Security & Trust Policy
How Sooru handles, hosts, and protects data — across India, the EU, the UK, and the United States.
Last updated: 14 June 2026
Jurisdiction: India, with cross-jurisdictional compliance across the European Union, the United Kingdom, and the United States.
Governing legislation: the Digital Personal Data Protection Act, 2023 (India); the General Data Protection Regulation (EU) 2016/679; the UK GDPR and the Data Protection Act 2018; and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (United States).
Part I — Introduction and Scope
1. About This Document
1.1 This Security and Trust Policy ("Policy") sets out the principles, practices, and technical and organisational measures adopted by Sooru AI Private Limited, operating under the brand name Sooru.ai ("we", "us", "our", or the "Company"), with respect to the security, hosting, and protection of personal data and related information processed through our website and associated services.
1.2 This Policy is intended to provide users, clients, prospective partners, and enterprise counterparties with a clear and transparent account of how we approach data security, infrastructure management, regulatory compliance, and responsible disclosure.
1.3 This Policy should be read in conjunction with our Privacy Policy, which governs the categories of personal data we collect, the purposes for which such data is processed, the legal bases relied upon, and the rights available to data subjects under applicable law.
1.4 For detailed security documentation, data-processing agreements, or enterprise-level security reviews, please contact our team at hi@sooru.ai, and your enquiry will be directed to the appropriate owner within our organisation.
2. Applicability and Territorial Scope
2.1 This Policy applies to all personal data and technical data processed by the Company in connection with: (a) the operation of our website and digital properties; (b) communications received through our website contact forms and related channels; and (c) data processed on behalf of enterprise clients, partners, and other counterparties.
2.2 Our data practices are designed to comply with the following legal frameworks, as applicable:
- (a) India: the Digital Personal Data Protection Act, 2023 ("DPDP Act"), as may be supplemented by rules and regulations issued thereunder by the Central Government and the Data Protection Board of India;
- (b) European Union: the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), together with applicable Member State implementing legislation;
- (c) United Kingdom: the UK General Data Protection Regulation ("UK GDPR") as retained in domestic law, and the Data Protection Act 2018;
- (d) United States: applicable state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and such other state-level privacy statutes as may be applicable to our operations.
2.3 Where the requirements of multiple jurisdictions apply simultaneously to a given processing activity, the Company shall apply the standard that affords the greater degree of protection to data subjects, unless doing so would be inconsistent with applicable mandatory law.
Part II — Data Security
3. Data Security Principles
3.1 The Company is committed to implementing appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, disclosure, or any other form of unlawful processing.
3.2 Our data security framework is built upon the following core principles:
- (a) Confidentiality: personal data is accessible only to those personnel and systems that have a legitimate operational need to access it;
- (b) Integrity: personal data is maintained in an accurate and complete state and is protected against unauthorised modification;
- (c) Availability: personal data and associated systems are maintained in a manner that ensures reasonable operational continuity and resilience;
- (d) Accountability: the Company maintains records and processes sufficient to demonstrate compliance with applicable data-protection obligations.
4. Encryption
4.1 All personal data transmitted to or from our systems is encrypted in transit using industry-standard transport layer security protocols. This applies to data exchanged between users and our website, between our services and third-party sub-processors, and across internal service communication channels.
4.2 All personal data stored within our systems is encrypted at rest. Encryption keys are managed in accordance with security best practices applicable to our infrastructure environment.
4.3 The use of encryption is designed to ensure that, even in the event of unauthorised access to underlying storage or network infrastructure, personal data remains protected from disclosure.
5. Access Controls and Least-Privilege Principle
5.1 Access to personal data and to the systems that process it is controlled on a least-privilege basis. This means that each internal service, system component, and personnel role is granted only the minimum level of access necessary to perform its designated function.
5.2 Access permissions are scoped to what each service requires and are reviewed periodically to ensure they remain appropriate. Access rights are revoked or adjusted promptly upon a change in role, responsibility, or operational necessity.
5.3 Where access to sensitive systems or personal data is required, appropriate authentication controls are applied, commensurate with the sensitivity of the data and the risk profile of the relevant processing activity.
Part III — Infrastructure
6. Cloud Infrastructure and Hosting
6.1 Our services are hosted on reputable, managed cloud infrastructure provided by established third-party cloud service providers. The Company has selected its infrastructure providers on the basis of their security certifications, operational reliability, and compliance with applicable data-protection standards.
6.2 Our infrastructure is subject to continuous monitoring across our operational environments. This monitoring is designed to detect anomalies, potential security incidents, and performance degradation in a timely manner, enabling prompt investigation and remediation.
6.3 Regular backups of data are maintained across our environments. Backup procedures are designed to support recovery in the event of data loss, corruption, or system failure, consistent with the Company's operational continuity requirements.
6.4 The Company periodically reviews its infrastructure arrangements to ensure that they remain appropriate in light of evolving security standards, changes in our service architecture, and the requirements of applicable law.
