Legal
Data Protection Framework
A technical and organisational summary of how SideCash.ai protects personal data, complementing the Privacy Policy.
This document is a high-quality working draft prepared for product development. It must be reviewed and approved by qualified Indian legal counsel (including DPDP Act 2023 compliance review) before production use. Last updated: 9 July 2026.
1. Legal basis and alignment
SideCash.ai is designed around the Digital Personal Data Protection Act, 2023 (DPDP): purpose-limited collection, granular consent with records, data minimisation, security safeguards, breach notification readiness, and grievance redressal. Formal DPDP compliance certification and legal sign-off are pending and tracked in our production checklist.
2. Data categories and minimisation
We separate data by sensitivity: account/profile data, masked identity references (for example PAN last 4 digits), encrypted identity values, payout references, work product, and audit metadata. Interfaces default to the least sensitive representation that does the job; full values exist only where a payment or verification system needs them.
3. Access control model
Access is enforced server-side by a capability model: role determines capabilities, and attribute checks (team, region, project, workflow state, sensitivity) bound their reach. Notable rules:
- Team leads and ops managers: masked identity data only, within their teams or regions.
- Finance: payout ledgers and batches with masked identities; no KYC document browsing.
- Compliance: KYC review with document access that requires a written reason and is always audited.
- Directors: analytics and approvals; sensitive document viewing is not part of the role.
- Founder break-glass access exists, still passes capability checks, and is logged at critical risk level.
4. Retention schedule
Placeholder schedule pending legal review:
- Account and profile data: life of account + 90 days.
- Identity verification records: as required by KYC/AML rules (placeholder).
- Payout and tax records: statutory retention (placeholder, typically 7-8 years).
- Project recordings: per client contract, with worker deletion rights before client approval.
- Audit logs: minimum 3 years (placeholder).
5. Security measures
- TLS for all traffic; secure headers; deny-by-default authorisation.
- Encrypted fields for identity and payout values (KMS-backed envelope encryption in production).
- Masked display everywhere outside restricted systems.
- Comprehensive audit logging with sanitisation so full identifiers can never enter logs.
- MFA for internal admin roles, rate limiting, and WAF planned before production (see checklist).
6. Breach response
We maintain an incident register with severity and ownership. In the event of a personal data breach we will notify the Data Protection Board of India and affected users as required by the DPDP Act. The full incident response runbook is part of the production hardening checklist.
7. Processors and clients
External providers (verification, payments, storage, communications) operate under data processing agreements (placeholders in this release). Clients receive project data under contracts that prohibit re-identification attempts and restrict use to the stated purpose.