Legal

Privacy statement

Introduction

In its everyday business operations Frammer AI Pvt Ltd (FAIPL) makes use of a variety of data about identifiable individuals, including data about:

  • Current, past, and prospective employees

  • Customers

  • Users of its websites

  • Subscribers

  • Other stakeholders

The Data Protection policy, including Data Governance, Data Quality Management and Data Monitoring, outlines the principles, responsibilities, processes and procedures for ensuring the effective management, quality and monitoring of data within FAIPL. The policy aims to establish a framework that supports accurate, reliable, secure and compliant data practices throughout the organization.

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. Allocate roles and responsibilities based on approved job descriptions and business process activities.

This control applies to all systems, people and processes that constitute the organization's information systems, including board members, directors, employees, suppliers and other third parties who have access to FAIPL systems.

Refer to Change Management Policy for more details.

The following policies and procedures are relevant to this document:

  • Information Classification Procedure

  • Information Labelling Procedure

  • Acceptable Use policy

  • Electronic Messaging Policy

  • Internet Acceptable Use Policy

  • Information Security Incident Response Procedure

  • Information Security Roles, Responsibilities and Authorities

  • Breach Notification Letter to Data Subjects

  • Personal Data Breach Notification Form

Data Protection Policy

Data Governance Framework Requirements

  1. Data Ownership and Stewardship: Assign data owners and stewards responsible for data quality, integrity, and compliance with data policies.

  2. Data Classification and Handling: Classify data based on its sensitivity and define appropriate handling, storage, and sharing procedures. Refer to Information Classification Procedure.

  3. Data Lifecycle Management: Implement processes for data creation, collection, processing, storage, archiving, and disposal.

  4. Data Lineage and Documentation: Maintain accurate documentation and metadata about data assets. Document the source, transformations, and usage of data to ensure transparency and traceability.

  5. Data Access and Security: Establish access controls, authentication, and authorization mechanisms to ensure data security and privacy.

  6. Data Documentation and Metadata: Maintain accurate metadata and documentation for all data assets, including data definitions, lineage, and usage.

  7. Data Quality Management: Implement measures to ensure data accuracy, completeness, reliability, and consistency.

  8. Data Training and Awareness: Provide training to employees on data governance practices, data handling procedures, and the importance of data quality.

  9. Data Integration and Interoperability: Ensure that data is integrated and shared seamlessly across different systems and departments while maintaining data consistency and accuracy.

  10. Data Ethics and Accountability: Establish ethical guidelines for data usage, ensuring that data is used responsibly and ethically. Hold individuals and departments accountable for data-related actions.

  11. Data Incident Management: Define procedures for reporting and responding to data breaches or incidents. Establish protocols for notifying relevant parties and authorities.

  12. Data Governance Tools: Implement tools and technologies that support data governance activities, such as data quality software, metadata management systems, and data cataloguing solutions.

  13. Continuous Improvement: Regularly review and refine data governance processes to adapt to changing business needs, technology advancements, and regulatory requirements.

  14. FAIPL is obligated to develop, approve and publish a personal data privacy policy, provided that this policy includes the types of personal data of users that will be processed, the purpose for that, whether it will be shared with other parties, the duration of its retention, and the procedures for protecting it, the rights of users in relation to their personal data, and how to exercise those rights.

  15. Our application Frammer AI does not share any user data with any third-party AI platforms, and all processing is done through APIs on our dedicated servers for a client. None of the data being uploaded by Frammer is stored by Frammer for any period longer than as specified in the agreement with the user. Frammer does not share, store or use any user data other than for the express purposes as specified in the agreement with the User, for which consent has been acquired.

Data Quality Management and Monitoring Requirements

  1. Data Profiling and Assessment: Regularly assess data quality using profiling tools to identify anomalies, inconsistencies, and inaccuracies.

  2. Data Cleansing and Enrichment: Implement data cleansing and enrichment processes to rectify identified data quality issues.

  3. Data Validation and Verification: Establish validation rules to ensure data accuracy during input and processing.

  4. Data Monitoring and Reporting: Monitor data quality metrics, create reports, and track trends to proactively address data quality issues.

