Compliance
Compliance Is Not an Afterthought
StudAI BOS is built for organizations operating in India's evolving regulatory landscape. DPDP Act compliance, data localization, and audit-ready evidence generation are architectural decisions — not add-on features.
India's data protection law
DPDP Act Compliance
The Digital Personal Data Protection Act, 2023 establishes new obligations for organizations processing personal data of Indian citizens. StudAI BOS is designed to help you meet these obligations structurally — not through checklists, but through architectural enforcement.
Data Fiduciary Duties
StudAI BOS provides the tooling for organizations acting as data fiduciaries: purpose limitation enforcement, data minimization controls, and processing limitation policies configurable per data category.
Data Principal Rights
Built-in workflows for data access requests, correction requests, and erasure requests. Requests are tracked, timestamped, and resolved within configurable SLA windows with full audit trails.
Consent Management
Granular consent collection and tracking framework. Records what was consented to, when, through which channel, and allows withdrawal at any time. Consent state is checked before processing.
Grievance Officer Framework
Configurable grievance officer designation per organization. Grievance requests are routed, tracked, and resolved through governed workflows with SLA enforcement.
Data sovereignty
Data Localization — Azure India Regions
Your data stays in India. No exceptions. No routing through international endpoints. No ambiguity about jurisdiction.
Azure Central India
Primary data center for all compute, storage, and database operations. Located in Pune, Maharashtra.
Azure South India
Disaster recovery and geo-redundant backups. Located in Chennai, Tamil Nadu. Automatic failover with zero data loss.
Explicit Consent Only
No data leaves Indian jurisdiction without explicit organizational consent and a documented data transfer agreement.
Audit logging
Every action. Every receipt. Hash-verified.
Audit logging in StudAI BOS is not a “log file.” It's a cryptographic chain where each audit event references the SHA-256 hash of the previous event. Modification, deletion, or insertion of events breaks the chain and is immediately detectable.
90-Day Minimum Retention
All audit events retained for a minimum of 90 days. Exportable in JSON and CSV formats. Hash verification available on demand.
365-Day Extended Retention
Full year of audit log retention. Custom retention policies available for regulated industries. Automated export to your own storage if required.
Hash-verified integrity: Any auditor can independently verify the integrity of the audit chain by recomputing hashes. No trust in our system required — the math is verifiable.
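To make the "any auditor can recompute the hashes" claim concrete, the following is an added example of a SHA-256 hash-chained audit log with an independent verifier. It is illustrative code written for this page, not StudAI BOS's own implementation; the event field names, the all-zero genesis value, the JSON canonicalization and the sample events are assumptions. It goes slightly beyond the text by showing the three tamper cases the section names (modification, deletion, insertion) and the one case a bare chain cannot catch on its own: truncating the tail, which is why a verifier also needs a head hash recorded outside the system.

```python
import copy
import hashlib
import json

# "Previous hash" for the very first event (assumption: a fixed all-zero
# genesis value; the page does not say how the chain is anchored).
GENESIS_HASH = "0" * 64


def canonical(event: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so every
    verifier hashes exactly the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def event_hash(body: dict) -> str:
    """SHA-256 over the event body, i.e. everything except its own 'hash'."""
    return hashlib.sha256(canonical(body)).hexdigest()


def append_event(chain: list, ts: str, actor: str, action: str, payload: dict) -> dict:
    """Append an event whose prev_hash is the hash of the current last event."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "ts": ts, "actor": actor,
            "action": action, "payload": payload, "prev_hash": prev}
    body["hash"] = event_hash(body)  # hash computed before the field is added
    chain.append(body)
    return body


def verify_chain(chain: list) -> tuple:
    """Recompute every hash and link. Returns (ok, index, reason); on failure
    'index' is the first event at which the chain stops being consistent."""
    prev = GENESIS_HASH
    for i, ev in enumerate(chain):
        if ev.get("prev_hash") != prev:
            return (False, i, "prev_hash mismatch")   # deletion, reordering, insertion
        if ev.get("seq") != i:
            return (False, i, "sequence gap")
        body = {k: v for k, v in ev.items() if k != "hash"}
        if event_hash(body) != ev.get("hash"):
            return (False, i, "hash mismatch")        # in-place modification
        prev = ev["hash"]
    return (True, len(chain), "ok")


def verify_head(chain: list, published_head: str) -> bool:
    """A chain with its tail cut off still verifies internally, so the last
    hash must also be compared with a head value kept outside the system
    (assumption: the operator publishes or escrows it periodically)."""
    return bool(chain) and chain[-1]["hash"] == published_head


def build_sample_chain() -> list:
    """Constructed sample events for the demo; not real StudAI BOS data."""
    chain = []
    append_event(chain, "2024-06-01T09:00:00Z", "u-101", "consent.recorded",
                 {"subject": "dp-5001", "purpose": "invoicing", "channel": "web"})
    append_event(chain, "2024-06-01T09:05:00Z", "u-102", "payment.approved",
                 {"request": "req-77", "amount": 12500, "currency": "INR"})
    append_event(chain, "2024-06-02T10:30:00Z", "u-103", "erasure.completed",
                 {"subject": "dp-5001", "modules": ["crm", "billing"]})
    return chain


def tamper_modify(chain: list) -> list:
    """Copy of the chain where event 1's amount was silently changed."""
    c = copy.deepcopy(chain)
    c[1]["payload"]["amount"] = 125000
    return c


def tamper_delete(chain: list) -> list:
    """Copy with event 1 removed and the later events carefully renumbered."""
    c = copy.deepcopy(chain)
    del c[1]
    for i, ev in enumerate(c):
        ev["seq"] = i
    return c


def tamper_insert(chain: list) -> list:
    """Copy with a forged, self-consistent event spliced in after event 0."""
    c = copy.deepcopy(chain)
    forged = {"seq": 1, "ts": "2024-06-01T09:01:00Z", "actor": "u-999",
              "action": "role.granted", "payload": {"role": "admin"},
              "prev_hash": c[0]["hash"]}
    forged["hash"] = event_hash(forged)
    c.insert(1, forged)
    return c


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:  ", verify_chain(chain))
    print("modified:", verify_chain(tamper_modify(chain)))
    print("deleted: ", verify_chain(tamper_delete(chain)))
    print("inserted:", verify_chain(tamper_insert(chain)))
    print("tail cut, head check:", verify_head(chain[:-1], chain[-1]["hash"]))
```

Note that the verifier needs nothing from the producing system except the exported events and the agreed serialization rule; that is what makes the "no trust in our system required" property hold. The one gap a chain alone leaves is silent truncation of the newest events, which is why `verify_head` compares against an externally recorded head hash.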
Access controls
RBAC + ABAC + SoD — with evidence generation
Access controls are not just enforced — they're documented. Every authorization decision generates evidence that auditors can review.
RBAC
Role-based access control with predefined and custom roles. Each role has explicit permissions per module and per action. Role assignments are logged and auditable.
ABAC
Attribute-based policies add contextual authorization. Policies evaluate department, amount, time, geography, and custom attributes. ABAC decisions are recorded with the evaluated conditions.
Separation of Duties
Requestor ≠ Approver ≠ Executor. SoD constraints are enforced at the workflow engine level. Violations are blocked — not just flagged. Every SoD validation generates a compliance evidence record.
Certification
SOC 2 Roadmap
StudAI BOS is currently pursuing SOC 2 Type II certification. Our architecture was designed from inception with SOC 2 trust service criteria in mind: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
We maintain an internal controls framework aligned with AICPA standards. Enterprise customers can request a copy of our readiness assessment and current control matrix under NDA.
Completed: Architecture design with SOC 2 controls
Completed: Internal controls documentation
Completed: Hash-chained audit trail implementation
In Progress: SOC 2 Type I readiness assessment
Planned: SOC 2 Type I audit
Planned: SOC 2 Type II observation period
Data retention
Configurable policies. Right to deletion.
Retention Policies
Organizations can configure data retention periods per data category. When retention expires, data is purged through a governed deletion workflow that itself generates an audit record. Deletion is verifiable — not just a status flag.
Right to Deletion
Data principal erasure requests are processed through a tracked workflow. Deletion cascades across all modules where the data appeared. A confirmation receipt is generated documenting what was deleted, when, and from which systems. The deletion receipt is retained even after the data is purged.
Subprocessors: A complete list of subprocessors involved in data processing is maintained and available as part of our Data Processing Agreement (DPA).
Compliance questions?
We have answers.
Our compliance team is available to walk through our DPDP Act framework, share our SOC 2 readiness documentation, and complete your vendor security questionnaire.