This Privacy Policy describes how AuthBridge Research Services Private Limited & its subsidiaries (collectively referred to as “AuthBridge” ) collect, process, use, store and protect the personal data collected as part of its Due Diligence Services. AuthBridge may also process the Personal Data (as defined herein after) to maintain quality and efficiency of the services.

AuthBridge is committed to protecting the privacy and confidentiality of Personal Data of its Clients and their vendors/partners and ensuring that any Personal Data supplied by its Clients or collected on behalf of its Clients is processed fairly, lawfully and in a transparent manner.

The Personal Data collected for providing Vendor Due Diligence Services may belong to an individual or a business or an entity (as the case may be). However, this Privacy Policy applies to the data belonging to an individual/identifiable individual only.

Thus, this Policy applies to the processing of Personal Data of an individual submitted directly by the individual, or by an entity (or by a representative of such entity) or by AuthBridge client via this online application or through email or any other mode.

Personal Data means any data relating to identified or identifiable natural person (Personal Data)

AuthBridge generally collects/receives the following Personal Data for Vendor Due Diligence Services:

• Name (of company director, owner, partner, authorized representatives etc.)
• Contact Number, E-mail ID
• Address Details
• Identity Details
• Professional Reference
• Date of Birth
• DIN (received from MCA)

Sensitive Personal Data means a “special category” of Personal Data.

AuthBridge collects the below mentioned Sensitive Personal Data for providing Vendor Due Diligence Services

• Credit and financial details (Bank Account Number, Bank Statement)

Hereafter, Personal Data and Sensitive Personal Data shall collectively be called as “Personal Data”.

The extent of Personal Data collected for an individual would vary depending on the Vendor Due Diligence checks agreed with the Client.

AuthBridge obtains Personal Data in an authorized manner for legitimate business purposes only. Personal Data is collected via triggering a link to the authorized person over an email to further login and fill the online form or it may be shared over email in some scenarios.

The responsibility of informing the individuals (whose Data is being shared) and obtaining their consent for processing their Personal Data for undertaking Vendor Due Diligence lies exclusively with the Vendor Entity and AuthBridge client who is furnishing such Personal Data to AuthBridge. Client and Vendor entity must ensure compliance to applicable laws. Moreover, wherever an individual is also directly submitting self-details on AuthBridge online application, notification is shared, and consent is obtained.

AuthBridge shall undertake verification of the details of the owner, proprietor, director or any other concerned person of such Vendor Entity (“Verification subject”), submitted by the Vendor Entity, only on instruction of its clients and in line with contractual agreement.

The Personal Data collected through this application is used only for the purpose of providing Vendor Due Diligence Services i.e. undertaking verification of the Verification Subjects. The records of processing activities are maintained by AuthBridge.

In the event AuthBridge undertakes any trend analysis of verification results and discrepancies, no Personal Data is used by AuthBridge for such analysis.

AuthBridge shares the Personal Data collected for verification with its authorized employees to perform the Service-related tasks.

In general, Vendor Due Diligence is conducted by AuthBridge using our proprietary database and research methodologies.

In case any check as agreed by the Client requires sharing of Data with any third party, it may be shared only if it is necessary for the performance of a lawful contract between AuthBridge and its Client(s). AuthBridge always binds its employees and third-party service providers to confidentiality and privacy agreement for processing the Data for authorized purpose only and having similar/high standard of protection with respect of such Personal data.

AuthBridge is committed to handling Data of any Verification Subject in a way that provides the Client’s and Vendor Entities comfort and confidence. AuthBridge is a certified ISO/IEC 27001:2013 organization and has appropriate technical and organizational information security measures in line with the international standard and applicable privacy regulations.

AuthBridge IT infrastructure is hosted on Amazon Web Services (AWS), a cloud computing platform with end to end security and privacy controls. AuthBridge has a legal contract and confidentiality contract signed with the cloud service provider. The access on the servers/data is limited to authorized personnel of AuthBridge only.

Any Personal Data is classified as Confidential(PI) as per AuthBridge information classification policy. Periodic risk assessment activity is conducted by AuthBridge and based on assessment, suitable security controls are identified and implemented to protect Data from any unauthorized disclosure, access, loss, misuse, or alteration.

The various security measures consist of privacy controls such as purpose limitation, data minimization, Personnel Security including background checks & Privacy awareness, Physical security and IT security controls including but not limited to access controls, system security, network security, communication security, application security, encryption, multi-factor authentication, vulnerability assessments, log monitoring, Incident Management and Internal/ External Audits etc.

As AuthBridge collects any Personal Data only on behalf of its Client, it is retained as per the retention period defined by/agreed with the Client or as per AuthBridge’s retention policy if not defined by the Client.

AuthBridge neither knowingly collect personally identifiable data from anyone under the age of 18 (minors) nor provide any services to them. We request the Vendor Entity or AuthBridge’s Client to meet the applicable legal compliances and let us know in advance if Data of any minor is being shared with AuthBridge for any purpose.

To withdraw consent or request to update/delete any Personal Data or any other related query, we encourage the Vendor Subject/Entity to speak to the AuthBridge’s Client they have the engagement with. On receiving such requests from the Client, AuthBridge will immediately act upon the same.

If the Data of EU (European Union) subject is being shared with AuthBridge, the EU Data Subject shall have the following rights with respect to their Data, subject to conditions and restrictions set out in the applicable laws-

• To know about their Data being processed or request a copy
• To request the correction/update, erasure of the Data, or the restriction of the processing
• To object to AuthBridge’s processing of the Data or to withdraw consent
• To lodge a complaint with the applicable regulatory/ supervisory authority

If a Data Subject wish to exercise any of the above rights under the applicable law, such Data Subject will be required to contact the Vendor Entity (who has shared such data with AuthBridge) or to connect with the AuthBridge's Client they are/were engaged with. On receiving the communications from its Clients about the request, AuthBridge will immediately act upon the same in accordance with the applicable law.

If you have any further query on this privacy policy, then please send email to our Privacy office at privacy@authbridge.com

AuthBridge may review and update this privacy policy from time to time. To keep the concerned parties informed, AuthBridge will amend the revision date on top of this policy.