Privacy & Data Processing Policy

AV Services · Arun Valecha · Mumbai, India · Last updated: 26 May 2026

1. Identity of the Data Controller

AV Services is a sole proprietorship owned and operated by Arun Valecha, registered in Mumbai, Maharashtra, India.

For the purposes of the EU General Data Protection Regulation (GDPR) (EU) 2016/679, AV Services acts as a data processor when accessing client-managed infrastructure, and as a data controller in respect of client contact and billing information.

For the purposes of India’s Digital Personal Data Protection Act 2023 (DPDPA) and the Digital Personal Data Protection Rules 2025, AV Services is a Data Fiduciary in respect of the personal data of its clients and their representatives.

2. Scope of This Policy

This policy applies to:

1. Personal data of client contacts (name, email, phone, company role) collected during engagement initiation and ongoing service delivery.
2. Data encountered incidentally on client server infrastructure during the provision of Linux server management, monitoring, patching, backup management, security hardening, and incident response services.
3. Data held in AV Services’ internal records including service reports, incident logs, and billing records.

3. Categories of Data Processed

AV Services may process the following categories of data in the course of service delivery:

• Client representative names, email addresses, and phone numbers
• Server hostnames, IP addresses, and configuration data
• System logs, access logs, and audit trails
• Backup contents (incidentally, as part of backup verification and restoration testing)
• Application configuration files (which may contain database credentials or API keys belonging to the client)
• Incident descriptions and resolution records

AV Services does not intentionally collect, store, or process end-customer personal data belonging to the client’s customers. Any such data encountered incidentally during server access is not retained, copied, or transmitted.

4. Lawful Basis for Processing (GDPR Article 6)

Processing of client contact data is carried out on the basis of:

• Article 6(1)(b) GDPR — processing necessary for the performance of a contract to which the data subject is party (the service retainer agreement).
• Article 6(1)(f) GDPR — legitimate interests of AV Services in maintaining service records, billing history, and incident documentation.

Processing of data encountered on client infrastructure is carried out solely on the basis of Article 6(1)(b) GDPR: contractual necessity — access to server infrastructure is required to deliver the agreed service.

5. Processor Obligations (GDPR Article 28)

Where AV Services acts as a data processor on behalf of a client who is a data controller (including EU/EEA-based clients subject to GDPR), AV Services:

1. Processes personal data only on documented instructions from the client.
2. Ensures that persons authorised to process the data are bound by confidentiality obligations.
3. Implements appropriate technical and organisational security measures per Article 32 GDPR (see Section 8).
4. Does not engage sub-processors without prior written consent of the client.
5. Assists the client in fulfilling data subject rights requests to the extent possible given the nature of the service.
6. Deletes or returns all personal data to the client upon termination of service, per the client’s choice.
7. Makes available all information necessary to demonstrate compliance with Article 28 obligations.

A formal Data Processing Agreement (DPA) compliant with GDPR Article 28 and incorporating standard contractual clauses where required is available on request.

6. Confidentiality and Non-Disclosure

All client data — including server configurations, credentials, business data, and incident details — is treated as strictly confidential. AV Services does not disclose client data to any third party except:

1. Where required by applicable Indian law or a lawful order of a competent authority.
2. To backup engineers (Mumbai-based, under standing confidentiality obligations) in the event of a declared emergency requiring service continuity.

A standard Non-Disclosure Agreement (NDA) is available on request prior to engagement. To request a copy, email arun@avservices.in with subject line “NDA Request”.

7. Access Revocation and Offboarding

Upon termination of a retainer or on-demand engagement, AV Services will within 5 business days:

1. Remove all SSH keys, credentials, and remote access provisioned during the engagement from AV Services’ records.
2. Confirm in writing (email) that access has been revoked on the AV Services side.
3. Return or permanently delete any copies of client configuration files, credentials, or server documentation held in AV Services’ records, per the client’s written instruction.

Clients are advised to independently rotate all credentials and revoke all SSH public keys associated with AV Services following engagement termination. AV Services will provide a list of all SSH public key fingerprints provisioned during the engagement to facilitate this.

8. Security Measures (GDPR Article 32)

Technical measures:

• All remote server access via SSH with public key authentication only (password authentication disabled)
• Client credentials stored in encrypted form
• No client credentials transmitted over unencrypted channels
• Per-client documentation stored in isolated, access-controlled storage
• Audit logging of all access sessions where technically feasible

Organisational measures:

• Access to client systems limited to Arun Valecha as primary engineer
• Backup engineers granted access only under declared emergency conditions with client notification
• Service records retained only for the duration necessary for billing and compliance purposes
• Annual review of access credentials and documentation for active retainer clients

9. Data Retention

10. International Data Transfers (GDPR Chapter V)

AV Services is based in India. Where a client’s infrastructure is located outside India and remote access from India constitutes an international transfer of personal data under GDPR Chapter V, AV Services will execute standard contractual clauses (SCCs) as approved by the European Commission upon client request, incorporated into the engagement agreement or a standalone DPA.

11. Data Subject Rights (GDPR Articles 15–22)

Individuals whose personal data is processed by AV Services in its capacity as data controller have the following rights under GDPR:

To exercise any of these rights, contact: arun@avservices.in or +91 92205 60056. AV Services will respond to verified requests within 30 days.

12. DPDPA 2023 / DPDP Rules 2025 (India)

In respect of personal data of Indian data principals, AV Services complies with the Digital Personal Data Protection Act 2023 and the Digital Personal Data Protection Rules 2025, including:

• Processing personal data only for the purpose for which it was collected (service delivery and billing)
• Implementing reasonable security safeguards
• Notifying the Data Protection Board of India and affected data principals of a personal data breach where required by law
• Honouring data principal rights to access, correction, erasure, and grievance redressal

Grievance officer (DPDPA): Arun Valecha · arun@avservices.in · +91 92205 60056 · Response time: within 48 hours of receipt. See also: DPDP compliance for Linux server owners in India.

13. Changes to This Policy

This policy may be updated periodically. The date at the top of this page reflects the most recent revision. Active retainer clients will be notified of material changes by email.

14. Contact

For data protection queries, NDA requests, DPA requests, or data subject rights requests: