Legal & Compliance

Privacy Policy — how we handle your data.

VIGIL processes sensitive site intelligence on behalf of enterprise clients. This policy explains exactly what data we collect, why, how it is protected, and what rights you hold over it. Written to be read, not to fill space.

Effective: 01 July 2026
Last Reviewed: July 2026
Applies to: vigil.arrcglobal.com
Jurisdiction: India · EU (GDPR) · Singapore

Governing Principle

VIGIL is built for clients who work with sensitive intelligence. The discipline we apply to their site data, we apply equally to their personal data. This policy reflects that standard — not the minimum required by law, but the standard our clients should expect of us.

01 Who We Are

The data controller

VIGIL is a security and resilience intelligence platform developed and operated by Anshin Risk and Resilience Consulting Private Limited, incorporated in India and trading globally as ARRC Global.

Legal Entity
Entity: Anshin Risk and Resilience Consulting Private Limited
Trading As: ARRC Global
Registered: Pune, Maharashtra, India
Platform: VIGIL™ — vigil.arrcglobal.com

For the purposes of applicable data protection law — including India's Digital Personal Data Protection Act 2023 (DPDP Act), the EU General Data Protection Regulation (GDPR), and Singapore's Personal Data Protection Act (PDPA) — Anshin Risk and Resilience Consulting Private Limited is the data controller and data fiduciary for personal data processed through the VIGIL platform and website.

02 Our Data Principles

What we stand by

Before the legal detail, the principles that govern everything else:

  • Minimum necessary. We collect only what is needed to deliver the platform and fulfil legal obligations. Nothing more.
  • Purpose limitation. Data collected for one purpose is not repurposed. If we need to use your data differently, we tell you and seek consent where required.
  • Client data is client data. Intelligence and site data uploaded or generated by enterprise clients belongs to those clients. We do not analyse, mine, or repurpose it for any use outside the contracted service.
  • No third-party AI. VIGIL's intelligence processing is fully in-house. Client data is never transmitted to an external AI provider, large language model, or third-party processing engine.
  • Transparency by default. We will tell you what we hold, why, and how long we keep it — without you having to ask.
  • Security is not optional. Appropriate technical and organisational measures are applied to all data, proportionate to its sensitivity.

03 What We Collect

Data collected — and how

VIGIL collects data in two distinct contexts: from visitors to the platform website, and from registered users of the VIGIL platform. These are handled separately.

Website visitors (vigil.arrcglobal.com)

  • Information you provide when submitting a contact or demonstration request: name, email address, job title, organisation name, and any details you include in a free-text field.
  • Technical data collected automatically: IP address, browser type and version, device type, pages visited, time and duration of visit. Collected via cookies and analytics tools (see Section 10).

Registered platform users

  • Account data: name, business email address, job title, organisation name, and role within the platform (administrator, analyst, viewer).
  • Authentication data: encrypted credentials and session tokens. Passwords are never stored in plaintext.
  • Platform activity data: actions performed within the platform (assessments created, reports generated, settings changed), timestamps, and session metadata. This data is used for security audit trails and platform improvement.
  • Client-uploaded intelligence data: site information, documents, and data uploaded by enterprise clients to support assessments. This is client data — see Section 5.

We do not collect sensitive personal data categories — including health information, financial account data, government identity documents, biometric data, or political, religious, or union affiliations — through this website or platform.

04 How We Use Data

Purpose and legal basis

We process personal data only for the purposes listed below, each with its legal basis under applicable law.

Purpose | Data Used | Legal Basis
Respond to enquiries and demonstration requests | Name, email, organisation, enquiry content | Legitimate interest; pre-contractual steps
Provide and operate the VIGIL platform | Account data, authentication data, activity data | Performance of contract
Maintain platform security and audit trails | Activity logs, session data, IP address | Legitimate interest; legal obligation
Improve platform functionality | Aggregated, anonymised usage patterns | Legitimate interest
Send service communications | Email address, name | Performance of contract; legal obligation
Send updates or insights (marketing) | Email address, name | Consent — explicit opt-in only
Comply with legal obligations | As required by applicable law | Legal obligation

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals.

05 Client Data & AI Processing

How enterprise client data is handled

Enterprise clients of VIGIL upload site intelligence, assessment data, documents, and related materials to the platform. This client data is subject to the terms of the applicable Data Processing Agreement (DPA) executed between ARRC Global and the client organisation.

