FastOPay (FOP) – Data Privacy & Client Information Protection Policy  
1. Purpose  
This policy establishes the principles, standards, and controls adopted by FastOPay ("FOP") to  
protect personal, financial, and confidential data of its clients, users, employees, and partners.  
The objective is to ensure compliance with applicable data protection laws, safeguard sensitive  
information, and mitigate legal, regulatory, operational, and reputational risks.  
This policy serves as an internal governance document for audit and assurance purposes and may  
also be referenced as part of client disclosures and disclaimers.  
2. Scope  
This policy applies to:  
All FastOPay employees, contractors, consultants, and temporary staff  
All client, employee, vendor, and third-party data processed by FastOPay  
All FastOPay systems, platforms, applications, dashboards, reports, APIs, and integrations  
3. Definitions  
Personal Data: Any information relating to an identified or identifiable individual.  
Sensitive Personal Data / Financial Data: Bank account details, UPI IDs, transaction  
data, identification numbers, credentials, or any information requiring a higher level of  
protection.  
Client Data: Any data provided by or generated on behalf of FastOPay clients.  
Processing: Collection, storage, use, transmission, disclosure, or deletion of data.  
4. Regulatory & Legal Compliance  
FastOPay is committed to complying with all applicable local data protection and privacy  
regulations, including but not limited to:  
Information Technology Act, 2000 and applicable Rules (India)  
Digital Personal Data Protection Act, 2023 (India)  
RBI and NPCI guidelines applicable to payment systems and intermediaries  
General Data Protection Regulation (GDPR), where applicable  
Other applicable data protection, privacy, and financial regulations in jurisdictions where clients operate  
Where FastOPay processes data on behalf of multinational clients, it shall act as a data  
processor/service provider and implement reasonable technical and organizational measures to  
support client compliance obligations across jurisdictions.  
5. Data Collection & Use Limitation  
FastOPay shall collect only the minimum data necessary to provide payment, expense  
management, reporting, and related services.  
Data shall be processed strictly for legitimate business purposes such as transaction  
processing, expense approvals, audit trails, regulatory reporting, and budget analytics.  
Client data shall not be used for marketing or secondary purposes without explicit  
authorization.  
6. Data Ownership & Confidentiality  
All client data remains the sole property of the respective client.  
FastOPay acts as a data processor and custodian and does not claim ownership rights over  
client information.  
All client data shall be treated as confidential and shall not be disclosed except as  
permitted under this policy, contractual terms, or applicable law.  
7. Access Control & User Responsibilities  
Access to data is granted strictly on a role-based and need-to-know basis.  
Strong authentication mechanisms, including multi-factor authentication where  
applicable, shall be enforced.  
Users are responsible for safeguarding their credentials and must not share access details.  
Privileged access shall be reviewed periodically and revoked upon role change or exit.  
8. Data Security Measures  
FastOPay implements administrative, technical, and physical safeguards, including but not  
limited to:  
Encryption of data at rest and in transit  
Secure key management practices  
Network security controls and firewalls  
Regular vulnerability assessments and penetration testing  
Secure development and change management practices  
9. Payment & Financial Data Protection  
UPI and bank transfer data shall be processed in accordance with RBI and NPCI  
guidelines.  
FastOPay does not store sensitive authentication data such as UPI PINs.  
Transaction logs are maintained for audit and reconciliation purposes with restricted  
access.  
10. Third-Party & Vendor Management  
Third parties with access to FastOPay data must be subject to appropriate due diligence  
and contractual data protection obligations.  
Data shared with vendors shall be limited to what is strictly necessary.  
Vendors must implement security controls comparable to FastOPay standards.  
11. Data Retention & Deletion  
Data shall be retained in accordance with legal, regulatory, and contractual requirements.  
Upon termination of services, client data shall be returned or securely deleted, subject to  
statutory retention obligations.  
Secure deletion methods shall be used to prevent unauthorized recovery.  
12. Data Breach & Incident Management  
All actual or suspected data breaches must be reported immediately to the designated  
FastOPay internal authority.  
FastOPay maintains an incident response framework to assess, contain, remediate, and  
document data incidents.  
Client and regulatory notifications shall be made where required by law or contract.  
13. Employee Awareness & Training  
All employees and contractors shall receive periodic training on data privacy and  
information security.  
Confidentiality and data protection obligations form part of employment and engagement  
agreements.  
14. Monitoring, Audit & Assurance  
Compliance with this policy is subject to periodic internal audits and independent  
reviews.  
Non-compliance may result in disciplinary action, contractual remedies, or legal  
consequences.  
15. Client Disclaimer (Internal & Client-Facing)  
FastOPay implements commercially reasonable administrative, technical, and organizational  
measures to safeguard client data. While FastOPay strives to maintain high standards of data  
security and privacy, no system can be guaranteed to be entirely free from risk. FastOPay shall  
not be held liable for data breaches or losses arising from factors beyond its reasonable control,  
provided it has complied with applicable laws, regulatory requirements, and this policy.  
16. Policy Review & Updates  
This policy shall be reviewed periodically by the Legal, Compliance, and Information Security  
functions to reflect changes in regulatory requirements, geographic expansion, business  
operations, and emerging data privacy risks.  
Approved by: FastOPay Authorized Personnel  
Applies from: [Effective Date]