AuthBridge is engaged to provide verification services (the “Services”) to its clients (“Clients”). For the purpose of compliance with relevant data privacy laws, the Client is the Data Controller/Fiduciary and unless otherwise notified, AuthBridge shall be the Data Processor and undertake processing of the personal data on its client’s behalf and under its instructions.

The purpose of this privacy statement is to explain how AuthBridge Research Services Private Limited & its subsidiaries (“AuthBridge” “we,” “us,” or “our,” if not explicitly referring to one company)) collect, process, store, use, transfer, and protect your Personal Data (as defined herein after) for providing service to our clients’ customers via this application.

AuthBridge is committed to protecting the privacy and confidentiality of Personal Data about its Clients, candidates, its employees, partners and customers and ensuring that any Personal Data including the Personal Data supplied by/ collected on behalf of its clients or otherwise generated by its business activities is collected and processed fairly and lawfully.

This Statement applies to AuthBridge, AuthBridge’s clients or individuals who furnish the Personal Data to AuthBridge’s client or on behalf of AuthBridge’s client, directly submit to AuthBridge on this platform. This policy is applicable on the Personal Data collected for customer, on behalf of the client, for whom the services of TruthScreen have been taken.

Applicable Data Protection Law: Applicable Data Protection Laws means the relevant local and/ or international laws/ regulations basis the jurisdiction where the individual resides or located, whose personal data is processed by an organisation. Some of the applicable data privacy laws to AuthBridge are General Data Protection Regulation (GDPR) and Digital Personal Data Protection Act (DPDPA).

Personal Data: Personal Data is any data relating to an identified or identifiable natural person. This Personal Data may be further categorised as below, basis the jurisdictional Data Protection Laws:

- Sensitive Personal Data: Sensitive Personal Data is a specific set of “special categories” that must be treated with extra security.

Data subject/ Data Principal/ Individual: Means any identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity. This may include the below, as per the jurisdictional Data Privacy Law:

- a child, includes the parents or lawful guardian of such a child;

- a person with disability, includes her lawful guardian, acting on her behalf.

Here the individual, who is the customer to AuthBridge’s client and whose verification is to be done for such client’s services via TruthScreen is the Data Subject (Verification Subject).

Processing: Means any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.

Data Controller/ Fiduciary: Means a person, company or other body which determines the purposes and means of processing the personal information.

Consent: Means any freely given, specific, informed and unambiguous indication of an individual permission by which he or she signifies/ indicates agreement to the processing of personal data relating to him or her.

Data Processor: Means a person, company or other body who processes data on behalf of Data Controller/ FIduciary.

Sub-processor: Means a person, company or other body used by the Data processor to assist in its processing of personal data for a controller.

Personal Data Breach: Means a security event leading to the accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information.

Personal Data collected on TruthScreen application may vary as per Client’s scope of work agreed with AuthBridge. The Personal Data collected via TruthScreen will include but not be limited to:

• Individual details (such as -Name, Date of Birth, Gender)
• Birth country, Birth City
• Contact number (mobile, residence), E-mail ID
• family details (parents’ name)
• address details.
• Identity details/ document (Passport/Driving License/PAN card/Voter card/Aadhaar)
• Professional Membership/ Registration number
• Photograph
• Electronic signature
• IP address, GPS
• UAN
• Electricity bill Service number
• Vehicle registration number
• Ration card number
• Marital status

TruthScreen may collect following Sensitive Personal Data, including but not limited to:

• credit and financial details
• Biometric data (for facial recognition)

Personal Data is collected from the Verification Subject or from the Client directly on the platform - TruthScreen or via Application Program Interface (“API”) or indirectly through other business process application serving the Clients.

In some cases, the Personal Data processing for screening might generate some additional Personal Data as an output of the processing which is also protected under this Privacy Policy.

It is the responsibility of the client (Data Controller/ Fiduciary) to obtain the Consent for the purposes of the verification to be done via this platform.

In general, our client (i.e., the entity for which you are the customer) is the Data Controller/ Fiduciary of personal data and determines the means and purposes for processing your personal data.

Our client determines the lawful basis for such processing being Data Controller/Fiduciary. AuthBridge strictly processes the data in accordance with its client's contractual instructions.

AuthBridge, with partnerships globally, may need to transfer individual’s Personal Data to third party service providers including overseas' partners/ entities, verification sources as necessary for the performance of a lawful contract in accordance with its clients. Any such information transferred shall be subject to appropriate data privacy regulations and shall be strictly in accordance with the contractual obligations as agreed between us and our clients.

