(A) SecureRoot Risk Advisory LLP (“SecureRoot”, “the Firm”, “we”, “our”, “us”) is a limited liability partnership registered under the Limited Liability Partnership Act, 2008, carrying on the business of cybersecurity advisory, vulnerability assessment and penetration testing (“VAPT”), governance, risk and compliance (“GRC”), managed detection and response (“MDR”), and allied professional services.
(B) In the course of its operations, SecureRoot processes Personal Data of clients, prospective clients, website visitors, employees, contractors, job applicants, and other natural persons (collectively, “Data Subjects”).
(C) This Privacy Policy (“Policy”) has been prepared to satisfy the transparency and information obligations imposed on Data Fiduciaries and Data Controllers under applicable data-protection law, including but not limited to: (i) the Digital Personal Data Protection Act, 2023 (“DPDPA”) and rules made thereunder; (ii) Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and, as retained in UK domestic law, the UK GDPR read with the Data Protection Act 2018 (collectively “UK GDPR”); (iii) the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020 (“CCPA/CPRA”); and (iv) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) to the extent not superseded by DPDPA.
(D) Where there is a conflict between the requirements of different applicable laws, the Firm shall, in respect of Data Subjects domiciled in or whose data is processed in a particular jurisdiction, comply with the law of that jurisdiction to the extent it imposes stricter or additional requirements.
1.1 In this Policy, unless the context otherwise requires, the following terms have the meanings ascribed to them below. Terms not defined herein shall bear the meaning assigned to them in the applicable law cited.
“Consent” — Freely given, specific, informed, and unambiguous indication of a Data Subject’s agreement to the processing of their Personal Data, including by a clear affirmative action. Under DPDPA, consent must be given through a clear affirmative act after a notice complying with § 5 of the DPDPA.
“Controller” / “Data Fiduciary” — The natural or legal person who, alone or jointly with others, determines the purposes and means of processing of Personal Data. SecureRoot acts as Controller/Data Fiduciary in respect of data processed for its own purposes and as Processor/Data Processor in respect of client Personal Data processed pursuant to a Data Processing Agreement.
“Data Processing Agreement” (“DPA”) — A written agreement between SecureRoot and a client or sub-processor governing the terms on which Personal Data is processed, as required by Article 28 GDPR and § 8(2) DPDPA.
“Data Subject” — An identified or identifiable natural person whose Personal Data is processed by SecureRoot. For CCPA purposes, equivalent to “Consumer”.
“Personal Data” / “Personal Information” — Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR and § 2(t) DPDPA. Includes information that, alone or in combination with other information, can reasonably be used to identify a natural person.
“Processing” — Any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction (Art. 4(2) GDPR; § 2(x) DPDPA).
“Processor” / “Data Processor” — A natural or legal person that processes Personal Data on behalf of the Controller, pursuant to a DPA.
“Sensitive Personal Data” / “Special Category Data” — Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning a person’s sex life or sexual orientation (Art. 9 GDPR). Under DPDPA, includes financial data, health data, official identifiers, biometric data, caste or tribe, and religious or political belief (§ 2(t) read with Sch. I DPDPA). Under CCPA/CPRA, “Sensitive Personal Information” as defined in Cal. Civ. Code § 1798.140(ae).
“Sub-Processor” — A third-party processor engaged by SecureRoot to carry out processing activities on behalf of a client Controller, in accordance with Art. 28(2)-(4) GDPR and applicable DPDPA provisions.
1.2 References to statutory provisions include any amendment, re-enactment, or subordinate legislation made thereunder. References to “includes” and “including” are not exhaustive.
2.1 For the purposes of the DPDPA, GDPR, UK GDPR, CCPA/CPRA, and all other applicable data-protection laws, the Data Fiduciary / Controller / Business is:
SecureRoot Risk Advisory LLP
Registered Office / Head Office: Kanpur, Uttar Pradesh, India
Corporate Office: Greater Noida, Uttar Pradesh, India
Data Protection Contact: privacy@secureroot.co
Website: www.secureroot.co
2.2 SecureRoot has designated a Grievance Officer as required under § 13 DPDPA and Rule 5(9) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Details are set out in § 16 below.
2.3 Where SecureRoot processes Personal Data as a Processor on behalf of a client Controller, the applicable privacy notice is that of the client Controller. SecureRoot shall process such data solely in accordance with the instructions of the client Controller and the executed DPA.
3.1 This Policy applies to all Personal Data processed by SecureRoot in its capacity as Data Fiduciary / Controller, including data collected through: (a) our Website (www.secureroot.co); (b) client engagement and onboarding processes; (c) marketing and business-development activities; (d) recruitment; and (e) corporate and HR functions.
