Security & Processing

Data Processing Policy

How we handle data flows, execute technical safeguards, and manage subprocessors. Last updated: May 20, 2026.

1. Our Data Roles & Scope

To manage software systems and product delivery, devinit.in operates under two distinct roles depending on the nature of our engagement:

🏢 devinit.in as a Data Controller

We act as a Data Controller for information we collect directly from visitors on our website, inquirers booking consultations, and marketing leads. We determine the purpose and means of this processing.

⚙️ devinit.in as a Data Processor

When building web apps, setting up custom CMS integrations (e.g. Next.js + Strapi), or providing maintenance support for client applications, we act as a Data Processor. We process project-related user data strictly according to the client's written Statement of Work (SOW) or Service Agreement. Our clients remain the Data Controllers of their own system data.

2. Core Processing Principles

All data processed under our control is guided by these industry-standard principles:

✓ Minimization & Limit

We collect and process only the minimal data required for our development and launch operations.

✓ Integrity & Safety

We protect data using technical controls, encryption, and secure deployment keys.

✓ Transparency

We maintain open communications regarding how data is logged, accessed, and archived.

✓ Specific Purposes

We never reuse client database access or system data for unrelated analytics or external tasks.

3. Authorized Subprocessor Categories

To deliver scalable platforms, we collaborate with third-party infrastructure and service providers. These subprocessors fall into the following categories:

| Subprocessor Category | Typical Service Scope | Data Guard / Safeguards |
| --- | --- | --- |
| Cloud Hosting & CDN | Hosting web apps (Vercel, AWS, DigitalOcean) | ISO 27001, SOC 2, and end-to-end encryption |
| CRM & Lead Management | Managing client requests, documents, and leads | Data access limits, secure OAuth validation |
| Email & Communication | Scheduling calendars, sending project updates | Transport Layer Security (TLS), DMARC security |
| Payment Processors | Processing invoices, subscription setup | PCI-DSS compliance, tokenized transaction keys |

4. International Data Transfers

Since our services rely on global cloud networks (such as AWS, Vercel, and GitHub), your data may be transferred to and processed in countries outside your residence (including the United States, European Union, and India).

Transfer Safeguards: When transferring data across borders, we verify that subprocessors employ standard contractual clauses (SCCs) or hold recognized security certifications to ensure your data maintains an equivalent level of legal protection.

5. Audits, Cooperation & Breach Protocol

Incident Notification: In the highly unlikely event of a security breach affecting client database systems under our direct maintenance management, we will notify affected clients immediately (normally within 48-72 hours of verification) to coordinate patch mitigation.

Compliance Cooperation: We assist our clients in completing their data protection impact assessments (DPIAs) by providing documentation regarding our Next.js + Strapi development architecture, deployment configurations, and system access policies.