DPDP Act 2023 Compliance

Toolsbots processes personal data only with lawful purpose, client consent frameworks, and security controls aligned to the Digital Personal Data Protection Act 2023 (DPDP Act).

Overview

As a technology provider and data processor, Toolsbots supports clients who act as data fiduciaries. We implement technical and organisational measures so personal data is collected for specified purposes, stored minimally, protected in transit and at rest, and deleted or returned when engagements end.

Our AI projects include privacy impact assessment templates, lawful basis documentation, and subprocessors lists (cloud, LLM APIs) reviewed during discovery.

Technical controls we implement

Role-based access, encryption, audit logging, India-region hosting options, and PII detection in ML training pipelines.

  • AES-256 encryption at rest; TLS 1.2+ in transit
  • RBAC and SSO integration (SAML/OIDC) for enterprise apps
  • Immutable audit logs for data access and AI inference requests
  • Data residency on AWS ap-south-1, Azure Central India, or on-premise
  • Automated PII detection/redaction before model fine-tuning
  • Consent capture UI components for web and mobile
  • Retention policies with scheduled purge jobs

AI-specific DPDP considerations

LLM prompts, embeddings, and voice recordings may contain personal data — we classify, minimise, and document each processing activity.

RAG indices may embed employee or customer documents — access filters enforce purpose limitation. Voice AI pilots require explicit consent for recording and defined retention. We advise clients on whether outputs constitute personal data and how to honour erasure requests when vectors cannot be trivially unlinked (re-index strategies).
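A compact illustration of the two mechanisms named above, added here as an example and not Toolsbots code: a toy RAG index whose retrieval filters chunks by the caller's authorised purpose before ranking, and whose erasure path rebuilds the index without the data principal's chunks instead of trying to unlink individual vectors. The chunk metadata fields, purpose labels, toy embeddings and sample documents are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    chunk_id: str
    text: str
    principal_id: str  # data principal the text relates to ("" = none); constructed field
    purpose: str       # purpose the source document was collected for; constructed label
    vector: tuple      # toy embedding standing in for a real model output

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

class PurposeBoundIndex:
    """Toy RAG index: retrieval is filtered by authorised purpose before ranking,
    and erasure rebuilds the index without the principal's chunks (re-index)."""
    def __init__(self, chunks):
        self._chunks = list(chunks)
        self._rebuild()

    def _rebuild(self):
        # Regenerate the searchable index from surviving source chunks; vectors are
        # never patched in place, which keeps erasure verifiable.
        self._index = {c.chunk_id: c for c in self._chunks}

    def retrieve(self, query, purposes, k=3):
        # Purpose filter runs before similarity ranking, so out-of-purpose chunks
        # never become retrieval candidates (purpose limitation at query time).
        allowed = [c for c in self._index.values() if c.purpose in purposes]
        ranked = sorted(allowed, key=lambda c: -dot(c.vector, query))
        return [c.chunk_id for c in ranked[:k]]

    def erase_principal(self, principal_id):
        before = len(self._chunks)
        self._chunks = [c for c in self._chunks if c.principal_id != principal_id]
        self._rebuild()
        return before - len(self._chunks)  # number of chunks purged

    def contains_principal(self, principal_id):
        return any(c.principal_id == principal_id for c in self._index.values())

def build_sample_index():
    # Constructed sample documents; identifiers are placeholders, not real people.
    return PurposeBoundIndex([
        Chunk("c1", "leave balance for employee", "emp-001", "hr", (1.0, 0.0)),
        Chunk("c2", "support ticket for customer", "cust-042", "support", (0.9, 0.1)),
        Chunk("c3", "performance note for employee", "emp-001", "hr", (0.8, 0.2)),
        Chunk("c4", "public product manual", "", "public", (0.0, 1.0)),
    ])
```

After `erase_principal`, `contains_principal` gives the check an auditor would ask for: the principal's chunks are absent from the rebuilt index, not merely hidden by the retrieval filter.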

Data principal rights

Website visitors and job applicants may request access, correction, or deletion by contacting privacy@toolsbots.com.

We respond within applicable timelines and coordinate with client fiduciaries on joint projects. Grievance escalation paths are documented in client contracts.

Vendor and subprocessors

Cloud and LLM providers are assessed for DPA terms, data location, and breach notification obligations before integration.

Clients receive transparency on which third parties process data. On-premise and air-gapped options eliminate external LLM subprocessors where required — common in BFSI and defence programmes.

Breach notification and grievance redressal

Toolsbots maintains incident playbooks aligned to DPDP timelines and coordinates with client fiduciaries on joint programmes.

Security incidents affecting personal data trigger documented escalation within business hours, root-cause analysis, and remediation plans shared with affected fiduciaries. Website visitors may contact privacy@toolsbots.com for access, correction, or deletion requests. Grievance officers are identified in client contracts for enterprise engagements.

Records of processing and RoPA support

Toolsbots helps client fiduciaries document processing activities, lawful basis, and retention schedules during AI and software programmes.

Discovery workshops produce records-of-processing-activities (RoPA) templates listing purposes, data categories, recipients, retention, and security measures. We update the RoPA when subprocessors, hosting regions, or model vendors change. Enterprise clients on retainer receive change notifications when material updates affect their deployments.

Cross-border and fiduciary coordination

Joint programmes between Toolsbots and client fiduciaries define roles, breach notification, and data principal request handling in executed DPAs.

Website visitors contact Toolsbots directly for corporate site data. Client-project personal data requests route through the fiduciary with Toolsbots support as processor. We train client administrators on erasure and correction workflows including vector re-index strategies where embeddings cannot be trivially unlinked.

How these policies connect to delivery

Trust, security, and compliance documentation is embedded in every Toolsbots SOW — not separate slide decks.

Discovery workshops produce architecture diagrams, data flow maps, subprocessor lists, and acceptance tests referencing our Responsible AI charter, DPDP compliance overview, and AI security framework. Government and healthcare clients receive model cards, penetration test summaries, and training materials suitable for audit committees. Mid-market clients receive right-sized documentation without enterprise bureaucracy — but never empty promises about "AI magic."

Review delivery methodology, pricing ranges, and case study ROI metrics alongside these policies when evaluating Toolsbots for your programme. Procurement officers should attach these URLs to internal vendor diligence packs and security questionnaires.

Quarterly review and policy updates

We refresh trust documentation when regulations, model vendors, or deployment patterns change.

Toolsbots reviews responsible AI, security, and privacy policies at least quarterly and after material incidents or regulatory updates. Clients on retainer receive change summaries affecting their deployments — for example new LLM subprocessors, revised data residency options, or updated incident response timelines. Website policy pages show effective dates; enterprise contracts may include client-specific addenda superseding general summaries where negotiated.

Board and audit committee packs

Enterprise buyers receive documentation suitable for security questionnaires, vendor diligence, and responsible AI review.

Toolsbots supplies architecture diagrams, subprocessor registers, model cards, penetration test summaries, and incident response playbooks during enterprise sales cycles. Policies on this site are the public summary; executed contracts may include client-specific security schedules and data processing agreements superseding general website text where negotiated.

Incident communication with clients

Material security or AI safety incidents trigger documented client notification within agreed contractual timelines.

Toolsbots maintains incident severity definitions, escalation contacts, and communication templates for enterprise retainers. Public website policies summarise our posture; executed MSAs define notification windows, forensic cooperation, and remediation responsibilities. Government and healthcare clients receive post-incident root-cause summaries suitable for audit committees when personal or clinical data may be affected.

Third-party trust verification

Procurement teams should verify Toolsbots' claims via case studies, Clutch/G2 profiles, GitHub repositories, and reference calls — not marketing copy alone.

We encourage buyers to validate BhoomiChain parcel counts, SecureSign branch deployments, and Doctshub clinic metrics through reference conversations and staging demos. Off-site review platforms and open-source contributions supplement on-site trust documentation. Link these URLs in vendor diligence packs alongside policies on this page.

Frequently asked questions

What is the DPDP Act 2023?

India's Digital Personal Data Protection Act 2023 governs how organizations collect, process, store, and delete personal data. It defines data fiduciaries, processors, consent requirements, purpose limitation, and data principal rights including access, correction, and erasure.

How does DPDP apply to AI systems?

LLM prompts, embeddings, voice recordings, and chat logs may contain personal data. AI deployments must document lawful basis, minimize collection, enforce access controls, disclose subprocessors (cloud and LLM APIs), and support erasure — including vector re-index strategies where needed.

What does Toolsbots do for DPDP compliance?

We implement RBAC, encryption, audit logging, India-region hosting, PII detection before model training, consent UI components, RoPA templates, and DPAs with subprocessors. Air-gapped LLM options remove external API processors for regulated programmes.

Who is the data fiduciary vs processor?

Clients are typically data fiduciaries for their citizen, patient, or customer data. Toolsbots acts as data processor under executed agreements — processing only per client instructions and documented purposes.

How do I request access or deletion of my data?

Website visitors and job applicants may contact privacy@toolsbots.com. For client-project data, requests route through the fiduciary with Toolsbots support as processor.