Digital North is an automotive cybersecurity firm. We process two distinct categories of personal information: information about people who interact with us directly (website visitors, prospective clients, contacts at client organisations), and operational data that clients entrust to us under engagement contracts (which may include vehicle data covered by separate Data Processing Agreements). This policy explains how we handle both. We have tried to write it the way an engineer would read it.
Who we are
Digital North is an automotive cybersecurity engineering firm headquartered in India and operating globally. Our work covers vehicle security operations (VSOC), automotive cloud infrastructure, and post-quantum cryptography migration for connected vehicle platforms. We work with original equipment manufacturers (OEMs), Tier 1 suppliers, fleet operators, and the regulatory bodies that approve them.
Throughout this policy, "we," "us," and "our" refer to Digital North. "You" refers to a person whose personal information we hold, whether you are a website visitor, a contact at a client or partner organisation, a job applicant, or an individual whose data we process on behalf of an automotive client.
The two roles we play with data
Different data protection laws use slightly different terms for these roles. The substance is the same.
- Controller (under GDPR, UK GDPR) or Data Fiduciary (under India's Digital Personal Data Protection Act 2023). We act as a controller for information we collect directly: website visitor data, contact form submissions, job applications, and information about contacts at our client and partner organisations.
- Processor (under GDPR, UK GDPR) or Data Processor (under DPDP). We act as a processor when an automotive client engages us to operate on their systems. This includes vehicle telemetry ingested by our VSOC, V2X certificate events, OTA pipeline metadata, and any other operational data the client passes to us under a written engagement.
This policy primarily describes our activities as a controller. Our activities as a processor are governed by the Data Processing Agreement (DPA) we sign with each client and by the client's own privacy policy. Individuals whose data we process on behalf of a client should direct privacy enquiries to that client in the first instance; we will work with the client to respond.
What we collect when we act as a controller
We collect only what we need to run our business and deliver our services. As a controller, this is:
- Contact details you provide through forms on this site, by email, or during business conversations. This typically includes your name, work email address, organisation, job title, phone number, country, and the content of your message or enquiry.
- Engagement records for organisations that work with us, including names and roles of project contacts, meeting notes, contract correspondence, and invoicing details. This information is necessary to deliver our services and to manage the client relationship.
- Recruitment data if you apply for a role, including the contents of your CV or resume, references you provide, and notes from interviews.
- Website technical data about your visit, including your IP address, the pages you visit, your browser type, and approximate geographic location. This is collected by Cloudflare, which serves and protects this site.
What we may process on behalf of clients
When an automotive client engages us, the engagement contract and accompanying DPA define what data we are permitted to process and for what purpose. Depending on the engagement, this may include:
- Vehicle telemetry from connected vehicles, including engineering signals from the CAN bus, OTA update telemetry, V2X message metadata, and security event logs from in-vehicle systems.
- Certificate and key material handled within the V2X PKI infrastructure we help operate or migrate.
- Personnel and access records from client systems where security operations require visibility, governed by the principle of least privilege and the client's own access policies.
Whether any of this data constitutes "personal information" in your jurisdiction depends on whether the data can be linked to an identified or identifiable individual. Vehicle identifiers, geolocation traces, and driver behaviour signals can be personal information; aggregated statistics and anonymised security events typically are not. We treat anything that might be personal information as personal information until we are certain otherwise.
We do not use client data for our own commercial purposes. We do not train models on client data without explicit contractual authorisation. We do not sell client data. We do not use client data to enrich our own services for other clients.
How we use information we hold as a controller
We use the information we collect for:
- Responding to enquiries you send us and following up on business conversations.
- Delivering the services you have engaged us to provide and managing the contractual relationship.
- Recruiting, including reviewing applications and contacting candidates.
- Keeping our website and internal systems secure, preventing abuse, and diagnosing technical issues.
- Meeting legal, regulatory, accounting, and audit obligations, including obligations that arise under automotive regulations such as UNECE R155 type-approval evidence requirements.
- Improving our services in ways that do not depend on identifying individuals.
We do not sell your personal information. We do not use it for behavioural advertising. We do not engage in profiling that produces legal or similarly significant effects on you.
Legal bases we rely on
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract, when we use information to deliver services you or your organisation have engaged us to provide.
- Legitimate interests, when we process business contact information to communicate with prospective or current clients, to operate and secure our systems, and to develop our services. We balance our legitimate interests against your rights and freedoms and do not rely on this basis where it would be inappropriate.
- Compliance with a legal obligation, when we are required to retain or disclose information by law or by an applicable regulator.
- Consent, where the law requires it. Where we rely on consent, you may withdraw it at any time.
Where India's DPDP Act applies, our processing is grounded in your provision of personal data to us for a clearly notified purpose, in legitimate business uses recognised by the Act, and in any specific consent we may seek for particular purposes.
Cookies and analytics
This website uses minimal cookies. Strictly necessary cookies are set by Cloudflare for security, abuse prevention, and performance reasons. We do not currently use third-party advertising or behavioural tracking cookies, and we do not currently run a third-party analytics service that profiles visitors.
If we add analytics in future, this policy will be updated, and where the law requires consent, we will request it through a clear cookie banner before any non-essential cookies are set. You will be able to decline non-essential cookies without losing access to the site's core content.