The following principles apply to all client data without exception:

  • Ownership remains with the client. Client data is not owned by ARRC Global. It is held by ARRC Global solely to provide the contracted service.
  • No repurposing. Client data is not analysed, mined, aggregated, or used for any purpose outside the specific engagement for which it was uploaded.
  • No third-party AI transmission. VIGIL's assessment and intelligence processing engine is built and operated entirely in-house. Client data is never transmitted to an external AI provider, third-party language model, cloud AI service, or any external processing system. All computation occurs within VIGIL's own infrastructure.
  • Isolation. Data belonging to one client organisation is logically isolated from data belonging to any other client organisation within the platform.
  • Return and deletion. On termination of a client subscription, client data is made available for export and then deleted from VIGIL's systems within the timeframe specified in the applicable DPA. Standard deletion period is 30 days post-termination unless the DPA specifies otherwise.

Data Processing Agreements. Enterprise clients requiring a signed DPA — as required by GDPR Article 28, India DPDP Act, or internal procurement policy — may request ARRC Global's standard DPA template or negotiate a bespoke agreement. Contact contact@arrcglobal.com.

06 Data Storage & Security

Where data is held and how it is protected

Infrastructure. All VIGIL platform data is hosted on dedicated infrastructure operated by Hetzner Online GmbH, with servers located in Germany (European Union). Data at rest is encrypted using AES-256. Data in transit is encrypted using TLS 1.3. No data is stored on public cloud platforms or shared hosting environments.

Security controls in place:

  • Multi-factor authentication (MFA) required for all internal system and platform administrative access
  • Role-based access control (RBAC) — users access only the data and functions their role requires
  • Encrypted backups with regular recovery testing
  • Central logging and audit trails for all data access and modification events
  • Source code repository access controls and secrets management
  • Dependency scanning and endpoint protection on all internal systems

Penetration testing. The VIGIL platform undergoes independent Vulnerability Assessment and Penetration Testing (VAPT) by a CERT-In empanelled security firm. Enterprise clients may request the executive summary of the most recent VAPT report under NDA.

Incident response. ARRC Global maintains a documented Incident Response Plan. In the event of a confirmed data breach affecting personal data, affected data subjects and relevant supervisory authorities will be notified within the timeframes required by applicable law — and in no case later than 72 hours of confirmed discovery for GDPR-notifiable incidents.

ARRC Global is progressing toward ISO 27001 certification for information security management. Our controls are designed to meet or exceed that standard now.

07 Sub-Processors

Third parties who may process data

VIGIL's core assessment and intelligence processing engine is entirely in-house. We do not use external AI providers or processing engines for client data. A limited number of infrastructure and operational service providers may process personal data in the course of providing their services to ARRC Global.

Category | Purpose | Data Involved | Location
Infrastructure hosting | Server infrastructure and storage | All platform data | Germany (EU)
Email delivery | Transactional and service emails | Email address, name | Varies by provider
Website analytics | Anonymous usage analysis | Anonymised technical data | Varies by provider

All sub-processors are bound by data processing agreements that require them to process personal data only as instructed, maintain appropriate security standards, and not engage further sub-processors without prior authorisation. Enterprise clients may request the current sub-processor list as part of the DPA process.

We do not sell, rent, or trade personal data to any third party. Ever.

08 International Transfers

Cross-border data flows

ARRC Global operates from India, with a subsidiary being established in Singapore, and serves clients across Asia Pacific, the Middle East, and Europe. Platform data is hosted in Germany (EU). The following applies to international data transfers:

  • India to EU: Data stored on EU-based servers (Germany) benefits from EU data protection standards under GDPR. This is the primary hosting jurisdiction for VIGIL.
  • EU data subjects: Where personal data of individuals located in the European Economic Area (EEA) or United Kingdom is processed, ARRC Global relies on Standard Contractual Clauses (SCCs) as the transfer mechanism where required.
  • India DPDP Act: Cross-border transfers of personal data of Indian residents are conducted in accordance with the requirements of the Digital Personal Data Protection Act 2023 and any rules notified thereunder.
  • Singapore: Where data flows involve Singapore, transfers are conducted in accordance with Singapore's Personal Data Protection Act (PDPA) and applicable adequacy or contractual frameworks.

Clients with specific data residency requirements — for example, requirements that data not leave a particular jurisdiction — should raise this during commercial discussions. ARRC Global will accommodate documented residency requirements where technically and commercially feasible.

