Comprehensive Privacy Policy
Version 2.4 – Effective 30 October 2025
1. Introduction & Our Commitment to Privacy
This "Comprehensive Privacy Policy" (hereinafter referred to as the "Policy") delineates the stringent practices of axiTrust Private Limited (hereinafter referred to as "axiTrust", "we", "our", "us") concerning the collection, utilization, storage, sharing, security, and disposition of Personal Data and other information. It applies specifically to interactions with our technological offerings.
axiTrust is an Indian technology company specializing in providing advanced consulting and technological services, operating primarily as a RegTech and InsurTech platform. Our flagship offering, axiTrust™, is an innovative software-as-a-service (SaaS) platform designed to facilitate the issuance and underwriting processes for surety bonds.
This Policy governs your engagement with and use of the following digital properties owned and operated by axiTrust:
1. www.axitrust.com (the “Site”): Our public-facing online portal for marketing, resource provision, and support.
2. axiTrust™ (the “Platform”): Our secure, cloud-based environment through which authorized entities manage the lifecycle of surety bonds.
By accessing, browsing, registering for, logging into, or otherwise utilizing the Site or the Platform, you expressly confirm that you have read, comprehended, and unequivocally assented to the practices and terms articulated within this Policy. Your continued use subsequent to any modifications signifies your ongoing acceptance thereof. If you do not concur with any stipulated term, you are enjoined from using our services.
1.1. Our Commitment to Data Protection & The Digital Personal Data Protection Act, 2023 (DPDP Act)
axiTrust, operating as a dynamic startup committed to innovation within the InsurTech domain, places paramount importance on data privacy and security. While the Digital Personal Data Protection Act, 2023 (DPDP Act) has been enacted and published in the Official Gazette, certain detailed rules, regulations, and specific implementation guidelines are presently under development or subject to ongoing clarification by the relevant authorities.
axiTrust is actively and diligently striving to align its data processing practices with the principles and provisions of the DPDP Act and all other pertinent Indian legislative mandates. Our compliance efforts are continuous and represent our best endeavor to secure your Personal Data and uphold your privacy rights amidst an evolving regulatory framework. This Policy reflects our steadfast commitment to transparent and responsible data stewardship, ensuring that our users can conduct their activities with confidence in our data protection measures, even as we navigate the progressive implementation phases of new legal requirements.
Quick-Read Commitments:
Data Minimisation: We rigorously collect and process only that Personal Data which is strictly necessary for specified, explicit, and lawful purposes.
No Commercial Exploitation of Data: We categorically state that we do not monetize, sell, rent, or lease your Personal Data to third parties for advertising or any commercial objectives extraneous to the provision and enhancement of our legitimate services.
Indian Data Residency: Our core cloud infrastructure and data processing activities are primarily situated within India (specifically, AWS Mumbai: ap-south-1) to underpin compliance with local regulations and data sovereignty principles.
Data Principal Rights: We are committed to facilitating the exercise of your rights as a Data Principal, encompassing access, correction, erasure (subject to legal obligations), or portability of your Personal Data, in accordance with applicable laws.
Non-Solicitation: No content, functionality, or representation within the Site or the Platform, nor within this Policy, shall be construed as an invitation, solicitation, offer, or advice to purchase, sell, or facilitate insurance or financial products. axiTrust functions exclusively as a technology platform and consulting service provider.
2. Scope & Audience Matrix
To ensure comprehensive understanding of data handling practices, we delineate the following categories of users interacting with axiTrust:
Unless contextually specified otherwise, all categories enumerated above are collectively referred to as "Users" within this Policy.
3. Legal & Regulatory Grounding
3.1 axiTrust operates exclusively within the territorial jurisdiction of India and rigorously adheres to the following foundational legal instruments and regulatory guidelines. Our adherence underpins our commitment to robust data protection and regulatory compliance, particularly as an InsurTech platform.
