Last updated: 07-01-2026
This Data Breach Notification Policy outlines the procedures and responsibilities of Drupto Consultants Pvt Ltd ("we," "us," or "our") in the event of a personal data breach affecting users of DruptoQuiz (the "Platform"). This policy is designed to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and other applicable data protection laws.
1. Introduction
As a Data Fiduciary under the DPDP Act, we are committed to protecting the personal data of our users. This policy establishes a clear framework for detecting, reporting, assessing, and responding to personal data breaches in a timely and transparent manner.
2. Definition of Personal Data Breach
A "personal data breach" means any unauthorized or accidental access, acquisition, disclosure, alteration, loss, or destruction of personal data that compromises its confidentiality, integrity, or availability. This includes, but is not limited to:
- Unauthorized access to databases or storage systems containing personal data
- Accidental disclosure of personal data through email, API, or other communication channels
- Loss or theft of devices containing personal data
- Ransomware or malware attacks that encrypt or exfiltrate personal data
- Insider threats where employees or contractors misuse access to personal data
3. Internal Reporting Procedures
All employees, contractors, and third‑party service providers must report any suspected or confirmed personal data breach to the Data Protection Officer (DPO) immediately, and in any case within 24 hours of discovery. Reports should include:
- Nature of the breach (what happened, when, and how)
- Categories and approximate number of data subjects affected
- Types of personal data involved (e.g., email, name, payment details)
- Likely consequences and potential risks to data principals
- Immediate containment measures taken
Reports can be submitted via email to saurabh.chandra@druptoconsultants.com or through the internal incident reporting portal.
4. Risk Assessment Criteria
Upon receiving a breach report, the DPO will conduct a risk assessment to determine the severity and impact of the breach. The assessment will consider:
- Sensitivity of data: Whether special categories of personal data (e.g., biometric data, financial information) are involved
- Volume of data: Number of data principals affected
- Likelihood of harm: Potential for identity theft, financial loss, reputational damage, discrimination, or other adverse effects
- Duration of exposure: How long the data was accessible to unauthorized parties
- Mitigation measures: Effectiveness of immediate containment actions
Based on this assessment, the breach will be classified as low, medium, or high risk.
5. Notification to Regulatory Authorities
We will notify the relevant data protection authorities of any personal data breach in accordance with applicable laws:
5.1. Data Protection Board of India (DPDP Act)
In accordance with Section 8(6) of the DPDP Act, 2023, we will notify the Data Protection Board of India of any personal data breach that is likely to result in harm to data principals. Such notification will be made within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in harm to data principals.
The notification to the Board will include:
- Description of the nature of the personal data breach
- Categories and approximate number of data principals concerned
- Likely consequences of the breach
- Measures taken or proposed to be taken to address the breach
- Contact details of the Data Protection Officer
6. Notification to Affected Individuals
Where a personal data breach is likely to result in harm to data principals, we will also notify the affected individuals without undue delay. Notifications will be clear, concise, and provided in plain language through one or more of the following channels:
- Email: Direct email to the registered email address of affected users
- In‑app notices: Prominent notification within the DruptoQuiz platform
- Website announcement: Public notice on our official website
- SMS: For critical breaches involving high‑risk data
The notification to affected individuals will include:
- Description of the breach in general terms
- Date or estimated period of the breach
- Types of personal data involved
- Steps individuals can take to protect themselves (e.g., changing passwords, monitoring accounts)
- Contact information for further assistance
7. Post‑Breach Review, Documentation, and Corrective Actions
Following containment and notification, we will conduct a thorough post‑breach review to:
- Identify the root cause of the breach
- Evaluate the effectiveness of existing security controls
- Implement corrective and preventive measures to avoid recurrence
- Update security policies, procedures, and training as needed
- Document lessons learned and share them with relevant stakeholders
7.1. Documentation Requirements
We will maintain an internal register of all personal data breaches, including:
- Facts relating to the personal data breach
- Effects and consequences of the breach
- Remedial actions taken
- Documentation demonstrating compliance with notification obligations
This register will be made available to data protection authorities upon request and will be used for internal auditing and continuous improvement of our data protection measures.
7.2. Corrective Actions
Corrective actions may include technical improvements (e.g., enhanced encryption, access controls), procedural changes (e.g., revised incident response plans), and additional employee training. All corrective actions will be tracked to completion and verified for effectiveness.
9. Designation of Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing data protection strategy, ensuring compliance with data protection laws, and managing the breach response process. The DPO's responsibilities include:
- Monitoring compliance with the DPDP Act and other applicable laws
- Acting as the primary point of contact for data protection authorities and individuals
- Coordinating breach detection, reporting, assessment, and notification
- Providing guidance and training to employees on data protection matters
- Conducting periodic privacy impact assessments
10. Contact Information for Breach Reporting
If you suspect a personal data breach involving DruptoQuiz, or if you have questions about this policy, please contact our Data Protection Officer immediately:
Data Protection Officer
Drupto Consultants Pvt Ltd
Email: saurabh.chandra@druptoconsultants.com
Phone: +91-6388063038 (available during business hours)
Address: JAIPURIA INNOVATION AND INCUBATION CENTRE, Hahnemann Rd, Vineet Khand, Gomti Nagar, Lucknow, Uttar Pradesh 226010
For general inquiries about data protection, you may also contact our Grievance Officer at saurabh.chandra@druptoconsultants.com.
11. Policy Review and Updates
This Data Breach Notification Policy will be reviewed at least annually or whenever significant changes in legislation, technology, or business operations occur. Updates will be posted on this page with a revised "Last updated" date.
By using DruptoQuiz, you acknowledge that you have read and understood this policy and agree to our handling of personal data breaches as described herein.