09 Your Rights

What you can ask of us

Depending on your jurisdiction, you hold the following rights in respect of your personal data. We honour these rights regardless of whether they are technically mandatory in your specific jurisdiction — because they are the right standard to hold ourselves to.

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request correction of inaccurate or incomplete data.
  • Deletion. Request deletion of your personal data (the "right to be forgotten"), subject to legitimate grounds for retention such as legal obligations.
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Portability. Receive your personal data in a structured, machine-readable format, where technically feasible and legally applicable.
  • Objection. Object to processing carried out on the basis of legitimate interest, including direct marketing.
  • Withdraw consent. Where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Grievance redressal (India DPDP). Raise a complaint or grievance with ARRC Global's Data Protection Point of Contact.
  • Supervisory authority complaint. Lodge a complaint with your local data protection supervisory authority if you believe your rights have not been respected.

To exercise any of these rights, contact us at contact@arrcglobal.com. We will acknowledge your request within 5 business days and respond substantively within 30 days. Complex requests may require up to 60 days — we will notify you if this applies.

Platform users: For data held within the VIGIL platform on behalf of an enterprise client organisation, data subject requests should in the first instance be directed to the client organisation's designated administrator, who acts as the primary point of contact for data held under that client's account.

10 Cookies

How cookies are used on this website

The VIGIL website uses cookies for three purposes only. We do not use advertising cookies, tracking cookies, or cookies that build cross-site behavioural profiles.

Category | Purpose | Consent Required
Essential | Required for the website to function. Session management, security, and navigation. Cannot be disabled. | No — operationally required
Analytics | Understand how visitors use the site in aggregate. Data is anonymised before analysis. No individual profiling. | Yes — opt-in only
Functional | Remember your preferences (e.g. cookie consent choice). Improves return visit experience. | Yes — opt-in only

Analytics and functional cookies are set only with your consent, which you can provide, manage, or withdraw at any time using the cookie preference banner displayed on your first visit. You can also control cookies directly through your browser settings. Disabling all cookies may affect the function of certain website features but will not affect access to publicly available content.

11 Data Retention

How long we keep your data

Data Type | Retention Period | Basis
Website enquiry data | 12 months from last contact if no engagement proceeds | Legitimate interest
Platform account data | Duration of active subscription + 30 days post-termination | Contract performance
Client-uploaded data | As specified in the applicable DPA; default 30 days post-termination | DPA / contract
Security and audit logs | 12 months from creation | Legitimate interest; legal obligation
Legal and financial records | 7 years or as required by applicable law | Legal obligation
Marketing consent records | Until consent is withdrawn + 3 years for evidence purposes | Legal obligation

When data reaches the end of its retention period, it is securely deleted or anonymised in a manner that prevents reconstruction. Deletion requests submitted under Section 9 will be processed within 30 days, subject to any applicable legal retention obligations.

12 Children

Age restriction

The VIGIL platform is an enterprise intelligence tool intended solely for professional use by organisations and their authorised employees. It is not directed at, designed for, or intended to be used by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18.

If we become aware that personal data of a person under 18 has been collected, we will delete it promptly. If you have reason to believe this has occurred, please contact us at contact@arrcglobal.com.

13 Updates to This Policy

How we handle changes

We will update this policy when our practices change, when the law requires it, or when we can provide greater clarity. The effective date at the top of this page reflects the most recent revision.

For material changes that affect how we process personal data, we will notify registered platform users by email at least 14 days before the change takes effect. For non-material clarifications, the updated policy will be published on this page without advance notice.

Continued use of the VIGIL website or platform after a policy update constitutes acceptance of the revised terms, subject to any rights you hold to object to specific processing activities.

14 Contact Us

Questions, rights requests & complaints

For any question about this policy, to exercise a data subject right, or to raise a concern about how your data is handled, contact us directly. We do not use automated response systems for privacy enquiries — a human will respond.

Data Controller Contact
Entity: Anshin Risk and Resilience Consulting Private Limited
Address: Pune, Maharashtra, India
Response: Acknowledgement within 5 business days · Substantive response within 30 days

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority — for example, your national Data Protection Authority (EU) or the Information Commissioner's Office (UK). If you are located in India, you may raise a complaint with the Data Protection Board of India once constituted under the DPDP Act 2023.