Compliance statement

Our public summary of the regulations, standards, and controls SoftDocket operates under. Last updated June 25, 2026.

SoftDocket Technologies Private Limited ("SoftDocket") operates as a B2B SaaS provider for real-estate, hospitality, retail, and IoT-enabled operations in India. This statement summarises the regulatory regimes and control standards we comply with, and how we evidence that compliance to customers and auditors.

1. Data protection regimes

  • DPDP 2023 (India) — lawful basis, purpose limitation, consent management, DPO, data principal rights, breach notification within 72 hours.
  • GDPR (EU customers) — lawful basis, SCC-backed cross-border transfers, DPA, sub-processor list, 72-hour breach notification.
  • IT Act 2000 + IT Rules 2011 (India) — reasonable security practices, sensitive personal data handling.

2. Payment + financial regulations

  • RBI PA-PG framework — SoftDocket does not hold customer funds; payments are routed through licensed PA-PG partners (Razorpay).
  • GST Act 2017 — SoftDocket issues GST-compliant invoices; the customer invoicing engine produces e-invoices where applicable (turnover threshold).
  • RERA — the Builder ERP product surfaces RERA-required disclosures and project escrow tracking, but escrow handling itself stays with the customer’s bank.

3. Security standards

  • SOC 2 Type II — control framework in place; first audit window scheduled per the public security page.
  • ISO 27001-aligned ISMS — internal policies and controls mapped to Annex A; certification on Enterprise customer request.
  • OWASP ASVS L2 — baseline for application security; annual third-party pen-test per RELEASE_PLAN §H.9.
  • NIST CSF — used as the reference framework for the security program.

4. Accessibility

SoftDocket’s public website and operator product target WCAG 2.2 AA. We publish an accessibility statement per major release and welcome reports at [email protected].

5. Sub-processors + data flows

A current list of sub-processors (cloud, payments, communications, analytics) is maintained and shared under the DPA. Cross-border transfers from EU customers are governed by the latest EU Standard Contractual Clauses.

6. Audits + evidence

Enterprise customers receive on request: SOC 2 report (under NDA), CAIQ + SIG Lite responses, current pen-test summary, sub-processor list, ISO 27001 ISMS scope, DPA, MSA, and BCP / DR plan summary.

7. Report a concern

Security issues: [email protected]. Privacy issues: [email protected]. Compliance questions: [email protected].

This statement is a marketing-grade summary, not a contractual representation. Contractual obligations are governed by the MSA + DPA executed with each customer.