DPDP Act 2023 • Responsible Data Governance

Privacy Policy

Silicon Comnet Pvt. Ltd. is committed to transparent, lawful and secure handling of personal data across our website, cybersecurity services, training programmes and digital platforms.

Silicon Comnet Pvt. Ltd.

Digital Personal Data Protection Act, 2023 (No. 22 of 2023) │ DPDP Rules, 2025 (G.S.R. 846(E))

Effective Date: 22 May 2026 │ Version: 2.0 │ Replaces Version 1.2

Read this with our Privacy Notice: This Privacy Policy must be read together with our standalone Privacy Notice (siliconcomnet.com/privacy-notice), which is the separate notice issued under Section 5(1) of the Act and Rule 3 of the Rules before requesting your consent. The Notice sets out the minimum mandatory disclosures; this Policy provides the full operational framework for our data processing activities. Where any provision of this Policy conflicts with the Notice, the Notice prevails for the purpose of consent.

1. Introduction and Scope

Silicon Comnet Pvt. Ltd. (CIN: U72900DL2012PTC234926), with its Registered Office at 16/8, 3rd Floor, Arya Samaj Road, Karol Bagh, New Delhi, 110005 and Branch Office at C-43, 2nd Floor, Sector 8, Noida, Uttar Pradesh, is a cybersecurity technology company specialising in Cyber Exposure Management, Data-Centric Security Solutions, Advisory and Managed Services, and Knowledge Services (through SiliconUniv, our training division).

This Privacy Policy (“Policy”) describes how we collect, use, share, retain, and protect your personal data when you: (a) visit our website (www.siliconcomnet.com) or any sub-domains; (b) use our cybersecurity services; (c) enrol in training programmes through SiliconUniv; (d) participate in Silicon Challenge events (siliconchallenge.com); (e) apply for a career with us; or (f) interact with us via email, phone, LinkedIn, or in person.

Territorial scope: This Policy applies to the processing of digital personal data within India (Section 3(a) of the Act) and to processing outside India in connection with offering goods or services to Data Principals within India (Section 3(b)). It does not apply to: (i) personal data processed for purely personal or domestic purposes (Section 3(c)(i)); or (ii) personal data made publicly available by you or under a legal obligation (Section 3(c)(ii)).

2. Identity of the Data Fiduciary [Section 2(i); Section 8(9); Rule 9]

We are the Data Fiduciary for all personal data described in this Policy. Our contact details are:

Organisation: Silicon Comnet Pvt. Ltd.
CIN: U72900DL2012PTC234926
Registered Office: 16/8, 3rd Floor, Arya Samaj Road, Karol Bagh, New Delhi — 110005
Branch Office: C-43, 2nd Floor, Sector 8, Noida, Uttar Pradesh
Website: www.siliconcomnet.com
Privacy Email: privacy@siliconcomnet.com
General Enquiries: reach@siliconcomnet.com │ +91 931 142 5007
Training Enquiries: +91 931 071 9612
Contact Person [S.8(9); R.9]: Gaurav Goswami, Principal Consultant │ privacy@siliconcomnet.com │ +91 931 142 5007
Grievance Officer [S.13; R.14(3)]: Gaurav Goswami │ grievance@siliconcomnet.com │ +91 931 142 5007

The Contact Person’s business contact information is published on our website and is referenced in every response to a Data Principal’s communication exercising rights under the Act, as required by Rule 9.

3. Personal Data We Collect

The specific categories and data elements we collect are set out in our Privacy Notice. In summary:

Category │ Key Data Elements │ Collection Method
Identity Data │ Full name, designation, job title, company name, photograph (events) │ Contact forms, registrations, applications, events, business cards
Contact Data │ Email, mobile number, postal address, LinkedIn URL │ Forms, email, LinkedIn, business cards
Professional Data │ Company, industry, role, cybersecurity interests, technology stack │ Service inquiry forms, consultations
Financial Data │ Payment details (NEFT/IMPS), invoice details, GST number, PAN │ Training payments, service contracts, vendor onboarding
Employment / Career Data │ CV/resume, qualifications, certifications, work experience, cover letter, expected salary, interview notes │ siliconcomnet.com/career, email, recruitment platforms
Technical Data │ IP address, browser type and version, device type, OS, screen resolution, referring URL, ISP │ Automatic collection via server logs and cookies
Usage / Analytics Data │ Pages visited, time on page, click patterns, scroll depth, session recordings, heat maps │ Microsoft Clarity, Google Analytics, server logs
Communication Data │ Emails, phone call logs, webinar chat transcripts, feedback, testimonials │ Direct correspondence, support, and webinar platforms
Cookie / Tracking Data │ Cookie identifiers: _ga, _ga_7HHF7KEB2F, _clck, _clsk, CLID, ANONCHK, MR, MUID, SM, laravel_session, XSRF-TOKEN │ Cookies, see Cookie Policy at siliconcomnet.com/cookie-policy
Event / Training Data │ Event registrations, attendance, certification records, assessment scores, and webinar participation │ Event forms, LMS platforms, Silicon Challenge (siliconchallenge.com)

