GDPR Compliance Statement

How Kansoft Solutions Pvt. Ltd. complies with the EU GDPR, UK GDPR, and Swiss FADP across our website, our marketing activities, and the services we deliver to clients.

Last updated: 23 April 2026

Kansoft Solutions Pvt. Ltd. (“Kansoft,” “we,” “us,” or “our”) is committed to protecting the personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK General Data Protection Regulation, the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection (FADP).

This Statement explains the steps we have taken to comply with these laws across our website operations, our marketing activities, and the services we deliver to clients. It applies whether Kansoft acts as a “controller” of personal data (for example, in respect of website visitors, marketing contacts, and prospects) or as a “processor” of personal data on behalf of our clients (for example, when delivering software development, IT staffing, application modernization, or cloud migration services that involve processing personal data on the client’s behalf).

Scope of this Statement. This Statement is an overview of Kansoft’s GDPR posture. The detailed rights and processing information for website visitors, marketing contacts, prospects, and other individuals is set out in our Privacy Policy. The terms governing our processing of personal data on behalf of clients are set out in the Data Processing Addendum (DPA) executed alongside the relevant services agreement.

1. Our role under the GDPR

Kansoft processes personal data in two distinct capacities:

1.1 As a controller

Kansoft acts as the controller of personal data we collect about:

  • Visitors to our website kansoftware.com, including form submissions, downloads, and behavioural data.
  • Marketing contacts and newsletter subscribers.
  • Sales prospects, including data obtained through outreach, business contact databases, and referrals.
  • Job applicants and candidates.
  • Client and partner contacts in the course of managing the business relationship.

In this capacity, we determine the purposes and means of processing and we are directly responsible for compliance with the GDPR. Our processing in this capacity is described in our Privacy Policy.

1.2 As a processor

When Kansoft delivers services to a client and the client’s instructions involve processing personal data on the client’s behalf — for example, building or maintaining an application that handles end-user data — the client is the controller and Kansoft acts as a processor. In this capacity, we process personal data only on documented instructions from the client and in accordance with the relevant Data Processing Addendum and Article 28 of the GDPR.

2. Data protection principles

Kansoft adheres to the seven data protection principles set out in Article 5 of the GDPR. We process personal data:

  • Lawfully, fairly, and transparently: we identify a valid legal basis for every processing activity and tell individuals what we do with their data.
  • For specified, explicit, and legitimate purposes: we do not use personal data for purposes incompatible with those for which it was originally collected.
  • In a way that is adequate, relevant, and limited to what is necessary: we collect only the data we need (data minimisation).
  • Accurately and, where necessary, up to date: we take reasonable steps to keep records current and to correct or delete inaccurate data.
  • Stored for no longer than necessary: we apply documented retention periods and delete or anonymise data when those periods end.
  • With appropriate security: we use technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage.
  • With accountability: we maintain records demonstrating our compliance and we can provide them to supervisory authorities on request.

Where Kansoft acts as a controller, we rely on one or more of the following legal bases under Article 6 of the GDPR:

  • Performance of a contract — to provide services you have requested, prepare proposals, and manage the client relationship.
  • Legitimate interests — for B2B marketing to corporate role-holders, website analytics, security monitoring, and improving our services. We carry out a balancing assessment in each case.
  • Consent — for non-essential cookies, certain marketing communications where consent is required, and processing of any special-category data.
  • Legal obligation — to comply with tax, accounting, employment, anti-money-laundering, and other regulatory obligations.
  • Vital interests — only in exceptional circumstances to protect the life or safety of an individual.

We do not engage in automated decision-making that produces legal or similarly significant effects on individuals.

4. Data subject rights

Individuals in the EEA, the UK, and Switzerland have the following rights in relation to personal data Kansoft holds about them:

  • Right of access (Article 15): to obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Article 16): to have inaccurate or incomplete data corrected.
  • Right to erasure (Article 17): to have your data deleted in certain circumstances.
  • Right to restriction of processing (Article 18): to limit how we use your data in certain circumstances.
  • Right to data portability (Article 20): to receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): to object to processing based on legitimate interests, and to object to direct marketing at any time.
  • Right to withdraw consent (Article 7): where processing is based on consent, you can withdraw it at any time.
  • Right not to be subject to automated decision-making (Article 22): we do not currently make such decisions.
  • Right to lodge a complaint (Article 77): with your national supervisory authority.

To exercise any of these rights, contact us at privacy@kansoftware.com. We respond within one month of receiving a verifiable request, extendable by two further months for complex requests, in accordance with Article 12 of the GDPR.

5. International data transfers

Kansoft is headquartered in India. Personal data of individuals in the EEA, the UK, and Switzerland may be transferred to India and to other countries where we or our service providers operate. Where these countries have not been recognised as providing an adequate level of data protection, we put in place appropriate safeguards under Chapter V of the GDPR, including:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers from the EEA.
  • The UK International Data Transfer Agreement, or the UK Addendum to the EU SCCs, for transfers from the United Kingdom.
  • Recognised safeguards under the Swiss FADP for transfers from Switzerland.
  • Supplementary technical and organisational measures (such as encryption, access controls, and contractual restrictions) where required following a transfer impact assessment.

