Data Protection, Privacy

Your data, respected.

The group policy for how HyperNext protects personal data, both as a custodian of the data we hold and as a processor of the data our customers entrust to our infrastructure. For our Indian campuses it is built around the Digital Personal Data Protection Act 2023; our international campuses follow the data-protection law that applies to them.

  • India: DPDP Act 2023
  • Principle: Lawful and fair
  • By design: Privacy and security
  • Rights: Honoured

  • Classification: Public
  • Version: 1.0
  • Effective: February 2024
  • Applies to: All HyperNext entities

A LETTER FROM OUR CHIEF EXECUTIVE

On the personal data entrusted to us

Personal data is among the most sensitive things anyone entrusts to a business. As we build the infrastructure of India's digital and AI economy, we are conscious that we hold personal data of our own, and that our customers run systems containing the personal data of millions of people on our infrastructure. That trust is at the heart of this policy.

For our Indian campuses, this policy is built around the Digital Personal Data Protection Act 2023, alongside the Information Technology Act 2000 and the rules made under it. Our international campuses follow the data-protection law that applies to them. We process personal data lawfully, fairly and securely, we honour the rights of the people it belongs to, and we treat customer personal data as their data, not ours.

Privacy is not a one-off compliance exercise. We design for privacy and security from the start, we measure how we are doing, and we hold ourselves accountable for getting it right. Every HyperNext employee and every partner working with us is expected to do the same.

Harsh Macwan, Chief Executive Officer, HyperNext Data Center Limited · on behalf of the Board · February 2024

DOCUMENT CONTROL

Status, ownership and version history

  • Policy title: Data Protection and Privacy Policy
  • Classification: Public
  • Version: 1.0
  • Effective date: February 2024
  • Policy owner: Office of the Data Protection Officer
  • Approved by: The Board of HyperNext Data Center Limited
  • Next review: February 2025, or earlier on material or legal change
  • Applies to: All HyperNext entities, their people and processors acting on their behalf

Version history

  • Version 1.0: February 2024, initial issue, approved by the Board of HyperNext Data Center Limited.

01

Purpose, scope and applicability

This policy governs how HyperNext collects, uses, stores, shares, transfers and protects personal data, both the data we determine the use of and the data we process on behalf of our customers. It sets the minimum standard across the group, against which subordinate procedures and contractual terms are aligned.

Law and standards

For our Indian campuses, Indian law applies, principally the Digital Personal Data Protection Act 2023, together with the Information Technology Act 2000 and the rules made under it. Our international campuses follow the data-protection law that applies to them, which may include the European Union General Data Protection Regulation and other comparable laws. Where a customer or law sets a stricter standard than this policy, the stricter standard applies.

The policy is implemented through subordinate standards on consent and notice, data subject rights, breach management, retention, cross-border transfers and supplier engagement.

Who it applies to

  • All HyperNext entities, their permanent and temporary employees, contingent workers and contractors.
  • Processors and sub-processors who handle personal data on our behalf.
  • Any system, service or facility through which personal data is collected, processed or stored by HyperNext.
02

Our role: data fiduciary and data processor

Under the Digital Personal Data Protection Act 2023, HyperNext acts in two roles. Our duties differ in each, and this policy makes the distinction explicit.

Data Fiduciary
  • When we are in it: Personal data we determine the purpose and means of processing for: employees, candidates, suppliers' contacts and our own customer contacts.
  • What we are accountable for: Lawful basis, notice, consent management, rights of Data Principals, security, retention, breach notification and accountability.

Data Processor
  • When we are in it: Personal data hosted, transmitted or stored by customers on our infrastructure.
  • What we are accountable for: Acting only on documented customer instructions, securing the data, assisting the customer on rights and breach, and controlling sub-processors.

We do not use customer personal data for our own purposes, including for the training of any model.

03

Principles of processing

We process personal data according to a consistent set of principles, wherever we operate, that are aligned with the Digital Personal Data Protection Act 2023 and with internationally accepted norms.

  • Lawful, fair and transparent: processed on a valid legal basis and in a way people would reasonably expect.
  • Purpose limitation: collected for specified, explicit purposes and not used in incompatible ways.
  • Data minimisation: limited to what is necessary for the purpose.
  • Accuracy: kept accurate and, where needed, up to date; reasonable steps to correct errors.
  • Storage limitation: kept only as long as necessary, then deleted or anonymised.
  • Integrity and confidentiality: protected by appropriate technical and organisational safeguards.
  • Accountability: we can demonstrate our compliance through documentation, training, audit and review.
04

Lawful basis, consent and notice

Where we act as a Data Fiduciary, we process personal data on a lawful basis. Under the Digital Personal Data Protection Act 2023, that is principally the free, informed, specific, clear and unambiguous consent of the Data Principal, or a legitimate use permitted by the Act.

Notice

Before or at the time we ask for consent, a notice is provided in clear and plain language describing the personal data being processed, the purpose for which it is processed, how a Data Principal can exercise their rights and how to make a complaint.

Consent

Where consent is the basis, it is collected through clear, affirmative action, with separate consent for separate purposes where it makes sense, and can be withdrawn as easily as it was given. We record consents, withdrawals and the version of the notice on which they were given. Where the law provides for a Consent Manager, we are able to interoperate with one.

Legitimate uses

Where we rely on a legitimate use permitted by the Act, for example employment matters, compliance with a court order, or response to a medical emergency, we do so only within the limits the Act sets.

Children

The personal data of children, and of persons with disabilities for whom a lawful guardian acts, is handled with the additional care the Act requires, including verifiable parental or guardian consent and a prohibition on harmful tracking or targeted advertising.

05

Rights of data principals

Where HyperNext is the Data Fiduciary, we honour the rights the law gives to Data Principals. Where we are a processor, we support our customers in honouring those rights.

