Data Policy

4.1 Purpose and scope

This Data Policy is published by Versoaltima India Pvt. Ltd. and explains how Ask VAI, an internal organizational tool, handles organizational data, operational data, AI-assisted processing, retention, backups, security, integrations, audit logs, and deletion. It is intended for administrators, users, security reviewers, regulators, and our internal teams. It supplements the Privacy Policy and Limited Terms of Product Use.

4.2 Data categories

(a) Organization data

• organization profile, approved email domains, and account status

(b) User data (Personal Data under DPDP Act)

• name, business email, phone number (if provided), role, team, department
• manager relationship, authentication status

(c) Ticket and operations data

• ticket details, statuses, severity, blockers, owners, dates, revenue impact
• project / customer references, third-party-system references, UAT and go-live details
• comments, remarks, and full audit trail

(d) Community Pulse data

• ideas, anonymous concerns, help requests, and comments
• concern author identifiers are stored server-side for abuse audit only and are never returned in any API response or shown to any user, including ORG_ADMIN

(e) KPI and configuration data

• custom KPI names, dropdown values, workflow states, field configurations
• dashboard settings, role permissions

(f) Imported data

• Excel tracker records, import logs, mapping decisions, rejected rows, normalization results

(g) System data

• logs, security events, audit records, error reports, performance metrics, API access records

4.3 Data classification

• Public: information intentionally published, such as website content
• Internal: operational information used by our team to provide the Service
• Organization confidential: tickets, KPI configs, dashboards, imports, HR records, requirements, meeting content, internal reports, Community Pulse content
• Personal Data: names, emails, roles, ticket ownership, comments, audit events
• Sensitive Personal Data or Information (SPDI under SPDI Rules 2011): passwords, authentication data, financial information (only if entered by users — discouraged), security logs

4.4 Data minimization

We collect and process only data reasonably necessary to provide, secure, maintain, and improve the Service, per Section 4(1)(b) of the DPDP Act and Rule 5(3) of the SPDI Rules. Users must not upload unnecessary sensitive personal data, health data, financial account data, government-issued identifiers (Aadhaar, PAN, passport, etc.), biometric data, or special-category data unless a lawful basis exists and the product feature requires it. The organization is solely responsible for the lawful basis of any data uploaded.

4.5 Authentication and password handling

• The platform never sends plain-text passwords by email or any other channel
• Permitted flows: invite link, email verification, password-reset link, temporary one-time token
• Passwords stored only as bcrypt hashes (cost factor ≥ 12); never plain text
• Password-reset tokens: time-limited to 1 hour, single-use, rate-limited per IP and per account
• Email-verification and invite tokens: time-limited to 7 days, single-use, rate-limited
• OTPs (where used): 6-digit, time-limited to 10 minutes, single-use, locked after 5 failed attempts
• Multi-factor authentication is supported and recommended for administrative roles
• CSRF protection on all mutation endpoints
• Rate limiting enforced at API and login endpoints

4.6 Access control

• Users access only their organization's data unless explicitly authorized
• Tenant-isolation organizationId scoping enforced at the application layer on every read and write
• Product Admin access is restricted, named, audited, and reviewed quarterly
• Org Admin actions are logged
• CxO dashboards respect organization boundaries
• Resource-level analytics are visible only to authorized roles
• Cross-organization access attempts return 404 (not 403) to avoid information leakage

4.7 Audit logging (180-day minimum retention)

The platform maintains audit logs that are retained for a minimum of 180 days as required by paragraph (iv) of the CERT-In Direction dated 28 April 2022. System clocks are synchronized with NTP servers as required by paragraph (iii). Logs cover:

• login events (success and failure, source IP, user agent)
• password reset and OTP activity
• organization approval / rejection / suspension
• user creation, deletion, status changes, and role changes
• KPI definition and option changes
• ticket creation, update, closure, deletion, status changes, and comments
• Excel import activity (preview and commit)
• account status changes
• concern moderation events (hide, unhide, mark reviewed, close, convert)
• help request criticality changes (with reason)

