Privacy Policy

• "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
• "Sensitive Personal Data or Information (SPDI)" means personal data as defined under the IT (SPDI) Rules, 2011, including passwords, financial information, health data, biometric data, and sexual orientation.
• "Customer Data" means all data, files, software, content, and information uploaded, stored, transmitted, or processed by you through our Cloud, Datacenter, or Data Protection services.
• "Data Fiduciary" / "Data Controller" means the entity that determines the purpose and means of processing of personal data. With respect to website and business data, this is Serverstock.
• "Data Processor" means the entity that processes personal data on behalf of the Data Controller. With respect to Customer Data hosted on our infrastructure, this is Serverstock.
• "Data Principal" / "Data Subject" means the individual to whom personal data relates.
• "Consent Manager" means a person registered with the Data Protection Board of India who acts as a single point of contact for the Data Principal to manage consent, as envisaged under the DPDP Act.
• "Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.

• Contact & Business Information: Name, email address, phone number, company name, designation, company size, industry, and geographic location, collected when you fill out contact forms, request quotes, or register for events.
• Account Credentials: Username, encrypted password, and security preferences for client portal access.
• Service Configuration Data: Infrastructure requirements, server specifications, backup schedules, DR configurations, and cloud architecture preferences provided during onboarding.
• Billing & Payment Information: Company legal name, billing address, GSTIN, PAN, bank account details, and UPI IDs. Note: Credit/debit card numbers are processed exclusively by our PCI-DSS compliant payment gateway partners; we do not store full card numbers.
• Support Communications: Tickets, emails, chat transcripts, phone call records (if consented), and any files shared during support interactions.
• Career Application Data: Resume, cover letter, educational qualifications, employment history, and references submitted through our careers page.

• Usage & Analytics Data: IP address, browser type and version, operating system, device type, screen resolution, pages visited, time spent on pages, referral URL, clickstream data, and session identifiers.
• Log Data: Server access logs, error logs, authentication logs, and API call logs generated during your interaction with our services and portals.
• Cookies & Similar Technologies: As detailed in Section 13 and our separate Cookies Policy.

• Technology Partners: Data received from cloud platform partners (AWS, Azure), backup platform partners (Veeam, Acronis), and datacenter facility partners (Yotta) necessary to provision, monitor, and manage your services.
• Payment Processors: Transaction confirmation and payment status from our payment gateway partners.
• Public Sources: Publicly available business information from company registries, LinkedIn, or industry directories for sales and marketing purposes.

4.1 Consent (DPDP Act Section 6)

Where required, we obtain your free, specific, informed, and unambiguous consent before processing your personal data. Consent is obtained through:

• Clear opt-in checkboxes on contact forms and newsletter subscriptions
• Cookie consent banner with granular preferences
• Explicit service agreements for data processing activities

4.2 Legitimate Uses Without Consent (DPDP Act Section 7)

The DPDP Act permits processing without consent for certain "legitimate uses," including:

• Contractual Necessity: Processing necessary to fulfill our service agreements with you (e.g., provisioning servers, configuring backups, managing your cloud environment).
• Legal Obligation: Processing required to comply with Indian law, court orders, or regulatory requirements.
• Voluntary Provision: Where you voluntarily provide data and have not restricted its use.
• Employment Purposes: Processing of employee or applicant data for HR purposes.
• Public Interest & Safety: Processing for medical emergencies, public order, or disaster management as specified under the Act.

6.1 Managed Cloud Services

• Data Processed: System logs, performance metrics, configuration data, and access control lists of your cloud environment.
• Access: Our L3 engineers access your environment only as necessary for monitoring, incident response, and maintenance as defined in your service agreement.
• Customer Data: Your application data, databases, and workloads hosted on managed cloud infrastructure are processed strictly under your instructions. We do not access, mine, analyze, or monetize Customer Data.
• Multi-Tenancy Isolation: In shared environments, strict logical separation is maintained between customer workloads using network segmentation, separate storage volumes, and role-based access controls.