4. Notice and Consent [Section 5; Section 6]

4.1 Notice Obligation (Section 5(1))

Every request we make to you for consent is accompanied or preceded by our standalone Privacy Notice published at siliconcomnet.com/privacy-notice. That Notice informs you of: (i) the personal data and the purpose for which it is to be processed; (ii) how you may exercise your right to withdraw consent (Section 6(4)) and your right to grievance redressal (Section 13); and (iii) how you may make a complaint to the Data Protection Board of India.

4.2 Standards for Consent (Section 6(1))

Where we process your personal data based on your consent, that consent:

is free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action;

is limited to the personal data necessary for the specified purpose (we do not collect data beyond what is needed); and

is not obtained through pre-ticked boxes, implied consent through continued browsing, bundled consent, or any other non-affirmative mechanism.

4.3 Withdrawal of Consent (Section 6(4)–(6))

You may withdraw consent at any time. The ease of withdrawal is comparable to the ease with which consent was given (Section 6(4)). Withdrawal methods are described in our Privacy Notice. Important: (a) withdrawal does not affect the lawfulness of processing before withdrawal (Section 6(5)); (b) we will inform you of the consequences before acting on your withdrawal; (c) upon withdrawal, we will, and will cause our Data Processors to, cease processing within a reasonable time, unless processing without consent is separately authorised under the Act (Section 6(6)).

4.4 Consent via Consent Manager (Section 6(7)–6(9))

You may give, manage, review, or withdraw your consent through a Consent Manager registered with the Data Protection Board under Rule 4. Where you use a Consent Manager, that entity acts on your behalf under the obligations prescribed in Schedule I of the Rules.

5. Lawful Basis for Processing [Sections 6–7]

We process personal data only on one of the following lawful bases:

Lawful Basis │ Legal Provision │ Processing Activities
Consent │ Section 6(1) │ New service engagements (where consent is requested), marketing and promotional communications, website analytics cookies, event registrations, and training enrolments
Voluntary Provision │ Section 7(a) │ Inquiries submitted through contact forms, email, or phone, where you voluntarily provide your personal data for a specified purpose and have not indicated any objection to its use
Legal Obligation │ Section 7(d) │ Tax compliance (TDS, GST), statutory filings, company law obligations, responses to court orders, Data Protection Board directions, and law enforcement requests
Employment │ Section 7(i) │ Payroll, attendance, benefits administration, PF/ESI statutory compliance, background verification (post-offer), prevention of corporate espionage, protection of confidential information

Note on minimum collection: In all cases, we limit the collection and processing of personal data to what is necessary for the specified purpose (Section 6(1)). We do not process personal data for a purpose beyond that for which it was collected without obtaining fresh consent or a separate lawful basis.

6. Sharing and Disclosure of Personal Data [Section 8(2)–8(3)]

We do not sell your personal data. We do not share it with any party for purposes unrelated to those described in this Policy. Personal data is shared only in the following circumstances, and only to the extent necessary:

6.1 Data Processors (Section 8(2))

We engage third-party Data Processors under valid contracts that: (a) restrict processing to our documented instructions; (b) require reasonable security safeguards; and (c) impose obligations consistent with the Act and Rules. Current key Data Processors include:

Google LLC (Google Analytics, Google Workspace) — United States

Microsoft Corporation (Microsoft Clarity, Azure services) — United States

Payrollinfo.in (Payroll and HR administration) — India

Payment gateway provider (Training payment processing) — India (PCI-DSS compliant; we do not store full card details)

6.2 Technology Partners

We may share personal data with our technology partners (Fortinet, Palo Alto Networks, Thales, Akamai, EC-Council, Versa Networks, Pentera, ManageEngine, Forcepoint) where necessary for joint service delivery, certification management, training coordination, or event management. These partners act as independent Data Fiduciaries or joint processors, as the case may be, and processing is governed by contractual arrangements with each partner.

6.3 Legal Disclosure (Section 7(d))

We may disclose personal data to government authorities, regulators (including the Income Tax Department, GST authorities, EPFO, ESIC, and the Registrar of Companies), courts, or the Data Protection Board, as required or permitted by applicable law.