3.2 This Policy does not apply to anonymised or aggregated data from which no individual can reasonably be identified. Where Personal Data is processed by SecureRoot as a Processor under a client’s DPA, the client Controller’s privacy notice governs Data Subject rights and disclosures.
3.3 Jurisdictional scope:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, date of birth, employee/contractor ID, gender (if provided voluntarily) | Registration forms, contracts, HR records |
| Contact Data | Work/personal email, telephone, postal address, LinkedIn URL | Website forms, emails, business cards |
| Professional Data | Employer name, job title, department, professional qualifications | Engagement letters, CVs, LinkedIn |
| Authentication Data | Usernames, hashed passwords, MFA tokens (client portals) | Portal registration |
| Financial & Billing Data | GST/PAN, bank account details, invoice address, purchase history | Engagement onboarding, AP/AR process |
| Contractual Data | Signed agreements, SOWs, NDAs, scope-of-work definitions | Engagement documentation |
| Communications Data | Email content, meeting notes, support tickets, call recordings | Direct interactions |
| Recruitment Data | CV/résumé, cover letter, references, certifications, right-to-work documents | Job applications |
4.4.1 SecureRoot does not collect Sensitive Personal Data / Special Category Data / Sensitive Personal Information as routine business practice. Such data is processed only where: (a) required by law; (b) necessary for the defence or establishment of legal claims; or (c) explicitly consented to in writing by the Data Subject for a specific, documented purpose (e.g., healthcare-sector VAPT requiring the processing of protected health information).
4.4.2 When Sensitive Personal Data is processed, SecureRoot applies enhanced safeguards including: data minimisation, encryption, strict access controls, and, where GDPR applies, completion of a Data Protection Impact Assessment (“DPIA”) under Art. 35 GDPR.
5.1 The table below sets out each purpose for which SecureRoot processes Personal Data, the categories of data involved, and the applicable legal basis under each jurisdiction. Where multiple bases apply, the primary basis is listed first.
| Purpose | Data Categories | DPDPA Basis | GDPR / UK GDPR Basis | CCPA Applicability |
|---|---|---|---|---|
| Delivery of contracted cybersecurity services (VAPT, GRC, MDR, consulting) | Identity, Contact, Professional, Contractual, Technical | Contractual necessity (§ 4(1)(b)) | Art. 6(1)(b) — contract performance | Business purpose (§ 1798.140(e)) |
| Client portal access and account management | Identity, Contact, Authentication | Contractual necessity | Art. 6(1)(b) | Business purpose |
| Invoicing, billing, tax, and financial record-keeping | Identity, Contact, Financial | Legal obligation; Contractual necessity | Art. 6(1)(b) and (c) — legal obligation | Business purpose |
| Marketing, newsletters, and business-development communications | Identity, Contact, Professional | Consent (§ 4(1)(a)) | Art. 6(1)(a) consent (EU/UK); Art. 6(1)(f) legitimate interest (B2B) | Consumer opt-out right applies (§ 1798.120) |
| Website analytics and UX improvement | Usage, Cookie/Tracking, Device | Consent where identifiable; Legitimate use | Art. 6(1)(a) consent; Art. 6(1)(f) otherwise | Business purpose |
| Responding to enquiries, support, and complaints | Identity, Contact, Communications | Contractual necessity; Consent | Art. 6(1)(b); Art. 6(1)(f) | Business purpose |
| Recruitment and human resources | Identity, Contact, Recruitment | Pre-contractual; Consent | Art. 6(1)(b) pre-contractual steps; Art. 6(1)(c) legal obligation | Business purpose; HR exemption |
6.1 SecureRoot retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying legal, accounting, or reporting requirements.
6.2 Retention periods by data category (indicative):
6.3 At the end of the retention period, Personal Data is either deleted, anonymised beyond reconstruction, or archived to secure cold storage with restricted access. Where data is anonymised, it may continue to be used for statistical and research purposes.
7.1 SecureRoot does not sell Personal Data. Personal Data may be disclosed only in the following circumstances:
7.2 SecureRoot maintains a current register of sub-processors. Clients may request the current sub-processor list by writing to privacy@secureroot.co.
8.1 Where Personal Data is transferred outside the Data Subject’s jurisdiction, SecureRoot ensures appropriate safeguards are in place, including:
8.2 Under DPDPA § 16, transfers of Digital Personal Data outside India are permitted to any country not specifically restricted by notification of the Central Government.