6.2 Data Protection & DRaaS

• Data Processed: Backup metadata (job names, schedules, retention policies, restore point timestamps), backup status reports, and DR runbooks.
• Backup Data: The actual backup data (VM snapshots, file-level backups, database dumps) is stored encrypted in the designated repository and is never accessed by Serverstock personnel except during an authorized restore operation initiated by you.
• Encryption: All backup data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption keys are managed per our key management policy; customer-managed encryption keys (CMEK) are available upon request.
• Retention: Backup retention periods are configured as per your service agreement. Upon service termination, backup data is deleted as per Section 8.

6.3 Datacenter & Colocation Services

• Data Processed: Facility access logs (biometric and card-based), CCTV recordings (at datacenter facilities operated by our partners), power consumption metrics, and network traffic metadata.
• Physical Security Data: Visitor logs and authorized personnel records are maintained as required by datacenter facility security policies and applicable CERT-In requirements.
• Customer Hardware: For colocation customers, Serverstock does not access or process data stored on your hardware unless explicitly authorized under a managed services agreement.
• Environmental Monitoring: Temperature, humidity, power, and UPS data is collected for operational purposes and SLA reporting only.

7.1 Service Delivery Partners

Cloud infrastructure providers (AWS, Azure), datacenter facility operators (Yotta Data Services), backup platform vendors (Veeam, Acronis), monitoring tool providers, and payment processors, strictly for delivering the services you have subscribed to. All partners are bound by confidentiality agreements and data processing addenda.

7.2 Professional Advisors

Lawyers, auditors, accountants, and insurance providers who require access to personal data in the course of providing their professional services to Serverstock.

7.3 Legal & Regulatory Disclosures

We may disclose personal data when required to: (a) comply with applicable law, regulation, or court order; (b) respond to lawful requests from Indian government authorities (including under the IT Act, 2000); (c) report cybersecurity incidents to CERT-In as mandated; (d) protect the rights, property, or safety of Serverstock, our customers, or the public.

7.4 Business Transfers

In connection with a merger, acquisition, corporate reorganization, or sale of assets. In such event, we will notify affected customers and ensure the acquiring entity agrees to respect the commitments made in this Privacy Policy.

7.5 Affiliates

With current or future affiliates of Serverstock Datacenter Private Limited, subject to the same data protection obligations described in this policy.

• Active Client Data: For the duration of the service agreement plus 3 years after termination (for legal, accounting, and audit purposes).
• Prospective Client Data: Inquiry and quote data retained for 2 years from last interaction, then anonymized or deleted.
• Billing & Tax Records: 8 years from the end of the relevant financial year, as required under the GST Act, Income Tax Act, and Companies Act, 2013.
• Support Tickets & Communication Logs: 3 years from resolution date.
• Website Analytics Data: Aggregated and anonymized within 26 months.
• Marketing Consent Records: For the duration of consent plus 3 years as proof of consent.
• Job Application Data: 1 year from the date of application (or longer if you consent to being considered for future roles).
• System Logs & Security Logs: 180 days minimum, as mandated by CERT-In Directions (April 2022). Extended to 5 years for ICT system logs per CERT-In requirements.
• Customer Backup Data: As per the retention schedule in your service agreement. Upon service termination, backup data is retained for 30 days for retrieval, then permanently deleted within 60 days.

• Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest across all storage systems, including backup repositories.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), privileged access management (PAM), and the principle of least privilege across all systems.
• Network Security: Enterprise-grade firewalls, intrusion detection and prevention systems (IDS/IPS), DDoS mitigation, network segmentation, and VPN-secured management access.
• Endpoint Protection: Managed antivirus, endpoint detection and response (EDR), and centralized patch management.
• Monitoring: 24/7 Security Operations Center (SOC) monitoring with SIEM-based alerting for anomalous activities, unauthorized access attempts, and security events.
• Key Management: Secure key management practices with hardware security modules (HSMs) where required. Customer-managed encryption keys (CMEK) available upon request.