3.2 Digital Personal Data Protection Act, 2023 (DPDP Act): This pre-eminent legislation governs the processing of digital personal data in India. Our operational frameworks are designed to align with its principles, notably:
3.2a Lawful Processing Principles (§§ 4-8): Every data processing activity is meticulously mapped to a permissible ground, primarily Consent, Contract, Legal Obligation, or Legitimate Interest.
3.2b Data Principal Rights (§§ 11-15): We uphold and actively facilitate the rights of Data Principals ("Users") concerning their Personal Data.
3.2c Obligations of Data Fiduciary (§§ 9-10): We are committed to implementing reasonable security safeguards, maintaining data quality, executing timely breach notifications and appointing a dedicated Grievance Officer.
3.3 Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules): These foundational statutes establish the baseline for cyber-security, data protection, and the handling of Sensitive Personal Data or Information (SPDI) in India. Relevant provisions include:
Section 43A: Addresses compensation for failure to protect data in the event of negligence in maintaining reasonable security practices.
Section 67C: Mandates the preservation and retention of information by intermediaries.
Section 79: Conditions governing the exemption from liability for intermediaries concerning third-party content.
Section 10A: Ensures the validity and enforceability of electronic contracts.
3.4 IRDAI (Outsourcing of Activities by Insurers) Regulations, 2017 & IRDAI (Information and Cyber Security) Guidelines, 2023 (or its latest version): As a technology service provider facilitating processes for the insurance sector, axiTrust strictly adheres to these regulations, particularly when functioning as an outsourced service provider. This encompasses crucial aspects such as stringent data security protocols, confidentiality obligations, audit rights, and robust business continuity planning.
3.5 Indian Contract Act, 1872: Governs the enforceability of contracts, underpinning our Terms of Use and contractual agreements with users.
4. The Data We Collect & Its Purpose
Our Role as Data Fiduciary and Data Processor: For data provided directly by Visitors to the Site and for Authorised User account management data (e.g., login credentials, contact information), axiTrust functions as a Data Fiduciary, determining the purposes and means of processing.
For data uploaded or otherwise processed by Authorised Users on the Platform in connection with the underwriting, issuance, and management of surety bonds (particularly data concerning Principals and Beneficiaries), axiTrust operates as a Data Processor on behalf of the Insurer(s), who retain their primary role as Data Fiduciaries. In such instances, the Insurer bears the onus of obtaining necessary consents and ensuring the legality of data processing, while axiTrust processes data strictly in accordance with the Insurer's documented instructions and its contractual obligations.
We collect Personal Data solely for defined, legitimate purposes, adhering rigidly to data minimization principles.
4.1. Data Provided Directly & Voluntarily by You
This category encompasses information you actively choose to submit to us:
1. Identity & Contact Data: Name, designation, business email address, phone number, employer/organization details and physical address. This is primarily for establishing Authorised User accounts, facilitating communication, and delivering our services. It also includes information from Visitors submitting inquiries via web forms or chatbot interfaces.
2. Regulatory & Organizational Evidence: For Authorised Users representing Insurers or Principals (as provided by Insurers), this may include Permanent Account Number (PAN), Goods and Services Tax Identification Number (GSTIN), Company Identification Number (CIN), Articles/Memorandum of Association (AoA/MoA), board resolutions, compliance certificates, and audited financial statements. This is collected for Know Your Business (KYB) and Know Your Customer (KYC) purposes, as mandated by regulatory requirements and contractual agreements.
3. Underwriting & Transactional Content: For Authorised Users, this includes bond request forms, financial statements, project contracts, completion certificates, and documents containing limited Personal Data of principals (e.g., names of key signatories). This data is indispensable for the core functionality of the Platform.
4. Voluntary Engagement Data: Information furnished when participating in surveys, registering for webinars, subscribing to newsletters, submitting support tickets, or contributing to community forums. This data is collected with your explicit consent or based on our legitimate business interest to enhance service quality, engage our user base, and for thought leadership activities.
4.2. Data Gathered Automatically
Upon your interaction with our Site or Platform, certain technical and usage data is automatically collected:
1. Device & Connection Data: Your Internet Protocol (IP) address, browser type and version, operating system, screen resolution, referring Uniform Resource Locator (URL), and device identifiers. This data assists in ensuring system compatibility, fortifying security, and performing analytical functions.