AuthBridge does not disclose Personal Data to any third party unless such disclosures would be necessary for AuthBridge provision of its business functions or for the provision of the service to the Client(s). Such necessary disclosures would occur strictly in accordance with applicable laws and may include:

- AuthBridge’s Internal employees to undertake and fulfil its business activities.
- AuthBridge’s third party service providers/ verification source/ third-party websites for providing the support in aiding the verification process.
- Any other Institutions you are registered with or where your records are available/ obtained from
- Where AuthBridge is under an obligation to disclose Personal Data to any governmental or statutory body to comply with applicable laws, regulations, regulatory requests/notices in the public interest.

• AuthBridge is certified to ISO/IEC 27001:2013 and this international standard defines the requirements for an Information Security Management System (ISMS) and is also SoC-2 Type II certified. AuthBridge’s processes and security controls provide an effective framework for protecting our clients’ and our business information, including personal data.
• We maintain organizational and technical measures for all the personal data we hold. We have protocols, controls, and relevant policies; procedures; and guidelines to maintain these controls, considering the risks associated with the categories of personal data and the processing we undertake.
• We regularly monitor our systems to mitigate possible vulnerabilities and attacks. However, we cannot guarantee or warrant the security of any information transmitted via our websites.
• Our website and the server on which it is hosted is at AWS Mumbai. There are reasonable and appropriate controls also at AWS to secure your data against any accidental or unlawful loss, access or disclosure. For more details visit https://aws.amazon.com/privacy/
• We employ procedures, including contractual obligations, and require all third parties to respect the security of personal data about you and to treat it in accordance with the law. We do not grant permission for our third-party service providers to use personal data about you for their own purposes and only grant permission for them to process personal data about you for specified purposes and in accordance with our instructions.

You have the following rights with respect to your Personal Data that we process, subject to the conditions and restrictions set out under the applicable laws and basis the jurisdiction in which you reside.

• Right to access: You are entitled to obtain a copy of your personal information, together with an explanation of the categories of data being processed, the purposes of such processing, and the details of third parties to whom the data may have been disclosed.
• Right to rectification: You are entitled to correct or update your personal information available with us.
• Right to object to and / or restrict processing: You have the right to object to and / or restrict the processing or sharing of your data in some circumstances such as restrict the processing of personal data for criminal checks, or for direct marketing purposes.
• Right to data portability: You are entitled to obtain and reuse your personal information. You can either obtain the information from us and provide it to a third party or ask us to transfer your personal information directly to a third party.
• Right to withdraw or opt-out: You have right to withdraw your consent for any or all of the purposes for which your personal data has been collected provided at any time by contacting us.
• Right to not be discriminated against for exercising your individual rights regarding your personal data.
• Right to nominate (in the manner prescribed by the Central govt.) any other individual to exercise the above-mentioned rights, in the event of the death or incapacity (unsoundness of mind or infirmity of body) of the data principal.
• Right to complain and obtain redressal: You have the right to lodge a complaint with the competent supervisory authority, depending upon your jurisdiction, to obtain redressal.

Under privacy legislation your rights are exercisable against the Data Controller/ Fiduciary.i.e, AuthBridge’s Client and therefore you should direct your requests to them at the address they provide to you.

On receiving the communications from its clients about your request, AuthBridge will act upon the same in accordance with the applicable law.

The CIR users, for the purpose of exercising their data subject right, can directly raise a request with AuthBridge, AuthBridge being the authorised agent of such CIR users.

AuthBridge does not undertake processing of personal data belonging to a minor (as defined under the applicable data privacy regulations), expect in cases, where its clients have obtained due consent from the parent/lawful guardian of the minor in accordance with the applicable regulations.

As AuthBridge collects your Personal Data only on behalf of its client, it is retained as per the retention period agreed with such client by way of a written agreement.

We commit to handle your Personal Data in a way that provides you trust and confidence. However, if at any time you have concerns over the handling of your Personal Data you are encouraged to contact your employer/AuthBridge's client you have engagement with.

If you wish to contact AuthBridge for any privacy related query/concern, please send an email at privacy@authbridge.com Or mail to:

AuthBridge’s Data Privacy Office (Dept-Compliance)
AuthBridge Research Services Pvt. Ltd.
Plot No. 123, II Floor, Udyog Vihar,
Phase IV – Gurgaon – 122 015
Haryana, India