  5. Data Quality Audits: Conduct periodic data quality audits to evaluate compliance with data quality standards.

  6. Data Quality Improvement Plans: Develop and execute improvement plans to enhance data quality based on assessment results.

Roles and Responsibilities

  1. Data Governance Committee: Responsible for overseeing data governance initiatives, setting policies, and resolving data-related issues.

  2. Data Quality Manager: Oversees data quality management, collaborates with data stewards, and ensures data quality improvement.

  3. Data Stewards: Responsible for data accuracy, quality, and compliance within their respective data domains.

  4. Data Users: Responsible for inputting accurate data, reporting data quality issues, and adhering to data handling procedures.

Data Protection and Privacy Considerations

Data governance and data quality management must align with data protection principles outlined in the organization's Data Protection Policy. The personal data of the users is protected in a way that guarantees its privacy and prevents it from being accessed without authorization, leaked, tampered with, or misused. The use and processing of personal data must adhere to legal and ethical requirements and to those listed below.

Privacy and Personal Data Protection Policy

  1. Digital Personal Data Protection Act, 2023 (DPDPA)


    The Digital Personal Data Protection Act (DPDPA) of 2023 is one of the most significant pieces of legislation affecting the way that FAIPL carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the DPDPA, which is designed to protect the personal data of citizens. It is FAIPL policy to ensure that our compliance with the DPDPA and other relevant legislation is always clear and demonstrable.

    The Digital Personal Data Protection Act (DPDPA) is a comprehensive legal framework that regulates the collection, processing, and transfer of personal data. It establishes rights for individuals, obligations for organizations, and mechanisms for enforcement, aiming to protect individuals' privacy and enhance data security in India.

    All the policies defined below include but are not limited to the way the platform uses any Google user data, should it have access to any of such user data.

    Frammer AI complies with the Google API Services User Data Policy including the Limited Use requirements. Frammer AI’s use and transfer of information received from Google APIs is governed by the Google API Services User Data Policy, including the Limited Use requirement. The policies can be accessed here


    Definitions


    The most fundamental definitions with respect to this policy are as follows:

    • Personal data is defined as: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as names, personal identification numbers, addresses, and contact numbers, license numbers, records, personal belongings, bank account and credit card numbers, still or moving user photos, and other personal data, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

    • Personal data breach means the disclosure, publication, or acquisition of personal data, or the authorization of access to it, without legal basis, whether intentionally or accidentally.

    • Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


    Principles Relating to Processing of Personal Data


    There are several fundamental principles for data protection and privacy. These dictate that personal data shall:

    • Maintain the privacy of the customer's personal data and protect the rights in accordance with the best practices.

    • Increase customers' trust in services that depend on processing of personal data.

    • Establish principles and legal foundations for personal data protection.

    • Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’) to ensure that there is no unjustified negative impact on the user's interests, and for a clear purpose.

    • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes such as for fulfilling the legal, regulatory, and contractual requirements.

    • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimization').

    • The cybersecurity requirements for protecting and handling data and information must include at least the following:

      • Data and information ownership.

    • The cybersecurity requirements for protecting and handling data and information must be reviewed periodically.

    • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay ('accuracy').

    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ('integrity and confidentiality').

    • The privacy policy shall be shared with the third parties involved, or with customers, when requested. We shall ensure that third parties abide by the privacy requirements on a continuous basis.

    • Users shall be able to familiarize themselves with the DPDPA before processing their personal data.

    • Users shall be able to obtain a copy of their personal data in electronic format, as authorized by commission.

    • FAIPL must periodically check the commitment of all contracting parties to data processing.

    • A database must be created that includes all basic information for delivery agents, including the dates of their joining FAIPL, the actions taken towards them related to deletion or ban from the platform, and the dates of those actions.

    • Develop proposals to implement the information security risk treatment plan, supported by suitable business cases that include consideration of funding and allocation of roles and responsibilities.


    FAIPL must ensure that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems. The operation of an information security management system (ISMS) standard is a key part of that commitment. Determine the classified data, according to the relevant legislation, that can be used, accessed, or dealt with through remote work systems.


    What Data Do We Collect and Its Purpose


    What data do we collect?


