DPDP Compliance Statement
FactWise Technologies Private Limited — Digital Personal Data Protection Act 2023
1. Overview
India's Digital Personal Data Protection Act 2023 ("DPDP Act") came into force on 11 August 2023. It is India's first comprehensive personal data protection law and establishes a framework for the processing of digital personal data, the rights of data principals, and the obligations of data fiduciaries and data processors.
FactWise Technologies Private Limited ("FactWise", "we", "us") operates a source-to-pay procurement platform used by manufacturing and enterprise companies across India. We are committed to full compliance with the DPDP Act — both as a Data Fiduciary (for data we control) and as a Data Processor (for data we process on behalf of our customers).
This statement should be read alongside our Privacy Policy, Terms of Service, and Cookie Policy.
2. Roles Under the DPDP Act
2.1 FactWise as Data Fiduciary
FactWise is a Data Fiduciary for personal data for which it determines the purpose and means of processing, including:
- Personal data of its own employees
- Personal data of account holders, billing contacts, and admin users of the Platform
- Personal data of website visitors to factwise.io
- Any personal data processed for FactWise's own business purposes (marketing, fraud prevention, platform improvement)
As a Data Fiduciary, FactWise determines the purpose and means of processing this data and is directly responsible for compliance.
2.2 FactWise as Data Processor
FactWise is a Data Processor for personal data that its customers (buyers, procurement teams, finance departments) control, including:
- Vendor and supplier personal data uploaded by customer organisations
- Procurement data entered by customer employees (requisitioners, approvers, finance users)
- Any other personal data where the customer determines the purpose and means of processing
As a Data Processor, FactWise processes this data only on the instructions of the customer (Data Fiduciary) and in accordance with the applicable Data Processing Agreement.
2.3 Significant Data Fiduciary Readiness
The DPDP Act empowers the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on volume, sensitivity, or risk of data processed. FactWise monitors developments in SDF designation and maintains readiness to comply with additional obligations — including Data Protection Officer appointment, Data Protection Impact Assessments, algorithmic audits, and data localisation restrictions — if designated.
3. Lawful Basis for Processing
The DPDP Act requires that personal data be processed on a lawful basis. FactWise relies on the following bases:
| Processing Activity | Data Subjects | Lawful Basis |
|---|---|---|
| Account creation and management | Account holders | Contract — necessary to provide the Platform |
| Billing and invoicing | Billing contacts | Contract; Legal obligation (tax law) |
| Vendor/supplier data processed for customers | Vendors, suppliers | Legitimate use (on instruction of customer Data Fiduciary) |
| Procurement analytics (anonymised) | All users | Legitimate use |
| Security and fraud prevention | All users | Legitimate use |
| Marketing to prospective customers | Leads and prospects | Consent |
| Responding to support queries | Users | Contract / Legitimate use |
| Legal compliance and regulatory reporting | As applicable | Legal obligation |
3.1 Consent Management
Where consent is the lawful basis, FactWise ensures that consent is:
- Free — not bundled with unrelated conditions; no detriment for refusal of non-essential processing
- Specific — obtained for a defined and clearly stated purpose
- Informed — accompanied by a clear notice explaining the data, purpose, and data principal's rights
- Unambiguous — obtained through an affirmative action (not pre-ticked boxes, silence, or inaction)
Consent records are maintained (timestamp, purpose, version of notice) and can be produced on request.
3.2 Notice Requirement (Section 5, DPDP Act)
Before or at the time of collecting personal data, FactWise provides a notice in clear and plain language specifying:
- The personal data being collected
- The purpose for which it is being processed
- How data principals can exercise their rights
- How to raise a grievance
4. Data Principal Rights
The DPDP Act grants the following rights to data principals (individuals whose personal data is processed). Contact privacy@factwise.io to exercise any right. FactWise responds within 30 days.
4.1 Right to Information (Section 11)
Data principals have the right to know whether their personal data is being processed, a summary of data held, and the identities of all Data Processors and recipients.
How to exercise: Email privacy@factwise.io. For vendor/supplier data managed by a customer organisation, contact that customer directly — FactWise will assist in forwarding requests.
4.2 Right to Correction and Erasure (Section 12)
Data principals have the right to correct inaccurate or incomplete personal data, and to request erasure of data no longer necessary for the purpose for which it was collected.