Requests are verified for identity, logged, tracked and answered within the timelines set by the law. Requests that are manifestly unfounded or excessive may be declined with reasons given to the Data Principal.

  • Access: a summary of the personal data we process about them and the processing activities undertaken.
  • Correction and completion: of inaccurate, misleading or incomplete personal data; and updating where required.
  • Erasure: of personal data that is no longer necessary for the purpose, subject to legal retention obligations.
  • Grievance redressal: a readily available channel to raise concerns, with a defined response timeline.
  • Nomination: the right to nominate another individual to exercise rights in the event of death or incapacity.
06

Data protection by design and by default

We design new services, products and changes so that privacy is the default outcome, not an afterthought, and so that personal data is protected throughout its life.

  • Data-protection impact assessments for new or significantly changed processing that may pose higher risk to Data Principals.
  • Minimisation of data collection, retention and access from the outset.
  • Privacy-protective defaults: settings, sharing and visibility configured for the most protective option unless the Data Principal chooses otherwise.
  • Pseudonymisation, aggregation and de-identification where they reduce risk without losing utility.
07

Security safeguards

We protect personal data with reasonable security safeguards as the law requires and as good practice demands. The detail of those safeguards sits in our Information Security Policy, with which this policy works hand in hand.

  • Access on a need-to-know basis, with strong authentication and least-privilege authorisation.
  • Encryption of personal data in transit and at rest, and secure key management.
  • Logging, monitoring, tested backups and a tested ability to restore service.
  • Hardened systems, vulnerability and patch management on time-bound service levels.
  • Privacy and security considered together in design, change and incident management.
08

Processing on behalf of customers

Most of the personal data on our infrastructure belongs to our customers' systems. For that data, the customer is the Data Fiduciary and we are a processor. Our role is to handle it on their instructions, protect it, and help them meet their own obligations.

  • We process customer personal data only on documented instructions and under a written contract.
  • We do not access customer content except as needed to provide and secure the service, or as the law requires; any such access is approved, logged and reviewed.
  • We assist customers with security, breach notification and Data Principal rights.
  • We flow our obligations down to any sub-processor we engage, and we maintain a list of sub-processors available to customers.
  • On termination, we return or delete customer personal data on the customer's instructions, subject to legal retention obligations.
09

Cross-border transfers

Where personal data moves across borders, for example between our Indian and international campuses, we transfer it only where the law allows and with appropriate safeguards.

Transfers comply with the restrictions and conditions of the applicable law, including the Digital Personal Data Protection Act 2023 and the rules and notifications made under it for data originating in India. Customer instructions on data location are respected, and we are transparent with customers about where their data is processed.

10

Personal data breach management

A personal data breach is handled through our incident response process, with the additional steps the law requires.

  • We detect, contain and investigate the breach without delay.
  • Where we are the Data Fiduciary, we notify the Data Protection Board of India and affected Data Principals as the law requires.
  • Where we are a processor, we notify the affected customer promptly so they can meet their obligations.
  • We engage CERT-In where the law requires, and we cooperate with regulators and law enforcement where appropriate.
  • We review every breach and act to prevent recurrence; lessons are tracked to closure.
11

Retention and deletion

Personal data is kept only as long as it is needed for its purpose or as the law requires, and is then deleted or anonymised securely.

Retention periods are defined in a retention schedule maintained for each category of personal data we process as Data Fiduciary. For data we process on behalf of customers, retention and deletion follow the customer's instructions and contract. Media and equipment are sanitised securely at end of life, and the act of destruction is recorded.

12

Governance, grievance and assurance

Data protection is owned at executive level and overseen by the Board, with a clear way for people to raise concerns and independent assurance that we do what we say.

  • Board / Audit and Risk Committee: Approve this policy and oversee privacy risk and incidents.
  • Data Protection Officer: Owns the privacy programme, advises the business, and acts as the contact for Data Principals and the Data Protection Board of India.
  • Grievance Redressal Officer: Receives and resolves Data Principal grievances within the timelines the law requires.
  • System and information owners: Apply privacy controls to the systems and information they own.
  • All staff and third parties: Handle personal data correctly and report concerns through the channels provided.

Training

Our people receive privacy training at induction and at least annually, with role-specific training for those who handle personal data routinely.

Assurance

Privacy controls are audited internally, and external assessments are conducted as customer and regulatory expectations require. The policy is reviewed at least annually and on legal change. Where HyperNext is notified that it is a Significant Data Fiduciary, the additional obligations of that designation are met.

DEFINITIONS & REFERENCES

Definitions and references

Key terms

Personal data
Any data about an identifiable individual.
Data Principal
The individual to whom personal data relates.
Data Fiduciary
The party that determines the purpose and means of processing personal data.
Data Processor
A party that processes personal data on behalf of a Data Fiduciary.
Processing
Any operation performed on personal data, from collection to deletion.
Consent Manager
A registered person enabling Data Principals to give, manage, review and withdraw consent.
Personal data breach
Any unauthorised processing of, accidental disclosure of or compromise of the security of personal data.

Laws

  • Digital Personal Data Protection Act 2023 (India), for our Indian campuses.
  • Information Technology Act 2000 and the rules made under it, including the Reasonable Security Practices Rules (India).
  • Applicable data-protection law for our international campuses, including the European Union General Data Protection Regulation where it applies.

Standards

  • ISO/IEC 27701 privacy information management, as a guiding reference.
  • ISO/IEC 27018, for personal data in public-cloud environments.

Privacy questions, or a request to exercise a right, can be sent to confidential@hypernxt.com.

Request the signed PDF

This page reproduces the published policy in full. For a signed, classification-marked PDF copy for your records, audit or due-diligence pack, email governance@hypernxt.com and we will send it across.
