This Data Breach Notification Policy describes how Servyn AI detects, assesses, and responds to personal data breaches, and how we notify affected parties as required under DPDPA 2023 S.8(6) and the SPDI Rules 2011.
This Policy applies to all personal data processed through the Servyn AI platform, including data held in our Supabase database, backup systems, and any data held by Sub-Processors.
A personal data breach is any accidental or unlawful event that results in:
Not all security incidents are data breaches. A server error that does not expose personal data is an incident, not a breach.
Upon becoming aware of a potential breach, Servyn AI will:

| Severity | Description | Example |
|---|---|---|
| Low | Limited impact; no SPDI exposed; contained quickly | A single user account password reset email sent to the wrong address |
| Medium | Some personal data exposed; limited number of individuals; quickly contained | A bug temporarily exposed job records of one company to another company's admin |
| High | SPDI exposed (Aadhaar, PAN, salary, bank details); large number of individuals; potential for harm | Database credentials compromised; bulk export of payroll data by unauthorised party |

| Recipient | Timeline | Trigger |
|---|---|---|
| Affected Customer (company admin) | Within 24 hours of Servyn AI becoming aware | Any Medium or High severity breach affecting that customer's data |
| Data Protection Board of India (DPBI) | Within 72 hours of Servyn AI becoming aware | Any breach likely to result in harm to Data Principals (once DPBI is operational) |
| Affected Data Principals | Promptly after DPBI notification, as directed by DPBI | As required by DPBI direction or when notification is necessary to protect Data Principals |
| Internal record | Immediately upon detection | All incidents, regardless of severity |

When Servyn AI notifies a Customer of a breach, the notification will include:
Notification will be sent via email to the registered admin email address and, for High severity breaches, also via WhatsApp.
If not all information is available within 24 hours, Servyn AI will send an initial notification with available information and follow up with complete information as soon as reasonably practicable.
Servyn AI will notify the Data Protection Board of India (DPBI) within 72 hours of becoming aware of a breach that is likely to result in harm to Data Principals, as required under DPDPA 2023 S.8(6).
The DPBI notification will be submitted via the DPBI's official online portal (dataprivacy.gov.in) once it is operational, and will contain all information required under the DPDPA 2023 rules.
Servyn AI will cooperate fully with any DPBI inquiry or investigation arising from a breach notification.
Servyn AI will notify affected Data Principals (individual employees and customers whose data was breached) when:
Because employee and customer data is entered by the Customer (the Data Fiduciary), Servyn AI will coordinate with the Customer on the content and delivery of Data Principal notifications. The Customer is responsible for contacting their employees and customers using contact details they hold.
Following any Medium or High severity breach, Servyn AI will:
As a Data Fiduciary under DPDPA 2023, you also have breach notification obligations to your employees and customers. When Servyn AI notifies you of a breach:
If you suspect a data breach or security incident involving the Servyn AI platform, report it immediately:
Rahul Birwadkar — Grievance Officer
📧 founder@servynai.in — Subject: "Security Incident Report"
📞 +91 97684 46498 (call or WhatsApp for urgent matters)
Available: Mon–Sat, 9 AM – 7 PM IST. For critical incidents outside these hours, call directly.