Legal Documentation

Data Residency Statement

Document CodeDPDP-LEGAL-DRS-001

Version1.0

DateJune 2026

ClassificationPublic — to be published at dpdpone.com/data-residency

Governing lawLaws of India — Digital Personal Data Protection Act 2023

Issued byStratops Solutions Pvt Ltd, Bengaluru, Karnataka, India

1.Our Commitment

DPDPOne's data residency commitment

All personal data and compliance data processed by the DPDPOne platform is stored exclusively within India. No Customer Data is transferred to or stored in any server, database, or data centre located outside the Republic of India, except as specifically disclosed in Section 5 of this statement.

2.Primary Data Storage Infrastructure

Cloud provider	Amazon Web Services (AWS)
Region	ap-south-1 — Mumbai, Maharashtra, India
Services used	Amazon EC2 (compute), Amazon S3 (file storage)
Database	Supabase — hosted on AWS ap-south-1 Mumbai
Certification	AWS ap-south-1 is ISO 27001:2022 certified
Physical location	AWS data centres, Mumbai, India

3.Data Categories Covered by This Statement

The following categories of data are stored exclusively in India on DPDPOne's AWS Mumbai infrastructure:

Customer account data — organisation name, user names, email addresses, login credentials
Assessment data — gap assessment answers, compliance scores, action plans
RoPA records — Records of Processing Activities created by the Customer
Rights request data — Data Principal rights requests and response records
Breach incident records — breach reports, notification logs, investigation records
Evidence Library documents — all files uploaded by the Customer
Compliance calendar entries — scheduled obligations and reminders
Billing and subscription records — payment history, plan details
Audit logs — all platform activity logs

4.Sub-Processor Data Residency

DPDPOne uses the following sub-processors. All process data within India except as noted:

Sub-Processor	Service	Location	Data Processed
Amazon Web Services	Infrastructure	India (ap-south-1)	All Customer Data
Supabase	Database	India (via AWS Mumbai)	All Customer Data
Razorpay	Payments	India	Payment data only
ZeptoMail (Zoho)	Email	India	Email addresses, notification content
Anthropic PBC	AI features	United States	Limited — see Section 5

5.Disclosed Exception — Anthropic Claude API

Disclosed cross-border data transfer

DPDPOne uses the Anthropic Claude API to power AI-assisted privacy notice drafting and action plan personalisation. Anthropic PBC is headquartered in the United States.

What is transmitted:

Organisation name and sector type — to personalise generated notices
Compliance gap identifiers — to personalise action plan recommendations

What is never transmitted:

Personal data of any Data Principal (individuals)
Employee names, email addresses, or contact details
Health, financial, or other sensitive personal data
Rights request details or breach incident details
Evidence Library files or documents
Any data that can identify a natural person

Customers who do not use the Notice Generator or AI action plan features do not trigger any data transfer to Anthropic. All other DPDPOne modules operate entirely within India.

Anthropic's data handling: Anthropic does not use API input or output data to train its AI models by default. Data transmitted to the API is not retained by Anthropic beyond processing the specific request. Anthropic's API data processing terms are available at anthropic.com/legal.

6.What Data Residency Means in Practice

DPDPOne's data residency commitment means:

Your compliance data — RoPA records, assessment results, breach reports, rights request logs — never leaves India.
Backup copies of Customer Data are stored within the same AWS Mumbai region.
DPDPOne engineering and support staff may access Customer Data remotely for support and maintenance purposes. All such access is logged and conducted by personnel bound by confidentiality obligations.
In the event of a disaster recovery scenario, Customer Data is restored from backups within the same AWS Mumbai region.
DPDPOne does not sell, transfer, or share Customer Data with any party outside India for any commercial purpose.

7.Verification and Updates

This statement is reviewed and updated:

Annually as part of DPDPOne's compliance review cycle
When DPDPOne changes infrastructure providers or regions
When new sub-processors are engaged that affect data residency
When material changes are made to the Anthropic API integration

The version number and date at the head of this document indicate the current version. Customers with active subscriptions will be notified of material changes to this statement.

8.Contact

Name	Mahadev Thukaram
Role	Founder — DPDPOne / Designated Data Protection Contact
Organisation	Stratops Solutions Pvt Ltd, Bengaluru, Karnataka
Email	hello@dpdpone.com
Website	dpdpone.com/data-residency

Data Residency Statement v1.0 · June 2026 · Stratops Solutions Pvt Ltd · hello@dpdpone.com

Data Processing Agreement →Privacy Policy →