Sharing your information
We share information only when one of the following applies:
- With service providers and sub-processors that operate parts of our infrastructure, under appropriate confidentiality and data protection terms. The categories of sub-processor we use are listed below.
- With automotive clients, where you have contacted us in connection with a specific engagement and the client is a necessary party to the conversation.
- With professional advisers such as auditors, accountants, or lawyers, where necessary to run the business or meet a legal obligation.
- With regulators and authorities where required by law or in support of legitimate type-approval, vulnerability disclosure, or law enforcement processes. UNECE R155 requires manufacturers to report certain cyber incidents to type-approval authorities; where we hold relevant information for a client, we may be asked to support that reporting.
- In the context of a corporate transaction such as a merger, acquisition, financing, or asset sale, with continued protection of your information by the receiving party.
Sub-processors and infrastructure providers
We use the following categories of sub-processor in the operation of our business. We maintain a current list of named sub-processors and will provide it to enterprise clients on request as part of due diligence.
- Cloud infrastructure for our website, internal applications, and (where contracts permit) client-operating environments.
- Edge security and content delivery, currently Cloudflare, for serving and protecting this website.
- Email and collaboration tools for business communications and document handling.
- Customer relationship and support tooling for managing prospect and client communications.
- Code and infrastructure repositories for engineering work, with access controls aligned to client and internal sensitivity.
- Identity, authentication, and key management services that underpin secure access to all of the above.
We perform diligence on each sub-processor's security and privacy posture, sign appropriate data protection terms, and review the arrangement periodically. When we work as a processor for an automotive client, we name our sub-processors in the relevant DPA and seek prior approval where the contract requires it.
International transfers
We operate globally, and our sub-processors may be located in jurisdictions different from yours. Where personal information is transferred across borders, we use lawful transfer mechanisms appropriate to the destination, including:
- European Commission adequacy decisions, where the destination country is recognised as providing an adequate level of protection.
- Standard Contractual Clauses (SCCs) approved by the European Commission, together with any supplementary measures required by case law and regulator guidance.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, for transfers out of the United Kingdom.
- Transfer impact assessments, where appropriate, to confirm that the safeguards in place are effective in the destination jurisdiction.
Under India's DPDP Act, the Government of India may notify countries to which personal data may not be transferred. We monitor any such notifications and adapt our processing accordingly.
Where your data is stored
Our primary business operations are based in India, with backups and infrastructure components hosted in geographically distributed regions chosen for security, latency, and resilience. We choose providers that offer recognised security and privacy certifications, including ISO/IEC 27001, SOC 2 Type II, and where appropriate ISO/IEC 27701. Where a client requires data to be processed only in a specific region, we agree to those constraints in the engagement contract.
How long we keep it
We keep personal information only for as long as it is needed for the purpose we collected it, unless a longer retention period is required by law, contract, or a legitimate business need. Typical retention periods include:
- Enquiries that do not become engagements: up to 24 months from last contact.
- Client engagement records: for the duration of the engagement and for a period afterwards consistent with contractual, audit, and statutory requirements (commonly 7 years for financial and contractual records).
- Recruitment records: typically 12 months after the outcome of an application, longer if you ask us to keep your details on file for future roles.
- Website security logs: short retention, typically under 90 days, except where a longer period is needed to investigate an incident.
- Vehicle and operational data processed for clients: retained for the period defined in the engagement DPA, then deleted or returned.
Your rights
Depending on where you live, you may have rights to:
- Access the personal information we hold about you.
- Have inaccurate or incomplete information corrected.
- Have your information deleted in certain circumstances.
- Restrict or object to certain processing.
- Withdraw consent, where we rely on consent as our legal basis.
- Receive a portable copy of certain information you have provided to us.
- Lodge a complaint with the data protection authority in your country.
To exercise any of these rights, contact us at privacy@digitalnorth.in. We will respond within the timeframe required by applicable law, typically within 30 days, and we may need to verify your identity before acting on your request. If your information is held by us only in the capacity of a processor for an automotive client, we will direct you to that client and support their response.
Security
We apply administrative, technical, and physical safeguards proportionate to the sensitivity of the information we hold. Our engineering practices include least-privilege access controls, multi-factor authentication, encryption in transit and at rest, periodic access reviews, secure software development practices, and a documented incident response process. For client engagements involving vehicle data, additional controls are agreed in the engagement and may include dedicated environments, hardware-backed key management, and audit logging aligned with ISO/SAE 21434 and UNECE R155 expectations.
No system is perfectly secure. If we become aware of a security incident affecting personal information, we will notify affected individuals, clients, and regulators as required by law, and we will work to contain, investigate, and remediate the issue.
Data protection contact
For privacy enquiries, exercise of rights, or to request our current sub-processor list, contact our data protection function at privacy@digitalnorth.in.
We have appointed an internal lead responsible for data protection matters. Where the law requires a formal Data Protection Officer or Data Protection Representative to be appointed in a specific jurisdiction, we will publish the relevant contact details here.
Changes to this policy
We may update this policy as our services, the law, or industry expectations evolve. The date at the top of the page reflects the most recent revision. Material changes will be communicated through this website or, where appropriate, directly to clients.
Contact
Questions about this policy, or about how we handle your information, can be sent to privacy@digitalnorth.in.