    We may receive your personal data as part of the services or for communication. The personal data, whatever its source or form, would expressly identify the individual or make it possible to identify it directly or indirectly, and includes name, personal identification number, addresses, contact numbers, license numbers, records and personal property, bank account and credit card numbers, fixed or moving images of the individual, and other data of a personal nature. The personal data of users is processed for specific and clear purposes for the user. Provide sufficient and skilled resources to support the communication process.


    It includes any process performed on personal data by any means, whether manual or automated, including collection, recording, preservation, indexing, arrangement, coordination, storage, modification, updating, integration, retrieval, use, disclosure, transmission, publication, data sharing or interconnection, blocking, scanning, and destruction.


    Automatic collection of information


    From our website we may automatically capture your Internet Protocol (IP) address when you visit. (Your Internet Protocol address is the number of the computer you are using, which allows other devices connected to the Internet to determine the destination of data from them, and to collect certain information such as browser type and search engine but without personally identifying you.) The website’s use of your Internet Protocol address helps to diagnose problems that occur in its servers and to produce the statistics needed to measure the use of the Portal (the number of visitors and the language of the computer you use). The Portal does not allow anyone outside its technical team to see your Internet Protocol address.


    Cookies


    Our website may store cookies on your computer when you visit. Cookies are pieces of data that uniquely identify you as a user and can be used to improve your knowledge of the website and better understand your needs and how you use the website. Most browsers are initially set up to accept cookies, and you can also reset your browser to refuse all cookies or to alert you when cookies are being sent.


    Geographical Location


    You may at times be required to consent to use of your geolocation to use some of the services offered by the website. Identifying users' geolocation will benefit from the availability of specific services on the Platform.


    Purpose


    Your personal data will not be processed without taking sufficient steps to verify its accuracy, completeness, novelty, and relevance to the purpose for which it was collected under the provisions of the regulations. Only the minimum personal data of users needed to achieve the purposes of data processing is to be collected.

    The website applies the highest security standards to protect data and information. Sensitive data and any data that should be kept confidential under legal requirements are encrypted and subject to additional controls and procedures. Sensitive data includes data that reveals an individual’s ethnic or tribal origin, religious, intellectual, or political belief, or indicates membership in civil associations or institutions, as well as criminal and security data, biometric data that identifies genetic data, insurance data, health data, location data, credit data and data indicating that the individual’s parents, or one of them, are anonymous.

    Our technical staff are permitted to manage this information only to provide services consistent with your needs. We never let any party other than authorized parties know your personal or IP information.


    Rights of the Individual


    The data subject also has rights under the DPDPA. These consist of:

    • The right to be informed.

    • The right of access.

    • The right to rectification.

    • The right to erasure.

    • The right to restrict processing.

    • The right to data portability.

    • The right to object.

    • Rights in relation to automated decision making and profiling.

    Any personal data shall be transferred in a commonly used electronic format with appropriate security measures in place.


    Consent


    Unless it is necessary for a reason allowable in the DPDPA, explicit consent must be obtained from a data subject to collect and process their data. In the case of children under the age of 18, parental consent must be obtained. Transparent information about our usage of their personal data must be provided to data subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

    If the personal data is not obtained directly from the data subject, then this information must be provided within a reasonable period after the data is obtained and within one month. The office can exempt low-volume data-processing establishments from certain personal data protection requirements. Data must be accurate and updated when needed.

    As technology evolves, data handling practices and potential privacy risks also change. Therefore, organizations need to regularly review and update their privacy policies to reflect these changes.

    Keeping users informed about changes to the privacy policy is essential to maintain transparency, ensure compliance, and uphold user trust. Here are some important considerations regarding alerting users about privacy policy updates:

    • Clear Communication: Organizations should communicate privacy policy updates clearly and in a language that is easily understandable by users. Avoid using overly technical or legal language that might confuse users.

    • Notice Period: Provide users with a reasonable notice period before the updated privacy policy comes into effect. This gives users time to review the changes and make informed decisions.

    • Notification Methods: Organizations can use various methods to notify users about privacy policy updates, such as email notifications, pop-up messages on websites or apps, in-app notifications, or even direct mail for physical products or services.

