Data Residency & Sovereignty.
All SpacePe customer data resides exclusively within the territory of India. Zero data leaves Indian borders - enforced by architecture, not just policy.
Infrastructure Location
Physical and logical location of all customer data.
✓ Primary data center: Mumbai, Maharashtra (AWS ap-south-1) - all production workloads, databases, application servers, and real-time payment processing infrastructure
✓ Disaster recovery: Hyderabad, Telangana (AWS ap-south-2) - synchronous replication for critical financial data, asynchronous replication for all other data categories
✓ All database replicas, point-in-time backups, incremental snapshots, and long-term archives stored exclusively within Indian AWS regions - no cross-region replication configured or permitted
✓ CDN edge nodes deployed within India for static asset delivery and API acceleration - international CDN PoPs are not used for any request carrying customer data
✓ Encryption keys generated, stored, rotated, and destroyed exclusively within AWS CloudHSM clusters in Indian regions - key material never exists outside Indian jurisdiction
✓ Annual third-party infrastructure audit by CERT-In empaneled auditor verifies physical and logical data residency compliance across all production and DR systems
Regulatory Alignment
Compliance with Indian data localization mandates across regulators.
✓ RBI Data Localization Circular (April 2018, RBI/2017-18/153): Full compliance - all payment system data including end-to-end transaction details stored and processed exclusively in India
✓ Digital Personal Data Protection Act 2023: All Data Fiduciary and Data Processor obligations met with Indian-only processing. Data Processing Agreements specify Indian-jurisdiction processing for enterprise customers.
✓ CERT-In Directions (April 2022): All logs, incident data, and cyber security event records maintained within India with mandatory 180-day retention. Incident reporting complies with 6-hour notification requirement.
✓ SEBI Circular on Cloud Services (March 2023): Financial market data processed in compliance with SEBI's cloud framework including data residency, access controls, and mandatory audit requirements
✓ IRDAI Guidelines on Information and Cyber Security: Insurance-related financial data processing meets IRDAI's data handling, retention, and localization requirements for all insurer customers
✓ TRAI and DoT Guidelines: Communication metadata including SMS OTPs and notification delivery logs handled per Department of Telecommunications guidelines for Indian data processing
Technical Enforcement
How data sovereignty is enforced at the infrastructure level - not policy documents.
✓ Network-level enforcement: VPC configurations, security groups, and network ACLs block all egress to non-Indian IP ranges for any traffic containing customer data - enforced at infrastructure layer
✓ Encryption key sovereignty: All AES-256 keys and TLS 1.3 certificates generated within and never exported from AWS CloudHSM clusters in Indian regions - FIPS 140-2 Level 3 validated hardware
✓ Database connection controls: All connection strings, replica configurations, and backup destinations hardcoded to Indian-region endpoints - Infrastructure-as-Code templates enforce region constraints
✓ Sub-processor controls: All third-party sub-processors with customer data access contractually bound to Indian-only processing via DPAs with explicit residency clauses and right-to-audit provisions
✓ Continuous monitoring: Automated compliance scanning every 6 hours checks all infrastructure resources for data residency violations - any non-Indian resource triggers immediate alert and auto-remediation
✓ Independent annual audit: CERT-In empaneled auditor verifies zero international data transfer covering network traffic analysis, DNS patterns, third-party API calls, and backup storage locations
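
A residency scan of the kind described under Continuous monitoring could take the following shape. This is an added example, not SpacePe's code: the inventory record layout, account id and resource names are constructed, and only the two allowed regions come from this page. It also covers replica and backup destinations, and treats a resource whose region cannot be determined (S3 bucket ARNs carry no region field) as a finding rather than a pass.

```python
# Added example: data-residency scan over a constructed resource inventory.
# Record layout and field names are hypothetical, not SpacePe's schema.
ALLOWED_REGIONS = {"ap-south-1", "ap-south-2"}  # Mumbai and Hyderabad, per the page

# Constructed sample inventory (account id, names and ARNs are made up).
INVENTORY = [
    {"arn": "arn:aws:rds:ap-south-1:111122223333:db:payments-primary",
     "replicas": ["arn:aws:rds:ap-south-2:111122223333:db:payments-dr"]},
    {"arn": "arn:aws:rds:ap-south-1:111122223333:db:analytics",
     "replicas": ["arn:aws:rds:eu-west-1:111122223333:db:analytics-ro"]},
    {"arn": "arn:aws:s3:::customer-archives", "region": "ap-south-1",
     "replicas": ["arn:aws:s3:::archive-copy"]},
    {"arn": "arn:aws:backup:us-east-1:111122223333:backup-vault:legacy"},
    {"arn": "arn:aws:cloudhsm:ap-south-1:111122223333:cluster/cluster-example"},
]


def arn_region(arn):
    """Return the region field of an ARN, or None when it is empty (e.g. S3 buckets)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3] or None


def check(arn, declared_region=None):
    """Classify one ARN as 'ok', 'violation' or 'unknown' (region not determinable)."""
    region = arn_region(arn) or declared_region
    if region is None:
        return "unknown"  # fail closed: an unverifiable location is a finding
    return "ok" if region in ALLOWED_REGIONS else "violation"


def scan(inventory):
    """Return (arn, status, role) for every resource or replica that is not 'ok'."""
    findings = []
    for res in inventory:
        targets = [(res["arn"], res.get("region"), "resource")]
        targets += [(r, None, "replica-of " + res["arn"]) for r in res.get("replicas", [])]
        for arn, declared, role in targets:
            status = check(arn, declared)
            if status != "ok":
                findings.append((arn, status, role))
    return findings


if __name__ == "__main__":
    for arn, status, role in scan(INVENTORY):
        print(f"{status.upper():9} {arn}  ({role})")
```
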
Enterprise Guarantees
Contractual commitments for regulated and enterprise customers.
✓ Data residency clause included by default in all Enterprise and Business tier contracts - specifies Indian-only processing, storage, and backup with no exceptions
✓ Dedicated Indian-region infrastructure available for banking, insurance, and government customers requiring physical isolation beyond shared multi-tenant architecture
✓ Customer right to audit: Enterprise customers may commission data residency audit with 30 calendar days written notice - SpacePe provides access to infrastructure documentation and data flow diagrams
✓ Breach of data residency commitment constitutes material contract breach entitling customer to termination without penalty, data export assistance, and contractually specified remedies
✓ Quarterly compliance reports provided to Enterprise customers documenting infrastructure location, sub-processor compliance status, and automated scan results
✓ Upon termination: certified data deletion within 30 days with written Data Deletion Certificate confirming all customer data permanently destroyed from Indian infrastructure