9.1 SecureRoot, as a cybersecurity firm, applies the security controls it recommends to clients to its own data-processing operations. Specific measures include:
10.1 In the event of a Personal Data Breach, SecureRoot will:
11.1 Subject to applicable law and verification of identity, Data Subjects have the following rights:
| Right | Legal Source | Response Deadline |
|---|---|---|
| Right of Access | Art. 15 GDPR; § 11 DPDPA; Cal. Civ. Code § 1798.110 | 1 month (GDPR); 30 days (DPDPA); 45 days (CCPA, extendable) |
| Right to Rectification | Art. 16 GDPR; § 12 DPDPA | 1 month (GDPR); 30 days (DPDPA) |
| Right to Erasure (“Right to be Forgotten”) | Art. 17 GDPR; § 13 DPDPA; Cal. Civ. Code § 1798.105 | 1 month (GDPR); 30 days (DPDPA); 45 days (CCPA) |
| Right to Restriction of Processing | Art. 18 GDPR | 1 month |
| Right to Data Portability | Art. 20 GDPR | 1 month |
| Right to Object to Processing | Art. 21 GDPR | Immediate (marketing); 1 month (other) |
| Right Not to be Subject to Automated Decision-Making | Art. 22 GDPR | 1 month |
| Right to Withdraw Consent | Art. 7(3) GDPR; § 6(4) DPDPA | Immediate |
| Right to Lodge a Complaint | Art. 77 GDPR; § 27 DPDPA | N/A — direct to authority |
| Right to Nominate a Representative (DPDPA) | § 14 DPDPA | N/A |
| Right to Opt-Out of Sale / Sharing (CCPA) | Cal. Civ. Code § 1798.120 | 15 business days |
| Right to Limit Use of Sensitive Personal Information (CCPA/CPRA) | Cal. Civ. Code § 1798.121 | 15 business days |
| Right to Non-Discrimination (CCPA) | Cal. Civ. Code § 1798.125 | N/A |
11.2 Exercise of Rights. To exercise any right, submit a written request to privacy@secureroot.co with: (a) full name and contact details; (b) the right(s) you wish to exercise; and (c) sufficient information to identify the Personal Data concerned. SecureRoot may require reasonable identity verification before acting on the request. No fee is charged unless requests are manifestly unfounded or excessive (Art. 12(5) GDPR).
11.3 Authorised Agents. Under CCPA, a California Consumer may designate an authorised agent to submit requests on their behalf via a signed power of attorney or written authorisation. SecureRoot may require direct verification from the Consumer in addition to verifying the agent’s authority.
12.1 Our Website uses cookies and similar technologies. Full details, categories, retention, and consent mechanisms are set out in the separate Cookie Policy (SRRA/LEGAL/CP/2026/10).
12.2 Consent for non-essential Cookies is obtained via a consent management platform (“CMP”) on first visit. Consent is granular (per category), recorded with timestamp and version, and revocable at any time via the Cookie Preferences link in the Website footer.
12.3 Where Google Analytics (or equivalent) is deployed, IP anonymisation is enabled. We do not permit analytics providers to use Website visitor data for their own purposes beyond service delivery.
13.1 SecureRoot’s services and Website are directed exclusively at professionals and business entities. We do not knowingly collect or process Personal Data of individuals under 18 years of age (or the applicable age of digital consent in the relevant jurisdiction: 16 in most EU/EEA Member States; 13 in the US by default under COPPA; 18 in India per § 3 DPDPA).
13.2 If SecureRoot becomes aware that it has inadvertently collected Personal Data from a minor without verifiable parental or guardian consent, it will delete such data promptly. If you believe a minor has submitted Personal Data, please notify us at privacy@secureroot.co immediately.
14.1 This section supplements the rest of this Policy and governs Personal Information of California residents. In the event of conflict between this section and the rest of the Policy for California residents, this section prevails.
| CCPA Category | Collected? | Sold / Shared? | Disclosed for Business Purpose? |
|---|---|---|---|
| A — Identifiers (name, email, IP, online identifiers) | Yes | No | Yes (IT/cloud providers, analytics) |
| B — Customer records | Yes | No | Yes (payment processors) |
| C — Protected classifications | Limited (recruitment only) | No | No |
| D — Commercial information | Yes | No | Yes (professional advisors, billing) |
| E — Biometric information | No | No | No |
| F — Internet / electronic network activity | Yes (cookies) | No | Yes (analytics with consent) |
| G — Geolocation data (precise) | No | No | No |
| H — Sensory data | No | No | No |
| I — Professional / employment information | Yes (recruitment, B2B) | No | Limited (background screening with consent) |
| J — Non-public education information | No | No | No |
| K — Inferences drawn from personal information | Limited (service personalisation) | No | No |
| L — Sensitive Personal Information (SPI) | Limited (with consent) | No | No |
14.3 Do Not Sell or Share. SecureRoot does not sell Personal Information as defined in Cal. Civ. Code § 1798.140(ad) and does not share Personal Information for cross-context behavioural advertising as defined in § 1798.140(ah). A “Do Not Sell or Share My Personal Information” request may nonetheless be submitted to privacy@secureroot.co and will be acknowledged within 15 business days.
