Legal

Data Policy

Effective: April 2026 · Version 1.1 · Supersedes all prior versions

Amendment notice: For existing clients and active VextIntel subscribers, material changes take effect 30 days after written notice by email. For new engagements, changes take effect on the effective date shown above.

Privacy Policy Terms of Service Refund Policy Delivery Policy Data Policy Cookies Policy Security Policy Responsible Disclosure

DPDP Act 2023IT Act 2000ISO 27001 AlignedICAI Data StandardsGDPR-Equivalent

This Data Policy governs how Vext Audit Capital, a division of SkyDasher Tech LLP, processes, stores, protects, and manages all data in the course of professional operations. As a firm that audits other organisations' data protection practices, we hold ourselves to the highest data governance standard and publish this policy with full transparency.

1. Data Fiduciary, Data Processor, and Data Processing Agreements

Under the DPDP Act 2023, the Firm acts as a Data Fiduciary when determining the purpose of processing personal data from website visitors, subscribers, and client contacts. When processing personal data on behalf of a client during an audit engagement, such as employee data during an HR compliance review or customer data during a DPDP readiness assessment, the Firm acts as a Data Processor and the client is the Data Fiduciary.

Data Processing Agreement requirement: For every engagement where the Firm will process personal data on behalf of a client, a Data Processing Schedule must be annexed to the engagement letter before commencement. This Schedule sets out: the categories of personal data to be processed; the purpose and duration of processing; the Firm's obligations as Data Processor; and the client's obligations as Data Fiduciary. No such processing will commence without an executed Data Processing Schedule. This requirement is mandatory and cannot be waived.

2. Categories of data processed

Contact data: Name, email, phone number, designation, and company affiliation
Business and financial data: Financial records, GST returns, IT infrastructure documents, export documentation, and compliance materials shared during engagements
Subscription data: Email address, company, country, and frequency preference for VextIntel subscribers, collected with explicit consent including timestamp and policy version
Website usage data: Anonymised IP address and browsing behaviour via Google Analytics
Payment data: Transaction references via Razorpay PCI-DSS compliant infrastructure. The Firm does not store card numbers, UPI VPAs, or banking credentials.

3. Legal basis for processing

Contract: For all data necessary to deliver services under an engagement letter or SOW
Consent: For newsletter subscriptions and marketing: explicit, timestamped, and withdrawable at any time
Legal obligation: For records required under applicable law including Indian tax law, Companies Act, LLP Act, ICAI standards, and equivalent obligations applicable to international engagements
Legitimate interest: For anonymised website analytics and fraud prevention

4. Data minimisation and purpose limitation

The Firm collects only the minimum data necessary for each specific purpose. Data collected for one purpose will not be used for any unrelated purpose without explicit consent. Client data is used exclusively to deliver the relevant engagement.

5. Data storage, localisation, and third-party processors

All data is stored primarily within India using Google Workspace. Third-party processors: Google Workspace (ISO 27001, SOC 2, PCI-DSS); Razorpay (PCI-DSS Level 1, ISO 27001); Vercel (SOC 2 Type 2); Make.com (ISO 27001). All processors are bound by data processing agreements. The Firm does not use any processor that does not hold at minimum ISO 27001 certification or equivalent.

6. Data retention

Audit work papers and engagement files: 8 years from engagement completion (ICAI and Income Tax Act)
Client correspondence: 3 years from last engagement
Payment records: 8 years (RBI and Income Tax Act)
Subscriber data: Until unsubscribe, then deleted within 30 days
Website analytics: 26 months

Erasure requests are accommodated except where retention is required by law. Where legally required retention overrides an erasure request, the Firm will confirm this in writing and restrict processing to the minimum necessary for the retention obligation.

7. Breach notification: B2B client-specific SLA

In the event of a confirmed or suspected data breach: (a) the Firm will contain the breach within 1 hour of discovery; (b) where the breach involves client business data processed under an engagement, the client will be notified within 24 hours of the breach being confirmed to enable the client to meet their own statutory notification obligations to their data subjects and regulators; (c) where required by applicable law, including DPDP Act 2023 for Indian data, GDPR for EU/UK data, and equivalent laws for other jurisdictions, the relevant data protection authority will be notified within 72 hours; (d) all breaches are documented in the Security Incident Register.

8. Your rights and contact

Data rights under DPDP Act 2023 are set out in the Privacy Policy. Contact support@vextaudit.com with subject "Data Policy Query".

Data Protection Contact | Vext Audit Capital
Email: support@vextaudit.com · Response within 2 Business Hours