
Compliance Statements (GDPR, HIPAA, DPDP, CCPA)

EasyOTP (Operated by Braintech Corporation Private Limited)

Effective: August 2025

1. Introduction

This Annex provides regulatory compliance statements for EasyOTP products (Auth, A2P, Scan). It outlines how Braintech Corporation Private Limited (“Braintech”) supports Vendors in meeting their compliance obligations under applicable global data protection laws.

2. GDPR (General Data Protection Regulation)

• Role: Braintech acts as a Data Processor, with Vendors as Data Controllers.
• Lawful Basis: Processing based on Vendor instructions, user consent, or contractual necessity.
• Data Subject Rights: Access, correction, erasure, portability, objection, and withdrawal of consent are supported.
• Transfers: Cross-border transfers protected by SCCs.
• Records: Maintains processing records per Article 30.
• Breach Notification: Commitment to notify Vendors without undue delay.

3. HIPAA (Health Insurance Portability and Accountability Act)

• Role: Where EasyOTP handles Protected Health Information (PHI), Braintech acts as a Business Associate.
• Safeguards: Administrative, technical, and physical safeguards implemented per HIPAA Security Rule.
• Breach Notification: Vendors notified per HIPAA Breach Notification Rule.
• Subcontractors: Bound by equivalent HIPAA obligations via flow-down agreements.
• BAA: A Business Associate Agreement (Annex B) is incorporated where applicable.

4. DPDP Act 2023 (India)

• Role: Braintech acts as a Data Processor; Vendors are Data Fiduciaries.
• Consent: Explicit user consent obtained via EasyOTP interfaces before sharing PII.
• Localization: Indian user data stored within India.
• User Rights: Access, correction, erasure, and withdrawal of consent supported.
• Breach Notification: Obligations fulfilled per DPDP timelines.

5. CCPA/CPRA (California, U.S.)

• Role: Braintech acts as a Service Provider.
• Limitations: Vendor data not sold, shared, or used for purposes beyond service delivery.
• Consumer Rights: Support for the rights to know, delete, and opt out of sharing.
• Security: Data safeguarded with appropriate technical and organizational measures.
• Contracts: This Agreement ensures service provider obligations are binding.

6. Other Frameworks

Braintech aligns with other frameworks where applicable, including:

• Singapore PDPA (Personal Data Protection Act)
• UK GDPR
• Canadian PIPEDA
• Other regional privacy laws as required by Vendor operations.

7. Version Control

Version | Date | Description of Changes | Approved By
1.0 | Aug 2025 | Initial release of Compliance Statements (GDPR, HIPAA, DPDP, CCPA) | Legal/Compliance