Data Protection
How we safeguard your data and comply with global privacy law
1. Our Commitment
AscentPassport is built on the principle that your career data belongs to you. We designed our platform from the ground up with privacy as a core requirement, not an afterthought. This page explains in detail how we implement data protection across every layer of the platform — technical, organisational, and legal.
We believe data protection is not just about legal compliance. It is about building a platform that employees can genuinely trust with some of the most sensitive information they possess — their identity documents and career history.
2. Regulatory Frameworks
AscentPassport operates globally and is designed to comply with the following data protection frameworks:
| Jurisdiction | Law | DSR Deadline | Breach Notification |
|---|---|---|---|
| India | DPDP Act 2025 | 30 days | 72 hours to Data Protection Board |
| European Union | GDPR | 30 days (extendable to 90) | 72 hours to supervisory authority |
| United Kingdom | UK GDPR / DPA 2018 | 30 days (extendable to 90) | 72 hours to ICO |
| United States | CCPA / CPRA / FCRA | 45 days (CCPA) / 30 days (FCRA) | 72 hours (California AG) |
| Canada | PIPEDA / Bill C-27 | 30 days | As soon as feasible |
| Australia | Privacy Act 1988 / APPs | 30 days | 30 days to OAIC |
| UAE | Federal DL No. 45/2021 | 30 days | 72 hours |
| Saudi Arabia | PDPL | 30 days | 72 hours |
3. Data Controller and DPO
AscentPassport Technologies Pvt Ltd is the Data Controller (and Data Fiduciary under DPDP) for all personal data processed on the AscentPassport platform. Our Data Protection Officer and Grievance Officer is responsible for overseeing compliance with this framework and can be reached at privacy@ascentpassport.com.
Employers who access candidate verification data through the platform act as independent Data Controllers for their own hiring processes and are responsible for complying with applicable data protection law in their own jurisdiction.
4. Legal Basis for Processing
We process personal data under the following legal bases. Each processing activity has a documented legal basis in our internal Record of Processing Activities (ROPA):
- Consent: Collection and encryption of national identity numbers (PAN, SSN, passport), cross-border data transfers, third-party AI processing, and optional features such as marketing communications. Consent is specific, informed, freely given, and unambiguous. It is recorded with a timestamp, IP address, and the exact text shown at the time of consent.
- Contract performance: Creating and maintaining your APID, running AI verification agents, facilitating HR outreach, calculating AP Score, and all core platform functionality necessary to deliver the service you have signed up for.
- Legitimate interests: Fraud prevention, duplicate account detection, platform security monitoring, immutable audit logging, and aggregated performance analytics. We conduct and document legitimate interest assessments for each of these purposes.
- Legal obligation: Maintaining audit logs for regulatory accountability, responding to lawful government requests, honouring data subject rights within legally mandated timeframes, and retaining financial records.
5. Technical Security Measures
The following technical controls are implemented across the AscentPassport platform:
- Field-level encryption at rest: National identity numbers (PAN, SSN), passport numbers, and date of birth are encrypted at the database field level using Fernet symmetric encryption. Separate encryption keys are used for each geographic region (India, USA, EU, UK, etc.), meaning a compromise of one region's key does not expose data from another region.
- Blind index search: Encrypted fields are searchable using one-way HMAC-SHA256 hashes. The plaintext value is never exposed during a database search operation.
- Key management: Encryption keys are stored in environment variables on the server and are never committed to source code, version control, or configuration files. Keys are rotated periodically with zero-downtime re-encryption of existing records.
- Transport security: All data in transit between users and the platform is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. Strict Transport Security (HSTS) headers are set with a one-year max-age.
- Security headers: Every response includes X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Permissions-Policy header disabling camera, microphone, geolocation, and payment APIs.
- Intrusion detection and blocking: Automated blocking of known malicious scanner user agents, WordPress probes, PHP exploit attempts, path traversal attacks, and WebDAV probes via Nginx and Fail2Ban. Repeat offenders are permanently IP-banned.
- Rate limiting: Login attempts, OTP requests, and API endpoints are rate-limited to prevent brute-force attacks.
- Admin security: The Django admin interface is accessible only via a non-public, non-guessable URL. Admin accounts require strong passwords.
- Dependency management: All software dependencies are tracked and updated regularly. Security patches are applied promptly.
6. Organisational Security Measures
- Role-based access control: Platform access is strictly role-separated. Employees cannot access employer data. Employers can only access candidate data for candidates they have been authorised to view. Admin access is limited to named individuals.
- Principle of least privilege: Internal team members have access only to the data and systems necessary for their specific responsibilities.
- Data minimisation: We collect only the personal data necessary for the purposes described in this policy. We do not collect data speculatively.
- Privacy by design: New features are reviewed for privacy implications before development begins. Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities.
- Vendor assessment: All third-party service providers are assessed for security and privacy compliance before engagement and are bound by data processing agreements.
- Incident response plan: We maintain a documented incident response plan covering breach detection, containment, notification, and remediation. The plan is reviewed and tested periodically.
7. Encryption Architecture
Our field-level encryption implementation works as follows:
- Encryption algorithm: Fernet symmetric encryption (AES-128-CBC with PKCS7 padding, HMAC-SHA256 for authentication). Fernet tokens are URL-safe base64-encoded and include a timestamp, making them both tamper-evident and time-aware.
- Regional key separation: Each geographic region (IN, US, EU, UK, CA, AU, AE, SA) has its own Fernet encryption key stored as a server-side environment variable. A user's data is encrypted with the key corresponding to their data region. This provides geographic key isolation.
- Blind index for search: To allow searching on encrypted fields (e.g. checking whether a PAN is already registered), we compute a one-way HMAC-SHA256 hash of the normalised value using a separate per-region secret. This index is stored alongside the encrypted value and is used for lookup. It is computationally infeasible to reverse a blind index to its original value.
- Zero-downtime key rotation: We use MultiFernet (multiple active keys) to support key rotation. During rotation, new data is encrypted with the new key while existing data encrypted with the old key remains readable. After re-encryption of all records, the old key is retired.
- Access logging: Every decryption of a sensitive encrypted field (read operation) is written to an immutable SensitiveDataAccessLog with the model, field name, and timestamp. This log cannot be deleted and is retained for the full retention period of the underlying data.
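The regional-key, blind-index and MultiFernet rotation design described above, as an added illustration using the cryptography library's Fernet API. This is example code, not AscentPassport's own implementation: the region list is taken from this page, while the keys and index secrets are constructed in-process (in production they would be read from environment variables), and the function names are assumptions.

```python
import hashlib
import hmac
import os
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed key material for the example. In production each region's Fernet key
# and blind-index secret come from server environment variables, never from source.
REGIONS = ("IN", "US", "EU", "UK", "CA", "AU", "AE", "SA")
FERNET_KEYS = {r: [Fernet.generate_key()] for r in REGIONS}  # newest key first
INDEX_SECRETS = {r: os.urandom(32) for r in REGIONS}

def normalise(value: str) -> str:
    """Canonical form before hashing, so 'abcde 1234 f' and 'ABCDE1234F' collide."""
    return "".join(value.split()).upper()

def blind_index(region: str, value: str) -> str:
    """One-way HMAC-SHA256 of the normalised value under the region's index secret.
    The secret is what keeps structured, low-entropy identifiers such as a PAN from
    being recovered by guessing; an unkeyed hash of the same value would not."""
    mac = hmac.new(INDEX_SECRETS[region], normalise(value).encode(), hashlib.sha256)
    return mac.hexdigest()

def _cipher(region: str) -> MultiFernet:
    # All active keys for a region; encryption always uses the first (newest) one.
    return MultiFernet([Fernet(k) for k in FERNET_KEYS[region]])

def encrypt_field(region: str, value: str) -> bytes:
    return _cipher(region).encrypt(value.encode())

def decrypt_field(region: str, token: bytes) -> str:
    """Raises InvalidToken if no active key for this region authenticates the token."""
    return _cipher(region).decrypt(token).decode()

def can_decrypt(region: str, token: bytes) -> bool:
    """True if the region's keys open the token; False for another region's token."""
    try:
        decrypt_field(region, token)
        return True
    except InvalidToken:
        return False

def rotate_region_key(region: str, tokens: list) -> list:
    """Zero-downtime rotation: add a new key (the old one stays readable), re-encrypt
    every stored token under it, then retire the old key."""
    FERNET_KEYS[region].insert(0, Fernet.generate_key())
    rotated = [_cipher(region).rotate(t) for t in tokens]  # rotate() re-encrypts with key 0
    FERNET_KEYS[region] = FERNET_KEYS[region][:1]  # retire old key once all records are done
    return rotated
```

A token produced under one region's key fails authentication under every other region's key, which is the isolation property the page relies on.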
8. Consent Management
AscentPassport maintains a full consent audit trail for every user. Each consent record captures:
- The exact text shown to the user at the time of consent (stored verbatim).
- A SHA-256 hash of the consent text for tamper detection.
- The privacy policy version in effect at the time of consent.
- The timestamp, IP address, and browser user agent of the consent action.
- The jurisdiction applicable at the time of consent.
Consent records are permanently protected from deletion and are retained for 7 years as a legal audit trail. Users can view, manage, and withdraw their consent preferences at any time from the Privacy Settings page.
When the privacy policy is updated, existing users are prompted to review and re-confirm their consent before continuing to use the platform.
9. Data Subject Rights Engine
AscentPassport has a built-in Data Subject Rights management system. When you submit a request from your Privacy Settings page, the system:
- Assigns a unique reference number (e.g. DSR-000001).
- Automatically calculates the legal response deadline for your jurisdiction.
- Sends a confirmation email to you with your reference number and deadline.
- Notifies our privacy team for action.
- Tracks the request through to completion with a full audit trail.
High-sensitivity requests (erasure, data portability, FCRA dispute) require identity verification before processing. You can check the status of your request at any time from your Privacy Settings page.
The following request types are supported by jurisdiction:
- All users: Access, correction, erasure, restriction of processing, data portability.
- India (DPDP): Nomination of representative, grievance redressal.
- EU / UK (GDPR): Objection to processing, review of automated decision.
- US (CCPA): Opt out of sale, limit use of sensitive data, non-discrimination.
- US (FCRA): Dispute of inaccurate information, copy of consumer report, adverse action response.
10. Data Retention Framework
Our data retention schedule is governed by legal requirements in each jurisdiction and is enforced automatically by our daily retention management system. Records are anonymised (not deleted) when their retention period expires, to preserve platform statistical integrity while removing all personal identifiers.
| Data Category | India | US | EU / UK | CA / AU |
|---|---|---|---|---|
| Employment records | 3 years | 7 years (FCRA) | 3 years | 3 years |
| PAN / Aadhaar | 2 years | N/A | N/A | N/A |
| SSN / National ID | N/A | 7 years (FCRA) | 3 years | 3 years |
| Passport numbers | 3 years | 3 years | 3 years | 3 years |
| Consent records | 7 years | 7 years | 5 years | 5 years |
| Audit logs | 5 years | 7 years | 5 years | 5 years |
| Session data | 30 days | 30 days | 30 days | 30 days |
Records under active legal hold are exempt from automated anonymisation until the hold is released.
11. International Data Transfers
AscentPassport's primary servers are located in India. If you access the platform from outside India, your data is transferred to and processed in India. We implement the following safeguards for cross-border transfers:
- EU and UK users: Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and adopted by the UK ICO respectively.
- All other jurisdictions: Transfers are conducted under equivalent contractual safeguards and in accordance with applicable local law.
- Sensitive data: National identity numbers, passport numbers, and dates of birth are only transferred cross-border with explicit user consent, which can be withdrawn at any time from the Privacy Settings page.
- Regional encryption key isolation: Even when data is processed in a single geographic location, encryption keys are kept regionally isolated. Indian user data encrypted with India-specific keys is cryptographically isolated from other regions' data.
12. Data Breach Response
In the event of a personal data breach, we follow a documented incident response plan:
- Detection and containment: Immediate isolation of affected systems, revocation of compromised credentials, and preservation of forensic evidence.
- Assessment: Determination of the scope of the breach, categories of data affected, number of individuals affected, and likely consequences.
- Regulatory notification: Notification to the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by applicable law). For Australia, notification to the OAIC within 30 days where the breach is likely to result in serious harm.
- User notification: Notification to affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures being taken.
- Remediation: Root cause analysis, implementation of additional controls, and documentation of lessons learned.
All breach records are maintained in our DataBreachRecord system with full timeline documentation, authority notification tracking, and legal hold management.
13. Third-Party Processors
We use the following categories of third-party processors, all of whom are bound by data processing agreements:
- Email delivery: Used for transactional emails including OTP codes, verification alerts, and DSR confirmations. Processors do not have access to your identity documents or encrypted fields.
- AI inference: Used for employment verification analysis. Data passed to AI services is limited to employment descriptions and does not include national identity numbers, passport numbers, or financial data.
- Infrastructure hosting: Our servers are hosted on infrastructure that meets ISO 27001 or equivalent security standards.
- Analytics: Google Analytics (GA4) is used for aggregated, anonymised usage analytics. IP addresses are anonymised before transmission to Google. No personal identifiers are shared with Google Analytics.
We do not use advertising networks, data brokers, or any processor that uses your data for commercial profiling.
14. Audit and Accountability
AscentPassport maintains the following accountability mechanisms:
- Record of Processing Activities (ROPA): A documented inventory of all processing activities, legal bases, data categories, retention periods, and third-party processors — maintained in accordance with GDPR Article 30.
- Consent audit trail: Every consent decision is permanently logged and cannot be altered or deleted.
- Sensitive data access log: Every read of an encrypted sensitive field is logged with model, field, and timestamp.
- DSR tracking: Every data subject request is assigned a reference number and tracked through to completion with deadline enforcement.
- Retention enforcement log: Every automated retention action (anonymisation, deletion) is recorded in an immutable log.
- Breach record: Every suspected or confirmed breach is documented with full timeline, scope, and notification status.
These logs are available to supervisory authorities on request and to users on request (in anonymised or aggregated form as appropriate).
15. Contact the DPO
For any data protection queries, concerns, or to exercise your rights:
- Email (preferred): privacy@ascentpassport.com
- Privacy Settings (self-service): ascentpassport.com/accounts/privacy-settings/ — submit access, correction, erasure, and portability requests with automatic tracking and legally enforceable deadlines.
- Grievance redressal (DPDP): We will acknowledge within 48 hours and resolve within 30 days.
- Postal: Data Protection Officer, AscentPassport Technologies Pvt Ltd, Ahmedabad, Gujarat 380015, India.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:
- India: Data Protection Board of India (once operational under DPDP Act 2025)
- EU: Your local Data Protection Authority (list at edpb.europa.eu)
- UK: Information Commissioner's Office — ico.org.uk
- US (California): California Privacy Protection Agency — cppa.ca.gov
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- Australia: Office of the Australian Information Commissioner — oaic.gov.au