Copies of the safeguards in place can be requested at privacy@kansoftware.com.

6. Our commitments as a processor

When Kansoft processes personal data on behalf of a client under Article 28 of the GDPR, we commit to:

  • Process personal data only on the client’s documented instructions, including with regard to international transfers, unless required by law.
  • Ensure that all personnel authorised to process the client’s personal data are bound by contractual or statutory confidentiality obligations.
  • Implement appropriate technical and organisational security measures, taking into account the nature, scope, context, and purposes of processing.
  • Engage sub-processors only with the client’s prior general or specific authorisation, and impose equivalent data protection obligations on them by contract.
  • Assist the client, where reasonably possible, in responding to data subject requests.
  • Assist the client in ensuring compliance with their security, breach notification, data protection impact assessment, and prior consultation obligations.
  • At the client’s choice, delete or return all personal data at the end of the services and delete existing copies, unless we are required to retain them by law.
  • Make available all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, including inspections, conducted by the client or an auditor mandated by the client.

These commitments are reflected in the Data Processing Addendum that Kansoft executes with clients whose engagements involve processing of personal data.

7. Technical and organisational measures

Kansoft implements appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

Access control and authentication

  • Role-based access controls and the principle of least privilege.
  • Multi-factor authentication for administrative access to systems holding personal data.
  • Secure password policies and regular credential rotation.

Encryption

  • Encryption of data in transit using TLS.
  • Encryption of data at rest where appropriate, in accordance with industry standards.

Network and infrastructure security

  • Firewalls, intrusion detection, and continuous security monitoring.
  • Regular vulnerability scanning and patch management.
  • Hardened server and database configurations.

Operational security

  • Documented information security policies aligned with internationally recognised frameworks (e.g., ISO/IEC 27001 principles).
  • Background checks and security training for personnel.
  • Vendor due diligence and contractual security obligations.

Incident response

  • Documented incident response and breach notification procedures.
  • Procedures to notify supervisory authorities and affected individuals within the timeframes required by Article 33 and Article 34 of the GDPR.

Business continuity

  • Backup and recovery procedures with regular testing.
  • Disaster recovery and business continuity planning.

8. Sub-processors

Kansoft may engage sub-processors to support the delivery of services to clients. Where we act as a processor, we maintain a list of authorised sub-processors and provide it to clients on request. Each sub-processor is subject to a written contract that imposes data protection obligations equivalent to those in our agreement with the client.

We notify clients of any intended additions or replacements of sub-processors in accordance with the relevant Data Processing Addendum, giving the client an opportunity to object on reasonable data protection grounds.

9. Records of processing activities

Kansoft maintains records of processing activities in accordance with Article 30 of the GDPR, including:

  • The categories of processing carried out as a controller and as a processor.
  • The purposes of the processing.
  • The categories of data subjects and personal data.
  • The categories of recipients.
  • Any international transfers and the safeguards applied.
  • Retention periods.
  • A general description of the technical and organisational security measures.

10. Personal data breach notification

Kansoft has procedures in place to detect, investigate, and respond to personal data breaches. Where Kansoft acts as a controller, we notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk, we also notify affected individuals without undue delay.

Where Kansoft acts as a processor, we notify the client without undue delay after becoming aware of a personal data breach affecting the client’s data, in accordance with the Data Processing Addendum.

11. Data Protection Impact Assessments

Where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons, Kansoft carries out a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR. We assist clients with their own DPIAs to the extent the processing relates to services we provide.

12. Data Protection Officer and EU Representative

Kansoft has appointed a privacy contact responsible for monitoring compliance with applicable data protection laws, advising on obligations, and serving as the point of contact for individuals and supervisory authorities.

Where required by Article 27 of the GDPR (or its UK equivalent), Kansoft will appoint a representative in the European Union and, if applicable, in the United Kingdom. Details of any such representative will be set out in our Privacy Policy.

13. Staff training and awareness

Kansoft personnel receive data protection and information security training appropriate to their role, including induction training for new joiners and periodic refresher training. Personnel with access to personal data are bound by confidentiality obligations that survive termination of their engagement with Kansoft.

14. Supervisory authorities

Individuals in the EEA, the UK, and Switzerland have the right to lodge a complaint with a supervisory authority if they believe that our processing of their personal data infringes applicable data protection law. The relevant authorities include:

  • In the European Economic Area: the data protection authority of your country of residence, place of work, or where the alleged infringement occurred. A list is available at edpb.europa.eu.
  • In the United Kingdom: the Information Commissioner’s Office (ICO) at ico.org.uk.
  • In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority — please contact us first at privacy@kansoftware.com.

15. Updates to this Statement

We review and update this GDPR Compliance Statement periodically to reflect changes in our practices, our processing activities, and applicable law. The “Last updated” date at the top of this page indicates when it was last revised.

16. Contact us

For any questions about this Statement, our GDPR compliance posture, or to request a copy of our Data Processing Addendum or other compliance documentation, please contact:

  • Email: privacy@kansoftware.com
  • Postal address: Kansoft Solutions Pvt. Ltd., G1-10, IT Park, MIA Extension, Udaipur, Rajasthan 313001, India
