1. What this list is
Under the Data Processing Agreement we maintain a public register of every party that processes personal data on our behalf. Each entry below shows the function, what data is shared, where it is stored, and the compliance posture. Customers and partners can subscribe to change notifications via dpo@klarocare.in.
2. Hosting & infrastructure
| Subprocessor | Data region | Purpose | Compliance |
|---|---|---|---|
| Amazon Web Services | ap-south-1 (Mumbai) | Application hosting, RDS PostgreSQL, S3 document vault, KMS-managed encryption keys | ISO 27001 · SOC 2 · CSA STAR · IRDAI ISNP-empanelled |
| Cloudflare | Global edge | Edge CDN, DDoS protection, WAF for static + cached responses | ISO 27001 · SOC 2 · IS 700 (CERT-In) |
| Datadog | EU + IN regions | Application performance monitoring, log search (PII-masked at source) | ISO 27001 · SOC 2 · HIPAA |
| Sentry | EU | Frontend / backend error reporting; PII scrubbing applied client-side | ISO 27001 · SOC 2 |
3. Payments & finance
| Subprocessor | Data region | Purpose | Compliance |
|---|---|---|---|
| Cashfree Payments | India | Active payment gateway: card / UPI / netbanking · auto-debit mandates · refunds | PCI-DSS 4.0 · RBI-licensed Payment Aggregator |
| Razorpay | India | Legacy payment gateway · maintained for in-flight policies bought before Cashfree migration | PCI-DSS 4.0 · RBI PA |
| Tally Solutions | India | Reconciliation & GST filings; only aggregated transaction data, no policy detail | GST-suvidha-provider empanelled |
4. Communications
| Subprocessor | Data region | Purpose | Compliance |
|---|---|---|---|
| MSG91 | India | Transactional SMS · OTP · DLT-registered template delivery | ISO 27001 · TRAI-registered |
| WATI | India + Singapore | WhatsApp Business API for transactional + opt-in marketing messages | Meta-approved BSP · ISO 27001 |
| SendGrid (Twilio) | US + EU | Transactional email; suppression list + bounce management. Marketing emails opt-in only. | ISO 27001 · SOC 2 |
| Exotel | India | Voice OTP fallback + outbound advisor calls (consent-recorded) | TRAI · DoT-registered cloud telephony |
5. KYC, identity, document verification
| Subprocessor | Data region | Purpose | Compliance |
|---|---|---|---|
| NSDL e-Governance | India | CKYC lookup · PAN verification | IRDAI / SEBI authorised KUA |
| UIDAI | India | Aadhaar e-KYC via authorised AUA (used only with explicit consent) | UIDAI Authorised AUA |
| DigiLocker | India | Document fetch with consent: driving licence, vehicle RC, education proofs | MEITY / NeGD |
| IDfy | India | OCR + face-match + liveness for video-KYC (used at agent-onboarding only) | ISO 27001 · ISO 27018 · SOC 2 |
6. Insurer integrations
Klaro Care passes minimum-necessary data to insurers when you request a quote, submit a proposal, or file a claim. Each insurer is an independent controller for the data it receives (per IRDAI composite-broker rules) and is governed by its own privacy policy and our master service agreement. The current insurer panel is at klarocare.in/insurers. No insurer receives data for a quote you didn't ask for.
7. Analytics & marketing
| Subprocessor | Data region | Purpose | Compliance |
|---|---|---|---|
| Google Analytics 4 | US + EU | Anonymised page-level analytics; IP-anonymised; cookie consent gated | ISO 27001 · SOC 2 |
| Mixpanel | US | Funnel analytics; only product events, never PII | ISO 27001 · SOC 2 Type II · GDPR DPA |
| Hotjar | EU | Session-replay on opted-in users only; PII auto-redacted; off by default | ISO 27001 · DPF |
8. Change control
- New subprocessors are reviewed by the Privacy & Security council before contracting.
- Standard Contractual Clauses are signed with every cross-border processor.
- Customers are notified 30 days in advance of any addition; objections can be raised to dpo@klarocare.in.
- Removed subprocessors are listed for one full quarter after exit, with a strikethrough, before being archived.
9. Reporting concerns
Data Protection Officer: dpo@klarocare.in.
For specific concerns about any subprocessor on this list, write to the DPO and reference the subprocessor name. We respond within 7 working days.