• Security Policies: Comprehensive information security management policies aligned with ISO/IEC 27001:2022 framework.
• Employee Screening: Background verification and non-disclosure agreements for all employees with access to customer data or infrastructure.
• Security Training: Mandatory annual security awareness training for all staff, including phishing simulation exercises.
• Vendor Assessment: Security due diligence and contractual safeguards for all third-party service providers.
• Security Audits: Regular vulnerability assessments, penetration testing (at least annually), and compliance audits.
• Incident Response: Documented incident response plan with defined roles, communication protocols, and post-incident review processes.

• Multi-layered physical access controls (mantraps, biometric readers, smart card access)
• 24/7 CCTV surveillance with a minimum 90-day recording retention at facility
• Security personnel on-site 24/7/365
• Visitor management system with pre-authorization requirements
• Environmental monitoring (fire suppression, flood detection, temperature/humidity control)

• Right to Access (Section 11): You have the right to obtain a summary of your personal data being processed by us, including the identities of all Data Processors and Data Fiduciaries with whom your data has been shared.
• Right to Correction & Erasure (Section 12): You may request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of personal data no longer necessary for the purpose it was collected.
• Right to Grievance Redressal (Section 13): You have the right to register a grievance with our Grievance Officer. If not satisfied, you may approach the Data Protection Board of India.
• Right to Nominate (Section 14): You have the right to nominate another individual who may exercise your data protection rights in the event of your death or incapacity.
• Duties of Data Principals (Section 15): While exercising your rights, you are expected to comply with applicable laws, not register false or frivolous complaints, and provide authentic information.

• Right to Restriction of Processing: Request us to limit how we process your data in certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, commonly-used, machine-readable format and transmit it to another controller.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling, that produce legal effects. Note: Serverstock does not currently engage in automated decision-making that produces legal effects.

Grievance Officer
Serverstock Datacenter Private Limited
Plot No 46, Office No 2 A, Anandrupa Apartment,
Parijat Nagar, Mahatma Nagar Road, Nashik – 422005, Maharashtra, India
Email: grievance@serverstock.co
Phone: +91 93222 199 26

Primary Indian Legislation

• Digital Personal Data Protection Act, 2023 (DPDP Act): India's comprehensive data protection law governing the processing of digital personal data. Serverstock complies with all obligations applicable to Data Fiduciaries, including consent management, data breach notification, rights of Data Principals, and cross-border data transfer restrictions.
• Information Technology Act, 2000: The foundational legislation governing electronic commerce and cybersecurity in India, including provisions on data protection (Section 43A), cyber offenses, and intermediary obligations.
• IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prescribes security practices for bodies corporate handling SPDI, including requirements for privacy policies, consent, and reasonable security practices aligned with ISO/IEC 27001.
• CERT-In Directions (April 28, 2022): Mandatory cybersecurity incident reporting within 6 hours, maintenance of ICT system logs for 180 days (within Indian jurisdiction), synchronization of system clocks with NTP servers, KYC norms for VPS/cloud/VPN service providers, and retention of customer registration data for 5 years after service cancellation.

Sector-Specific Compliance

• GST Act & Income Tax Act: Retention of billing, invoicing, and financial records for the prescribed periods.
• Companies Act, 2013: Corporate governance and record-keeping obligations applicable to Serverstock as a private limited company.
• Consumer Protection Act, 2019: Fair trade practices and consumer rights applicable to our B2B and B2C engagements.
• Indian Contract Act, 1872: Governing the contractual framework of our service agreements and data processing arrangements.

International Standards & Frameworks

• GDPR (EU General Data Protection Regulation): For our operations involving EU/EEA data subjects, we comply with GDPR requirements including lawful basis for processing, data subject rights, data protection impact assessments, and cross-border transfer mechanisms.
• ISO/IEC 27001:2022: Our information security management practices are aligned with this international standard.
• SOC 2 Type II: Our infrastructure and operations are architecturally aligned with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality).
• PCI-DSS: We do not directly handle cardholder data; payment processing is delegated to PCI-DSS certified payment gateway partners.