Privacy Policy
Last updated: April 18, 2026 · Compliant with India's Digital Personal Data Protection Act, 2023 (DPDPA)
NexaSource Solutions Private Limited ("NexaSource," "we," "our," or "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit nexasource.io or engage our cybersecurity services.
This policy is primarily framed under India's Digital Personal Data Protection Act, 2023 ("DPDPA"), under which NexaSource acts as a Data Fiduciary and you (the individual) are the Data Principal. We also align with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) for visitors from those jurisdictions.
1. Personal Data We Collect
Data You Provide Directly
- Contact details: name, work email, phone number, job title, company name
- Engagement details: company size, industry, security requirements, current vendors, IT infrastructure context shared during scoping calls
- Account & commercial data: login credentials for any portal, billing address, GSTIN, purchase orders (payment instruments are processed by PCI-DSS compliant third-party processors; we do not store full card numbers)
- Communications: emails, support tickets, recorded consent for newsletter and marketing
Data Collected Automatically
- Device & network data: IP address, browser type, OS, device identifiers, approximate location derived from IP
- Usage data: pages visited, time on page, clickstream, referring URL
- Cookies & similar technologies: see Section 6 below
2. Lawful Basis & Purposes of Processing
Under the DPDPA we process your personal data on one of two lawful bases: (a) your consent, freely given for a specific purpose disclosed at the point of collection, or (b) for a legitimate use (Section 7 of the DPDPA), such as fulfilling a request you have voluntarily made or complying with law. The specific purposes are:
- Responding to quote requests, scoping enquiries, and support tickets
- Delivering, configuring, and managing the cybersecurity products and services you have purchased
- Issuing invoices, processing payments, and meeting tax / GST obligations
- Sending operational and security notifications related to active engagements
- With separate opt-in consent: sending the Threat Intelligence Brief and other marketing communications (you can withdraw consent at any time)
- Improving our website and services through aggregated, non-identifying analytics
- Detecting, preventing, and investigating fraud, abuse, and security incidents
- Complying with legal obligations under Indian law (including the Information Technology Act, 2000, the Companies Act, 2013, and the DPDPA itself)
3. How We Share Personal Data
We do not sell your personal data. We share it only as follows:
- OEM and licensing partners: Palo Alto Networks, Fortinet, Cisco, Microsoft, CrowdStrike, and other authorised OEMs for license provisioning, entitlement, and support - limited to the data strictly necessary
- Sub-processors / Data Processors: hosting (cloud providers), email delivery (e.g., Resend), CRM, ticketing, and analytics vendors engaged under written contracts that bind them to confidentiality and DPDPA-equivalent obligations
- Professional advisors: auditors, legal counsel, and bankers under confidentiality
- Legal & regulatory disclosures: when required under Indian law or by an order of a competent court, the Data Protection Board of India, CERT-In, or other lawful authority
- Business transfers: in connection with a merger, acquisition, restructuring, or sale of assets, with continued protection of your data
4. Cross-Border Data Transfers
Some of our sub-processors operate outside India. Under Section 16 of the DPDPA, we may transfer personal data outside India to any country except those specifically restricted by the Central Government via notification. Where data is transferred to the EU/UK/US, we additionally rely on Standard Contractual Clauses (SCCs) or equivalent safeguards. A current list of sub-processor locations is available on request from our Grievance Officer.
5. Data Security
We implement reasonable security safeguards as required under Section 8(5) of the DPDPA:
- AES-256 encryption for data at rest and TLS 1.2/1.3 for data in transit
- Role-based access control, principle of least privilege, and multi-factor authentication for all administrative access
- 24×7 monitoring through our own SOC, with formal incident response procedures
- Regular vulnerability assessments and periodic penetration testing
- Documented vendor risk management and contractual security obligations on sub-processors
Breach notification: In the event of a personal data breach, we will notify the Data Protection Board of India and each affected Data Principal in the form and manner prescribed under the DPDPA, without undue delay.
6. Cookies & Tracking
We use cookies and similar technologies for essential site functionality and, with your consent where required, analytics. Categories used:
- Strictly necessary cookies: required for the site to function (e.g., session, security)
- Analytics cookies: aggregated traffic measurement (loaded only after consent in jurisdictions that require it)
- Preference cookies: remember your settings
You can disable or delete cookies via your browser settings; some site features may not work without strictly necessary cookies.
7. Your Rights as a Data Principal (DPDPA)
Under the DPDPA you have the following rights, exercisable free of charge by writing to our Grievance Officer (Section 13):
- Right to access a summary of your personal data being processed and the processing activities undertaken (Section 11)
- Right to correction, completion, updating, and erasure of your personal data (Section 12)
- Right to grievance redressal - a readily available means to raise complaints with us (Section 13)
- Right to nominate another individual to exercise your rights in the event of your death or incapacity (Section 14)
- Right to withdraw consent at any time, as easily as it was given (Section 6(4)-(6)). Withdrawal does not affect the lawfulness of processing carried out before withdrawal
If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India established under Chapter V of the DPDPA.
For visitors from the EU/UK (GDPR): you additionally have rights to data portability, to object to processing, and to lodge a complaint with your local supervisory authority. For California residents (CCPA/CPRA): you have the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information - we do not sell or share your information as defined under the CCPA.
8. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by Indian law. Marketing-list data is retained until you withdraw consent. Engagement and contract data is typically retained for the duration of our relationship plus seven (7) financial years to meet tax, GST, and statutory audit requirements. Once the retention purpose is exhausted, data is securely deleted or irreversibly anonymised, in accordance with Section 8(7) of the DPDPA.
9. Children's Data
Our services are not directed to children. Under Section 9 of the DPDPA, a "child" means an individual under 18 years of age. We do not knowingly collect personal data from children or persons with disabilities (lacking the capacity to consent) without verifiable parental or lawful-guardian consent. If you believe we have collected such data inadvertently, please contact our Grievance Officer and we will delete it.
10. Third-Party Links
Our website may link to third-party sites. We are not responsible for their privacy practices and encourage you to review their policies separately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be highlighted on this page and, where appropriate, communicated by email. The "Last updated" date at the top reflects the latest version.
12. Grievance Officer & Contact
In accordance with Section 8(9) of the DPDPA and Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the contact details of our Grievance Officer are:
- Grievance Officer: [Name to be appointed]
- Email (Grievances & Data Principal Requests): grievance@nexasource.io
- Privacy queries: privacy@nexasource.io
- Postal address: NexaSource Solutions Private Limited, B-128, First Floor, Sector-2, Gautam Buddha Nagar, Noida, Uttar Pradesh 201301, India
- Phone: +91 84474 25125
We will acknowledge complaints within 72 hours and respond substantively within 30 days, in line with Indian regulatory expectations.