2. Usage Telemetry Data: Information pertaining to your usage patterns on our Site and Platform, including timestamps, button clicks, page dwell-time, features accessed, and error reports. Such error reports are meticulously designed to exclude any embedded Personal Data. This data is instrumental in understanding user behavior, optimizing user experience (UX), and facilitating technical diagnostics.
3. Cookie Categories & Tracking Technologies:
3.a. Essential/Strictly Necessary Cookies: These are fundamental for the inherent functionality and security of the Site and Platform, enabling critical features such as session management (e.g., session ID), security tokens (e.g., CSRF token), and multi-factor authentication (MFA) challenges. These cookies are indispensable and cannot be disabled.
3.b. Functional Cookies: These enhance user experience by enabling personalized features, such as recalling language preferences, dark-mode settings, or other user interface customizations. Your explicit consent is obtained for the placement of these cookies where legally mandated.
3.c. Analytics Cookies: We deploy first-party analytics solutions (e.g., Google Analytics, with IP address anonymization and truncation, typically to /24) to gain insights into user interaction patterns. Identifiers are pseudonymized to safeguard your privacy. Consent is sought prior to setting these cookies.
3.d. You are afforded granular control over your cookie preferences via a consent banner displayed upon your initial visit. You may revisit the /cookie-settings page on our Site at any juncture to modify these preferences.
4.3. Data We Avoid by Design (Adherence to Data Minimisation)
Consistent with our commitment to strict data minimization principles, we proactively abstain from collecting certain categories of data unless its collection is absolutely indispensable for regulatory compliance or the explicit provision of a defined service function:
4.3.a: We do not intentionally collect Sensitive Personal Data in categories such as birthdates, health information, biometric data, or full payment card numbers (we only hold payment token references if applicable for billing purposes).
4.3.b: We do not deploy or permit third-party advertising cookies or social-media trackers that profile users across non-axiTrust sites. Our analytics are solely for internal service enhancement and do not inform any advertising strategies.
5. Purposes, Lawful Bases & Minimum Retention
The following table itemizes the specific legitimate purposes for which we process Personal Data, explicitly linking each to its corresponding lawful basis under the DPDP Act, and stipulating the minimum retention periods.
6. How We Share Information
We disclose Personal Data exclusively on a strict need-to-know basis, ensuring that robust contractual safeguards and technical controls are rigorously implemented. We reiterate that we do not engage in the sale or commercial rental of your Personal Data to third parties.
6.1. Recipient Categories & Safeguards:
We collaborate with and engage carefully selected third-party service providers, which act as Data Processors or sub-processors, to perform essential functions on our behalf and sustain our operations. These include:
6.1.a. Cloud Infrastructure Providers: For hosting our Platform, data storage, and compute resources. Our primary provider is Amazon Web Services India Pvt Ltd (AWS) for all core infrastructure services (AppRunner, RDS, S3, CloudWatch, etc.), with data primarily processed and stored in India.
Safeguards: ISO 27001, SOC 2 Type II certifications; AES-256 encryption at rest; TLS 1.3+ encryption in transit; DPDP-compliant Data Processing Addendum (DPA); strict adherence to IRDAI outsourcing clauses.
6.1.b. Electronic Signature & Digital Stamping Providers: For facilitating legally compliant electronic signatures and digital stamping processes. We utilize GreySwift Pvt Ltd (Leegality), an NPCI-linked service provider.
Safeguards: Compliance with IT Act § 3A for e-signatures; SHA-256 checksum for document integrity; comprehensive audit trails; DPDP-compliant DPA.
6.1.c. Communication Services (SMS & Email Gateways): For sending critical transactional SMS messages and emails (e.g., account verification, bond-related notifications). We utilize MSG91 and SendGrid Inc.
Safeguards: Data residency options where available (e.g., for SMS in India); adherence to Standard Contractual Clauses (SCCs) for cross-border data transfers; at-rest encryption; TLS 1.2+ encryption in transit; opt-out headers for marketing communications; compliance with TRAI DND regulations for SMS.
