Data Processing Register
Public summary · Last updated 17 May 2026
This page summarises the categories of personal data Srida IT processes as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) and provides the equivalent of an Article 30 record for stakeholders. The full internal register — including precise retention periods, cross-border transfer details, sub-processors, and DPIA links — is available on request to regulators and accredited auditors at dpo@sridait.com.
| Category | Fields | Purpose | Retention | Legal basis |
|---|---|---|---|---|
| Candidate identity | Full name, email, mobile (encrypted at rest), LinkedIn / GitHub URL | Account creation, programme eligibility, AI screening, contact | For lifetime of account; auto-purged 18 months after last login (with 30-day warning) or immediately on user request | DPDPA: consent (Section 6) — captured at registration with version, timestamp, IP |
| Application content | Resume file, education history, work experience, certifications, professional summary, skills, applied programme | AI screening, human review, programme selection | For lifetime of account; resumes on rejected applications auto-purged 6 months after rejection | DPDPA: consent — same as identity above |
| Authentication metadata | Password hash (bcrypt cost 12), session tokens (sha256 hash only), 2FA setting, OTP hashes (HMAC), IP + user-agent of login | Account security, fraud detection, login throttling | Session rows deleted on logout / expiry; OTPs deleted 10 minutes after issuance; login audit retained 12 months | DPDPA: legitimate interests (security) |
| Payment evidence | UPI reference number, screenshot upload (filename, MIME, hash), amount, status, admin review notes | Programme administration fee accounting, audit | 7 years (statutory financial-records retention under Indian Income Tax Act) | DPDPA: legal obligation |
| Assessment artefacts | Trust Engineer Phase 1–4 answers, scores, integrity events (tab-switch, paste, typing rhythm) | Candidate evaluation, selection | Tied to application lifetime; aggregated metrics retained 3 years | DPDPA: consent (assessment specifically disclosed in AI screening notice) |
| Audit log | user_id, action, IP, timestamp, hash-chained for tamper-evidence | Security, DPDPA accountability, dispute resolution | 5 years | DPDPA: legal obligation + legitimate interests |
| Email queue | Recipient address, subject, body, send status | Transactional email delivery (welcome, status updates, OTP, password reset) | Successful sends purged after 30 days; failures kept indefinitely for forensic review | DPDPA: consent + legitimate interests |
Sub-processors
- Hostinger — hosting infrastructure (web, MySQL, mail relay). Data location: EU / Asia (Hostinger SOC 2 Type II report on file).
- Email delivery — via Hostinger SMTP or PHP `mail()` fallback.
Cross-border transfers
None of the data described above is transferred outside India in the ordinary course. The Hostinger data centre region is configured to keep processing within Asia-Pacific. Any future change will be disclosed here and in our privacy policy with at least 30 days' notice.
Your rights
You can exercise your access, rectification, erasure, and portability rights from your dashboard at /dashboard/account or by emailing dpo@sridait.com from the registered address. We respond within 5 working days.