One-pager · For DPOs, counsel + trustees · As of 2026-05-26 · v1.0 — pending counsel review before public launch

Deshika.xyz DPDP posture.

A single printable summary of how Deshika operates under India’s Digital Personal Data Protection Act, 2023. Hand this to your DPO, your counsel, or your trustee. This v1.0 reflects our operating posture; the binding text is the Data Processing Agreement attached to your school’s contract.

Roles

Data Fiduciary
The school — never Deshika. The school is the Data Fiduciary under DPDP §2(i). Deshika is the Data Processor under §2(k). This is the operating frame for everything below.
Data Processor
Deshika Technologies Pvt Ltd — processes data only on the school's written instruction (DPA). We do not determine purposes. We do not retain. We do not repurpose.
Data Principal
The student (and, for under-18s, the parent acting as legal guardian). The school's enrolment-stage consent flow captures the parent's authorization per the Schedule IV exemption.

Lawful basis (DPDP §4 + Schedule IV)

Basis used
Schedule IV exemption — Clause 4 (educational institutions): tracking, behavioural monitoring, and targeted advertising restrictions DO NOT apply for processing necessary for the legitimate purposes of the educational institution. Plus parent consent at enrolment.
Purposes covered
Academic activity · child safety · clinical care. Nothing else. Specifically NOT covered: marketing, advertising, profiling for non-academic ends, third-party data sale, model training using child data.
What we will NOT do
Use student data to train any general-purpose AI model. Sell or share data with third parties. Run targeted advertising. Build behavioural profiles for non-academic purposes. Defer to the vendor's own terms over the school's DPA.

Data residency + hosting

Primary hosting
AWS Mumbai (ap-south-1) with a Hyderabad (ap-south-2) failover. All student data at rest stays in India.
Cross-border transfer
None for routine processing. If a model call needs to leave India (e.g. for advanced reasoning models without an Indian endpoint), the school's DPA must whitelist that vendor in advance. Parent notified at enrolment. The default is in-India.
Encryption
TLS 1.3 in transit. AES-256 at rest. Per-school keys; no shared encryption namespace across schools.

Children's-data readiness (live 13 May 2027)

Verifiable Parental Consent
Two flows: DigiLocker-anchored digital VPC for parents who use it; assisted-VPC (counsellor-read-aloud + thumbprint + teacher-witness) for parents who don't. Both legally equivalent.
Opt-out path
The school must provide a non-AI learning alternative for any opted-out child. We help design the alternative; the school administers it. Opt-out cannot trigger any penalty, exclusion, or disadvantage.
SDF threshold
If your school holds >10,000 student records (the likely Significant Data Fiduciary threshold under the Rules), additional obligations apply — named DPO, data-protection impact assessment, independent audit. Our SDF-readiness kit ships with the engagement.

Data principal rights

Access
Parent can request what data is held about their child. Response within 30 days, free, in plain language. Route via your school's DPO.
Correction
Parent can request correction of incorrect data. We update across all derived stores within 7 working days of the school's instruction.
Erasure
Triggered automatically when the child leaves the school (30-day retention, then erase) OR on parent request when consent is withdrawn for non-essential processing. Cryptographic erasure via per-school key revocation; backups follow the same cycle.
Grievance
First-level: school's DPO. Escalation: Deshika DPO at bishwarup@deshika.xyz (24-hour SLA). Final: Data Protection Board of India.

Safety + incident response

Distress signals
Three-tier protocol (T1/T2/T3). T1: AI surfaces Tele-MANAS 14416 + Vandrevala 1860-2662-345 + breaks character. T2: counsellor notified <1 hour. T3 (imminent danger): counsellor + principal + parent within minutes. Privacy: counsellor sees that a flag fired and the tier; only sees actual words at T3.
Breach notification
School informed within 4 hours of breach detection. Data Protection Board notified within 72 hours per DPDP §8(6). Public notification at the Board's discretion.
Audit log
School's named DPO has read access to the full audit log of all AI interactions, all consent state changes, and all data-access requests. Logs are immutable for 1 year, then erased.

Independent verification

Penetration test
Annual third-party pen-test by a CERT-In empanelled auditor. Report shared with school's DPO on request under NDA.
SOC 2 Type II
In progress. Target completion Q4 2026. Available on signed NDA from Q1 2027.
ISO 27001
Certification audit scheduled Q2 2027.

Contacts

Deshika DPO
bishwarup@deshika.xyz · Response within 24 hours for school-DPO inquiries. Phone on signed engagement.
Founder
Bishwarup Das · contact form · Reads every DPO escalation personally.
Registered office
Deshika Technologies Pvt Ltd · Bangalore, Karnataka, India · CIN [⚑ founder confirm at incorporation]

Got a specific DPDP question?

Email our DPO. We respond within one business day. For school IT leads, counsel, or trustees who want to validate posture before recommending to the board.