    • Accessibility: Ensure that the notification about privacy policy updates is easily accessible. This might involve displaying the notification prominently on the organization's website or app's home page or in a dedicated section for policies.

    • Informed Consent: Some privacy regulations require users to provide informed consent to updated privacy policies. This might involve having users actively acknowledge the changes before they can continue using the services.

    • Summary of Changes: Provide a summary of the key changes made to the privacy policy. This helps users quickly understand what aspects of data collection, processing, or protection have been updated.

    • Link to Full Policy: Include a link to the full updated privacy policy so that users can review the details if they wish.

    • User Education: Along with the notification, provide educational materials or explanations about why the updates were made and how they might affect users' data and privacy.

    • Opt-Out Option: If feasible and appropriate, provide users with the option to decline the updated privacy policy. However, this might result in the user not being able to use the services.

    • Frequency of Updates: Be mindful of the frequency of updates. Constantly bombarding users with updates might lead to user fatigue. Instead, consolidate changes and notify users when significant updates occur.

    • Consistency: Ensure consistency in the way you communicate updates across different channels and platforms to avoid confusion.

    • Mobile Apps: If your organization has a mobile app, be sure to follow guidelines set by app stores (such as Apple App Store and Google Play Store) regarding privacy policy updates and user notifications.

    • Record Keeping: Maintain records of when notifications were sent and how users were informed about the updates. This can be useful for demonstrating compliance if needed.


    Privacy by Design


    FAIPL has adopted the principle of privacy by design and will ensure that collecting or processing personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments. The privacy impact assessments shall be documented, reviewed, and maintained.

    The privacy impact assessment will include:

    • Consideration of how personal data will be processed and for what purposes.

    • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s).

    • Assessment of the risks to individuals in processing personal data.

    • What controls are necessary to address the identified risks and demonstrate compliance with legislation.

    • Documented verification results.

    Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.


    Transfer of Personal Data

    Intra-group international data transfers must be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.

    We provide secure means to export and transfer data and virtual infrastructure. For more information, refer to the Physical Security Policy.

    Personal data shall not be transferred to any third party without prior written consent of the customer.


    Data Retention


    We will retain and use personal data for the period necessary to comply with our legal obligations. We will destroy personal data as soon as the purpose of collecting it has expired. However, we may retain such data after the purpose of collecting it has expired if everything that leads to the specific knowledge of the owner has been removed in accordance with the controls specified by the regulations.

    We shall retain personal data even after the purpose of collecting it has expired in the following cases only:

    • If there is a systemic justification that must be retained for a specified period, in which case it shall be destroyed after the end of this period or the expiry of the purpose of its collection, whichever is longer.

    • If the personal data is closely related to a case before a judicial body and its retention is required for this purpose, in which case it is destroyed after the completion of the judicial proceedings of the case.

    • FAIPL is obligated to keep the personal data of the users for specified purposes and periods.


    Breach Notification


    It is FAIPL policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the DPDPA, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours or as per the applicable laws. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

    Under the DPDPA, the penalty for a breach of duty can be up to INR 10,000. The Data Protection Board has the power to issue penalties up to INR 250 crore for breach in observing the obligation of a data fiduciary to take reasonable security safeguards to prevent personal data breach.


    Addressing Compliance to the DPDPA

    The following actions are undertaken to ensure that FAIPL always complies with the DPDPA:

    • The legal basis for processing personal data is clear and unambiguous.

    • All staff involved in handling personal data understand their responsibilities for following good data protection practice.

    • Training in data protection has been provided to all staff for competency.

    • Rules regarding consent are followed.

    • Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively.

    • Regular reviews of procedures involving personal data are carried out whenever there is a change, or at least annually, and the changes shall be communicated to internal and external users appropriately and in a timely manner.

    • Privacy by design is adopted for all new or changed systems and processes.

    • The following documentation of processing activities is recorded:

      • Organization name and relevant details.

      • Purposes of personal data processing.

      • Categories of individuals and personal data processed.

      • Categories of personal data recipients.

      • Personal data retention schedules.

      • Relevant technical and organizational controls in place.


    These actions will be reviewed regularly as part of the information security management system's management review process.