6.1.d. Meeting Scheduling Platforms (Optional): Should you elect to use our embedded scheduling tools to book appointments. We utilize Calendly India LLP or Google India Pvt Ltd.
Safeguards: Calendly and Google each operate as an independent Data Fiduciary for the data you provide directly to them. Our integration merely embeds their widget, with data flows occurring directly between you and Calendly/Google under their own privacy policies.
6.1.e. Optical Character Recognition (OCR) & Document Parsing (Optional): For automated data extraction from documents to streamline form completion or data validation processes. We may utilize Docsumo Tech Pvt Ltd.
Safeguards: DPDP-compliant DPA; commitment to automated deletion of processed data after a defined, short period post-processing; robust security measures.
6.1.f. System Monitoring & Logging: For performance oversight, error tracking, and security incident detection. We utilize Datadog, Inc.
Safeguards: Data residency options in supported regions; adherence to relevant data protection regulations (e.g., GDPR, CCPA, and stated commitment to DPDP principles); robust access controls and encryption for collected telemetry and log data.
6.1.g. Internal Tools with Limited Data Access: We employ tools such as Google Workspace (for email and document collaboration) and Notion (for internal knowledge management, project management, and support ticket orchestration). While these are primarily for internal operational efficiency, any limited Personal Data from customer inquiries (e.g., within support ticket content) processed through them is subject to strict internal access controls and governed by robust contractual agreements. Such PII processed via these tools is minimal and confined to specific, defined purposes.
6.2. Due Diligence & Contractual Obligations:
Prior to engaging any third-party processor or sub-processor, axiTrust conducts thorough due diligence to critically assess their security practices, data protection compliance frameworks, and industry reputation. All our appointed processors are bound by legally enforceable Data Processing Agreements (DPAs) or equivalent contractual instruments that unequivocally mandate them to:
1. Process Personal Data strictly according to our documented instructions.
2. Implement and maintain appropriate technical and organizational security measures.
3. Uphold absolute confidentiality.
4. Immediately notify us of any actual or suspected security breaches.
5. Refrain from engaging further sub-processors without our explicit prior written authorization and the establishment of a reciprocal DPA.
6. Return or securely delete Personal Data upon the termination of services, as per our instructions.
6.3. Other Disclosure Scenarios:
6.3.a. Legal & Regulatory Compliance: We may be compelled to disclose Personal Data if mandated by law, court order, or formal request from a governmental or regulatory authority (e.g., IRDAI, law enforcement agencies).
6.3.b. Business Transfers: In the event of a merger, acquisition, asset sale, or analogous corporate transaction, your Personal Data may be transferred to the acquiring entity. Such transfer will be contingent upon the acquiring entity's commitment to protect your data with safeguards consistent with this Policy.
6.3.c. Protection of Rights: We reserve the right to disclose data when we deem it genuinely necessary to safeguard our legitimate rights, property, or safety, or the rights, property, or safety of our users or other stakeholders.
7. Third-Party Links & Embedded Content
The Site or Platform may, from time to time, incorporate or link to external websites, academic research papers, official government circulars, industry reports, or partner portals. These external destinations are operated by third parties over whom axiTrust exercises no control regarding their privacy practices. You acknowledge and accede that axiTrust explicitly disclaims any and all liability for the content, accessibility, accuracy, or privacy practices of such external websites or resources. We strongly advise that you meticulously review the privacy policies of any third-party websites or services you elect to visit before volunteering any Personal Data thereto.
8. Aggregated, Statistical & De-Identified Data
We reserve the right to transform certain operational metrics and usage data into aggregated, statistical, or de-identified formats. For instance, we may publish insights such as "average bond issuance turnaround time – 2.3 days" or industry-wide trends. Such data is processed in a manner that precludes the re-identification of any individual, thereby falling outside the ambit of "Personal Data" as defined by the DPDP Act. We retain the unrestricted right to use, share, or disseminate such aggregated or de-identified insights publicly or with regulatory bodies and industry associations to demonstrate market efficiencies, inform policy development, or for broader business intelligence.
