1. Overview
India's Digital Personal Data Protection Act, 2023 governs the processing of digital personal data of Indian citizens. GlideRun, as a company providing services to Indian and global markets, acts as a Data Fiduciary for its own business data where the Act applies.
This policy explains how GlideRun aligns DPDP obligations with its EU-focused automation services.
2. GlideRun's Role
GlideRun acts as Data Fiduciary when it determines the purpose and means of processing for its own website, marketing, and business relationship data.
GlideRun acts as Data Processor when it processes customer data under contract and customer instructions under DPDP Act Section 8.
3. Lawful Basis
Processing is based on consent under Section 6 or legitimate use under Section 7, including employment, legal obligation, state functions, and research where applicable.
Consent must be granular, withdrawable, and provided in plain language. CompliVibe's Bhashini Consent Module supports multi-language consent flows where required.
4. Data Principal Rights
Data Principals have the right to access information under Section 11, correction and erasure under Section 12, grievance redressal under Section 13, and nomination under Section 14.
Requests may be sent to dpdp@gliderun.ai. GlideRun targets a response within 72 hours for DPDP requests.
5. Cross-Border Transfers
The DPDP Act restricts transfer of personal data to countries not permitted by the Indian government. GlideRun monitors transfer restrictions and customer routing choices continuously through CompliVibe-supported controls.
Transfers to EU hosting regions are governed by customer agreements, SCCs where relevant, and documented customer instructions.
6. Data Localisation
Indian personal data processed for Indian customers is stored on AWS Mumbai (ap-south-1) by default. Cross-border transfer occurs only where contractually authorised and supported by appropriate transfer safeguards.
7. Breach Notification
Where a personal data breach occurs, GlideRun will notify the Data Protection Board and affected Data Principals within 72 hours where required by DPDP obligations.
CompliVibe's Evidence Vault is used to establish breach scope, chronology, affected systems, and remediation actions.
8. Grievance Officer
Name: [Placeholder — required under DPDP Act]. Contact: grievance@gliderun.ai. Response time: 72 hours.
Unresolved grievances may be escalated to the Data Protection Board of India.
9. Cross-Framework Alignment
GlideRun's DPDP compliance is cross-mapped to the EU AI Act and GDPR obligations using CompliVibe's 719-obligation mapping engine.
Customers operating across India and EU markets can use a single evidence and control program across both jurisdictions.
Last updated: June 1, 2025
Questions? Contact legal@gliderun.ai.