How to exercise: Platform account holders may update data in Settings. All others: email privacy@factwise.io. Where erasure is declined due to a legal retention obligation, FactWise will provide written reasons.
4.3 Right to Nominate (Section 14)
Data principals may nominate another individual to exercise DPDP Act rights on their behalf in the event of their death or incapacity.
How to exercise: Email privacy@factwise.io with the nominee's details and a signed declaration.
4.4 Right to Grievance Redressal (Section 13)
Data principals may raise formal grievances about FactWise's data processing. Every grievance will be acknowledged within 72 hours and substantively resolved within 30 days.
How to exercise: Email privacy@factwise.io. If the grievance is not resolved satisfactorily, data principals may approach the Data Protection Board of India once it is operational.
5. Data Fiduciary Obligations
Personal data is processed only for the purposes for which it was collected. FactWise does not use procurement data submitted by a customer for any other purpose without a valid lawful basis.
FactWise processes only the personal data necessary for stated procurement workflows. The platform is architected to minimise collection — only what is operationally required is stored.
FactWise takes reasonable steps to ensure accuracy. Users may correct their own data through platform settings. Accuracy of vendor/supplier data entered by customers is the customer's responsibility.
Personal data is retained only for the period necessary. Automated deletion is enforced for data past its retention period. The full retention schedule is published in the Privacy Policy.
FactWise protects personal data with AES-256 encryption at rest, TLS 1.3 in transit, SOC 2 Type II certification, role-based access controls, annual penetration testing, and an immutable audit log.
FactWise maintains records of data categories processed, processing purposes, processor engagements, consent records, rights requests, and security incidents.
6. Cross-Border Data Transfers
The DPDP Act permits cross-border transfers of personal data to countries notified by the Central Government. Until a formal whitelist is published:
- Default: All personal data of Indian data principals is processed and stored in India (AWS ap-south-1, Mumbai). No default cross-border transfer occurs.
- Sub-processors outside India: Where FactWise uses sub-processors located outside India (e.g. error monitoring tools), only the minimum necessary technical data is transferred, and such sub-processors are bound by data processing agreements with equivalent protections.
FactWise will update this section as cross-border transfer rules are notified under the DPDP Act.
7. Processing of Children's Data
The DPDP Act imposes strict obligations on processing personal data of children (under 18 years). In this regard:
- FactWise does not knowingly collect or process personal data of children
- FactWise does not target the platform at children
- The platform is designed exclusively for enterprise procurement users
- If FactWise becomes aware that a child's data has been processed, it will immediately delete that data and notify the relevant customer
8. Data Processor Obligations
When FactWise acts as a Data Processor for enterprise customers, it:
- Processes personal data only on documented instructions from the customer
- Ensures all FactWise personnel with access to customer data are bound by confidentiality obligations
- Implements appropriate technical and organisational security measures
- Does not engage sub-processors without the customer's prior consent
- Assists the customer in fulfilling data principal rights requests
- Deletes or returns all personal data on termination of the customer relationship (within 90 days)
- Notifies the customer of any security incident affecting the customer's personal data within 72 hours
9. Grievance Redressal
FactWise has designated a data protection contact for grievance redressal under Section 13 of the DPDP Act.
Grievance process:
- Submit your grievance by email to privacy@factwise.io
- Include your name, contact details, description of the grievance, and the resolution you are seeking
- FactWise will acknowledge within 72 hours
- FactWise will provide a substantive response within 30 days
- If unresolved, FactWise will escalate internally and revert within a further 14 days
- If still unresolved, you may approach the Data Protection Board of India once operational
FactWise is committed to resolving all data protection grievances fairly, promptly, and at no cost to the data principal.
10. Updates to This Statement
This Compliance Statement will be updated as:
- The DPDP Act's implementing rules are notified by the Central Government
- The Data Protection Board of India becomes operational and issues guidance
- FactWise's practices change
Significant updates will be communicated by email to account administrators.
11. Related Documents
| Document | Location |
|---|---|
| Privacy Policy | factwise.io/privacy-policy |
| Terms of Service | factwise.io/terms-of-service |
| Cookie Policy | factwise.io/cookie-policy |
FactWise Technologies Private Limited is committed to the letter and spirit of India's Digital Personal Data Protection Act 2023. This statement reflects our practices as of 1 January 2026 and will be updated as the regulatory framework develops.
For all DPDP-related enquiries: privacy@factwise.io