9. Data Retention & Secure Disposal
We retain Personal Data strictly for the duration necessary to fulfill the specific purposes for which it was collected, to comply with our explicit legal obligations, to resolve any outstanding disputes, and to enforce our contractual agreements. Upon the expiration of the retention period, or when data is no longer legitimately required, it is securely disposed of using appropriate, industry-standard methods.
10. Your Rights as a Data Principal & Exercise Mechanism
As a Data Principal under the Digital Personal Data Protection Act, 2023 (DPDP Act, §§ 11-15), you are vested with the following significant rights concerning your Personal Data processed by axiTrust. We are unequivocally committed to facilitating the effective exercise of these rights in consonance with our best efforts to comply with the DPDP Act and other relevant statutes:
10.1. Right to Access: You may solicit a comprehensive transcript of your Personal Data held by us, alongside information concerning the processing activities undertaken.
10.2. Right to Correction/Update: You possess the right to demand the rectification of inaccurate or incomplete Personal Data, or the updating of outdated fields.
10.3. Right to Erasure (Right to be Forgotten): You may request the erasure of your Personal Data when it is no longer requisite for the purposes for which it was initially collected, or in instances where you withdraw consent and no other lawful basis substantiates its retention. This right is strictly subject to extant legal obligations and paramount legitimate grounds for data retention.
10.4. Right to Data Portability: You may request to receive your Personal Data in a structured, commonly utilized, and machine-readable format, and if technically feasible, to transmit that data to another Data Fiduciary.
10.5. Right to Nomination: You are entitled to nominate an individual to exercise your rights under the DPDP Act on your behalf in the unfortunate event of your demise or incapacitation.
10.6. Right to Grievance Redressal: Should you be dissatisfied with our response to your data rights request, you retain the prerogative to lodge a complaint with the Data Protection Board of India.
How to Exercise Your Rights:
To formally exercise any of these enumerated rights, please submit your request, explicitly stating the specific right you wish to invoke, coupled with sufficient details to unambiguously identify you and your relevant data. Direct your communication to our appointed Grievance Officer via email at compliance@axitrust.com or by registered postal mail at the address provided in Section 12 of this Policy.
Response Time: We undertake to acknowledge your request within 7 calendar days of receipt. We shall diligently endeavor to respond to and fulfill your request within 20 calendar days of receipt, contingent upon the successful verification of your identity and the inherent complexity of the request. Should an extension of this timeframe be necessary, we shall furnish you with explicit reasons for the delay and a revised estimated timeline.
Your Duties as a Data Principal (DPDP Act, § 15):
While exercising your fundamental rights as a Data Principal, please note your corresponding duties as stipulated by the DPDP Act, which include:
1. Adhering strictly to the provisions of applicable laws when exercising your rights.
2. Refraining from lodging vexatious, false, or frivolous grievances or complaints.
3. Ensuring the accuracy and completeness of the information you provide to us.
11. Security Architecture & Operational Controls
axiTrust prioritizes the inviolable security and confidentiality of your Personal Data. We implement and continuously enhance robust technical, physical, and administrative safeguards meticulously engineered to shield information from unauthorized access, accidental loss, illicit misuse, unauthorized alteration, or malicious destruction. Our comprehensive security posture comprises:
11.1. Information Security Management System (ISMS): We maintain an ISMS aligned with the rigorous ISO 27001 standards, subjecting it to annual surveillance audits to ensure perpetual improvement and compliance.
11.2. Zero-Trust Architecture: We operate on an uncompromising zero-trust security model, wherein every access request and system interaction is mandatorily authenticated, authorized, and continuously validated, irrespective of its originating network or perceived trust zone.
11.3. Granular Network Segmentation: Services are logically segmented with strict network access controls and stringent firewall rules.
11.4. Principle of Least Privilege & Role-Based Access Control (RBAC): Access to Personal Data and critical systems is strictly limited based on pre-defined job functionalities and specific roles. Multi-Factor Authentication (MFA) is enforced without exception for all internal and external access to sensitive systems. Privilege escalation necessitates documented approval workflows and multi-person authorization.
