Data Processing & Security Statement

Last updated: June 02, 2026

This statement explains the technical and organisational measures AceOne HR uses to keep customer data secure. It complements the Privacy Policy and is referenced by our standard data-processing agreement with customers.

1. Roles

For employee data uploaded by a customer organisation, that customer is the data fiduciary (or "controller") and Aceone Futuristic OPC Private Limited is the data processor. We process the data only on the customer's documented instructions and as needed to deliver the agreed service.

2. Hosting and data location

Production data is hosted in India. Backups are stored in the same region. Sub-processors used outside India are limited and disclosed on request — they are only used where unavoidable (for example, transactional email delivery) and only under data-processing terms consistent with the DPDP Act.

3. Encryption

  • In transit: TLS 1.2 or higher for all client / server / device-to-server traffic. HSTS enforced on the production domain.
  • At rest: database volumes and backups are encrypted with industry-standard AES-256.
  • Secrets: credentials, API keys, and tokens are stored in a secret manager, never in source code.
  • Biometric templates: stored as derived hashes / references only — raw biometric templates are not retained server-side.

4. Tenant isolation

AceOne HR is multi-tenant by design. Each customer organisation runs in its own logical tenant with strict row-level isolation enforced at the application and database layers. Cross-tenant access is denied by default and audit-logged when it does occur (for example, when our support staff act on a customer's behalf with their written consent).

5. Access control

  • Role-based access control (RBAC) inside the application — HR Admin, Manager, Employee, etc.
  • Permission-based fine-grained authorisation on every sensitive endpoint.
  • Multi-factor authentication available for all admin-tier roles; required for finance-tier roles.
  • Session fingerprinting and automatic session revocation on suspicious activity.
  • Production database access for our engineers is gated by short-lived credentials and is fully audit-logged.

6. Audit trails

Every state-changing action against employee, attendance, leave, or payroll records is recorded in a tamper-evident audit log including the actor, timestamp, and field-level before/after values. Audit logs are read-only to customers and retained for the period set by the customer's plan and any applicable statutory minimum.

7. Backups and disaster recovery

  • Automated nightly full backups and transaction log shipping.
  • Backups are encrypted and stored in a separate region.
  • Documented restore procedure with periodic test restores.

8. Retention and deletion

Active customer data is retained for as long as the customer remains subscribed. Raw biometric device logs are purged on a configurable schedule (default 90 days). After cancellation, customers have a 30-day export window before data is deleted; statutory records the customer is legally required to retain may be held longer in encrypted form on their behalf.

9. Sub-processors

We use a small, documented set of sub-processors (hosting, transactional email, error monitoring, payment gateway). Each is bound by a data-processing agreement that includes confidentiality, security, and breach-notification clauses consistent with the DPDP Act. A current list is available on request.

10. Breach response

On confirmation of a personal-data breach affecting customer data we will:

  • Notify the affected customer organisation without undue delay — and within 72 hours where the DPDP Act so requires.
  • Notify the Data Protection Board of India in accordance with the DPDP Act and rules.
  • Cooperate with the customer on customer-facing notifications to data principals.

11. Engineering practices

  • Least-privilege coding standards and code review before merging to main.
  • Dependency scanning and patching cadence.
  • Production environment separated from development and staging environments.
  • Documented incident-response runbook.

12. Customer responsibilities

Security is shared. Customers are responsible for:

  • Granting access only to people who need it and revoking it promptly when roles change.
  • Enforcing strong passwords and turning on multi-factor authentication.
  • Collecting valid consent before enabling biometric capture, location capture, or photo capture for their employees.
  • Promptly notifying us at sales@aceonehr.com of any suspected compromise of their tenant.

13. Audits

Enterprise customers can request a security questionnaire and a copy of our most recent third-party security review. On-site audits can be arranged for enterprise contracts on reasonable notice.

14. Contact

Security questions, audit requests, and incident reports should be sent to sales@aceonehr.com.

This document is published by Aceone Futuristic OPC Private Limited — the company that operates the AceOne HR product — from its registered office at Office No. 214, Vishal Chamber, Opp. GIP Mall, Sector-18, Noida, Uttar Pradesh – 201301, India. Questions about this policy can be sent to sales@aceonehr.com.

This policy is a beta-stage draft. Statutory IDs (GSTIN, CIN, Udyam) will be added as they are issued. We recommend reviewing with your own legal counsel before relying on it for high-value engagements.