ARTICLE I: INTERPRETATION AND DEFINITIONS

1.1. For the purposes of this Privacy & Data Sovereignty Protocol (hereinafter referred to as the "Protocol"), the following definitions shall apply with full force and effect throughout the entirety of the Client's engagement with RiskFortress Intelligence Private Limited (hereinafter referred to as "RiskFortress," "the Company," "We," "Us," or "Our"):

1.2. "Client" shall mean and include any natural person, body corporate, partnership firm, limited liability partnership, trust, Hindu Undivided Family, association of persons, or any other legal entity that has executed a Master Service Agreement with RiskFortress, or has otherwise engaged the services of RiskFortress through any electronic or physical medium, including but not limited to the submission of intake forms, execution of non-disclosure agreements, or verbal engagements subsequently confirmed in writing.

1.3. "Intelligence Data" shall mean and encompass all information, data, documents, records, communications, and materials of whatsoever nature, whether in physical, electronic, digital, or any other format, that are collected, processed, analyzed, synthesized, or generated by RiskFortress in the course of providing services to the Client, including but not limited to: (a) raw data obtained from open-source intelligence (OSINT) vectors; (b) proprietary analytical outputs; (c) risk assessment matrices; (d) threat forecasting models; (e) geospatial intelligence products; (f) human intelligence reports; (g) technical surveillance countermeasures findings; (h) due diligence reports; and (i) any derivative works or analytical products created therefrom.

1.4. "Forensic Artifacts" shall mean and include all digital, physical, documentary, or testimonial evidence collected, preserved, analyzed, or documented by RiskFortress in the course of conducting investigations, audits, assessments, or any other evidentiary collection activities, including but not limited to: (a) digital forensic images; (b) chain of custody documentation; (c) metadata extractions; (d) communication intercepts lawfully obtained; (e) witness statements; (f) surveillance records; (g) document authenticity assessments; and (h) expert reports prepared for potential legal proceedings.

1.5. "Sovereign Data" shall mean and refer to any and all information that pertains to the Client's organizational structure, business operations, financial affairs, family matters, personal security arrangements, strategic initiatives, competitive intelligence, trade secrets, proprietary methodologies, and any other information that the Client has designated as confidential, sensitive, or requiring enhanced protection measures, regardless of whether such designation is express or implied from the nature of the information or the circumstances of its disclosure.

1.6. "Sensitive Personal Data or Information" (as defined under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011) shall include: (a) passwords; (b) financial information such as bank account, credit card, debit card, or other payment instrument details; (c) physical, physiological, and mental health condition; (d) sexual orientation; (e) medical records and history; (f) biometric information; (g) any detail relating to the above clauses as provided to body corporate for providing service; and (h) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

1.7. "Processing" shall mean any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.8. "Data Principal" shall mean the individual to whom the personal data relates and where such individual is: (a) a child, includes the parents or lawful guardian of such a child; (b) a person with disability, includes her lawful guardian, acting on her behalf.

1.9. "Data Fiduciary" shall mean any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, and in the context of this Protocol, RiskFortress acts as a Data Fiduciary with respect to Client data processed in accordance with this Protocol and applicable law.

ARTICLE II: COLLECTION OF NON-PUBLIC INFORMATION

2.1. RiskFortress, in the furtherance of its intelligence and risk advisory mandate, collects and processes Sensitive Personal Data and Information as defined under applicable Indian law, including but not limited to: (a) biometric data including fingerprints, facial recognition data, voice patterns, and gait analysis where necessary for identity verification and access control; (b) financial information including bank statements, tax records, investment portfolios, asset declarations, and transactional histories for the purpose of financial due diligence and fraud detection; (c) geo-spatial data including location histories, movement patterns, frequented locations, and travel itineraries for threat assessment and protective intelligence purposes.

2.2. RiskFortress utilizes passive telemetry and open-source intelligence (OSINT) vectors for the collection of publicly available information, digital footprint analysis, and reputation assessment. Such collection methods include but are not limited to: (a) analysis of publicly accessible social media profiles and digital publications; (b) monitoring of public court records, regulatory filings, and government databases; (c) aggregation of news media references and press coverage; (d) examination of corporate registry filings and directorship records; (e) assessment of property records and encumbrance certificates; and (f) review of academic credentials and professional certifications from publicly accessible sources.

2.3. The Client expressly acknowledges and consents that RiskFortress may, in the course of providing contracted services, collect information from third-party sources, commercial databases, government records, and other lawfully accessible repositories, and that such collection is integral to the provision of comprehensive intelligence and risk advisory services.

