DPDP Act 2023 compliance
How SalesPort is built to support your obligations under India's Digital Personal Data Protection Act — written for Indian enterprise and government procurement teams.
Last updated: May 2026
Our position under the DPDP Act 2023
India's Digital Personal Data Protection Act 2023 (DPDP Act) governs how the personal data of Indian individuals is collected, processed, and protected. In most SalesPort deployments, our client — the dairy, FMCG, or government organisation that runs distribution — is the Data Fiduciary that decides why and how personal data is processed. Sort String Solutions LLP acts as a Data Processor, handling that data on the client's instructions under a contract.
This page explains, in plain language, how the platform is built to support our clients' DPDP obligations and what we commit to as a processor. It is a statement of posture, not legal advice; enterprise clients receive the specific data-processing terms in their service agreement.
What personal data SalesPort processes
Inside a distribution deployment, the personal data typically includes the names, phone numbers, and locations of field-sales staff; retailer and distributor contact details; and, in dairy procurement, farmer identity and bank-payment details. On our marketing website, we separately collect the contact details you submit through demo and enquiry forms — covered by our privacy policy.
Lawful, limited processing
Personal data in SalesPort is processed only for the operational purposes the client configures — recording visits and orders, calculating farmer payments, running schemes, and the reporting those depend on. Access is role-scoped so each user sees only what their role requires, and privileged actions are written to audit logs.
Data residency
Production data for Indian clients is hosted on AWS in the Mumbai region (ap-south-1), so personal data of Indian data principals remains resident in India. Per-client database isolation keeps one client's data within its own boundary.
Data-principal rights
The DPDP Act gives individuals rights to access, correct, and erase their personal data, and to grievance redress. SalesPort supports our clients in honouring these requests — data can be located, corrected, exported, and deleted within a deployment. Where you interact with Sort String directly (for example, through a website form), you can exercise these rights by contacting our grievance address below.
Retention & deletion
Personal data is retained for as long as the client relationship and applicable statutory requirements (for example, GST and accounting records) require, after which it is deleted or returned. On contract exit, client data — including personal data — is exported in a usable format and removed from active systems per the agreement.
Sub-processors & security
We use a defined set of sub-processors (cloud hosting, payment gateways, SMS/voice, WhatsApp messaging, accounting and ERP integrations) listed and kept current in our Trust Center. Security controls — encryption in transit and at rest, RBAC, backups, and audit logging — are described on our security page.
Breach notification
If a personal-data breach affecting client data occurs, our process is to contain and assess it and notify affected clients with the facts available, in line with the expectations of the DPDP Act, followed by a written summary once resolved.
Grievance & data-protection contact
Sort String Solutions LLP · N 1/64-23, Nagwa, Lanka, Varanasi 221005
For data-protection or DPDP requests, email info@sortstring.com. See also our privacy policy and Trust Center.