DPDP Act Compliance
Digital Personal Data Protection Act, 2023 · Last updated July 2026
This page summarises how CredAssist supports its customers' obligations under India's Digital Personal Data Protection Act, 2023 (DPDP) and the DPDP Rules, 2025.
Our role: Data Processor
For borrower and transaction data uploaded by a customer, the customer NBFC or firm decides the purpose and means of processing and is the Data Fiduciary. CredAssist processes that data only on the customer's documented instructions and is a Data Processor. We enter into a Data Processing Agreement (DPA) with every customer that sets out, contractually:
- India data residency — application data is hosted on infrastructure physically located in India.
- Purpose limitation — client data is used solely to deliver the analyses the customer runs, never for our own purposes, never across tenants, never for advertising.
- Security safeguards — encrypted transport, per-tenant isolation, hashed credentials, access logging with at least one-year retention, and least-privilege operational access.
- Breach notification — we notify the affected customer without undue delay on becoming aware of a personal data breach affecting their data, with the information they need for their own notifications to the Data Protection Board and Data Principals.
- Sub-processor transparency — our infrastructure providers are disclosed in the DPA, and changes are notified.
- Deletion and return — customers can delete uploads and runs in-product at any time; on exit, data is deleted or returned on written instruction.
- Audit support — we support customer audits and regulator inspection rights as required by RBI outsourcing directions applicable to our customers.
What customers remain responsible for
As Data Fiduciaries, customers remain responsible for the lawful basis of their processing: obtaining borrower consent or relying on a legitimate use, issuing notices, honouring Data Principal rights (access, correction, erasure, grievance), and their own breach notifications. CredAssist provides the tooling and contractual support to make those obligations practical to meet.
Data Principals (borrowers)
If your personal data was uploaded to CredAssist by a lender, that lender is the Data Fiduciary for your data. Please direct any access, correction or erasure request to the lender; we act on their instructions and will support the fulfilment of your request. If you believe your data is being processed on our systems unlawfully, you may also write to team@credassist.co.in and we will route the matter to the relevant customer without delay.
Contact
Data protection questions, DPA requests, and vendor due-diligence questionnaires: team@credassist.co.in.
The DPDP Rules, 2025 phase in through 2026–2027. We track the compliance timeline and update our practices and this page as obligations come into force. This summary is provided in good faith and does not constitute legal advice.