6.4 Professional Advisors

Legal counsel, auditors, and consultants engaged by us are bound by confidentiality obligations.

6.5 Data Quality in Sharing (Section 8(3))

Where personal data processed by us is likely to be used to make a decision that affects you or disclosed to another Data Fiduciary, we ensure its completeness, accuracy, and consistency before such use or disclosure.

Third-party links: Our website may contain links to third-party platforms. We are not responsible for their privacy practices. We encourage you to review their policies before providing personal data.

7. Cross-Border Transfer of Personal Data [Rule 15]

Personal data processed by us may be transferred outside India to Data Processors or partners as described in Section 6 of this Policy. Such transfers are made subject to the requirements that the Central Government may specify under Rule 15 of the Rules by general or special order.

Current cross-border transfers:

Google Analytics / Google Workspace: Data processed in the United States and other Google data centre locations.

Microsoft Clarity / Azure: Data processed in Microsoft’s global data centres.

EC-Council: Certification and training data may be processed in the United States.

LinkedIn: Where you interact with our LinkedIn presence, data is processed in the United States.

These transfers are governed by Data Processing Agreements with each provider, which include obligations on security, breach notification, and data use restrictions. We monitor and will comply with any transfer restrictions or mechanisms notified by the Central Government under Section 16 of the Act.

8. Data Retention and Erasure [Section 8(7); Rule 8]

Key Retention Principles from the Act and Rules
Section 8(7)(a): We erase personal data upon consent withdrawal or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier — unless retention is required by law.
Section 8(7)(b): We cause our Data Processors to erase personal data made available to them when the above conditions are met.
Rule 8(1): Prescribed minimum retention periods in Schedule III apply ONLY to e-commerce entities (≥2 crore registered users), online gaming intermediaries (≥50 lakh registered users), or social media intermediaries (≥2 crore registered users). Silicon Comnet Pvt. Ltd. is none of these. No minimum retention period under Rule 8(1) applies to us.
Rule 8(2): At least 48 hours before erasing personal data, we inform you that such data will be erased, unless you log in or initiate contact with us for the specified purpose.
Rule 8(3): All Data Fiduciaries (including us) must retain personal data, associated traffic data, and processing logs for a MINIMUM of 1 (one) year from the date of processing, for the purposes specified in the Seventh Schedule of the Rules. This is a statutory floor, not a business retention period.

Our Retention Schedule:

Personal Data Category │ Retention Period │ Legal Basis │ Erasure Method
Contact / Inquiry form submissions │ Until purpose served (inquiry answered, no further engagement) + minimum 1 year for processing logs [R.8(3)] │ S.8(7)(a) │ Secure deletion from CRM and server logs
Career applications — unsuccessful │ Until hiring decision communicated + minimum 1 year for processing logs [R.8(3)] │ S.8(7)(a); S.7(a) │ Secure deletion from the recruitment system and email
Career applications — hired / employees │ Duration of employment + further period as required by applicable labour, tax, and social security law (PF Act, IT Act, Shops & Establishments Act). Processing logs: minimum 1 year [R.8(3)]. │ S.7(i); applicable statutory requirements │ Secure deletion from HRMS after the statutory period
Training / Certification enrolment data │ Duration of training programme + further period required for certification records. Processing logs: minimum 1 year [R.8(3)]. │ S.8(7)(a); certification audit requirements │ Anonymisation or secure deletion
Marketing communications (consent-based) │ Until consent is withdrawn (S.6(4)) or purpose no longer served (S.8(7)). Processing logs: minimum 1 year [R.8(3)]. │ S.6(1); S.6(4); R.8(3) │ Secure deletion; instant unsubscribe link in every email
Website analytics and cookie data │ As per individual cookie expiry set out in our Cookie Policy. Processing logs: minimum 1 year [R.8(3)]. │ S.6(1) — consent via cookie banner; R.8(3) │ Cookie expiry or deletion via Cookie Preferences
Event and webinar registration data │ Until purpose served (event concluded) + minimum 1 year for processing logs [R.8(3)]. │ S.8(7)(a); R.8(3) │ Secure deletion from event platform and CRM
Financial and invoice data (GST, TDS, PAN) │ 8 years from the end of the relevant financial year, or such longer period as may be required under applicable law or for the establishment, exercise, or defence of legal claims │ Compliance with legal obligations under applicable laws, including the Income Tax Act, 1961 and the CGST Act, 2017; retention permitted for compliance with law under the DPDP Act, 2023 │ Secure deletion from the accounting system after the statutory period
Cybersecurity service delivery data │ Duration of contract + period required by the contract or applicable law. Processing logs: minimum 1 year [R.8(3)]. │ S.8(7)(a); contractual obligation │ Secure deletion per contract terms
Processing logs, traffic data, and access logs (all categories) │ Minimum 1 year from date of processing [R.8(3); Seventh Schedule]. Thereafter erased unless further retention is required under applicable law. │ R.8(3) — mandatory minimum; Rule 6(1)(e) │ Secure deletion from log management system
Consent records (proof of consent) │ Retained for as long as processing continues based on that consent, and for a reasonable period thereafter to discharge the burden of proof under S.6(10). No specific period is prescribed under the Act or Rules. │ S.6(10) — burden of proof on Data Fiduciary │ Secure deletion after processing ceases and the burden-of-proof period ends

