Compliance
Your data, the law, and us.
Medulla AI helps you stay compliant with MCA, GST, TDS, and international equivalents. To do that responsibly, we hold ourselves to the regulatory standards that match the data we touch.
Data residency
Customer data is stored in AWS regions consistent with the customer's geography. India customers: AWS Asia Pacific (Mumbai), ap-south-1. Future US customers: us-east-1. Data does not cross borders without explicit configuration or customer opt-in.
India DPDP (Digital Personal Data Protection Act, 2023)
We process personal data lawfully, minimally, and only for the purposes you authorize. Our DPDP posture:
- Consent-based processing for all personal data
- Data minimization: we collect only what is needed for the operations you ask us to run
- Right to access, correction, and erasure honored within 30 days of request
- Data fiduciary obligations met; we do not process children's data
- Breach notification commitment: 72 hours to data subjects and the Data Protection Board
GDPR posture (for EU users in Phase 3)
We are not yet processing EU personal data. When we expand to EU customers, we will publish a Data Processing Addendum, appoint an EU Representative, and align controls with GDPR Articles 28 and 32. In the meantime, customers should not upload EU personal data to Medulla AI without first discussing it with us.
Sub-processors
We rely on a small set of vetted sub-processors:
- Amazon Web Services - infrastructure (compute, storage, database)
- Anthropic - LLM inference (Claude family)
- NVIDIA - NeMo Guardrails for safety controls
- Google / Microsoft - source data only (Gmail / Outlook OAuth-scoped reads)
Customers are notified 30 days in advance of any new sub-processor addition.
Data Protection Officer
For India DPDP and future GDPR purposes, the DPO is the founder, Aarohi Kulkarni. Contact: dpo@usemedulla.ai.
Your obligations
Medulla AI helps you meet your compliance obligations - but it does not replace your CA, CS, or legal counsel. Final accountability for filings, payments, and corporate actions stays with the founder. We provide the tracking, drafting, and reminders; you provide the signature.