Legal

Privacy statement

Introduction

In its everyday business operations Frammer AI Pvt Ltd (FAIPL) makes use of a variety of data about identifiable individuals, including data about:

  • Current, past, and prospective employees

  • Customers

  • Users of its websites

  • Subscribers

  • Other stakeholders

The Data protection including data Governance/ Data Quality Management/ data monitoring outlines the principles, responsibilities, processes and procedures for ensuring the effective management, quality and monitoring of data within FAIPL. The policy aims to establish a framework that supports accurate, reliable, secure and compliant data practices throughout the organization.

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. Allocate roles and responsibilities based on approved job descriptions and business process activities.

This control applies to all systems, people and processes that constitute the organization's information systems, including board members, directors, employees, suppliers and other third parties who have access to FAIPL systems.

Refer to Change Management Policy for more details.

The following policies and procedures are relevant to this document:

  • Information Classification Procedure

  • Information Labelling Procedure

  • Acceptable Use policy

  • Electronic Messaging Policy

  • Internet Acceptable Use Policy

  • Information Security Incident Response Procedure

  • Information Security Roles, Responsibilities and Authorities

  • Breach Notification Letter to Data Subjects

  • Personal Data Breach Notification Form

Data Protection Policy

Data Governance Framework Requirements

  1. Data Ownership and Stewardship: Assign data owners and stewards responsible for data quality, integrity, and compliance with data policies.

  2. Data Classification and Handling: Classify data based on its sensitivity and define appropriate handling, storage, and sharing procedures. Refer to Information Classification Procedure.

  3. Data Lifecycle Management: Implement processes for data creation, collection, processing, storage, archiving, and disposal.

  4. Data Lineage and Documentation: Maintain accurate documentation and metadata about data assets. Document the source, transformations, and usage of data to ensure transparency and traceability.

  5. Data Access and Security: Establish access controls, authentication, and authorization mechanisms to ensure data security and privacy.

  6. Data Documentation and Metadata: Maintain accurate metadata and documentation for all data assets, including data definitions, lineage, and usage.

  7. Data Quality Management: Implement measures to ensure data accuracy, completeness, reliability, and consistency.

  8. Data Training and Awareness: Provide training to employees on data governance practices, data handling procedures, and the importance of data quality.

  9. Data Integration and Interoperability: Ensure that data is integrated and shared seamlessly across different systems and departments while maintaining data consistency and accuracy.

  10. Data Ethics and Accountability: Establish ethical guidelines for data usage, ensuring that data is used responsibly and ethically. Hold individuals and departments accountable for data-related actions.

  11. Data Incident Management: Define procedures for reporting and responding to data breaches or incidents. Establish protocols for notifying relevant parties and authorities.

  12. Data Governance Tools: Implement tools and technologies that support data governance activities, such as data quality software, metadata management systems, and data cataloguing solutions.

  13. Continuous Improvement: Regularly review and refine data governance processes to adapt to changing business needs, technology advancements, and regulatory requirements.

  14. FAIPL is obligated to develop, approve and publish a personal data privacy policy, provided that this policy includes the types of personal data of users that will be processed, the purpose for that, whether it will be shared with other parties, the duration of its retention, and the procedures for protecting it, the rights of users in relation to their personal data, and how to exercise those rights.

  15. Our application Frammer AI does not share any user data with any third party AI platforms and all processing is done through API’s on our dedicated servers for a client. None of the data being uploaded by Frammer is stored by Frammer for any period longer than as specified in the agreement with the user. Frammer does not share, store or use any user data other than for the express purposes as specified in the agreement with the User, for which consent has been acquired.

Data Quality Management and Monitoring Requirements

  1. Data Profiling and Assessment: Regularly assess data quality using profiling tools to identify anomalies, inconsistencies, and inaccuracies.

  2. Data Cleansing and Enrichment: Implement data cleansing and enrichment processes to rectify identified data quality issues.

  3. Data Validation and Verification: Establish validation rules to ensure data accuracy during input and processing.

  4. Data Monitoring and Reporting: Monitor data quality metrics, create reports, and track trends to proactively address data quality issues.