Deletion by Data Processors (Section 8(7)(b)): Upon erasure of your personal data, we instruct and confirm that all Data Processors who have processed that data on our behalf also erase it.

9. Security Safeguards [Section 8(5); Rule 6]

We implement reasonable security safeguards to prevent personal data breaches, having regard to the nature and volume of personal data we hold. As a cybersecurity company, we apply the following measures mandated under Rule 6(1):

Rule 6(1)(a) — Data security measures: AES-256 encryption at rest; TLS 1.3 in transit; tokenisation for sensitive identifiers; data masking in non-production environments; obfuscation where appropriate.

Rule 6(1)(b) — Access control: Role-based access control with least privilege; multi-factor authentication for all system access; privileged access management; quarterly access reviews; immediate deprovisioning upon exit.

Rule 6(1)(c) — Logging, monitoring, and review: Comprehensive personal data access logging; SIEM with anomaly detection; automated alerting for suspicious patterns, enabling detection, investigation, and remediation of unauthorised access.

Rule 6(1)(d) — Business continuity: 3-2-1 backup strategy; monthly restore tests; defined RTO/RPO; disaster recovery capability.

Rule 6(1)(e) — Log retention: Personal data access logs, traffic data, and processing logs are retained for a minimum of 1 (one) year to enable detection of unauthorised access, investigation, and remediation, unless applicable law requires a longer period.

Rule 6(1)(f) — Data Processor contracts: All Data Processing Agreements with our Data Processors include mandatory provisions for reasonable security safeguards, consistent with this Rule.

Rule 6(1)(g) — Technical and organisational measures: Regular risk assessments; vulnerability assessments and penetration testing; patch management; secure development lifecycle; privacy-by-design reviews; incident response plan; employee data protection training.

10. Personal Data Breach Notification [Section 8(6); Rule 7]

A “personal data breach” means any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability (Section 2(u)).

In the event of a breach:

Notification to you (Rule 7(1)): We will notify each affected Data Principal without delay through their registered communication channel, informing them of: (a) the nature, extent, and timing of the breach; (b) likely consequences relevant to them; (c) mitigation measures implemented or being implemented; (d) safety measures they may take; and (e) contact details of our Contact Person for queries.

Notification to the Data Protection Board (Rule 7(2)): We will notify the Board without delay with an initial description of the breach (Rule 7(2)(a)), followed within 72 hours by a detailed report covering: updated breach information; facts, events, and causes; mitigation measures; findings on the person who caused the breach; remedial measures to prevent recurrence; and a report of Data Principal notifications (Rule 7(2)(b)(i)–(vi)).

11. Processing of Personal Data of Children [Section 9; Rules 10–12]

Our services and website are directed at businesses and cybersecurity professionals. We do not knowingly collect or process personal data of children (individuals under 18 years of age — Section 2(f)).

If we become aware that we have inadvertently collected a child’s personal data without verifiable parental consent in accordance with Section 9(1) and Rule 10, we will promptly erase such data and notify the parent or guardian where feasible.

We do not: (a) process children’s personal data in a manner likely to cause a detrimental effect on their well-being (Section 9(2)); or (b) engage in tracking, behavioural monitoring, or targeted advertising directed at children (Section 9(3)).

12. Data Quality [Section 8(3)]

Where personal data processed by us is likely to be: (a) used to make a decision that affects you; or (b) disclosed to another Data Fiduciary, we ensure its completeness, accuracy, and consistency before such use or disclosure. We encourage you to inform us of any changes to your personal data so that our records remain up to date.

13. Your Rights as a Data Principal [Sections 11–14; Rule 14]

Under the Act, you have the following rights. To exercise any right, use the channels set out at the end of this section. We publish the means for exercising these rights on our website as required by Rule 14(1)(a).

