 Data Protection Policy — VentureSuite

Data Protection.

Our comprehensive framework for protecting the personal and financial data of founders, investors, and all platform users. Built on DPDPA, IT Act, and international best practice.

Last Updated: 26 April 2026
Jurisdiction: India (Republic of India)
Operator: Venture Biz Care LLC
Applies to: VentureSuite Platform
On This Page
  • 01 Legal Framework
  • 02 Data Controller & Processor
  • 03 Data Protection Principles
  • 04 SaaS Platform Data
  • 05 Financial & Confidential Data
  • 06 Security Architecture
  • 07 Breach Response
  • 08 Data Protection Impact
  • 09 Vendor Management
  • 10 Governance & Accountability

01

Legal Framework

VentureSuite's data protection practices are built on a comprehensive legal framework that incorporates Indian statutory requirements alongside international best practice standards.

🇮🇳
IT Act 2000 & SPDI Rules 2011
We comply with the Information Technology Act, 2000 and the SPDI Rules, which govern the collection and processing of sensitive personal data in India, including financial information and passwords.
📋
Digital Personal Data Protection Act 2023
We are implementing controls aligned with the DPDPA framework ahead of its full operationalisation, including consent management, data principal rights, and Data Protection Officer designation.
🌍
UAE PDPL (Federal Decree-Law 45/2021)
For GCC-based users, we align with the UAE Personal Data Protection Law, including requirements for data subject consent and cross-border transfer controls.
🔒
ISO 27001 Alignment
Our information security management practices are aligned with ISO/IEC 27001:2022 controls. Formal certification is in progress as part of our institutional compliance roadmap.
02

Data Controller & Processor

Understanding the roles of data controller and data processor is fundamental to our data protection framework:

Role | Entity | Responsibilities
Data Controller | Venture Biz Care LLC (VentureSuite) | Determines the purposes and means of processing personal data collected through the Platform. Bears primary legal responsibility for data protection compliance.
Joint Controllers | Founders & Investors (for shared campaign data) | Both parties exercise some control over data shared in the deal progression process. A shared responsibility framework applies to data room access and intro facilitation.
Data Processors | AWS, Razorpay, Postmark, PostHog | Process data only on our documented instructions. Bound by data processing agreements under IT Act / DPDPA Article 8 equivalent obligations.
Data Principal | Individual users (founders, investors, team members) | Rights-bearing subjects whose personal data is processed. Entitled to exercise all rights under applicable law including access, correction, and erasure.

Data Protection Officer: VentureSuite has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and compliance. The DPO can be reached at legal@theventuresuite.com.

03

Data Protection Principles

Our data processing activities are governed by the following core principles, applied consistently across all systems and operations:

01
Lawfulness, Fairness & Transparency
We process personal data only where we have a valid legal basis. We are transparent about our processing through this Policy and our Privacy Notice shown at point of collection.
02
Purpose Limitation
Data collected for one purpose is not repurposed for an incompatible use without obtaining fresh consent or establishing a new legal basis.
03
Data Minimisation
We collect and process only the minimum data necessary to achieve the stated purpose. Fields marked optional are genuinely optional. We conduct periodic data minimisation reviews.
04
Accuracy
We maintain accurate and up-to-date personal data. We provide mechanisms for users to correct inaccurate data and implement processes to delete or update stale records.
05
Storage Limitation
Personal data is not retained beyond the period necessary for its original purpose, subject to legal retention obligations. See our Data Retention schedule in the Privacy Policy.
06
Integrity & Confidentiality
Technical and organisational measures ensure appropriate security — protecting against unauthorised access, accidental loss, destruction, or damage.
07
Accountability
We can demonstrate compliance with these principles. We maintain records of processing activities, conduct DPIAs for high-risk processing, and train all staff on data protection obligations.
04

SaaS Platform Data

Data flows differently depending on your role on the Platform. The following describes what data is collected, processed, and how it moves through the system:

Founder Data Flows
  • Founder profile and campaign data are stored in our primary database (AWS RDS, encrypted at rest).
  • Readiness scores are computed algorithmically from submitted data and stored alongside the campaign. The full score breakdown is visible only to our admin team — investors see only the total score.
  • Campaign data is surfaced to matched investors through the investor feed. Contact details are withheld until an intro is accepted.
  • Pitch deck and documents are stored in S3 with server-side encryption and served only via signed, time-limited URLs.
Investor Data Flows
  • Investor profile and thesis preferences are stored and used by the matching engine to generate personalised feed rankings.
  • Investor identity is revealed to founders only when the investor formally requests an intro — not at the follow or shortlist stage.
  • Investor activity (follows, shortlists, intro requests, data room views) is logged and available to the investor and to the relevant founder on a need-to-know basis.
  • Investor subscription and billing data is processed by Razorpay/Stripe; only the subscription tier and status are stored in our systems.
05

Financial & Confidential Data

Financial information shared on VentureSuite — including revenue figures, financial models, cap tables, and valuation data — is treated as highly sensitive and receives additional protections beyond standard personal data.

🔢
Field-Level Encryption
Revenue figures, financial projections, and valuation data are encrypted at the field level in addition to database-level encryption. Even our engineers cannot read these values without decryption keys that require two-person authorisation.
🚧
Strict Access Controls
Financial data in data rooms is accessible only to the founder, explicitly authorised investors, and our admin team on a documented need-to-know basis. No blanket access exists.
📜
Confidentiality Obligations
Investors who access data room financial documents are bound by confidentiality obligations in our Terms of Service. Any breach may be actionable under the Indian Contract Act, 1872.
🕐
Time-Limited Access
Signed URLs for financial documents expire after 1 hour. Revoked access takes effect immediately — previously issued URLs become invalid upon revocation.

We never use your financial data for our own commercial purposes. Revenue figures, financial models, and deal data will never be aggregated for sale, used to train external AI models, or shared with third parties other than your explicitly authorised investors and our regulated service providers.

06

Security Architecture

Our security architecture is designed around a defence-in-depth model with multiple independent layers of protection:

Layer | Control | Standard
Data at Rest | AES-256 encryption; database + field level | NIST SP 800-111
Data in Transit | TLS 1.3; HSTS enforced; certificate pinning | NIST SP 800-52
Access Control | RBAC + ABAC; MFA mandatory for admin; least privilege | NIST SP 800-53
Document Access | Signed S3 URLs; 1-hour expiry; IP logging | AWS S3 Security
Infrastructure | VPC isolation; WAF; DDoS protection; private subnets | AWS Well-Architected
Application | OWASP Top 10 controls; input validation; CSP headers | OWASP ASVS L2
Audit Logging | Immutable CloudTrail logs; 7-year retention; SIEM alerting | CIS Controls v8
Penetration Testing | Annual third-party pentest; quarterly vulnerability scans | OWASP Testing Guide
07

Breach Response

Despite our comprehensive security controls, we acknowledge that no system is immune to all threats. Our breach response procedure ensures rapid containment, assessment, and notification:

01
Detection (< 1 hour)
Automated monitoring, SIEM alerts, and continuous anomaly detection trigger immediate alerts to our security team upon detection of unusual access patterns or data exfiltration indicators.
Automated
02
Containment (< 4 hours)
Immediate isolation of affected systems, revocation of compromised credentials, emergency access controls, and preservation of forensic evidence. Affected users' sessions are invalidated.
Incident Response
03
Assessment (< 24 hours)
Scope determination — what data was accessed, how many individuals affected, what categories of data, and what the likely impact is. Legal and DPO engaged immediately.
Impact Analysis
04
Notification (< 72 hours)
Affected users notified with details of: what happened, what data was affected, what we have done, what you should do. Regulator notification as required by DPDPA obligations.
72-Hour Window
05
Remediation & Review
Root cause analysis, permanent fix implementation, security control enhancement, and post-incident review. Lessons learned shared with the team. Incident documented in our breach register.
Continuous Improvement
08

Data Protection Impact

VentureSuite conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms. DPIAs have been conducted or are planned for:

  • Algorithmic scoring: The deterministic scoring engine processes founder financial and team data to produce a quality score. DPIA confirmed: mitigated by transparency (founders can see scoring dimensions), human oversight (admin review), and right to contest.
  • Investor matching algorithm: Personalised feed ranking based on thesis preferences. DPIA confirmed: no protected characteristics used, no discriminatory profiling, based purely on stated commercial preferences.
  • Data room access logging: Comprehensive logging of investor document access. DPIA confirmed: necessary for founder protection and security; logs are only accessible to the founder and admin team.
  • Payment processing integration: Financial data transmitted to payment processor. DPIA confirmed: mitigated by tokenisation, no card storage, processor compliant with PCI-DSS Level 1.

DPIA outcomes and mitigation measures are documented internally and reviewed annually or whenever the processing activity materially changes.

09

Vendor Management

We apply rigorous standards to all third-party vendors who process personal data on our behalf. Our vendor management framework includes:

  • Pre-engagement assessment: Security and privacy due diligence before any vendor engagement, including review of their SOC 2 Type II report, privacy policy, sub-processor disclosures, and incident history.
  • Data Processing Agreements (DPAs): All vendors who process personal data sign a DPA that requires them to: process data only on our instructions, implement equivalent security controls, notify us of any breach within 24 hours, and delete data upon termination.
  • Annual review: Vendor compliance is reviewed annually. Material changes to a vendor's security posture or sub-processor list trigger an immediate reassessment.

Vendor Category | Data Accessed | Location | Certification
Cloud Hosting (AWS) | All platform data | Mumbai / Singapore | ISO 27001, SOC 2 Type II
Payment Processing (Razorpay) | Payment card tokens | India | PCI-DSS Level 1, RBI compliant
Email Delivery (Postmark) | Email addresses only | USA (SCCs applied) | SOC 2 Type II
Analytics (PostHog / self-hosted) | Anonymised usage data | EU / Self-hosted | GDPR-compliant (self-hosted)
10

Governance & Accountability

Our data protection governance structure ensures that accountability is embedded at every level of the organisation:

👤
Data Protection Officer (DPO)
A designated DPO is responsible for advising on data protection obligations, monitoring compliance, and acting as the primary contact for data subjects and regulatory authorities. Contact: legal@theventuresuite.com
📋
Records of Processing (ROPA)
We maintain a comprehensive Record of Processing Activities that documents every processing operation, its legal basis, data categories involved, retention periods, and associated safeguards.
📚
Staff Training
All team members with access to personal data receive mandatory data protection training at onboarding and annually thereafter. Role-specific training is provided to engineering, customer success, and operations teams.
🔄
Annual Review Cycle
This Policy, our ROPA, DPIAs, and all vendor DPAs are reviewed annually by our legal and compliance team, with updates triggered by material changes in processing activities or legal requirements.

For data protection enquiries or to exercise your rights, contact: legal@theventuresuite.com

VentureSuite · Legal & Compliance

Questions about data protection?

Our Data Protection Officer is available to answer technical and compliance questions about how we protect your data.


Disclaimer: All trademarks and logos or registered trademarks and logos found on this site or mentioned herein belong to their respective owners and are solely being used for informational purposes. Information provided herein has been gathered from public sources. Venture Biz Care LLC disclaims any and all responsibility in connection with the veracity of this data. Information presented on this website is for educational purposes only and should not be treated as legal, financial, or any other form of advice. Venture Biz Care LLC is not liable for financial or any other form of loss incurred by the user or any affiliated party on the basis of information provided herein. Venture Biz Care LLC is neither a stock exchange nor does it intend to get recognised as a stock exchange under the Securities Contracts Regulation Act, 1956. Venture Biz Care LLC has not been authorised by the capital markets regulator to solicit investments. Venture Suite also states that it does not facilitate any online or offline buying, selling, or trading of securities. Venture Biz Care LLC has partnered with regulated entities as a channel partner to distribute their products on its platform.

This Site will be updated regularly.

© 2026 Venture Suite
