Does SARVAYA sign NDAs before engagements?

Yes. Every engagement begins with a mutual NDA. We also sign client-specific NDAs when provided. White-label engagements carry an additional attribution-blocking clause.

Can SARVAYA sign a Data Processing Agreement (DPA)?

Yes. A DPA template is available on request for clients processing personal data under GDPR, UK GDPR, or India's DPDP Act. We also counter-sign client-provided DPAs.

How long does SARVAYA retain client data?

Production source code and delivered assets are retained for the life of the engagement plus 12 months for support continuity. Communications and draft artifacts are retained for 24 months. Clients can request earlier deletion in writing.

How does SARVAYA handle AI tools and client data?

AI coding and reasoning tools are used under zero-data-retention modes where available (Claude API, OpenAI API with opt-outs). Client production secrets, PII, and proprietary datasets are never pasted into consumer chat interfaces. A per-project AI governance note is available on request.

Who are SARVAYA's subprocessors?

Our standard subprocessor list includes Vercel (hosting), Cloudflare (CDN and DNS), Google Workspace (email and docs), GitHub (version control), and Anthropic/OpenAI/Google (AI model providers, under zero-retention where available). A current list is shared before contract signing.

Trust & Compliance

Security & Data Protection

How we handle client data, AI governance, confidentiality, subprocessors, data retention, and DPA requests. Last reviewed: April 2026.

1. Our Commitment

SARVAYA (operating from Jaipur, Rajasthan, India) builds websites, AI agents, and automations for clients across India, the United States, the United Kingdom, the EU, and the UAE. Every engagement is governed by a mutual NDA, a written Statement of Work, and - where applicable - a Data Processing Agreement (DPA).

This page is a living summary of our posture. It is not a substitute for a signed contract; it is the reference that saves you 30 minutes in a security questionnaire.

2. Confidentiality & NDAs

Default NDA: A mutual NDA is signed before any commercially sensitive material is shared.
Client-provided NDAs: We counter-sign your NDA as standard when provided.
White-label engagements: Attribution is blocked end-to-end. No client-facing material, repo metadata, or deployment footprint references SARVAYA without written permission.
Staff: All contributors are under individual confidentiality agreements covering source, data, and client identity.

3. Data Processing Agreement (DPA)

A SARVAYA DPA template is available on request. It covers:

Roles (Controller / Processor) and lawful basis
Categories of personal data and processing purposes
Sub-processor use, notification, and right to object
Transfer mechanisms (SCCs for EEA / UK transfers where relevant)
Security measures (Section 5) and breach-notification timelines
Data subject rights assistance and deletion on termination

We also counter-sign client-provided DPAs. To request a copy, email dev.sharma@sarvaya.in with subject line "DPA request".

4. AI Governance

We use modern AI tooling to deliver faster and cleaner work. We apply the following rules so that the speed never comes at the cost of your data:

Zero-retention APIs by default: Claude API (Anthropic) and OpenAI API are used with zero-data-retention modes where available. Outputs are not used for model training.
No production secrets in consumer chat UIs: API keys, PII, and proprietary datasets are never pasted into ChatGPT, Claude.ai, Gemini, or similar consumer chat surfaces.
Human review: AI-generated code is read, tested, and merged by a human engineer. Nothing ships AI-to-prod unreviewed.
Model inventory: For regulated engagements, we provide a written list of models used, where they run, and what they see.
Prompt isolation: Client-specific prompts and retrieval corpora are scoped per-project; no cross-client embedding stores.

5. Security Measures

Access

Multi-factor authentication on GitHub, Google Workspace, Vercel, Cloudflare, and all model-provider accounts.
Principle of least privilege. Client-production credentials are scoped and rotated on project close.
Hardware-backed SSH keys and managed secret vaults for production deploys.

Transport & Storage

All hosted surfaces served over TLS 1.2+ with HSTS.
Repositories are private by default. Production environment variables live in managed secret stores, never in repos.
Laptops are full-disk encrypted with automatic locking.

Operational

Dependency pinning and automated vulnerability scanning on all production repos.
Pre-deployment checklist includes a security and PII review.
Incident response: a confirmed data incident is communicated to the client within 72 hours, aligned with GDPR Art. 33 expectations.

6. Subprocessors

Our standard subprocessors - the vendors we rely on to operate - are listed below. A project-specific list is shared before contract signing. Clients are notified in writing 30 days before any material change.

Vendor	Purpose	Data accessed	Region
Vercel	Web hosting & edge	Site content, logs	Global (US / EU edge)
Cloudflare	DNS, CDN, WAF	Request metadata	Global
Google Workspace	Email, Docs, Drive	Business comms	US / EU
GitHub	Source control	Source, issues	US
Anthropic (Claude)	AI reasoning & code	Scoped prompts (no retention)	US
OpenAI	AI reasoning & code	Scoped prompts (no retention)	US
Google (Gemini, GA4)	AI + site analytics	Scoped prompts; anonymized analytics	US / EU
Supabase / Neon	Managed database (per-project)	App data (client-controlled region)	Client-selected
Stripe / Razorpay	Payments (where enabled)	Transaction data	Per provider

7. Data Retention & Deletion

Production source & delivered assets: retained for the life of the engagement plus 12 months for support continuity.
Communications & draft artifacts: retained for 24 months.
Credentials: revoked or rotated within 7 days of project close.
On request: clients may request earlier deletion in writing. A written certificate of destruction is provided for regulated engagements.

8. International Transfers & Jurisdiction

SARVAYA is headquartered in Jaipur, Rajasthan, India. Disputes are subject to the exclusive jurisdiction of the courts in Jaipur. For EEA / UK clients, we execute Standard Contractual Clauses (SCCs) as part of our DPA. For US-based clients, we typically operate on the client's MSA with an attached SARVAYA security addendum.

9. Responsible Disclosure

If you believe you have found a security issue in anything SARVAYA owns or operates, email dev.sharma@sarvaya.in with subject line "Security disclosure". We acknowledge within 48 hours and do not pursue good-faith researchers who operate within this policy.

10. Contact & Document Requests

For security questionnaires, DPAs, subprocessor lists, or an AI governance one-pager, reach out:

Email: dev.sharma@sarvaya.in
WhatsApp: +91 9371553524
LinkedIn: linkedin.com/company/sarvaya

Need Paperwork?

Request Our DPA, NDA, or AI Governance Brief

Sent in under 24 hours - pre-reviewed and ready for your legal team.

Request Documents

Trusted & Verified