13.1 Right to Access Information (Section 11)

You may request: (a) a summary of personal data being processed by us; (b) a description of the processing activities; (c) the identities of all Data Fiduciaries and Data Processors with whom your data has been shared and a description of that sharing; and (d) any other information prescribed under Rule 14(2).

13.2 Right to Correction, Completion, Updating, and Erasure (Section 12)

You may request: (a) correction of inaccurate or misleading personal data (Section 12(2)(a)); (b) completion of incomplete personal data (Section 12(2)(b)); (c) updating of outdated personal data (Section 12(2)(c)); and (d) erasure of personal data where retention is no longer necessary for the specified purpose or compliance with law (Section 12(3)).

13.3 Right to Grievance Redressal (Section 13)

You have the right to readily available means of grievance redressal in respect of any act or omission by us regarding the processing of your personal data or the exercise of your rights. We will acknowledge your grievance within 48 hours and resolve it within 30 (thirty) days from the date of receipt, as prescribed under Rule 14(3). Exhaustion of this mechanism is a prerequisite before approaching the Data Protection Board (Section 13(3)).

13.4 Right to Nominate (Section 14)

You may nominate one or more individuals to exercise your rights in the event of your death or incapacity (meaning unsoundness of mind or infirmity of body — Section 14(2)), using the means and furnishing the particulars required by us under Rule 14(4).

To exercise any right:

Email: privacy@siliconcomnet.com

Phone: +91 931 142 5007 — Monday to Friday, 10:00 AM – 6:00 PM IST

Identity verification (Rule 14(1)(b) and Rule 14(5)): You will need to provide your name and the email address or mobile number associated with your account with us.

14. Duties of Data Principal [Section 15]

When exercising your rights and interacting with us, you are required under the Act to:

Section 15(a): Comply with all applicable laws while exercising your rights under the Act.

Section 15(b): Not impersonate another person when providing personal data for a specified purpose.

Section 15(c): Not suppress any material information when providing personal data for any document, proof of identity, or proof of address issued by the State.

Section 15(d): Not register a false or frivolous grievance or complaint with us or the Board.

Section 15(e): Furnish only verifiably authentic information when exercising the right to correction or erasure.

Note: The duties listed above are statutory obligations under the DPDP Act, 2023 and are not requirements imposed by Silicon Comnet independently.

15. Grievance Officer [Section 13; Rule 14(3)]

You may contact our Grievance Officer with any complaint or concern about our processing of your personal data:

Grievance Officer
Name & Designation: Gaurav Goswami, Principal Consultant – Data Protection
Organisation: Silicon Comnet Pvt. Ltd.
Address: 16/8, 3rd Floor, Arya Samaj Road, Karol Bagh, New Delhi — 110005
Email: grievance@siliconcomnet.com
Phone: +91 931 142 5007 │ Monday–Friday, 10:00 AM – 6:00 PM IST

We will acknowledge your grievance within 48 hours and resolve it within 30 (thirty) days from the date of receipt, as prescribed under Rule 14(3). If your grievance is not resolved within this period, or you are not satisfied with our response, you may file a complaint directly with the Data Protection Board of India (Section 13(3)).

16. Data Protection Board of India [Sections 13(3), 18, 27–28]

If you are not satisfied with our response to your grievance, or your grievance is not resolved within 30 days, you have the right to file a complaint with the Data Protection Board of India. You must exhaust our grievance redressal mechanism before approaching the Board (Section 13(3)).

Board website: [To be updated once the Board’s operational portal is published by the Central Government]

We will cooperate fully with any inquiry initiated by the Board under Sections 27–28 of the Act.

17. Language Availability [Section 5(3)]

This Policy and our Privacy Notice are available in English. You may request either document in any of the 22 languages listed in the Eighth Schedule to the Constitution of India by writing to privacy@siliconcomnet.com.

18. Updates to This Policy

We may update this Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. Where a change materially affects your rights or the way we process your personal data, we will provide fresh notice and, where required by the Act, obtain fresh consent before the change takes effect. The version number and Effective Date at the top of this document indicate the most current version. We encourage you to review this Policy periodically.

19. Contact Us

For all privacy-related matters, including exercising your rights under the Act:

Contact Person (Section 8(9); Rule 9): Gaurav Goswami, Principal Consultant – Data Protection

Email: privacy@siliconcomnet.com

Phone: +91 931 142 5007

Address: Silicon Comnet Pvt. Ltd., 16/8, 3rd Floor, Arya Samaj Road, Karol Bagh, New Delhi — 110005

— End of Privacy Policy —

© Silicon Comnet Pvt. Ltd. | CIN: U72900DL2012PTC234926 | www.siliconcomnet.com