Data protection overview

Last updated: March 25, 2026

This page summarizes how Support Master approaches data protection, security, and governance for our cloud service. It is an overview for due diligence—not a substitute for your Data Processing Agreement (DPA), Order Form, or legal counsel. Personal data practices are also described in our Privacy Policy.

1. Roles: controller, processor, and you

When your organization uses Support Master to operate commerce (orders, customers, employees, integrations), you are typically the controller (or equivalent under local law, such as a fiduciary or business under India’s Digital Personal Data Protection Act, 2023) for Customer Data you submit. Support Master generally acts as a processor or service provider, processing Customer Data only on your instructions and to provide the service—unless we determine purposes and means independently (for example certain account, billing, and security telemetry we control as a vendor).

You are responsible for lawful collection from data subjects, notices, consents or other bases, and for configuring the product (roles, retention exports, integrations) to meet your obligations.

2. Categories of data in scope

Depending on modules and integrations, the service may process:

  • Identity and account data — names, work emails, roles, authentication events.
  • Operational commerce data — order, inventory, payment references, logistics, support tickets, and similar payloads you route through the platform.
  • Technical and security data — IP addresses, device identifiers, logs, and diagnostics used to secure and operate the service.

Special categories of data or highly regulated datasets should only be introduced when explicitly agreed in writing and supported by appropriate controls.

3. Security measures (summary)

We implement administrative, technical, and organizational measures intended to protect confidentiality, integrity, and availability. These commonly include:

  • Role-based access control and least-privilege engineering access;
  • Encryption in transit (TLS) and encryption for data at rest where supported by the service architecture;
  • Logging and monitoring for security-relevant events;
  • Change management and vulnerability handling processes;
  • Vendor due diligence for material subprocessors.

Specific controls, certifications, and audit reports may be shared under NDA or as listed in your enterprise security appendix—this page does not list every technical control or imply a particular certification unless separately confirmed in writing.

4. Hosting and locations

Production data may be processed in data center regions selected for your deployment or as described in your Order Form. Backup and disaster recovery may involve replication within the same provider ecosystem. Exact regions and replication behavior are confirmed during implementation.

5. Subprocessors

We use subprocessors (for example cloud infrastructure, email delivery, monitoring) who process personal data on our behalf under written agreements requiring appropriate confidentiality and security. Enterprise customers may receive a subprocessor list and notice process as set out in the DPA or Order Form.

6. International transfers

Where personal data moves across borders, we use mechanisms appropriate under applicable law (such as standard contractual clauses or adequacy decisions) when required. Your DPA may specify transfer tools for your jurisdiction.

7. Retention and deletion

We retain Customer Data for as long as your account is active and for a period afterward as needed for backups, legal holds, audit, or contract terms. Deletion and export windows after termination are defined in your agreement and operational runbooks. Some residual copies may persist in encrypted backups for a limited period before aging out.

8. Incident response

We maintain procedures to detect, investigate, and remediate security incidents. Where a personal data breach requires notification to you or regulators under law or contract, we will inform you without undue delay in accordance with those obligations. Customers should provide accurate security contacts on file.

9. Your obligations as a customer

To support mutual compliance, you should:

  • maintain accurate admin contacts and escalation paths;
  • provision users with appropriate roles and offboard leavers promptly;
  • avoid uploading data you are not entitled to process;
  • review integration mappings so sensitive fields are not exposed unnecessarily;
  • cooperate on data subject requests that require your verification as controller.

10. DPDP, GDPR, and other frameworks

We design the service to be configurable for common enterprise requirements. Compliance with India’s DPDP Act, the EU GDPR, or other regimes depends on your use case, data types, and implementation. We do not provide legal advice; your counsel should map obligations to your workflows and our DPA.

11. Audits and questionnaires

We respond to reasonable security and privacy questionnaires for enterprise procurement. Large audit exercises may be scheduled and may be subject to confidentiality and frequency limits in your agreement.

12. Contact

For data protection inquiries, DPA requests, or subprocessor questions, contact us via our contact page or the trust/privacy mailbox provided in your Order Form.