  5. Data Quality Audits: Conduct periodic data quality audits to evaluate compliance with data quality standards.

  6. Data Quality Improvement Plans: Develop and execute improvement plans to enhance data quality based on assessment results.

Roles and Responsibilities

  1. Data Governance Committee: Responsible for overseeing data governance initiatives, setting policies, and resolving data-related issues.

  2. Data Quality Manager: Oversees data quality management, collaborates with data stewards, and ensures data quality improvement.

  3. Data Stewards: Responsible for data accuracy, quality, and compliance within their respective data domains.

  4. Data Users: Responsible for inputting accurate data, reporting data quality issues, and adhering to data handling procedures.

Data Protection and Privacy Considerations

Data governance and data quality management must align with data protection principles outlined in the organization's Data Protection Policy. The personal data of the users is protected in a way that guarantees its privacy and prevents it from being accessed without authorization, leaked, tampered with, or misused. The use and processing of personal data must adhere to legal and ethical requirements, as listed below.

Privacy and Personal Data Protection Policy

  1. Digital Personal Data Protection Act, 2023 (DPDPA)


    The Digital Personal Data Protection Act (DPDPA) of 2023 is one of the most significant pieces of legislation affecting the way that FAIPL carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the DPDPA, which is designed to protect the personal data of citizens. It is FAIPL policy to ensure that our compliance with the DPDPA and other relevant legislation is always clear and demonstrable.

    The Digital Personal Data Protection Act (DPDPA) is a comprehensive legal framework that regulates the collection, processing, and transfer of personal data. It establishes rights for individuals, obligations for organizations, and mechanisms for enforcement, aiming to protect individuals' privacy and enhance data security in India.

    All the policies defined below include but are not limited to the way the platform uses any Google user data, should it have access to any of such user data.

    Frammer AI complies with the Google API Services User Data Policy, including the Limited Use requirements. Frammer AI's use and transfer of information received from Google APIs is governed by the Google API Services User Data Policy, including the Limited Use requirement. The policies can be accessed here


    Definitions


    The most fundamental definitions with respect to this policy are as follows:

    • Personal data is defined as: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as names, personal identification numbers, addresses, contact numbers, license numbers, records, personal belongings, bank account and credit card numbers, still or moving user photos, and other personal data, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

    • Personal data breach means the disclosure, publishing, or acquisition of personal data, or the authorizing of access to it, without legal basis, whether intentionally or accidentally.

    • Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


    Principles Relating to Processing of Personal Data


    There are several fundamental principles for data protection and privacy. These dictate that personal data shall:

    • Maintain the privacy of the customer's personal data and protect the rights in accordance with the best practices.

    • Increase customers' trust in services that depend on processing of personal data.

    • Establish principles and legal foundations for personal data protection.

    • Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency') to ensure that there is no unjustified negative impact on the user's interests, and for a clear purpose.

    • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes such as for fulfilling the legal, regulatory, and contractual requirements.

    • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimization').

    • The cybersecurity requirements for protecting and handling data and information must include at least the following:

      • Data and information ownership.

    • The cybersecurity requirements for protecting and handling data and information must be reviewed periodically.

    • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay ('accuracy').

    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ('integrity and confidentiality').

    • The privacy policy shall be shared with the third parties involved, or with customers when requested. We shall ensure the third parties are abiding by the privacy requirements on a continuous basis.

    • Users shall be able to familiarize themselves with the DPDPA before processing their personal data.

    • Users shall be able to obtain a copy of their personal data in electronic format, as authorized by commission.

    • FAIPL must periodically check the commitment of all contracting parties to data processing.

    • A database must be created that includes all basic information for delivery agents, including the dates of their joining FAIPL, the actions taken towards them related to deletion or ban from the platform, and the dates of those actions.

    • Develop proposals to implement the information security risk treatment plan, supported by suitable business cases that include consideration of funding and allocation of roles and responsibilities.


    FAIPL must ensure that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems. The operation of an information security management system (ISMS) standard is a key part of that commitment. Determine the classified data, according to the relevant legislation, that can be used, accessed, or dealt with through remote work systems.


    What Data Do We Collect and Its Purpose


    What data we collect?


