General Data Protection Regulation
ARAGENEX SOLUTIONS
GDPR COMPLIANCE POLICY
OUR COMPLIANCE FOR GDPR
Based on the requirements set out in the General Data Protection Regulation (EU) 2016/679 (“GDPR”), this compliance policy sets out the steps that Aragenex Solutions Private Limited (hereinafter referred to as “Aragenex Solutions”) is taking to ensure full compliance with the GDPR.
This regulation is designed to protect an individual’s personal data. In addition to giving EU/EEA/UK citizens control of their personal data, the GDPR also aims to unify data protection laws across the European Union and the European Economic Area (EEA).
GDPR PRINCIPLES WE COMPLY WITH
In accordance with GDPR Article 5, below are the principles that Aragenex Solutions complies with for all personal data:
✅ Collected for specified, explicit and legitimate purposes
✅ Adequate, relevant and limited to what is necessary in relation to the purposes
✅ Accurate and kept up-to-date
✅ Kept for no longer than necessary
✅ Processed in a manner that ensures appropriate security
✅ Accountability – We can demonstrate compliance with all principles
OUR ROLES UNDER GDPR
As Data Processor
When providing services to our clients (website development, mobile app development, e-commerce solutions, digital marketing, IT resource augmentation), Aragenex Solutions acts as a Data Processor as per Article 4 of the GDPR.
Our responsibilities as Data Processor:
- Process personal data only on documented instructions from the data controller (our client)
- Ensure personnel processing data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the controller in responding to data subject rights requests
- Notify the controller without undue delay of any personal data breach
- Delete or return all personal data to the controller after the end of service provision
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the controller
As Data Controller
For our own business operations (marketing, HR, customer relationship management), Aragenex Solutions acts as a Data Controller as per Article 4 of the GDPR.
Our responsibilities as Data Controller:
- Determine the purposes and means of processing personal data
- Obtain appropriate consents from data subjects where required
- Provide transparent privacy notices to data subjects
- Facilitate data subject rights (access, rectification, erasure, etc.)
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Report personal data breaches to supervisory authorities within 72 hours
- Maintain records of processing activities (Article 30)
PROCEDURES IMPLEMENTED (ARTICLE 5 & 6 COMPLIANCE)
1. HIGH LEVEL DATA FLOW MAPS
We maintain comprehensive high-level data flow maps for all processing activities where we act as a data processor on behalf of our clients (Article 4 of the GDPR).
Purpose of Data Flow Maps:
- Help our clients understand how their data flows within the Aragenex Solutions environment
- Identify who has access to the data
- Document data lifecycle from collection to disposal
- Demonstrate transparency and accountability
- Support compliance with Article 30 (Records of Processing Activities)
Data Flow Map Components:
- Data sources and entry points
- Data categories and subjects
- Processing activities and systems used
- Data storage locations and methods
- Personnel with data access
- Data recipients and third-party transfers
- Data retention and deletion processes
2. GDPR DATA MAPS
In accordance with GDPR compliance requirements, it is important for Aragenex Solutions and our clients to understand what data falls under GDPR and how to handle it appropriately.
We use GDPR Data Map templates to provide Aragenex Solutions and our clients with a clear understanding of exactly what data we possess and how that data moves through our organization.
Key elements maintained in our data maps:
A. How Was the Data Collected?
We document the source and method of data collection:
- Website contact forms and inquiry submissions
- Client-provided data for project work
- Email and phone communications
- Job applications through our careers portal
- Business card exchanges and networking events
- Third-party sources (with appropriate legal basis)
- Social media interactions
- Cookie and analytics data from our website
B. What Personal Data is Aragenex Solutions Collecting?
We collect personal data of data subjects in line with the GDPR, and this DOES NOT include:
❌ Processing of mission-critical personal data
❌ Processing of special category personal data (Article 9: health, race, religion, biometric, genetic data, etc.)
❌ Processing of children’s data (Article 8: under 16 years)
❌ Processing of data concerning criminal convictions and offences (Article 10)
Personal Data We Collect:
Standard Personal Data:
- Name, email address, phone number
- Company name, job title, business address
- IP address, browser information, device data
- Website usage and analytics data
- Business communications and correspondence
- Resumes/CVs (for recruitment)
- Financial information (for invoicing and payments)
Legal Basis for Processing:
- Consent (Article 6(1)(a)) – For marketing communications
- Contract Performance (Article 6(1)(b)) – For service delivery
- Legal Obligation (Article 6(1)(c)) – For tax and regulatory compliance
- Legitimate Interests (Article 6(1)(f)) – For business operations, fraud prevention, security
C. Why is the Data Being Collected?
When Acting as Data Processor: The purpose for collecting personal data is determined by our data controller (our client), typically:
- Service delivery (website/app development, e-commerce, digital marketing)
- Project management and execution
- Technical support and maintenance
- As per client instructions and contract
When Acting as Data Controller: We collect data for:
- Business marketing and lead generation purposes
- Customer relationship management
- HR and recruitment activities
- Service improvement and analytics
- Legal and regulatory compliance
- Financial administration (invoicing, payments, accounting)
D. How is the Data Stored, Processed, and Who Has Access?
As per GDPR compliance (Article 4(2) and (6)), it is important to document how data is stored, processed, and who has access.