7. Sub-Processors and Infrastructure Partners
7.1 The Company relies upon a limited and carefully selected set of third-party service providers ("sub-processors") to support its operations. These providers perform functions including, but not limited to, cloud hosting, database management, email delivery, and analytics.
7.2 Each sub-processor is engaged under contractual terms that include appropriate data-protection provisions, consistent with the requirements of applicable law. Where required by applicable data-protection legislation, data-processing agreements or equivalent instruments are executed with sub-processors prior to the commencement of processing activities.
7.3 Sub-processors are selected on the basis of their ability to provide sufficient guarantees regarding the implementation of appropriate technical and organisational security measures. The Company takes reasonable steps to verify that sub-processors maintain these standards on an ongoing basis.
7.4 A list of our current sub-processors, or further information regarding our sub-processor arrangements, is available upon request. Enterprise clients and partners requiring detailed sub-processor documentation in connection with a data-processing agreement or security review are invited to contact us at hi@sooru.ai.
7.5 In cases where sub-processors are located outside India, the Company shall ensure that such transfers are conducted in accordance with the applicable provisions of the DPDP Act, 2023, including any restrictions or conditions prescribed by the Central Government in relation to cross-border data transfers, and in accordance with the requirements of the EU GDPR, UK GDPR, and CCPA/CPRA as applicable.
Part IV — Regulatory Compliance
8. Data Protection Compliance Framework
8.1 The Company designs its data practices with reference to the requirements of the following applicable legal frameworks:
- (a) Digital Personal Data Protection Act, 2023 (India): the DPDP Act establishes the framework for the processing of digital personal data in India. The Company, in its capacity as a Data Fiduciary under the DPDP Act, is committed to processing personal data only for lawful purposes, with the consent of Data Principals where required, and in accordance with the obligations imposed upon Data Fiduciaries under the Act. The Company acknowledges the rights of Data Principals, including the right to access information, the right to correction and erasure, and the right to grievance redressal, as prescribed under the DPDP Act.
- (b) EU General Data Protection Regulation (EU GDPR): where the EU GDPR applies to our processing activities, the Company implements the principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, as set out in the Regulation. The Company maintains appropriate mechanisms for the exercise of data-subject rights under the EU GDPR.
- (c) UK GDPR and Data Protection Act 2018: the Company's data practices are designed to comply with the UK GDPR as it applies to the processing of personal data of individuals in the United Kingdom, and with the supplementary provisions of the Data Protection Act 2018. The Company maintains appropriate safeguards for international transfers of personal data from the United Kingdom.
- (d) CCPA/CPRA (California, United States): where the CCPA/CPRA applies to our processing of personal information of California residents, the Company implements appropriate practices to honour consumer rights under that legislation, including the right to know, the right to delete, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination. The Company does not sell personal information as that term is defined under the CCPA/CPRA.
8.2 The Company's compliance framework is subject to periodic review and updating to reflect amendments to applicable law, the issuance of guidance by competent regulatory authorities, and changes in our processing activities.
9. Data Minimisation and Purpose Limitation
9.1 The Company collects only such personal data as is necessary for the specific purpose for which it is collected. We do not collect personal data speculatively or in excess of what is required for our stated operational purposes.
9.2 When you contact us through our website, we collect only the information necessary to respond to your enquiry and to maintain the integrity of our contact forms, including by protecting them from automated spam submissions.
9.3 Personal data collected through our website is stored securely and is not used for purposes incompatible with those for which it was originally collected, except where permitted or required by applicable law.
9.4 Further detail regarding the categories of personal data we collect, the purposes of processing, the legal bases relied upon, and the applicable retention periods is set out in our Privacy Policy.
Part V — How We Handle Your Data
10. Data Collected Through Website Contact
10.1 When you interact with us through our website — including by submitting a contact form, making an enquiry, or otherwise communicating with us — we collect only the personal data that is necessary to: (a) respond to your enquiry or communication in an effective and timely manner; and (b) protect our contact forms and digital channels from spam, automated abuse, and other forms of misuse.
10.2 All personal data collected through website interactions is stored securely, in accordance with the technical and organisational security measures described in this Policy.
10.3 We do not use personal data collected through website contact forms for unsolicited marketing communications, nor do we sell, rent, or otherwise transfer such data to third parties for their own commercial purposes.
10.4 Your rights in respect of personal data collected through our website — including your rights of access, correction, erasure, and grievance redressal under the DPDP Act, 2023, and equivalent rights under the EU GDPR, UK GDPR, and CCPA/CPRA — are described in our Privacy Policy. To exercise any such rights, or to raise a concern regarding our data practices, please contact us at hi@sooru.ai.
Part VI — Enterprise and Partner Engagements
11. Enterprise Security Reviews and Data-Processing Agreements
11.1 The Company recognises that enterprise clients and prospective partners may require detailed security documentation, data-processing agreements, or formal security reviews as a condition of, or prior to, entering into an engagement with us.
