Last updated: March 2026
Under the Digital Personal Data Protection Act 2023 and DPDP Rules 2025, InstaKYC is required to notify the Data Protection Board of India and affected users of any personal data breach within 72 hours of becoming aware of it.
1. What Constitutes a Data Breach
A personal data breach under the DPDP Act 2023 means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. This includes:
- Unauthorized access to user accounts or databases
- Accidental exposure of personal data (KYC results, wallet data, mobile numbers)
- Ransomware or cyberattack affecting personal data
- Unauthorized sharing of verification results with third parties
- Loss or theft of devices containing personal data
- Insider misuse of personal data by employees or contractors
2. Our Internal Response Process
| Phase | Action | Timeline |
| --- | --- | --- |
| Detection | Identify and confirm the breach; isolate affected systems | Immediately upon discovery |
| Assessment | Determine scope, nature, and affected data principals | Within 2 hours |
| Containment | Stop ongoing breach; preserve evidence; patch vulnerability | Within 4 hours |
| Notification — Board | Report to Data Protection Board of India | Within 72 hours |
| Notification — Users | Notify affected data principals via SMS/email | Within 72 hours |
| Remediation | Full investigation, security hardening, post-mortem report | Within 14 days |
3. What We Will Notify You About
In the event of a breach affecting your personal data, we will notify you of the following:
- Nature and extent of the breach
- Categories and approximate volume of personal data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Steps you can take to protect yourself (e.g., change password, monitor accounts)
- Contact details of the Grievance Officer for further queries
4. How We Will Notify You
Breach notifications will be sent via:
- SMS to your registered mobile number (primary channel)
- Email to your registered email address (if available)
- In-app notification upon your next login to the InstaKYC dashboard
- Public notice on instakyc.in if a large number of users are affected
5. Reporting a Suspected Breach to Us
If you suspect your data has been compromised or you discover a security vulnerability in our platform, please report it immediately:
- Email: support@instakyc.in (Subject: "Security Breach Report")
- Phone: +91 9090686975
- Responsible Disclosure: We encourage security researchers to report vulnerabilities responsibly. We do not take legal action against good-faith security researchers.
6. Notification to Data Protection Board
InstaKYC will report all personal data breaches to the Data Protection Board of India as required under Section 8(6) of the DPDP Act 2023, regardless of the severity of the breach. The notification will include all details required under the DPDP Rules 2025.
7. Security Safeguards in Place
- SSL/TLS encryption on all data in transit
- Encrypted database storage for sensitive fields
- Role-based access controls — minimum necessary access principle
- Regular automated backups with offsite storage
- Server firewall and intrusion detection monitoring
- Periodic security audits and penetration testing
- Incident response plan reviewed annually
8. Post-Breach Review
Following any breach, InstaKYC will conduct a thorough post-incident review to identify root causes, assess the effectiveness of our response, and implement measures to prevent recurrence. A summary report will be made available to affected users upon request.
9. Contact
Grievance Officer / DPO: Chandra Mani Prasad
Email: support@instakyc.in
Phone: +91 9090686975
Address: Oriel Inc., 599, 17B, Phase 1, Surat Nagar, Gurugram, Haryana – 122001