Storage and Processing:
- Location: Primary data centers in EU/EEA (AWS Ireland, Google Cloud Europe) for EU client data
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Systems: Secure cloud infrastructure (AWS, Google Cloud, Microsoft Azure)
- Backups: Encrypted backups stored securely with 90-day retention
- Access Controls: Role-Based Access Control (RBAC) with Multi-Factor Authentication (MFA)
Personnel with Access:
- Project managers and developers (for client project data – need-to-know basis only)
- Marketing team (for marketing database – with appropriate consents)
- HR team (for employee and recruitment data)
- Finance team (for financial and billing data)
- IT security team (for system administration and security monitoring)
- Data Protection Officer (for compliance oversight and auditing)
Access Principles:
- Principle of least privilege
- Regular access reviews (quarterly)
- Immediate access revocation upon role change or termination
- All access logged and monitored
- Confidentiality agreements signed by all personnel
E. When is This Data Disposed?
As per GDPR compliance, it is important to document when and how Aragenex Solutions disposes of personal data.
As Data Processor (for Client Projects):
All personal data collected on behalf of the data controller shall be disposed of:
✅ Within 3 months (90 days) from the date it has been delivered to the controller, OR
✅ Within the duration agreed with the controller in the Data Processing Agreement,
whichever is shorter.
Additional Disposal Procedures:
- Upon client request for immediate deletion
- Upon termination of Data Processing Agreement
- Secure deletion from all systems including backups within the specified timeframe
- Deletion logs maintained for audit purposes
- Certificates of deletion provided to clients upon request
As Data Controller (for Our Own Data):
| Data Category | Retention Period | Disposal Method |
|---|---|---|
| Marketing data | Until consent withdrawn | Secure deletion within 30 days |
| Client business communications | 7 years after project completion | Automated secure deletion |
| Employee records | 7 years after employment termination | Secure deletion per HR policy |
| Financial records | 7 years (tax law requirement) | Secure deletion after retention period |
| Website analytics | 26 months | Automated deletion |
| System logs | 90 days | Rolling deletion |
Secure Disposal Methods:
- Cryptographic erasure
- Overwriting (DoD 5220.22-M standard)
- Deletion from all servers, backups, and replicas
- Physical media shredding (if applicable)
- Verification and logging of all deletions
F. Do We Have Consents from the Data Subjects?
As per GDPR Article 7 (Conditions for Consent), wherever Aragenex Solutions acts as a Data Controller (as defined in GDPR Article 4), we shall only process or acquire the personal information of data subjects where we have received appropriate consents from the data subjects.
Our Consent Management Practices:
✅ Freely Given – Genuine choice and control, no bundled consent
✅ Specific – Separate consent for different processing purposes
✅ Informed – Clear information about what the data subject is consenting to
✅ Unambiguous – Clear affirmative action required (no pre-ticked boxes)
✅ Verifiable – We maintain records of consent including when, how, and what was consented to
✅ Withdrawable – Easy mechanism to withdraw consent at any time
Consent Documentation:
- Date and time of consent
- Method of consent (checkbox, email confirmation, etc.)
- Information provided at time of consent
- Specific purposes consented to
- Withdrawal history (if applicable)
Consent Mechanisms:
- Opt-in checkboxes on website forms
- Double opt-in for email marketing
- Clear consent language in plain English
- Separate consents for different processing activities
- Unsubscribe links in all marketing communications
G. Right to Withdraw Consent
As per Article 7(3) GDPR (Conditions for Consent), the data subject shall have the right to withdraw his or her consent at any time.
Aragenex Solutions strictly adheres to this policy. As a data subject, you have full rights to withdraw your consent at any time.
3. DATA PROCESSING REGISTER (ARTICLE 30)
In adherence to the GDPR, Aragenex Solutions fully complies with the rules that apply to it as a data processor and/or as a data controller, as the case may be.
As part of these requirements, Aragenex Solutions maintains a comprehensive Data Processing Register in accordance with Article 30 of GDPR (Records of Processing Activities).