11.2 We are prepared to engage with enterprise clients and partners in connection with the following, as appropriate to the nature of the proposed engagement:
- (a) the negotiation and execution of data-processing agreements ("DPAs") compliant with the requirements of applicable data-protection law, including the DPDP Act, 2023, EU GDPR, UK GDPR, and CCPA/CPRA, as relevant;
- (b) security reviews and the provision of detailed technical and organisational security documentation;
- (c) responses to vendor security questionnaires and due-diligence requests;
- (d) such other documentation or assurances as may reasonably be required in connection with a proposed engagement.
11.3 To initiate a security review, request a data-processing agreement, or obtain detailed security documentation, please contact our team at hi@sooru.ai. All such requests will be directed to the appropriate owner within our organisation, and we will endeavour to respond promptly and comprehensively.
11.4 Nothing in this Policy shall be construed as constituting a data-processing agreement or as creating binding contractual obligations between the Company and any enterprise client or partner. Formal data-processing agreements and security undertakings shall be documented in separate written instruments executed by authorised representatives of the relevant parties.
Part VII — Vulnerability Disclosure
12. Responsible Disclosure Policy
12.1 The Company takes the security of its systems and the personal data they contain seriously. We welcome and encourage the responsible disclosure of security vulnerabilities identified by researchers, users, or other third parties.
12.2 If you believe you have identified a security vulnerability, weakness, or potential security issue affecting our systems, website, or services, we ask that you:
- (a) report the issue to us promptly by email at hi@sooru.ai, providing sufficient detail to allow us to understand and reproduce the issue;
- (b) refrain from exploiting the vulnerability beyond what is strictly necessary to demonstrate its existence;
- (c) refrain from accessing, modifying, deleting, or disclosing any personal data or confidential information encountered in connection with the identified vulnerability; and
- (d) refrain from disclosing the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it.
12.3 We appreciate responsible disclosure and commit to the following upon receipt of a vulnerability report: (a) acknowledging receipt of your report promptly; (b) investigating the reported issue in good faith and in a timely manner; (c) communicating with you regarding the outcome of our investigation, to the extent permitted by applicable law and our security obligations; and (d) taking appropriate remedial action where a genuine vulnerability is confirmed.
12.4 The Company does not currently operate a formal bug-bounty programme. However, we are grateful to those who take the time to report security concerns responsibly, and we will endeavour to recognise such contributions appropriately.
12.5 Vulnerability reports should be submitted exclusively by email to hi@sooru.ai. Please do not report security vulnerabilities through public channels, social media, or general customer-support channels.
Part VIII — General Provisions
13. Updates to This Policy
13.1 This Policy may be updated from time to time to reflect changes in our data practices, security measures, applicable law, or regulatory guidance. The date of the most recent update is indicated at the head of this document.
13.2 We encourage users, clients, and partners to review this Policy periodically. Where material changes are made, we will take reasonable steps to bring such changes to the attention of relevant stakeholders.
13.3 Continued use of our website or services following the publication of an updated Policy constitutes acknowledgement of the updated terms, subject to the requirements of applicable law regarding consent and notice.
14. Contact and Grievance Redressal
14.1 For any queries, concerns, or requests relating to this Policy, our data security practices, or the exercise of data-subject rights, please contact us at:
- Email: hi@sooru.ai
- Organisation: Sooru AI Private Limited, operating as Sooru.ai
- Registered Address: No. 816, 27th Main Road, Sector 1, HSR Layout, Bengaluru 560 102
- Grievance Officer (India — DPDP Act, 2023): Michael Stanley, contactable at mike@sooru.ai
14.2 In accordance with the requirements of the DPDP Act, 2023, Data Principals who are residents of India and who wish to raise a grievance regarding the processing of their personal data may do so by contacting our Grievance Officer at the details set out above. We will endeavour to acknowledge and resolve all grievances within the timeframes prescribed under applicable law.
14.3 Data subjects in the European Union and the United Kingdom who are not satisfied with our response to a data-protection concern have the right to lodge a complaint with the competent supervisory authority in their jurisdiction.
14.4 California residents who wish to exercise their rights under the CCPA/CPRA may submit a request by contacting us at hi@sooru.ai, and we will respond in accordance with the timelines prescribed under applicable law.
15. General
15.1 This Policy is provided to give users, clients, and partners a clear and transparent account of our security and compliance approach.
15.2 This Policy does not create any legally binding obligations on the part of the Company beyond those arising from applicable mandatory law.
15.3 This Policy does not supersede, modify, or replace any separate contractual agreement, data-processing agreement, or service agreement entered into between the Company and any client, partner, or counterparty.
15.4 The Company may expand this Policy from time to time with additional technical documentation, sub-processor information, and formal compliance certifications as appropriate.