DPDP Compliance (Ours)
How Ciruss OS adheres to India's Digital Personal Data Protection Act, 2023, both as a Data Fiduciary and a Data Processor.
The Digital Personal Data Protection (DPDP) Act, 2023 mandates strict rules for processing personal data in India. At Ciruss OS, compliance is built into our core architecture.
Our Role as a Data Processor
When providing services to D2C brands, Ciruss OS acts as a Data Processor. The brand using our platform is the Data Fiduciary. Our commitments include:
- Processing personal data strictly upon the instructions of the Data Fiduciary.
- Implementing robust technical and organizational measures to safeguard data.
- Assisting Fiduciaries in fulfilling Data Principal rights (e.g., right to access, right to erasure).
- Reporting any personal data breach to the Fiduciary and the Data Protection Board as required.
- Ensuring that our sub-processors adhere to the same stringent DPDP standards.
Our Role as a Data Fiduciary
Regarding our own customers (the brands and their authorized users signing up for Ciruss OS), we act as a Data Fiduciary. Our commitments include:
- Collecting personal data only with clear, explicit, and itemized consent.
- Providing clear notice detailing the purpose of data collection.
- Only collecting data that is strictly necessary for providing the Ciruss OS service.
- Respecting the rights of our users to access, correct, or erase their personal data.
- Establishing an effective grievance redressal mechanism.
Data Localization
While the DPDP Act currently allows data transfers to non-restricted countries, we have preemptively decided to host 100% of our infrastructure within India (AWS Mumbai). This gives Indian merchants absolute peace of mind and ensures that critical customer data never leaves Indian jurisdiction.
Need a signed DPDP addendum?
If you are a customer on our Growth or Scale plans, you can request a formally signed DPDP Data Processing Addendum for your records.
Contact hello@ciruss.in