14.4 Financial Incentives. SecureRoot does not offer financial incentives or price differentials in exchange for retention or sale of Personal Information (§ 1798.125).
14.5 Shine the Light. California Civil Code § 1798.83 permits California residents to request information about whether SecureRoot discloses Personal Information to third parties for their direct marketing purposes. SecureRoot does not share Personal Information for third-party direct marketing purposes.
15.1 Data Controller. SecureRoot Risk Advisory LLP is the Data Controller for Personal Data processed under GDPR / UK GDPR. Contact: privacy@secureroot.co.
15.2 Supervisory Authority. EU/EEA Data Subjects have the right to lodge a complaint with the supervisory authority of their Member State of habitual residence, place of work, or place of alleged infringement (Art. 77 GDPR). UK Data Subjects may complain to the Information Commissioner’s Office (ICO): ico.org.uk.
15.3 Profiling. SecureRoot does not carry out automated profiling with legal or similarly significant effects within the meaning of Art. 22 GDPR. Analytics activities that infer general service preferences do not constitute profiling with significant effects.
16.1 Grievance Officer. In accordance with § 13(3) DPDPA, the following officer has been designated to receive and redress grievances of Data Principals:
Email: privacy@secureroot.co
Address: SecureRoot Risk Advisory LLP, Greater Noida, Uttar Pradesh, India
Acknowledgement: Within 48 hours of receipt
Resolution: Within 30 days (or such shorter period as the Board may prescribe)
16.2 Consent Notice. When collecting data by consent, SecureRoot shall provide a notice under § 5 DPDPA specifying: (a) the personal data sought and purpose; (b) the manner in which the Data Principal may exercise rights; and (c) the manner of making a complaint to the Data Protection Board of India. Such notice shall be made available in English and, on request, in any language listed in the Eighth Schedule to the Constitution of India.
16.3 Data Protection Board. A Data Principal who has not received satisfactory redressal from the Grievance Officer may appeal to the Data Protection Board of India in accordance with § 27 DPDPA.
16.4 Significant Data Fiduciary. SecureRoot monitors its processing activities to assess whether it meets the threshold criteria for classification as a Significant Data Fiduciary (§ 10 DPDPA). If so classified by the Central Government, SecureRoot will appoint a Data Protection Officer, conduct independent audits, and undertake algorithmic transparency obligations as prescribed.
17.1 Our Website may contain hyperlinks to third-party websites, plug-ins, and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control third-party websites and this Policy does not apply to them. We encourage you to read the privacy notices of every website you visit.
17.2 Where our Website integrates third-party tools (e.g., LinkedIn Insight Tag, HubSpot forms), each integration is governed by the applicable third party’s privacy notice and our cookie consent mechanism. We do not permit third-party tools to use visitor data for purposes beyond those consented to.
18.1 SecureRoot reserves the right to update or amend this Policy at any time. The “Effective Date” at the top of this document reflects the date of the most recent revision.
18.2 Material changes — defined as changes affecting the legal basis for processing, the categories of data collected, the purposes of processing, or the rights of Data Subjects — will be notified to affected Data Subjects at least 30 days in advance by email (where an email address is held) and by a prominent notice on the Website. Non-material changes (e.g., typographic corrections, updated contact details) take effect immediately on publication.
18.3 Continued use of SecureRoot’s services following the effective date of a revised Policy constitutes acceptance of the revised terms, subject to any requirement to obtain fresh consent where required by law.
19.1 This Policy is governed by and construed in accordance with the laws of India, in particular the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and rules made thereunder. Nothing in this clause limits the mandatory rights of Data Subjects under GDPR, UK GDPR, or CCPA/CPRA in their respective jurisdictions.
19.2 Any dispute arising out of or in connection with this Policy that is not resolved by the Grievance Officer (§ 16.1 above) shall be submitted to the Data Protection Board of India (DPDPA) or the competent supervisory authority in the Data Subject’s jurisdiction (GDPR/CCPA). Courts in Gautam Buddha Nagar (Greater Noida), Uttar Pradesh shall have non-exclusive jurisdiction over matters not covered by statutory regulatory proceedings.
For all data-protection enquiries, rights requests, or complaints, please contact the Data Protection function of SecureRoot Risk Advisory LLP:
Email (primary): privacy@secureroot.co
Website: www.secureroot.co
Head Office: Kanpur, Uttar Pradesh, India
Corporate Office: Greater Noida, Uttar Pradesh, India
Response commitment: We acknowledge all data-protection requests within 48 hours and resolve substantive matters within the applicable statutory deadline.
Copyright © 2026 Secureroot Risk Advisory LLP. All rights reserved.