Legal

DPDP Compliance

How Workclave supports compliance with India's Digital Personal Data Protection Act 2023 — collection scope, consent, data principal rights, retention, and breach notification.

Last updated: April 2026Questions? help@mecverse.comPrivacy PolicySecurity

1. Scope and applicability

  • India's Digital Personal Data Protection Act 2023 (DPDP Act) regulates the processing of digital personal data of individuals within India and Indian citizens abroad.
  • Workclave processes personal data of employees, administrators, and workspace members on behalf of its customers (data fiduciaries). Workclave acts as a data processor in this relationship.
  • This page summarises how Workclave's product architecture, data practices, and contractual commitments are designed to support customer compliance with the DPDP Act.
  • This page is for informational purposes only and does not constitute legal advice. Customers should consult a qualified legal practitioner for obligations specific to their organisation.

2. Data we collect and why

  • Account and identity data: name, email address, role, and authentication metadata — collected to provision workspace access and secure the product.
  • Attendance and session data: session start/end times, project attribution, break intervals, approval status, and manager actions — the core operational data of the product.
  • Device and connection data: IP address, browser/device type, and access timestamps — collected for security monitoring, fraud detection, and audit trail integrity.
  • Support and communication data: form submissions, email correspondence, and procurement requests — retained only for the duration needed to resolve the request.
  • We do not collect biometric data. Workclave uses email/password and OTP-based authentication only. No fingerprint or facial recognition data passes through the platform.

3. Consent and lawful basis

  • Under the DPDP Act, processing of personal data requires either consent of the data principal or a legitimate use as defined in the Act. Workclave's core product operates under the employment and contractual relationship basis.
  • Where Workclave collects data from individuals directly (sign-up forms, demo requests), we obtain consent through affirmative action and maintain records of that consent.
  • Marketing communications are opt-in only. Individuals can withdraw consent for marketing at any time using the unsubscribe mechanism in each communication.
  • Workspace administrators are responsible for ensuring their organisation has an appropriate lawful basis for processing employee attendance data through Workclave.

4. Data principal rights

  • Right to information: individuals can request information about what personal data Workclave holds about them, the purposes of processing, and who it has been shared with.
  • Right to correction and erasure: individuals can request correction of inaccurate personal data or erasure of data where retention is no longer necessary.
  • Right to grievance redressal: complaints about data handling can be submitted to help@mecverse.com. We respond to verifiable requests within 30 days.
  • Right to nominate: individuals can nominate another person to exercise rights on their behalf in the event of incapacity, as provided under the DPDP Act.
  • Workclave may verify identity before processing requests to prevent unauthorised access to third-party data.

5. Data retention

  • Account and session data is retained for the duration of the active subscription, plus a 90-day post-termination window to allow data export.
  • After the post-termination window, data is permanently deleted from production systems and backup rotation within 30 days.
  • Support and communication records are retained for up to 2 years to resolve disputes and for legal compliance purposes.
  • Audit log data (access events, approval actions) is retained for 12 months to support Labour Code compliance requirements and client billing audits.
  • Customers can request early deletion by submitting a written request to help@mecverse.com. We will confirm deletion within 30 days.

6. Subprocessors

  • Workclave uses a limited set of third-party subprocessors to deliver the service, including cloud infrastructure (hosting, databases), transactional email delivery, and optional analytics.
  • All subprocessors are bound by data processing agreements that require equivalent data protection standards.
  • Customers can request the current list of subprocessors by writing to hello@mecverse.com.
  • We notify customers of material changes to the subprocessor list at least 14 days in advance. Customers who object to a new subprocessor may terminate without penalty during the notice period.

7. Data localisation and transfers

  • Workclave's primary infrastructure is hosted in data centres with adequate data protection controls.
  • We do not transfer Indian employee personal data to jurisdictions without equivalent data protection standards.
  • Where transfers occur for subprocessing (e.g. transactional email delivery), we ensure appropriate contractual safeguards are in place.
  • Customers with specific data residency requirements should contact hello@mecverse.com to discuss available options.

8. Security controls supporting DPDP

  • All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 on all production storage.
  • Access to personal data is role-restricted. Workclave staff access production data only for incident response, with documented justification.
  • We maintain access logs for all administrative actions on production systems, reviewed regularly as part of our security programme.
  • See the Security page for the full list of technical and organisational measures.

9. Breach notification

  • In the event of a personal data breach likely to result in harm to data principals, Workclave will notify affected customers without undue delay and within 72 hours of becoming aware.
  • Notification will include the nature of the breach, categories of data affected, likely consequences, and remediation measures taken or proposed.
  • Customers remain responsible for notifying the Data Protection Board of India and affected data principals as required under the DPDP Act.

10. Screenshot monitoring and passive surveillance

  • Workclave does not offer screenshot capture, keystroke logging, or any form of passive employee monitoring.
  • Session-based tracking in Workclave is employee-initiated — individuals actively start and end sessions. No background monitoring occurs.
  • This design choice is intentional and aligns with the DPDP Act's proportionality principle: processing should be limited to what is necessary for the stated purpose.
  • Customers deploying any third-party monitoring tools alongside Workclave remain responsible for compliance with the DPDP Act's consent and notice requirements for those tools.

11. Data Processing Addendum (DPA)

  • Enterprise customers and procurement teams can request a signed Data Processing Addendum that formally documents controller/processor obligations, subprocessors, breach notification timelines, and deletion commitments.
  • The DPA is available at no additional cost for all paid plans.
  • To request the DPA package, contact hello@mecverse.com with subject line 'DPA Request'. We send the document within 2 business days.

12. Contact

  • DPDP-related questions, data subject requests, DPA review, or compliance documentation: help@mecverse.com
  • Enterprise and procurement enquiries: hello@mecverse.com
  • We aim to respond to all verifiable data protection requests within 30 days.

Need a Data Processing Addendum or have a compliance question? hello@mecverse.com — we respond same business day.