    We may receive your personal data as part of the services or for communication. The personal data, whatever its source or form, would expressly identify the individual or make it possible to identify it directly or indirectly, and includes name, personal identification number, addresses, contact numbers, license numbers, records and personal property, bank account and credit card numbers, fixed or moving images of the individual, and other data of a personal nature. The personal data of users is processed for specific and clear purposes for the user. Provide sufficient and skilled resources to support the communication process.


    It includes any process performed on personal data by any means, whether manual or automated, including collection, recording, preservation, indexing, arrangement, coordination, storage, modification, updating, integration, retrieval, use, disclosure, transmission, publication, data sharing or interconnection, blocking, scanning, and destruction.


    Automatic collection of information


    From our website we may automatically capture your Internet Protocol (IP) address when you visit. (Your Internet Protocol address is the number of the computer you are using, which allows other devices connected to the Internet to determine the destination of data from them, and to collect certain information such as browser type and search engine but without personally identifying you.) The website's use of your Internet Protocol address helps to diagnose problems that occur in its servers and helps it to perform the necessary statistics to measure the use of the Portal (the number of visitors and the language of the computer you use), and the Portal does not allow anyone outside its technical team to see your Internet Protocol address.


    Cookies


    Our website may store cookies on your computer when you visit. Cookies are pieces of data that uniquely identify you as a user and can be used to improve your knowledge of the website and better understand your needs and how you use the website. Most browsers are initially set up to accept cookies, and you can also reset your browser to refuse all cookies or to alert you when cookies are being sent.


    Geographical Location


    You may at times be required to consent to the use of your geolocation in order to use some of the services offered by the website. Identifying users' geolocation allows them to benefit from the availability of specific services on the Platform.


    Purpose


    Your personal data will not be processed without taking sufficient steps to verify its accuracy, completeness, timeliness, and relevance to the purpose for which it was collected under the provisions of the regulations. Only the minimum personal data of users needed to achieve the purposes of data processing is to be collected.

    The website applies the highest security standards to protect data and information. Sensitive data and any data that should be kept confidential under legal requirements are encrypted and subject to additional controls and procedures. Sensitive data includes data that reveals an individual's ethnic or tribal origin, religious, intellectual, or political belief, or indicates membership in civil associations or institutions, as well as criminal and security data, biometric data that identifies genetic data, insurance data, health data, location data, credit data and data indicating that one or both of the individual's parents are anonymous.

    Our technical staff is only permitted to manage this information to provide services that are consistent with your needs. We never let any party other than authorized ones know the personal or IP information.


    Rights of the Individual


    The data subject also has rights under the DPDPA. These consist of:

    • The right to be informed.

    • The right of access.

    • The right to rectification.

    • The right to erasure.

    • The right to restrict processing.

    • The right to data portability.

    • The right to object.

    • Rights in relation to automated decision making and profiling.

    Any personal data shall be transferred in a commonly used electronic format with appropriate security measures in place.


    Consent


    Unless it is necessary for a reason allowable in the DPDPA, explicit consent must be obtained from a data subject to collect and process their data. In the case of children under the age of 18, parental consent must be obtained. Transparent information about our usage of their personal data must be provided to data subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

    If the personal data is not obtained directly from the data subject, then this information must be provided within a reasonable period after the data is obtained and within one month. The office can exempt low-volume data-processing establishments from certain personal data protection requirements. Data must be accurate and updated when needed.

    As technology evolves, data handling practices and potential privacy risks also change. Therefore, organizations need to regularly review and update their privacy policies to reflect these changes.

    Keeping users informed about changes to the privacy policy is essential to maintain transparency, ensure compliance, and uphold user trust. Here are some important considerations regarding alerting users about privacy policy updates:

    • Clear Communication: Organizations should communicate privacy policy updates clearly and in a language that is easily understandable by users. Avoid using overly technical or legal language that might confuse users.

    • Notice Period: Provide users with a reasonable notice period before the updated privacy policy comes into effect. This gives users time to review the changes and make informed decisions.

    • Notification Methods: Organizations can use various methods to notify users about privacy policy updates, such as email notifications, pop-up messages on websites or apps, in-app notifications, or even direct mail for physical products or services.