4.8 AI data processing

• AI outputs are suggestions only; high-impact actions require human approval
• We do not use organization-confidential data or personal data to train any AI/ML model operated by us or any third-party provider without consent
• AI and large-language-model providers are bound by data-processing agreements that prohibit using our data for training, prohibit retention beyond the request-handling window, and require deletion of inputs and outputs after processing
• The list of AI providers is maintained on the Sub-processor List and updated as providers change, with at least 30 days advance notice for material changes
• The organization may opt out of AI features through configuration where available

4.9 Data retention schedule

4.10 Backups and disaster recovery

• Backups are encrypted and access-controlled
• Backup integrity is tested at least quarterly
• Backup retention is limited to 30 days
• Deleted data may remain in backups until backup expiry
• Restoration events are logged in audit logs

4.11 Data export

Org Admins or authorized organization representatives may request export of organizational data (tickets, KPI configurations, users and roles, audit logs, dashboard data, import history) in a commonly used machine-readable format, subject to security verification and technical feasibility. We will respond within 15 days and provide the export within 30 days of a verified request.

4.12 Data deletion

Authorized organization representatives may request deletion of organizational data on termination or upon written request. Deletion may be lawfully delayed where retention is required for: law enforcement, security investigation, fraud prevention, ongoing dispute, audit obligation, backup expiry, or tax law. When deletion is completed, data is irrecoverably deleted, securely overwritten, anonymized, or aggregated such that it no longer identifies any individual or organization-confidential record.

4.13 Sub-processors and service providers

We engage service providers for hosting, email delivery, AI processing, and related infrastructure. Self-hosted components — PostgreSQL, Meilisearch, and Valkey — run on infrastructure under our control. Each material sub-processor is bound by a written data-processing agreement compliant with Section 8(2) of the DPDP Act, requiring:

• processing only on our documented instructions
• confidentiality obligations on personnel
• reasonable security practices at least equivalent to ours
• assistance with Data Principal rights and breach response
• deletion or return of data on termination
• cooperation with audits

The current list of material sub-processors is published on the Sub-processor List. Material changes are notified at least 30 days in advance through the Service.

4.14 Incident response and breach notification

If we become aware of a confirmed personal data breach or cyber incident affecting organizational data, we will:

• report the cyber incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware, per paragraph (ii) of the CERT-In Direction dated 28 April 2022
• notify the Data Protection Board of India and each affected Data Principal as required under Section 8(6) of the DPDP Act, within timelines and in the form prescribed by the Board
• notify affected users and the organization without undue delay (and in any case within 24 hours of confirmation), with information sufficient to enable compliance with applicable legal obligations
• contain, remediate, and document the incident
• publish a post-incident summary where appropriate

Suspected or confirmed incidents may be reported to grievance@askvai.in. Acknowledgement is provided within 24 hours.

4.15 Organization responsibilities

• ensure lawful basis under the DPDP Act for any user/personal data uploaded
• obtain Data Principal consent or rely on another valid ground before uploading
• assign roles carefully and maintain accurate user lists
• disable departed users promptly
• review AI suggestions before approval
• not upload unnecessary sensitive personal data
• handle employment/appraisal decisions in compliance with applicable Indian labour law

4.16 Internal access policy

Our personnel may access organizational data only when necessary to provide support, investigate security issues, maintain the Service, or comply with law. Internal access is role-limited; named-access only; logged in audit logs; subject to confidentiality agreements; and revoked when no longer needed. Production data access is reviewed at least quarterly.

4.17 Significant Data Fiduciary monitoring

We monitor whether thresholds for designation as a Significant Data Fiduciary under Section 10 of the DPDP Act are crossed. If designated, we will appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments and audits, and meet additional obligations as prescribed.

4.18 Contact

For data-policy questions, first contact support@askvai.in. If there is no response within 15 days, escalate to the Grievance Officer at grievance@askvai.in.