech Private Limited who have access to personal data
  • All subscribing educational institutions ("Institutes") and their authorized users
  • All third-party service providers engaged by the Company for data processing
  • Data processed through all modules: Academics, Student Management, Fee Management, HR & Payroll, Attendance, Communication, Portals, and Reports

Critical Notice: Given that the majority of data subjects on our Platform are children (students below 18 years of age), this Policy places heightened emphasis on the protection of children's data in accordance with Section 9 of the Digital Personal Data Protection Act, 2023. All data protection measures described herein are implemented with the best interest of children as a primary consideration.

1.4. This Policy should be read in conjunction with our Privacy Policy, Terms of Service, and Grievance Redressal Policy.

1.5. Definitions: Unless otherwise stated, all capitalized terms used in this Policy shall have the meanings ascribed to them in the DPDP Act, 2023, our Terms of Service, and our Privacy Policy.

2 Data Fiduciary Obligations

2.1. Under the Digital Personal Data Protection Act, 2023, BrainBit Infotech Private Limited acts as a Data Fiduciary (the entity that determines the purpose and means of processing personal data). Each subscribing Institute acts as a joint Data Fiduciary for the data it uploads, as the Institute determines the specific data to be processed and the educational purposes thereof.

2.2. Obligations Under Section 8 of the DPDP Act, 2023

As a Data Fiduciary, the Company undertakes the following obligations:

| Obligation (DPDP Act Reference) | Our Commitment |
|---|---|
| Lawful Processing (Section 4) | We process personal data only for lawful purposes for which the Data Principal has given consent, or for certain legitimate uses as specified under Section 7. |
| Notice Before Consent (Section 5) | We provide clear notice (via this Policy and our Privacy Policy) describing the personal data to be collected and the purpose of processing before obtaining consent. |
| Purpose Limitation (Section 8(1)) | We process personal data only for the purposes specified at the time of collection and do not use it for any incompatible purpose without fresh consent. |
| Data Accuracy (Section 8(3)) | We implement reasonable measures to ensure personal data is complete, accurate, and not misleading, considering the purpose for which it is processed. |
| Reasonable Security (Section 8(4)) | We implement appropriate technical and organizational security safeguards to protect personal data against unauthorized access, use, modification, disclosure, or destruction. See Sections 6 and 7 of this Policy. |
| Storage Limitation (Section 8(7)) | We erase personal data once the purpose for processing has been fulfilled and retention is no longer necessary for legal or business purposes. See Section 11 for the retention schedule. |
| Breach Notification (Section 8(6)) | We notify the Data Protection Board of India and affected Data Principals of any personal data breach in the manner and timeframe prescribed. See Section 8 of this Policy. |
| Grievance Redressal (Section 8(10)) | We have appointed a Grievance Officer and established a grievance redressal mechanism as detailed in our Grievance Redressal Policy. |

2.3. Significant Data Fiduciary Assessment

Given that we process data of children on a large scale, the Central Government may designate us as a Significant Data Fiduciary under Section 10 of the DPDP Act. In anticipation, we have proactively adopted the following additional safeguards:

  • Periodic Data Protection Impact Assessments (DPIA) for new features and modules
  • Annual audit of data protection practices and policies
  • Maintenance of records demonstrating compliance with the DPDP Act
  • Designation of a contact person to act as a point of contact for grievance redressal

3 Personal Data Categories

3.1. The Platform processes the following categories of personal data, each with specific protection requirements:

3.1.1. Student Data

Children's Data: Approximately 90% or more of student data pertains to children below 18 years of age. All student data processing is subject to the heightened protections under Section 9 of the DPDP Act, 2023.

| Data Category | Specific Data Elements | Sensitivity Level |
|---|---|---|
| Identity Information | Full name, date of birth, gender, photograph, student code, Aadhaar number (if provided), religion, caste/category, nationality | High |
| Academic Records | Class, section, stream, roll number, exam marks, grades, report cards, co-scholastic assessments, ranking, promotion history | Medium |
| Attendance Records | Daily and period-wise attendance, leave applications, leave type, leave reasons | Medium |
| Financial Records | Fee ledger, payment history, receipts, concessions, installment details, outstanding dues | High |
| Medical Information | Blood group, known allergies, chronic medical conditions, disability status | Critical (Sensitive Personal Data) |
| Guardian/Family Details | Parent/guardian names, relationship, contact numbers, email, occupation, employer, annual income, address | High |
| Documents | Transfer certificates, birth certificates, previous school marksheets, caste certificates, photographs | High |
| Portal Activity | Login timestamps, pages accessed, actions performed (Student Portal) | Low |

3.1.2. Staff Data

| Data Category | Specific Data Elements | Sensitivity Level |
|---|---|---|
| Identity Information | Full name, date of birth, gender, photograph, Aadhaar, PAN, marital status | High |
| Employment Details | Designation, department, joining date, employment type, reporting structure | Medium |
| Qualifications & Experience | Educational qualifications, certifications, previous employment history | Medium |
| Financial Information | Salary structure, bank account number, IFSC code, PF number, ESI number, IT declarations, TDS details, salary advances | Critical (Sensitive Personal Data) |
| Attendance & Leave | Attendance records, leave balances, leave applications, leave history | Medium |
| Documents | ID proofs, qualification certificates, experience letters, appointment letters | High |

3.1.3. Parent Data

| Data Category | Specific Data Elements | Sensitivity Level |
|---|---|---|
| Identity Information | Full name, relationship to student, contact number, email address | Medium |
| Authentication Credentials | Username, password (bcrypt-hashed), remember-me tokens | Critical |
| Financial Transactions | Fee payment records, Razorpay transaction IDs, payment receipts | High |
| Portal Activity | Login timestamps, pages accessed, actions performed, leave applications submitted | Low |
| Communication Preferences | Notification preferences (SMS, Email, WhatsApp, In-app) | Low |

3.1.4. Institute Administrative Data

| Data Category | Specific Data Elements | Sensitivity Level |
|---|---|---|
| Institute Identity | School name, registration number, board affiliation, UDISE+ code, logo | Medium |
| Contact Information | Address, phone numbers, email, website URL | Medium |
| Financial Details | GSTIN, PAN, bank details (for payroll processing) | High |
| Configuration Data | Academic years, class structures, fee structures, grading systems, timetables | Low |

4 Children's Data Protection

CRITICAL SECTION: BrainBit-SOMS is a school management platform. The vast majority of student data pertains to children (persons below 18 years of age). This section outlines our obligations and safeguards under Section 9 of the DPDP Act, 2023.

4.1. Verifiable Parental Consent (Section 9(1), DPDP Act)

4.1.1. Before any personal data of a child is processed through the Platform, verifiable consent of the child's parent or lawful guardian must be obtained.

4.1.2. The subscribing Institute (as joint Data Fiduciary) is responsible for obtaining verifiable parental consent through the following mechanisms:

  • Admission Process: Physical or digital admission forms signed/submitted by the parent/guardian, which include a clear data processing consent clause
  • Online Admission: The public admission form includes an explicit consent checkbox and declaration by the parent/guardian
  • Portal Registration: Parent Portal account creation constitutes additional verifiable consent for portal-related data processing

4.1.3. The Company maintains a record of the consent mechanism used by each Institute and may audit Institutes to verify compliance with consent requirements.

4.2. Prohibited Activities (Section 9(2) and 9(3), DPDP Act)

In strict compliance with Section 9 of the DPDP Act, 2023, the Company and the Platform shall NOT:

  • Undertake tracking or behavioral monitoring of children beyond what is necessary for educational management
  • Undertake targeted advertising directed at children
  • Process children's personal data in any manner that is likely to cause any detrimental effect on the well-being of a child
  • Engage in profiling of children for commercial, marketing, or non-educational purposes
  • Sell, trade, or share children's data with any third party for commercial or advertising purposes
  • Use children's data to create behavioral profiles, predictive analytics, or scoring systems outside the scope of academic assessment

Design Principle: The Platform is designed with a "Children First" approach. Every feature, module, and data flow has been evaluated to ensure that the processing of children's data is limited to what is strictly necessary for educational institution management. The Platform does not include any gamification, social networking, or engagement-optimization features directed at children.

4.3. Data Minimization for Children

4.3.1. We collect only the minimum personal data necessary for the specified educational management purposes.

4.3.2. The Institute shall ensure that only relevant and necessary data is entered into the Platform. The Company provides guidance to Institutes on the minimum data fields required for each module.

4.3.3. Optional data fields (such as medical information, Aadhaar number, religion, and caste) are clearly marked and not mandatory for platform functionality.

4.4. Enhanced Security for Children's Data

In addition to the standard security measures described in Section 6, the following enhanced protections apply to children's data:

  • Role-based access control ensures that only authorized personnel (teachers, administrators) can access student records relevant to their role
  • Student Portal access is restricted to view-only for academic, attendance, and fee information; students cannot modify records
  • Parent Portal provides parents/guardians with full visibility into their child's data and the ability to request corrections
  • Sensitive medical data is accessible only to designated administrative staff at the Institute level
  • Multi-tenant data isolation ensures that no Institute can access another Institute's student data

4.5. Rights of Parents/Guardians Over Children's Data

Parents and lawful guardians of children whose data is processed on the Platform have the right to:

  • Access all personal data of their child stored on the Platform via the Parent Portal or by request to the Institute
  • Request correction of inaccurate, incomplete, or misleading data
  • Withdraw consent for processing (subject to contractual and legal obligations of the Institute)
  • Request erasure of their child's data upon the child leaving the Institute (subject to the retention schedule in Section 11)
  • Receive information about the categories of data being processed and the purposes thereof
  • File a grievance regarding processing of their child's data (see Grievance Redressal Policy)

5 Data Processing Principles

5.1. All processing of personal data through BrainBit-SOMS adheres to the following foundational principles, derived from the DPDP Act, 2023, and internationally recognized data protection standards:

5.1.1. Lawfulness, Fairness, and Transparency

  • Personal data is processed only on a lawful basis: consent of the Data Principal or legitimate uses under Section 7 of the DPDP Act
  • Data Principals are provided clear, accessible notice about processing activities through this Policy and our Privacy Policy
  • Processing activities are fair and do not have unjustified adverse effects on Data Principals

5.1.2. Purpose Limitation

  • Personal data is collected only for specified, clear, and lawful purposes as communicated to the Data Principal at the time of collection
  • Data is not processed for any purpose incompatible with the original purpose without obtaining fresh consent
  • The purposes are limited to: educational institution management, academic record-keeping, fee management, attendance tracking, HR/payroll processing, parent-school communication, and statutory compliance

5.1.3. Data Minimization

  • Only personal data that is adequate, relevant, and necessary for the specified purpose is collected
  • The Platform is designed with mandatory and optional data fields; Institutes are encouraged to collect only what is necessary
  • Data collection forms are periodically reviewed to remove unnecessary fields

5.1.4. Accuracy

  • Reasonable steps are taken to ensure that personal data is accurate, complete, and up-to-date
  • Institutes are responsible for maintaining the accuracy of data they upload
  • Data Principals (parents, staff) can request correction of inaccurate data through the Institute or directly via our Grievance Officer
  • The Platform provides data validation at the point of entry (date formats, email validation, phone number format) to minimize errors

5.1.5. Storage Limitation

  • Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected
  • A detailed retention schedule (Section 11) governs the deletion of data upon expiry of the retention period
  • Upon termination of an Institute's subscription, data is retained for 90 days (export window) and then permanently deleted

5.1.6. Integrity and Confidentiality

  • Personal data is protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage
  • Technical and organizational measures (Sections 6 and 7) ensure the ongoing confidentiality, integrity, and availability of data

6 Technical Security Measures

6.1. In compliance with Section 8(4) of the DPDP Act, 2023 and Rule 8 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we implement the following technical security measures:

6.1.1. Encryption

| Measure | Implementation | Standard |
|---|---|---|
| Data in Transit | All data transmitted between the user's browser and the server is encrypted using HTTPS/SSL | TLS 1.2 or higher |
| Password Storage | All user passwords are hashed using industry-standard one-way hashing algorithms before storage; plain-text passwords are never stored or logged | bcrypt with salt rounds |
| Payment Data | Credit/debit card numbers, CVV, and sensitive payment data are never stored on our servers; all payment processing is handled by Razorpay (PCI-DSS certified) | PCI-DSS via Razorpay |
| Session Tokens | Session identifiers are generated using cryptographically secure random number generators | PHP session security best practices |

6.1.2. Access Control

| Measure | Implementation |
|---|---|
| Role-Based Access Control (RBAC) | The Platform supports 11 distinct user roles (Super Admin, Principal, Vice Principal, Admin Staff, Accountant, Class Teacher, Subject Teacher, Librarian, Transport Incharge, Parent, Student), each with granular permissions defining what data and functions they can access. |
| Principle of Least Privilege | Each user role is granted the minimum level of access necessary for their function. For example, a Subject Teacher can only view and enter marks for their assigned subjects. |
| Session Management | Secure session handling with httpOnly and secure cookie flags, session timeout after inactivity, and session regeneration on authentication events. |
| Authentication Security | Login credential validation, remember-me token management with secure token storage, and login audit trails. |
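The password-storage and session-management controls in the two tables above, shown together as a login handler. This is an added illustration, not BrainBit's code: the `users` table layout (`id`, `username`, `password_hash`, `institute_id`), the 30-minute idle timeout and the bcrypt cost of 12 are assumptions; `startSecureSession()`, `hashPassword()` and `attemptLogin()` are hypothetical helper names.

```php
<?php
// Added example, not part of the BrainBit-SOMS code base. Assumed: a mysqli
// connection $db and a users table (id, username, password_hash, institute_id).
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT = 30 * 60; // seconds of inactivity before forced logout (assumed value)
const BCRYPT_COST = 12;               // bcrypt "salt rounds" (assumed value)

/** Start the session with httpOnly, Secure and SameSite cookie attributes and an idle timeout. */
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout: a session that has not been used for SESSION_IDLE_TIMEOUT is destroyed.
    $last = $_SESSION['last_activity'] ?? time();
    if (time() - $last > SESSION_IDLE_TIMEOUT) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['last_activity'] = time();
}

/** Hash a new or changed password with bcrypt; the plain text is never persisted. */
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Verify credentials. Returns the user row on success, null on failure.
 * Neither the password nor the stored hash is written to any log.
 */
function attemptLogin(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, institute_id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a real (but meaningless) hash when the user is unknown, so
    // that a failed lookup takes about as long as a failed password check.
    static $dummyHash = null;
    $dummyHash ??= hashPassword(bin2hex(random_bytes(16)));
    $hash = $user['password_hash'] ?? $dummyHash;

    if ($user === null || !password_verify($password, $hash)) {
        return null; // caller records the failure in login_logs and applies rate limiting
    }

    // Successful authentication: regenerate the session id to defeat session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['institute_id'] = (int) $user['institute_id'];

    // Transparently upgrade hashes whose cost parameter is below the current setting.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = hashPassword($password);
        $userId = (int) $user['id'];
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $userId);
        $upd->execute();
        $upd->close();
    }
    return $user;
}
```

`password_verify()` is constant-time with respect to the hash, and regenerating the session id on every successful login is what the "session regeneration on authentication events" row refers to.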

6.1.3. Multi-Tenant Data Isolation

Architecture: BrainBit-SOMS operates on a multi-tenant architecture. Every database query is automatically scoped to the authenticated Institute's institute_id using a centralized query scoping function (scopeQuery()). This ensures complete logical isolation of data between Institutes at the application and database layers.

  • Every database table containing tenant data includes an institute_id foreign key
  • All data queries are automatically filtered by the authenticated Institute's identifier
  • No Institute can access, view, modify, or interact with data belonging to another Institute
  • API endpoints enforce Institute-level access control on every request
  • Database indexes on institute_id ensure query performance while maintaining isolation
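The tenant-isolation rule above (every query filtered by the authenticated Institute's `institute_id`, using MySQLi prepared statements) as an added, self-contained illustration. It is not the Platform's `scopeQuery()`; `scopedSelect()` and `currentInstituteId()` are assumed names, and the table and column names in the usage comment are constructed.

```php
<?php
// Added example, not BrainBit's code. Shows one way to make the tenant
// predicate impossible for a caller to omit: the helper appends it itself.
declare(strict_types=1);

/** institute_id of the authenticated session; throws rather than defaulting to "all". */
function currentInstituteId(): int
{
    if (empty($_SESSION['institute_id'])) {
        throw new RuntimeException('No authenticated institute in session');
    }
    return (int) $_SESSION['institute_id'];
}

/**
 * Run a SELECT that is always restricted to the caller's institute.
 * $where is a fragment with ? placeholders; $types/$params are the MySQLi
 * bind types and values for those placeholders (user input only ever goes here).
 */
function scopedSelect(
    mysqli $db,
    string $table,
    string $columns,
    string $where = '1=1',
    string $types = '',
    array $params = []
): array {
    // Identifiers are not bindable, so allow only plain identifier characters.
    if (!preg_match('/^[a-z0-9_]+$/', $table) || !preg_match('/^[a-z0-9_,\s*]+$/i', $columns)) {
        throw new InvalidArgumentException('Invalid table or column identifier');
    }

    // The tenant predicate is appended here, after the caller's WHERE, and bound
    // from the session, never from request parameters.
    $sql = "SELECT {$columns} FROM {$table} WHERE ({$where}) AND institute_id = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $db->error);
    }
    $params[] = currentInstituteId();
    $stmt->bind_param($types . 'i', ...$params);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (constructed): a teacher fetching marks for one student. If $studentId
// belongs to a different institute, the appended predicate yields zero rows
// instead of another tenant's data.
//
// $db   = new mysqli('localhost', 'soms_user', 'secret', 'soms');
// $rows = scopedSelect($db, 'exam_marks', 'subject_id, marks',
//                      'student_id = ?', 'i', [$studentId]);
```

The defensive point is that isolation does not rely on each caller remembering to add `institute_id = ?`; a code review of an application built this way only has to confirm that raw `$db->query()` calls on tenant tables do not exist outside the helper.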

6.1.4. CSRF (Cross-Site Request Forgery) Protection

  • All authenticated POST forms include a CSRF token (csrfField()) that is validated on the server side (requireCSRFToken()) before processing
  • CSRF tokens are unique per session and are regenerated periodically
  • Public-facing forms (such as the online admission form) use honeypot fields and rate limiting as additional protection
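An added illustration of the CSRF and honeypot controls listed above. The page names `csrfField()` and `requireCSRFToken()`; the bodies below are an assumed implementation written for this example, not the Platform's code, and the rotation interval and the `website_url` honeypot field name are constructed.

```php
<?php
// Added example, not BrainBit's code. Assumes session_start() has already run.
declare(strict_types=1);

const CSRF_ROTATE_SECONDS = 30 * 60; // regenerate the token this often (assumed value)

/** Return the session's current CSRF token, creating or rotating it as needed. */
function csrfToken(): string
{
    $issued = $_SESSION['csrf_issued'] ?? 0;
    if (empty($_SESSION['csrf_token']) || time() - $issued > CSRF_ROTATE_SECONDS) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
        $_SESSION['csrf_issued'] = time();
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in every authenticated POST form. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Abort the request unless the submitted token matches the session token. */
function requireCSRFToken(): void
{
    $sent   = $_POST['csrf_token'] ?? null;
    $stored = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time and rejects non-string input.
    if ($stored === '' || !is_string($sent) || !hash_equals($stored, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

/**
 * Honeypot for public forms (for example online admission): the field is hidden
 * from people by CSS, so a non-empty value indicates an automated submission.
 */
function honeypotTripped(array $post, string $field = 'website_url'): bool
{
    return isset($post[$field]) && trim((string) $post[$field]) !== '';
}

// Usage (constructed):
//   form:    echo '<form method="post">' . csrfField() . ' ... </form>';
//   handler: requireCSRFToken(); /* then process $_POST */
//   public:  if (honeypotTripped($_POST)) { http_response_code(400); exit; }
```

Rotation keeps a leaked token useful only briefly, but rotating on a timer rather than per request avoids breaking users who have several tabs open.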

6.1.5. Rate Limiting

  • File-based rate limiting is implemented for sensitive operations (login, password reset, form submissions)
  • Login attempts are limited to 5 attempts per 15-minute window per IP address to prevent brute-force attacks
  • API endpoints are rate-limited to prevent abuse and denial-of-service attempts
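The file-based limit described above (5 attempts per 15-minute window per IP address for login), as an added example that is not the Platform's code. The storage directory, file naming and the sliding-window behaviour are assumptions; `checkRateLimit()` is a hypothetical helper.

```php
<?php
// Added example, not BrainBit's code: per-IP sliding-window rate limiting
// backed by one small JSON file per (action, IP) pair.
declare(strict_types=1);

const LOGIN_MAX_ATTEMPTS   = 5;       // from the policy text
const LOGIN_WINDOW_SECONDS = 15 * 60; // from the policy text

/** Path of the counter file; the IP is hashed so the name contains no user-controlled bytes. */
function rateLimitPath(string $dir, string $action, string $ip): string
{
    if (!preg_match('/^[a-z_]+$/', $action)) {
        throw new InvalidArgumentException('Invalid action name');
    }
    return rtrim($dir, '/') . '/' . $action . '_' . hash('sha256', $ip) . '.json';
}

/**
 * Record one attempt and report whether it is allowed.
 * Returns false once more than $max attempts fall inside the last $window seconds.
 */
function checkRateLimit(
    string $dir,
    string $action,
    string $ip,
    ?int $now = null,
    int $max = LOGIN_MAX_ATTEMPTS,
    int $window = LOGIN_WINDOW_SECONDS
): bool {
    $now ??= time();
    $fh = fopen(rateLimitPath($dir, $action, $ip), 'c+');
    if ($fh === false) {
        return false; // fail closed: an unavailable store must not mean unlimited attempts
    }
    flock($fh, LOCK_EX); // serialise concurrent requests from the same IP

    $raw    = stream_get_contents($fh);
    $stamps = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    // Sliding window: keep only timestamps that are still inside the window.
    $stamps = array_values(array_filter($stamps, fn($t) => is_int($t) && $t > $now - $window));

    $allowed = count($stamps) < $max;
    if ($allowed) {
        $stamps[] = $now;
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($stamps));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage (constructed): in the login handler, before checking credentials.
//
// $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
// if (!checkRateLimit('/var/lib/soms/ratelimit', 'login', $ip)) {
//     http_response_code(429);
//     header('Retry-After: ' . LOGIN_WINDOW_SECONDS);
//     exit('Too many login attempts; try again later');
// }
```

Two caveats a reviewer would raise: `REMOTE_ADDR` is only the client address when the application is not behind a proxy that rewrites it, and a per-IP limit alone does not stop attempts spread across many addresses, which is why the login audit trail in 6.1.8 matters as a second signal.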

6.1.6. Input Validation and Sanitization

  • All user inputs are validated and sanitized at the server side before processing
  • Parameterized database queries (prepared statements via MySQLi) are used throughout the application to prevent SQL injection attacks
  • Output encoding is applied to prevent Cross-Site Scripting (XSS) attacks
  • Date inputs are validated and parsed using standardized format functions

6.1.7. Backup and Recovery

  • Regular automated database backups are performed to prevent data loss
  • Backups are stored securely with access restricted to authorized personnel only
  • Backup restoration procedures are documented and periodically tested
  • Institutes are additionally encouraged to export and maintain their own backup copies of critical data

6.1.8. Logging and Audit Trails

  • All authentication events (login, logout, failed login attempts) are recorded in the login_logs table with IP address, user agent, and timestamp
  • Portal activity (Parent and Student Portals) is logged in the portal_activity_log table
  • Marks entry and modification events are tracked in the marks_entry_log table with user and timestamp
  • Fee payment transactions are fully auditable with Razorpay order and payment IDs
  • Payroll processing is tracked in batch records with processing user and timestamp

7 Organizational Security Measures

7.1. In addition to technical measures, the Company implements the following organizational safeguards:

7.1.1. Access Management

  • Access to production systems and databases is limited to authorized development and operations personnel on a need-to-know basis
  • Access privileges are reviewed periodically and revoked promptly when no longer required
  • Subscribing Institutes are responsible for managing user accounts within their tenancy, including revoking access for staff who leave the institution

7.1.2. Data Classification

All personal data processed through the Platform is classified into the following categories to determine the appropriate level of protection:

| Classification | Description | Examples | Protection Level |
|---|---|---|---|
| Critical | Sensitive Personal Data / Information (SPDI) as defined under IT (SPDI) Rules | Passwords, financial data (bank accounts, salary), medical information | Encryption, strict access control, audit logging |
| High | Personal data that can directly identify an individual | Names, Aadhaar, PAN, photographs, contact details, guardian information | Access control, audit logging, encryption in transit |
| Medium | Educational and operational data linked to identifiable individuals | Academic records, attendance, employment details | Role-based access, tenant isolation |
| Low | Non-sensitive operational data | Academic year configuration, timetable, holiday calendar, fee structures (generic) | Standard access control |

7.1.3. Vendor and Third-Party Management

  • All third-party service providers (Data Processors) are evaluated for their data protection practices before engagement
  • Contractual agreements with Data Processors include data protection obligations, confidentiality clauses, and breach notification requirements
  • Third-party access to personal data is limited to the minimum necessary for service delivery

7.1.4. Incident Response Procedures

  • A documented incident response plan is maintained covering identification, containment, eradication, recovery, and post-incident review
  • Roles and responsibilities for incident response are clearly defined
  • Communication protocols for notifying regulatory authorities and affected Data Principals are established (see Section 8)

7.1.5. Secure Development Practices

  • Security considerations are integrated into the software development lifecycle
  • Code reviews include security assessments for data protection vulnerabilities
  • Dependencies and third-party libraries are monitored for known vulnerabilities
  • Database migrations are reviewed for data protection implications before deployment

8 Data Breach Management

A "personal data breach" means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.

8.1. Breach Detection

The Company employs the following measures to detect potential data breaches:

  • Continuous monitoring of authentication logs for anomalous activity (unusual login patterns, multiple failed attempts, access from unexpected locations)
  • Monitoring of system and application logs for unauthorized access attempts
  • Periodic review of access control configurations
  • Employee and user reporting mechanisms for suspected incidents

8.2. Breach Notification to CERT-In

6-Hour Notification: In compliance with CERT-In directions dated 28th April 2022 (issued under Section 70B of the Information Technology Act, 2000), the Company shall report cyber security incidents (including personal data breaches) to the Indian Computer Emergency Response Team (CERT-In) within 6 (six) hours of noticing or being brought to notice of such incident.

The CERT-In notification shall include:

  • Date and time of the incident and its detection
  • Type and nature of the incident
  • Systems, networks, and data affected
  • Brief description of the impact
  • Remedial measures taken or planned

8.3. Breach Notification to Data Protection Board of India

In compliance with Section 8(6) of the DPDP Act, 2023, the Company shall notify the Data Protection Board of India of any personal data breach in the manner and timeframe prescribed by the Board. The notification shall include:

  • Nature and description of the breach
  • Categories and approximate number of affected Data Principals
  • Likely consequences of the breach
  • Measures taken or proposed to mitigate the breach
  • Contact details of the person from whom further information can be obtained

8.4. Notification to Affected Data Principals

Following notification to regulatory authorities, the Company shall notify affected Data Principals (Institutes and, through Institutes, individual users) without undue delay. The notification shall:

  • Describe the nature of the breach in clear, plain language
  • Provide the contact details of the Company's designated contact person
  • Describe the likely consequences of the breach
  • Describe measures taken to address the breach and mitigate potential adverse effects
  • Provide recommendations for affected individuals to protect themselves

8.5. Breach Response Timeline

| Action | Timeline | Responsible Party |
|---|---|---|
| Incident detection and initial assessment | Immediate | Technical Team |
| Containment and mitigation | Within 2 hours of detection | Technical Team |
| CERT-In notification | Within 6 hours of detection | Compliance Officer |
| Data Protection Board notification | As per prescribed timeframe (DPDP Act) | Compliance Officer |
| Notification to affected Institutes | Within 24 hours of confirmation | Operations Team |
| Notification to affected Data Principals (via Institutes) | Within 48 hours of confirmation | Operations Team + Institutes |
| Post-incident review and report | Within 14 days of resolution | Technical + Compliance Team |

8.6. Record of Breaches

The Company shall maintain a comprehensive register of all personal data breaches, regardless of whether they trigger a notification obligation. The register shall include the facts relating to the breach, its effects, and the remedial action taken.

9 Data Processor Obligations

9.1. Under Section 8(2) of the DPDP Act, 2023, the Company engages the following third-party Data Processors to support specific Platform functionalities. Each Data Processor is contractually obligated to implement appropriate security measures and process data only as instructed:

| Data Processor | Purpose | Data Shared | Security Standard |
|---|---|---|---|
| Razorpay Software Pvt. Ltd. | Online fee payment processing (Institute and Portal payments) | Transaction amount, order ID, payer contact details. Card/bank details are handled directly by Razorpay and NOT stored on our servers. | PCI-DSS Level 1 certified, RBI regulated |
| SMTP Email Service Provider | Sending transactional and notification emails (fee receipts, notices, OTPs, communications) | Recipient email address, email subject, message body | TLS encryption, provider-specific security policies |
| WhatsApp Business API Provider | Sending WhatsApp notifications (fee reminders, attendance alerts, notices) | Recipient phone number, message content (templated) | End-to-end encryption (WhatsApp), Meta Business Terms |
| SMS Gateway Provider | Sending SMS notifications | Recipient phone number, message content | TRAI DLT compliance, provider security policies |

9.2. Contractual Obligations of Data Processors

All Data Processors engaged by the Company are contractually required to:

  • Process personal data only on documented instructions from the Company
  • Ensure that persons authorized to process the personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior authorization from the Company
  • Assist the Company in responding to Data Principal rights requests
  • Notify the Company without undue delay upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination of the service agreement
  • Make available information necessary to demonstrate compliance with data protection obligations

9.3. Data Processor Monitoring

The Company periodically reviews the data protection practices of its Data Processors to ensure ongoing compliance. This includes reviewing their published security policies, certifications, and any reported incidents.

10 Data Principal Rights

10.1. Under Chapter III of the Digital Personal Data Protection Act, 2023, every individual whose personal data is processed through BrainBit-SOMS (referred to as "Data Principal") has the following rights:

| Right | DPDP Act Reference | Description | How to Exercise |
|---|---|---|---|
| Right to Access | Section 11 | Obtain a summary of personal data being processed and the processing activities undertaken by the Data Fiduciary. | Contact Institute admin; use Parent/Student Portal; email to info@brainbitinfotech.com |
| Right to Correction | Section 12(1) | Correct inaccurate or misleading personal data, complete incomplete data, and update outdated data. | Request through Institute admin or email to Company |
| Right to Erasure | Section 12(2) | Erase personal data that is no longer necessary for the stated purpose (subject to retention obligations). | Request through Institute admin or email to Company |
| Right to Grievance Redressal | Section 13 | File a complaint with the Company's Grievance Officer regarding data processing concerns. | See Grievance Redressal Policy |
| Right to Nominate | Section 14 | Nominate an individual to exercise Data Principal rights in case of death or incapacity. | Written request to info@brainbitinfotech.com |
| Right to Withdraw Consent | Section 6(4) | Withdraw previously given consent at any time. Withdrawal does not affect lawfulness of prior processing. | Contact Institute admin or email to Company |

10.2. Processing of Rights Requests

  • All rights requests shall be acknowledged within 48 hours of receipt
  • Verifiable requests shall be fulfilled within 30 (thirty) days
  • Where a request requires coordination with the subscribing Institute (e.g., data correction in academic records), we shall facilitate the request and track it to completion
  • If a request is refused (e.g., erasure conflicting with legal retention obligations), the Data Principal shall be informed of the reasons and their right to file a complaint with the Data Protection Board of India

10.3. Duties of Data Principals

Under Section 15 of the DPDP Act, 2023, Data Principals also have the following duties:

  • Comply with applicable laws when exercising rights under the DPDP Act
  • Not register a false or frivolous complaint with the Data Protection Board
  • Provide authentic and verifiable information when submitting personal data or making rights requests
  • Not impersonate another person when providing personal data
  • Not suppress any material information when providing personal data for any document, ID, or proof of identity/address

11 Data Retention Schedule

11.1. In compliance with Section 8(7) of the DPDP Act, 2023, personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following retention schedule applies:

Data Category | Retention Period | Legal / Business Basis | Action After Expiry
--- | --- | --- | ---
Active student academic records | Duration of enrollment + 5 years | Academic record-keeping requirements; RTE Act, 2009; State education regulations | Permanent deletion
Student financial/fee records | 8 years from date of last transaction | Income Tax Act, 1961 (Section 149 - reassessment period); GST Act | Permanent deletion
Staff employment records | Duration of employment + 5 years | Labour law compliance; Industrial Disputes Act; EPF Act | Permanent deletion
Staff payroll and salary records | 8 years from the relevant financial year | Income Tax Act, 1961; EPF & MP Act, 1952; ESI Act, 1948 | Permanent deletion
Student attendance records | Duration of enrollment + 3 years | Academic management; RTE Act compliance | Permanent deletion
Staff attendance and leave records | Duration of employment + 3 years | Employment records; leave encashment calculations | Permanent deletion
Fee payment transaction records (Razorpay) | 8 years from transaction date | Income Tax Act; Payment and Settlement Systems Act, 2007; RBI guidelines | Permanent deletion
Communication logs (SMS, Email, WhatsApp) | 2 years from date of communication | Operational records; dispute resolution | Permanent deletion
Login and audit logs | 1 year from date of log entry | Security monitoring; IT Act compliance | Permanent deletion
Portal activity logs | 1 year from date of activity | Security and usage monitoring | Permanent deletion
Website enquiry data | 2 years from date of submission | Business follow-up; marketing (with consent) | Permanent deletion
Post-termination Institute data | 90 days from subscription termination | Contractual obligation (data export window) | Permanent and irreversible deletion
Generated report cards and certificates | Duration of enrollment + 10 years | Long-term academic record requirement; student welfare | Permanent deletion
CSRF tokens and session data | Duration of session (or maximum 24 hours) | Security functionality | Automatic expiry and deletion

Deletion Process: Upon expiry of the retention period, personal data is permanently and irreversibly deleted from all active systems, databases, and backup copies. The Company may retain anonymized, aggregated data (which does not identify any individual or Institute) for analytical and service improvement purposes.

11.2. Early Erasure Requests

Data Principals may request erasure of their personal data before the scheduled retention period expires. Such requests shall be honoured unless:

  • Retention is required by applicable law (e.g., financial records under the Income Tax Act)
  • Retention is necessary for the establishment, exercise, or defence of legal claims
  • Retention is necessary for compliance with statutory or regulatory obligations of the subscribing Institute

Where early erasure cannot be fulfilled, the Data Principal shall be informed of the reasons and the expected date of deletion.

12 Cross-Border Data Transfer Restrictions

12.1. Current Position: All personal data collected and processed through BrainBit-SOMS is stored and processed on servers located within the territory of India. The Company does not currently transfer personal data outside India.

12.2. Statutory Framework: Under Section 16 of the DPDP Act, 2023, the Central Government may, by notification, restrict the transfer of personal data to any country or territory outside India. The Company shall comply with any such restriction.

12.3. Conditions for Future Transfer: In the event that cross-border data transfer becomes necessary (e.g., for cloud infrastructure redundancy, disaster recovery, or engagement of international Data Processors), the Company shall:

  • Transfer data only to countries or territories not restricted by notification of the Central Government under Section 16(1) of the DPDP Act
  • Ensure that the recipient country or entity provides an adequate level of data protection
  • Execute appropriate contractual safeguards with the overseas recipient
  • Update this Policy and the Privacy Policy to disclose the transfer and the recipient country
  • Notify all affected Institutes and provide them an opportunity to object
  • Obtain fresh consent from Data Principals where required

Note on Student Data: Given the sensitive nature of children's data processed on this Platform, the Company applies an additional layer of caution regarding cross-border transfers. Transfer of children's personal data outside India shall only be undertaken if absolutely necessary and with heightened safeguards, including explicit parental consent where applicable.

12.4. Sub-Processors: The Company's current Data Processors (Razorpay, SMTP providers, WhatsApp Business API) process data within India. If any Data Processor stores or processes data outside India, the Company shall verify compliance with Section 16 of the DPDP Act before engagement and disclose the same in this Policy.

13 Compliance Framework

13.1. BrainBit-SOMS is designed and operated in compliance with the following Indian laws, rules, and regulations:

Law / Regulation | Relevance to BrainBit-SOMS | Key Compliance Areas
--- | --- | ---
Digital Personal Data Protection Act, 2023 (DPDP Act) | Primary data protection law governing processing of digital personal data in India | Consent management, Data Fiduciary obligations, children's data protection, Data Principal rights, breach notification, cross-border transfer restrictions
Information Technology Act, 2000 (IT Act) | Governs electronic transactions, cybersecurity, and computer-related offences | Reasonable security practices (Section 43A), CERT-In incident reporting (Section 70B), data protection in electronic form, penalties for unauthorized access
IT (SPDI) Rules, 2011 | Rules for handling Sensitive Personal Data or Information | Collection of SPDI with consent, reasonable security practices, data transfer restrictions, grievance officer appointment
CERT-In Directions, 2022 | Mandatory cybersecurity reporting requirements | 6-hour breach reporting, log retention, NTP synchronization
Right of Children to Free and Compulsory Education Act, 2009 (RTE Act) | Governs school operations and student record-keeping in India | Student enrollment records, attendance records, academic performance tracking, non-discrimination in data processing
Income Tax Act, 1961 | Requires retention of financial records for specified periods | Fee records, salary records, TDS compliance, payroll data retention
Employees' Provident Funds & Miscellaneous Provisions Act, 1952 | Governs staff provident fund data | PF numbers, salary components, employer/employee contributions
Payment and Settlement Systems Act, 2007 | Governs online payment processing via Razorpay | Payment data handling, RBI compliance, PCI-DSS standards
Indian Contract Act, 1872 | Governs contractual relationships with Institutes and Data Processors | Subscription agreements, Data Processor agreements, enforceability of terms
Consumer Protection Act, 2019 | Protects subscriber Institutes as consumers of SaaS services | Service delivery standards, unfair trade practices, grievance redressal

13.2. Compliance Monitoring

The Company undertakes the following activities to ensure ongoing compliance:

  • Periodic internal reviews of data protection practices against the requirements of the DPDP Act and IT Act
  • Assessment of new features and modules for data protection impact before deployment
  • Monitoring of regulatory developments, including notifications, rules, and guidelines issued by the Central Government and the Data Protection Board of India
  • Updating policies, procedures, and technical measures in response to changes in the legal landscape
  • Maintenance of compliance documentation and records for regulatory inspection

14 Accountability & Record-Keeping

14.1. The Company maintains comprehensive records to demonstrate compliance with data protection obligations. These records include:

14.1.1. Processing Records

  • Categories of personal data processed and the purposes of processing
  • Categories of Data Principals (students, parents, staff, administrators)
  • Categories of recipients to whom personal data is disclosed (Data Processors)
  • Retention periods for each category of data
  • Description of technical and organizational security measures implemented

14.1.2. Consent Records

  • Records of consent mechanisms deployed by the Platform (admission forms, portal registration, Terms acceptance)
  • Guidance provided to Institutes on obtaining verifiable parental consent for children's data
  • Records of consent withdrawal requests and actions taken

14.1.3. Breach Records

  • Register of all personal data breaches, including those that did not meet the notification threshold
  • Details of each breach: nature, scope, impact, remedial actions, notifications made
  • Post-incident review reports and lessons learned

14.1.4. Data Principal Rights Records

  • Log of all Data Principal rights requests received (access, correction, erasure, grievance)
  • Outcomes and response timelines for each request
  • Reasons for refusal (where applicable) and communication to the Data Principal

14.1.5. Data Protection Impact Assessments (DPIA)

  • Impact assessments conducted for new modules, features, or changes to data processing activities
  • Assessment outcomes and risk mitigation measures adopted
  • Periodic review of existing processing activities

Record Availability: All accountability records shall be maintained for a minimum period of 3 (three) years and shall be made available to the Data Protection Board of India or any authorized regulatory body upon request.

15 Training & Awareness

15.1. The Company recognizes that effective data protection depends not only on technical measures but also on the awareness and competence of all personnel involved in data processing.

15.1.1. Internal Training

  • All employees and contractors of BrainBit Infotech Private Limited who handle personal data receive data protection training upon onboarding
  • Annual refresher training on data protection principles, the DPDP Act, and the Company's data protection policies and procedures
  • Specialized training for development personnel on secure coding practices, including prevention of SQL injection, XSS, CSRF, and other common vulnerabilities
  • Incident response training for designated personnel to ensure rapid and effective breach management

15.1.2. Institute Awareness

  • Guidance materials are provided to subscribing Institutes on their obligations as joint Data Fiduciaries
  • Institutes are advised on best practices for obtaining verifiable parental consent for children's data
  • Institutes are informed of their responsibility to manage user access, revoke access for departing staff, and maintain data accuracy
  • Platform documentation includes data protection guidance for Institute administrators

15.1.3. User Awareness

  • Clear privacy notices are displayed at data collection points (admission forms, portal registration, enquiry forms)
  • This Policy, the Privacy Policy, and related legal documents are publicly accessible on the Company's website
  • In-app notifications are used to communicate data protection-related updates to users

16 Policy Review

16.1. This Data Protection Policy shall be reviewed and updated:

  • Annually: At minimum once every 12 months, or more frequently as required
  • Upon Legal Changes: Within 30 days of any material change in applicable data protection laws, including notifications, rules, or guidelines issued under the DPDP Act, 2023 or the IT Act, 2000
  • Upon Significant Changes: When there are significant changes to data processing activities, platform architecture, or third-party Data Processor arrangements
  • Post-Breach: Following any personal data breach, as part of the post-incident review process

16.2. Material updates to this Policy shall be communicated to:

  • All subscribing Institute administrators via email
  • All platform users via in-app notification upon login
  • General public via the updated Policy on the Company's website with the revised "Last Updated" date

16.3. Continued use of the Platform following publication of an updated Policy constitutes acceptance of the revised terms. Institutes and users who disagree with material changes may terminate their subscription in accordance with the Terms of Service.

17 Contact Information

For Data Protection Queries

Data Fiduciary: BrainBit Infotech Private Limited
CIN: U72900JH2021PTC016964
Registered Office: Ranchi, Jharkhand, India
Email: info@brainbitinfotech.com (Subject: "Data Protection Query")
Phone: +91 99343 14471
Grievance Officer: As designated under the Grievance Redressal Policy

For complaints that are not resolved through our internal grievance mechanism, Data Principals may approach the Data Protection Board of India established under Section 18 of the Digital Personal Data Protection Act, 2023.

This Data Protection Policy is published in compliance with the Digital Personal Data Protection Act, 2023; the Information Technology Act, 2000; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; and the Right of Children to Free and Compulsory Education Act, 2009. By using BrainBit-SOMS, you acknowledge that you have read and understood this Data Protection Policy.

Document Version: 1.0 | Effective: 10th February, 2026

© 2026 BrainBit Infotech Pvt. Ltd. All rights reserved.