11.5. Continuous Vulnerability Management: We conduct perpetual vulnerability scanning, rigorous penetration testing (inclusive of OWASP Top-10 and SANS 25 checks), and routine security reviews by proficient independent third parties to proactively identify and rapidly remediate potential security vulnerabilities.
11.6. Immutable & Tamper-Evident Logs: All system and application logs are collected centrally, stored in an immutable, cryptographically secured format, and transmitted to dedicated logging solutions (e.g., AWS CloudWatch, S3 Glacier Vault Lock) to prevent any unauthorized modification and ensure comprehensive, auditable trails.
11.7. Disaster Recovery (DR) & Business Continuity Planning (BCP): We maintain resilient DR and BCP strategies, encompassing active/standby configurations across multiple Availability Zones within our designated Mumbai region. Our Recovery Point Objective (RPO) is configured to be ≤ 15 minutes, and Recovery Time Objective (RTO) is ≤ 60 minutes for critical service restoration. Offsite backups are robustly secured and subjected to regular testing.
11.8. Encryption Standards: All Personal Data is encrypted both in transit (via mandatory TLS 1.3+ for all data in motion) and at rest (using AES-256 encryption across our cloud environment).
11.9. Employee Safeguards: All axiTrust personnel undergo background verification checks. They are bound by stringent non-disclosure agreements (NDAs) and participate in mandatory, recurrent training on data privacy, cybersecurity best practices, and DPDP Act compliance.
12. Communications Choices
We respect your communication preferences and provide transparent mechanisms for you to manage them:
12.1. Service-Critical Messages: We reserve the right to send you essential operational communications (e.g., critical updates on service availability, vital security alerts, amendments to policy, account-related notifications). These communications are indispensable for the continuous provision and security of our services and will be transmitted irrespective of your marketing preferences.
12.2. Marketing & Thought-Leadership Communications: For newsletters, event invitations, webinar announcements, and other thought-leadership content, we strictly adhere to an opt-out consent model. Every such email communiqué will incorporate a clear, one-click unsubscribe link. All SMS promotions will scrupulously adhere to the directives of the Telecom Regulatory Authority of India (TRAI) Do Not Disturb (DND) registry.
12.3. Cookie Preferences: Upon your initial visit to the Site, a comprehensive cookie consent banner will be presented, empowering you to customize your cookie preferences. You may revisit the /cookie-settings page on our Site at any given time to modify your choices.
13. Grievance Officer & Data Protection Officer (DPO)
We have duly appointed a dedicated Grievance Officer, who also fulfills the responsibilities of our Data Protection Officer. This individual is primarily accountable for addressing your privacy-related concerns and ensuring our adherence to the Digital Personal Data Protection Act, 2023, and other applicable data protection laws.
Name: Adesh Singh
Email: compliance@axitrust.com
Address: 1st Floor, MGF Metropolis, MG Road, Gurugram, Haryana - 120002, India
Working Hours: Monday – Friday, 10:00 to 18:00 IST (excluding public holidays)
The Grievance Officer is vested with powers under DPDP Act § 10 and IT Act § 79A to:
1. Efficiently address and resolve grievances lodged by Data Principals.
2. Oversee and ensure compliance with internal data protection policies and procedures.
3. Coordinate the timely and accurate notification of Personal Data breaches to the Data Protection Board of India and affected Data Principals.
4. Serve as the primary liaison with the Data Protection Board and other pertinent regulatory authorities on all matters pertaining to data protection.
Annex A – Sub-Processor Register
axiTrust engages the following sub-processors to assist in the efficient and secure provision of our services. This register is maintained meticulously to provide transparency regarding regional data processing locations and the key contractual and technical safeguards in place with each sub-processor.
A complete, real-time sub-processor list is available for your inspection at: www.axitrust.com/legal/sub-processors
We are committed to notifying all Authorised Users via email or in-app notification at least 30 days in advance before onboarding any new sub-processor that will process Personal Data, thereby providing a reasonable opportunity to object.