    • Accessibility: Ensure that the notification about privacy policy updates is easily accessible. This might involve displaying the notification prominently on the organization's website or app's home page or in a dedicated section for policies.

    • Informed Consent: Some privacy regulations require users to provide informed consent to updated privacy policies. This might involve having users actively acknowledge the changes before they can continue using the services.

    • Summary of Changes: Provide a summary of the key changes made to the privacy policy. This helps users quickly understand what aspects of data collection, processing, or protection have been updated.

    • Link to Full Policy: Include a link to the full updated privacy policy so that users can review the details if they wish.

    • User Education: Along with the notification, provide educational materials or explanations about why the updates were made and how they might affect users' data and privacy.

    • Opt-Out Option: If feasible and appropriate, provide users with the option to decline the updated privacy policy. However, this might result in the user not being able to use the services.

    • Frequency of Updates: Be mindful of the frequency of updates. Constantly bombarding users with updates might lead to user fatigue. Instead, consolidate changes and notify users when significant updates occur.

    • Consistency: Ensure consistency in the way you communicate updates across different channels and platforms to avoid confusion.

    • Mobile Apps: If your organization has a mobile app, be sure to follow guidelines set by app stores (such as Apple App Store and Google Play Store) regarding privacy policy updates and user notifications.

    • Record Keeping: Maintain records of when notifications were sent and how users were informed about the updates. This can be useful for demonstrating compliance if needed.


    Privacy by Design


    FAIPL has adopted the principle of privacy by design and will ensure that collecting or processing personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments. The privacy impact assessments shall be documented, reviewed, and maintained.

    The privacy impact assessment will include:

    • Consideration of how personal data will be processed and for what purposes.

    • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s).

    • Assessment of the risks to individuals in processing personal data.

    • What controls are necessary to address the identified risks and demonstrate compliance with legislation.

    • Documented verification results.

    Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.


    Transfer of Personal Data

    Intra-group international data transfers must be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.

    We provide secure means to export and transfer data and virtual infrastructure. For more information, refer to the Physical Security Policy.

    Personal data shall not be transferred to any third party without prior written consent of the customer.


    Data Retention


    We will retain and use personal data for the period necessary to comply with our legal obligations. We will destroy personal data as soon as the purpose of collecting it has expired. However, we may retain such data after the purpose of collecting it has expired if everything that leads to specifically identifying its owner has been removed in accordance with the controls specified by the regulations.

    We shall retain personal data even after the purpose of collecting it has expired in the following cases only:

    • If there is a systemic justification that must be retained for a specified period, in which case it shall be destroyed after the end of this period or the expiry of the purpose of its collection, whichever is longer.

    • If the personal data is closely related to a case before a judicial body and its retention is required for this purpose, in which case it is destroyed after the completion of the judicial proceedings of the case.

    • FAIPL is obligated to keep the personal data of the users for specified purposes and periods.


    Breach Notification


    It is FAIPL policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the DPDPA, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours or as per the applicable laws. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

    Under the DPDPA, the penalty for a breach of duty can be up to INR 10,000. The Data Protection Board has the power to issue penalties up to INR 250 crore for breach in observing the obligation of a data fiduciary to take reasonable security safeguards to prevent personal data breach.


    Addressing Compliance to the DPDPA

    The following actions are undertaken to ensure that FAIPL always complies with the DPDPA:

    • The legal basis for processing personal data is clear and unambiguous.

    • All staff involved in handling personal data understand their responsibilities for following good data protection practice.

    • Training in data protection has been provided to all staff for competency.

    • Rules regarding consent are followed.

    • Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively.

    • Regular reviews of procedures involving personal data are carried out whenever there is a change or at least annually, and the changes shall be communicated to internal and external users appropriately and in a timely manner.

    • Privacy by design is adopted for all new or changed systems and processes.

    • The following documentation of processing activities is recorded:

      • Organization name and relevant details.

      • Purposes of personal data processing.

      • Categories of individuals and personal data processed.

      • Categories of personal data recipients.

      • Personal data retention schedules.

      • Relevant technical and organizational controls in place.


    These actions will be reviewed regularly as part of the information security management system's management review process.