ARTICLE III: PURPOSE OF PROCESSING (NEED-TO-KNOW BASIS)

3.1. RiskFortress processes Client data and Intelligence Data exclusively for the following specified, explicit, and legitimate purposes, adhering strictly to the principle of purpose limitation:

3.1.1. Risk Mitigation: The identification, assessment, quantification, and mitigation of risks including but not limited to operational risks, strategic risks, reputational risks, legal risks, compliance risks, financial risks, and security risks facing the Client's organization, assets, personnel, or interests.

3.1.2. Threat Forecasting: The predictive analysis and modeling of potential threats, adverse events, and risk scenarios utilizing proprietary algorithms, machine learning models, and expert human analysis to provide early warning intelligence and proactive protective recommendations.

3.1.3. Legal Admissibility: The collection, preservation, and documentation of evidentiary materials in a manner that ensures chain of custody integrity, forensic soundness, and admissibility in judicial and quasi-judicial proceedings before courts, tribunals, and arbitral bodies in India and internationally recognized jurisdictions.

3.2. RiskFortress does not sell, trade, rent, or otherwise commercially exploit Client data or Intelligence Data. Any disclosure of such data is strictly limited to the purposes specified herein and as required by applicable law.

ARTICLE IV: DATA RETENTION & DIGITAL SHREDDING

4.1. All Client Intelligence Data is stored on secure, access-controlled infrastructure utilizing air-gapped systems for the most sensitive categories of information. Our data storage architecture employs multiple layers of physical, logical, and cryptographic security controls designed to prevent unauthorized access, modification, or exfiltration.

4.2. The Kill Policy: All Client intelligence data shall be cryptographically purged utilizing AES-256 secure deletion protocols within seven (7) years from the date of final service delivery (being the maximum statutory retention period under applicable laws including the Limitation Act, 1963) or upon contract termination, whichever occurs earlier, unless: (a) a longer retention period is required by applicable law or regulatory mandate; (b) the data is required for pending or anticipated legal proceedings; (c) the Client provides written instructions for earlier deletion; or (d) the data has been anonymized such that the Client cannot be identified.

4.3. Upon activation of data purging protocols, RiskFortress shall issue a Certificate of Destruction to the Client confirming the secure and irreversible destruction of all Client data in our possession, custody, or control, including backup copies maintained in disaster recovery systems.

ARTICLE V: DISCLOSURE TO THIRD PARTIES AND LAW ENFORCEMENT

5.1. RiskFortress maintains an unwavering commitment to Client confidentiality and data sovereignty. Disclosure of Client data or Intelligence Data to third parties, including law enforcement agencies and government authorities, shall occur only under the following strictly limited circumstances:

5.1.1. Pursuant to a valid order, warrant, or subpoena issued by a Court of competent jurisdiction, including the Supreme Court of India, High Courts, or subordinate courts exercising lawful authority, and only after exhausting all available legal remedies to challenge or narrow the scope of such order where doing so is in the Client's interest and legally permissible.

5.1.2. RiskFortress shall not voluntarily disclose Client information in response to informal requests, letters of inquiry, or demands from police authorities, regulatory bodies, or government agencies that do not meet the threshold of a lawful court order. The Client shall be promptly notified of any such demands or requests unless such notification is prohibited by law.

5.1.3. Where disclosure is necessary to prevent imminent threat to life, bodily harm, or national security, and such disclosure is the minimum necessary to address the immediate threat.

5.2. RiskFortress shall maintain detailed logs of all disclosure requests received and actions taken in response thereto, which logs shall be made available to the Client upon reasonable request.

ARTICLE VI: DATA PRINCIPAL RIGHTS

6.1. In accordance with the Digital Personal Data Protection Act, 2023, Data Principals have the right to: (a) obtain confirmation as to whether their personal data is being processed; (b) access a summary of personal data being processed and the processing activities; (c) request correction and erasure of inaccurate or incomplete data; (d) nominate another individual to exercise rights in the event of death or incapacity; and (e) obtain grievance redressal through designated channels.

6.2. Requests for exercise of Data Principal rights shall be directed to our Data Protection Officer at: dpo@riskfortress.in

ARTICLE VII: AMENDMENTS AND GOVERNING LAW

7.1. RiskFortress reserves the right to amend, modify, or update this Protocol at any time. Material changes shall be communicated to active Clients through registered email or secure portal notification not less than thirty (30) days prior to the effective date of such changes.

7.2. This Protocol shall be governed by and construed in accordance with the laws of the Republic of India. Any disputes arising hereunder shall be subject to the exclusive jurisdiction of the courts at Greater Noida, Uttar Pradesh.