Paywize LogoPaywize
Sign In

Data Residency

Find out where your data is stored, processed, and protected\u2014ensuring compliance with local and international data residency laws.

1. Objective

This policy defines Paywize's approach to storing and processing data in compliance with applicable Indian regulations and international standards, including those from the Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), ISO/IEC 27001:2013, and PCI DSS 4.0. The goal is to ensure customer data sovereignty, security, and regulatory alignment across all services including Payouts, UPI, IMPS, BBPS, and Card-based transactions.

2. Scope

This policy applies to

  • All customer, partner, and transaction-related data processed by Paywize
  • Data handled by third parties acting on behalf of Paywize
  • All systems (cloud, on-premise), environments, and services processing sensitive data

3. Key Principles

3.1 Data Localization (RBI-Compliant)

  • In accordance with RBI Circular DPSS.CO.OD.No.2785/06.08.005/2017-18 (April 2018), all payment system data is stored exclusively in India.
  • Includes: complete transaction data, PII, instructions, timestamps, IP, metadata, and audit logs.
  • Foreign processing for settlement is permitted only if approved by RBI, and such data must be deleted within 24 hours.

3.2 NPCI Compliance

  • For services involving UPI, IMPS, BBPS, RuPay, Aadhaar-based payments:
  • All related data is processed only in NPCI-certified environments hosted in India.
  • No raw UPI/BBPS/IMPS transaction data, metadata, or tokens are transferred or replicated to foreign systems.
  • Logs and backups are geofenced to ensure India-only storage and disaster recovery (DR).

3.3 PCI DSS Alignment (For Card Data)

  • Paywize complies with PCI DSS 4.0 for any system processing cardholder data.
  • Sensitive data handling includes:
  • No storage of CVV/CVC post-authorization.
  • PAN and cardholder data encrypted with AES-256.
  • Card data is tokenized to reduce storage.
  • Access to cardholder data is restricted, logged, and monitored.
  • PCI zones are segmented within infrastructure.

4. Types of Data Covered

The following data categories are covered by this policy

  • Personally Identifiable Information (PII)
  • Know Your Customer (KYC) documents
  • Transaction & payment system data (payouts, UPI, IMPS, BBPS, VPA, card)
  • Webhook logs, API requests/responses
  • Merchant/business registration and onboarding data
  • Logs, audit trails, device info, and geolocation data

5. Data Storage Infrastructure

  • All infrastructure is hosted in RBI and ISO 27001 certified data centers located in India.
  • DR and high availability (HA) zones are also confined to India
  • No data is stored, replicated, or backed up outside Indian territory unless explicitly allowed by regulation and anonymized/tokenized appropriately.

6. Cross-Border Data Transfers

  • Regulated data is never transferred outside India, except
  • When explicitly permitted by regulators (e.g., tokenized analytics)
  • With approval from the Data Protection Officer (DPO) and documented risk assessment
  • Contracts with processors include
  • Standard Contractual Clauses (SCCs)
  • Binding Data Processing Agreements (DPA) with localization terms

7. Vendor & Third-Party Compliance

  • Vendors processing data must
  • Host systems in India
  • Comply with ISO 27001, PCI DSS (where applicable), and RBI guidelines
  • Annual audits are conducted, covering
  • Residency validation
  • Encryption and access control practices
  • Log retention and privacy compliance

8. Access Control & Monitoring

  • Access to sensitive data is limited via Role-Based Access Control (RBAC).
  • All access events are logged, monitored, and regularly reviewed.
  • Real-time alerts are triggered on anomalous or unauthorized data movement.

9. Data Retention & Deletion

  • Data retention aligns with RBI, NPCI, and Income Tax rules: typically 5–8 years.
  • Secure deletion (NIST 800-88 standard) of expired, withdrawn, or inactive records.
  • Data subject deletion requests are processed unless conflicting with regulatory retention obligations.

10. Governance & Auditing

  • The Chief Information Security Officer (CISO) and DPO oversee implementation.
  • Policy is reviewed annually or following major regulatory changes.
  • Aligned ISO 27001 clauses include
  • A.8.2.1 (Classification of Information)
  • A.9.1.2 (Access to Networks and Services)
  • A.13.2.1 (Information Transfer Policies)
  • A.12.4 (Logging and Monitoring)

11. Enforcement & Disciplinary Action

Upon receiving directions under Section 51A of the Unlawful Activities (Prevention) Act, 1967, Paywize shall immediately freeze/unfreeze merchant accounts and funds without prior notice and in strict compliance with regulatory directives.

  • Policy violations may result in
  • Suspension or termination of employee/vendor access
  • Legal and regulatory reporting
  • Penalties in accordance with IT Act, RBI, or GDPR (if applicable)