Legal

Compliance & Regulatory

Vector Flow's commitment to data protection, AI ethics, and regulatory compliance — from India's DPDPA to the EU's GDPR and global AI governance frameworks.

Last updated: June 2026

Table of Contents

§Our Compliance Framework§DPDPA 2023 (India)§GDPR (EU/UK)§Information Security§Ethical AI§Financial Compliance§Environmental§Sub-Processors§DPA Requests§Contact
01 — Framework

Our Compliance Framework

Vector Flow is committed to operating in accordance with the highest standards of data privacy, information security, and ethical AI development. We maintain a proactive compliance posture across all jurisdictions in which we operate, and we regularly review our practices against evolving legal and regulatory requirements.

Compliance Team: Our dedicated compliance and legal function is led by our CEO and reports directly to the board. For compliance enquiries, contact compliance@vectorflowsoft.com.
02 — DPDPA

Digital Personal Data Protection Act, 2023 (India)

India's Digital Personal Data Protection Act (DPDPA) 2023 governs the processing of digital personal data in India. Vector Flow complies with the DPDPA in the following ways:

  • Data Fiduciary Obligations: We identify purposes, obtain valid consent, and provide clear notice before collecting personal data
  • Purpose Limitation: We process personal data only for the specific purposes for which consent was obtained
  • Data Minimisation: We collect only the personal data necessary for the stated purpose
  • Data Principal Rights: We support rights to access, correct, and erase personal data, and the right to grievance redressal
  • Grievance Officer: We have appointed a Grievance Officer as required under the Act (see Section 10 for contact details)
  • Data Localisation: We comply with any applicable data localisation requirements for sensitive personal data categories
  • Significant Data Fiduciary: We monitor our status as a potential Significant Data Fiduciary and will implement additional obligations if required
  • Children's Data: We do not knowingly collect personal data from individuals under 18 and implement age-gating where required
03 — GDPR

General Data Protection Regulation (EU/UK)

For personal data of EU and UK data subjects, Vector Flow complies with the GDPR and UK GDPR respectively:

  • Legal Basis: We identify and document a lawful basis for each category of personal data processing (consent, contract, legitimate interests, legal obligation)
  • Privacy by Design: We embed privacy considerations into product and service design from the outset
  • Data Subject Rights: We honour all GDPR data subject rights — access, rectification, erasure, restriction, portability, and objection — within statutory timeframes
  • Data Processor Agreements: We offer a standard Data Processing Agreement (DPA) for clients who process EU/UK personal data using our services
  • International Transfers: Data transferred from the EU/UK is protected by Standard Contractual Clauses (SCCs) and other appropriate safeguards
  • Records of Processing: We maintain an internal Record of Processing Activities (RoPA) as required under Article 30 GDPR
  • Data Protection Impact Assessments: We conduct DPIAs for high-risk processing activities
  • Breach Notification: We maintain documented incident response procedures and notify relevant supervisory authorities within 72 hours of becoming aware of a reportable breach
04 — Security

Information Security

Vector Flow maintains a comprehensive information security programme aligned with ISO 27001 standards:

  • Encryption: TLS 1.3 for all data in transit; AES-256 for all data at rest
  • Access Control: Role-based access control (RBAC), multi-factor authentication, and least-privilege principles across all systems
  • Vulnerability Management: Regular vulnerability scanning, patch management, and annual third-party penetration testing
  • Secure Development: OWASP-aligned secure coding practices, mandatory code review, and static analysis in CI/CD pipelines
  • Employee Training: Annual security awareness training and phishing simulations for all staff
  • Business Continuity: Documented business continuity and disaster recovery plans with regular testing
  • Third-Party Risk: Due diligence assessment of all technology vendors and sub-processors before engagement
05 — Ethical AI

Ethical AI & Responsible Development

Vector Flow is committed to developing and deploying AI responsibly. Our Ethical AI principles:

  • Transparency: We document model architectures, training datasets, and known limitations in Model Cards provided with every AI deliverable
  • Fairness & Bias Mitigation: We evaluate models for bias across protected characteristics (gender, race, religion, age, disability) and actively work to mitigate identified disparities
  • Explainability: Where operationally feasible, we provide explainable AI outputs — including feature attribution, confidence scores, and decision rationales
  • Human Oversight: We design AI systems with appropriate human-in-the-loop mechanisms for high-stakes decisions
  • No Prohibited Use Cases: We will not develop AI for mass surveillance, social scoring, manipulation of political opinion, or autonomous lethal weapons
  • EU AI Act Alignment: We monitor EU AI Act requirements and are preparing to classify and document our AI systems under the risk-tier framework ahead of applicable enforcement dates
  • NITI Aayog Principles: Our AI practices align with the responsible AI principles published by NITI Aayog (India's national AI strategy body)
06 — Financial

Financial & Corporate Compliance

  • GST Compliance: We are a registered GST entity in India and comply with all applicable GST filing and remittance obligations
  • Anti-Bribery: We maintain a zero-tolerance policy on bribery and corruption, aligned with India's Prevention of Corruption Act and the UK Bribery Act where applicable
  • AML/KYC: We implement Know Your Customer (KYC) checks for high-value contracts and comply with applicable anti-money laundering obligations
  • Export Controls: We screen clients and projects for compliance with applicable export control laws, including Indian export regulations and US Export Administration Regulations (EAR) for certain AI technologies
  • Companies Act: Vector Flow Private Limited is incorporated under the Companies Act, 2013 (India) and maintains all statutory filings
07 — Environmental

Environmental Responsibility

AI computing is energy-intensive. Vector Flow is committed to minimising our environmental footprint:

  • Cloud Efficiency: We use cloud providers with publicly committed renewable energy targets and high power usage effectiveness (PUE) ratings
  • Model Efficiency: We design models for computational efficiency, not just performance — favoring smaller, more efficient architectures where accuracy requirements allow
  • Carbon Awareness: We work with clients to understand and document the estimated carbon footprint of AI inference in production systems
  • Green Procurement: Environmental practices are included in our third-party vendor assessment criteria
08 — Sub-Processors

Sub-Processors

Vector Flow uses the following categories of sub-processors for service delivery. A current and complete list is available upon request to compliance@vectorflowsoft.com:

  • Cloud Infrastructure: AWS, Google Cloud Platform, Microsoft Azure — for compute, storage, and database services
  • Email & Communications: For transactional email, support, and marketing communications
  • Payment Processing: Stripe, Razorpay, PayU — for payment card and UPI processing
  • Analytics: Google Analytics — for anonymised website usage analytics
  • CRM & Support: For client relationship management and ticketing

All sub-processors are assessed for data protection compliance before engagement and are bound by contractual data processing obligations equivalent to those we accept from our clients.

09 — DPA

Data Processing Agreement (DPA)

Enterprise clients and clients processing EU/UK personal data using Vector Flow's services may require a formal Data Processing Agreement (DPA) under GDPR Article 28.

To request our standard DPA:

  1. Email legal@vectorflowsoft.com with subject line "DPA Request — [Company Name]"
  2. Include your company name, registered address, and the Vector Flow services you use
  3. We will provide a draft DPA within 5 business days
Our standard DPA incorporates the EU Commission's Standard Contractual Clauses (June 2021) and UK International Data Transfer Addendum (IDTA) as applicable.
10 — Contact

Compliance Contact

Compliance & Legal: compliance@vectorflowsoft.com

Grievance Officer (DPDPA 2023):
Name: Arjun Mehta, CEO
Email: grievance@vectorflowsoft.com

DPA & Legal Requests: legal@vectorflowsoft.com

Privacy: privacy@vectorflowsoft.com

Compliance Enquiry?

Our compliance team responds to all enquiries within 2 business days.

Contact Compliance Privacy Policy