Data Protection Policy

We process personal data only on lawful grounds — consent, contract, legal obligation, or legitimate interest — and always inform users about how their data is used.

Data collected for a specific purpose is not used for any other purpose without fresh consent or a compatible legal basis.

We collect only the data that is strictly necessary to deliver our services. We do not collect data "just in case".

We take reasonable steps to ensure personal data is accurate and up to date. Users can correct their data at any time via their account settings.

Personal data is retained only as long as necessary for the stated purpose or as required by law, after which it is securely deleted or anonymised.

We implement appropriate technical and organisational measures to protect data against unauthorised access, loss, destruction, or damage.

Disha Education Pvt. Ltd. is responsible for and can demonstrate compliance with all data protection principles.

• AES-256 encryption for data at rest
• TLS 1.3 for all data in transit
• Role-based access control (RBAC) with least-privilege principle
• Multi-factor authentication for all administrative accounts
• Regular automated vulnerability scans and annual penetration tests
• Intrusion detection and real-time security monitoring
• Automated data backup with geo-redundant storage
• Secure software development lifecycle (SSDLC) practices

• Mandatory data protection training for all staff
• Data Protection Impact Assessments (DPIAs) for high-risk processing
• Vendor due diligence and Data Processing Agreements (DPAs) with all processors
• Incident response plan with 72-hour breach notification capability
• Regular internal audits and compliance reviews
• Appointed Data Protection Officer (DPO)