Data Processing Register Contents:
As Data Controller:
- Name and contact details of controller and Data Protection Officer
- Purposes of the processing
- Description of categories of data subjects
- Description of categories of personal data
- Categories of recipients (including international transfers)
- International data transfers and safeguards
- Retention periods
- General description of technical and organizational security measures
As Data Processor:
- Name and contact details of processor, each controller, and Data Protection Officer
- Categories of processing carried out on behalf of each controller
- International data transfers and safeguards
- General description of technical and organizational security measures
Register Maintenance:
- Updated in real time as processing activities change
- Reviewed quarterly for accuracy
- Available for inspection by supervisory authorities
- Accessible to Data Protection Officer at all times
- Linked to data flow maps and DPIAs
DPO Responsibilities:
- Monitor GDPR compliance across the organization
- Advise on data protection obligations
- Conduct Data Protection Impact Assessments (DPIAs)
- Cooperate with supervisory authorities
- Act as contact point for data subjects and supervisory authorities
- Maintain data processing registers
- Handle data subject rights requests
- Investigate data breaches
DATA SUBJECT RIGHTS
Aragenex Solutions facilitates all GDPR data subject rights:
✅ Right of Access (Article 15) – Obtain copy of personal data
✅ Right to Rectification (Article 16) – Correct inaccurate data
✅ Right to Erasure (Article 17) – Request deletion of data
✅ Right to Restriction (Article 18) – Limit processing
✅ Right to Data Portability (Article 20) – Receive data in machine-readable format
✅ Right to Object (Article 21) – Object to processing (especially direct marketing)
✅ Right to Withdraw Consent (Article 7(3)) – Withdraw consent at any time
✅ Right to Lodge a Complaint – Complain to supervisory authority
Response Time: Within 1 month (extendable by 2 months if complex)
How to Exercise Rights:
📧 Email: dpo@aragenexsolutions.com | privacy@aragenexsolutions.com
🌐 Online: www.aragenexsolutions.com/privacy-request
📞 Phone: +91 9545413131
SECURITY MEASURES (ARTICLE 32)
Aragenex Solutions implements appropriate technical and organizational measures:
Technical Measures:
✓ Encryption (AES-256 at rest, TLS 1.3 in transit)
✓ Multi-Factor Authentication (MFA)
✓ Role-Based Access Control (RBAC)
✓ Firewalls and Intrusion Detection Systems
✓ Regular vulnerability scanning and penetration testing
✓ Secure backup and disaster recovery
Organizational Measures:
✓ Staff GDPR training (annual mandatory training)
✓ Confidentiality agreements for all personnel
✓ Clean desk and clear screen policies
✓ Access reviews (quarterly)
✓ Data Protection Impact Assessments (DPIAs)
✓ Incident response and breach notification procedures
Certifications:
✓ ISO 27001:2013 – Information Security Management
✓ ISO 27701:2019 – Privacy Information Management
✓ SOC 2 Type II Compliance
DATA BREACH NOTIFICATION (ARTICLES 33 & 34)
To Supervisory Authority (Article 33):
- Within 72 hours of becoming aware of a breach
- Include nature of breach, data affected, likely consequences, and measures taken
To Data Subjects (Article 34):
- Without undue delay if breach poses high risk
- In clear and plain language
- Include DPO contact, likely consequences, and mitigation recommendations
As Data Processor:
- Notify data controller (our client) without undue delay upon becoming aware of any breach
- Provide all information necessary for controller to meet their notification obligations
INTERNATIONAL DATA TRANSFERS (CHAPTER V)
When transferring personal data outside the EU/EEA/UK:
✅ Standard Contractual Clauses (SCCs) – EU 2021 SCCs implemented
✅ Transfer Impact Assessments (TIAs) – Conducted for non-adequate countries
✅ Adequacy Decisions – Transfers to approved countries (UK, Canada, Japan, etc.)
✅ Supplementary Measures – Enhanced encryption and contractual protections
✅ Data Localization – EU data stored primarily in EU/EEA
RELATED DOCUMENTS
For detailed information, please refer to:
📄 GDPR Privacy Notice – www.aragenexsolutions.com/privacy-notice
📄 GDPR Privacy Policy – www.aragenexsolutions.com/privacy-policy
📄 Cookie Policy – www.aragenexsolutions.com/cookie-policy
📄 Data Processing Agreement (DPA) – Available upon request
CONTACT INFORMATION
Data Protection Officer:
📧 Email: dpo@aragenexsolutions.com
📞 Phone: +91 91 954 541 3131
📧 General Privacy: privacy@aragenexsolutions.com
🌐 Website: www.aragenexsolutions.com/privacy
General Inquiries:
Company: Aragenex Solutions
Address: 310, Finswell IT Park, Viman Nagar
City: Pune, Maharashtra 411014, India
📧 Email: info@aragenexsolutions.com
📱 WhatsApp: +91 91 9545413131
🌐 Website: www.aragenexsolutions.com
ARAGENEX SOLUTIONS
Empowering Global Businesses Through Digital Innovation
© 2026 Aragenex Solutions. All Rights Reserved.
