NDTDesk

Data Security and Privacy Statement

NDTDESK Data Security & Privacy Statement

Effective Date: 13 June 2026
Last Updated: 13 June 2026

This Data Security & Privacy Statement provides a summary of how NDTDESK, operated by NKLINE Technology Services Private Limited, handles customer data, personal data, access control, data storage, retention, export, and security practices.

This statement is intended to support customer IT, quality, compliance, and procurement review. It should be read together with our Privacy Policy, Terms of Service, Cookies Policy, and Refund and Cancellation Policy.

1. Platform Overview

NDTDESK is a cloud-based platform for NDT certification management, online examinations, training management, employee qualification tracking, certificate validity tracking, approval workflows, QR-based certificate verification, experience log management, and professional record management.

The platform may be used by business customers, employers, NDT Level III personnel, certifying authorities, training providers, employees, candidates, trainees, and individual NDT professionals.

2. Data Ownership

All data entered, uploaded, generated, or maintained by a customer within NDTDESK remains owned by the customer.

Individual professionals retain ownership of their personal profile data, certificates, employment history, experience logs, training records, and uploaded documents.

NDTDESK does not claim ownership over customer data or individual professional data.

NDTDESK does not sell customer data or personal data.

3. Data Storage and Hosting

At present, NDTDESK uses cloud-based infrastructure.

Current hosting details:

- Database provider: MongoDB Atlas
- Hosting infrastructure / region: AWS / N. Virginia, United States — us-east-1
- Application hosting / deployment providers: Netlify, Vercel, AWS, or related cloud infrastructure as applicable
- Authentication / session management: NextAuth
- Business communication and operational tools: Zoho
- Payment processing and subscription billing: Paddle

Because the current hosting region is AWS / N. Virginia (us-east-1), United States, customer data may be stored or processed outside the customer’s country of residence, including outside the European Economic Area.

Where a customer requires EU-based hosting, dedicated cloud hosting, specific data residency, or on-premise deployment, this can be reviewed separately subject to technical feasibility, implementation scope, security review, and commercial agreement.

4. Security Measures

NDTDESK uses reasonable technical and organizational measures to protect customer data and personal data.

These measures may include:

- Secure cloud infrastructure;
- Encrypted communication using HTTPS/TLS;
- Role-based access control;
- Account authentication;
- User permission management;
- Restricted internal access;
- Database security controls;
- Backup and recovery procedures;
- Controlled support access;
- Session-based authentication;
- Monitoring and troubleshooting controls;
- Periodic review of security practices.

No internet-based system can be guaranteed to be completely secure. However, NDTDESK takes reasonable steps to protect data from unauthorized access, misuse, loss, alteration, or disclosure.

5. User Access and Role-Based Permissions

Access to data within NDTDESK is controlled through user roles and permissions.

Business customers can assign different roles such as administrator, manager, examiner, trainer, Level III, certifying authority, employee, candidate, or trainee.

The customer organization is responsible for assigning and reviewing user permissions within its account.

NDTDESK is not responsible for internal access decisions made by customer administrators or authorized users.

6. NDTDESK Internal Access

NDTDESK personnel do not routinely access customer data.

Access by NDTDESK personnel may occur only where necessary for:

1. Technical support;
2. Troubleshooting;
3. Customer-requested assistance;
4. Onboarding or implementation support;
5. System maintenance;
6. Security investigation;
7. Legal or regulatory compliance.

Internal access is limited to authorized personnel and only for legitimate service-related purposes.

7. Data Processing and GDPR-Aligned Practices

NDTDESK is operated by an Indian company, NKLINE Technology Services Private Limited.

For business customers, the customer organization normally acts as the data controller, and NDTDESK acts as a data processor or service provider processing data on behalf of the customer.

For individual professional accounts, NDTDESK may act as the data controller for the personal data collected directly from the individual.

NDTDESK follows GDPR-aligned principles such as:

- Transparency;
- Purpose limitation;
- Data minimization;
- Access control;
- Data security;
- Data retention control;
- Data export and deletion support.

NDTDESK does not currently claim ISO 27001, SOC 2, or similar formal security certification unless expressly stated in a separate written document.

8. Subprocessors and Service Providers

NDTDESK uses third-party service providers to operate, secure, support, and improve the platform.

Current subprocessors or service providers may include:

- MongoDB Atlas – database hosting;
- AWS – cloud infrastructure / hosting region support;
- Netlify / Vercel – application hosting and deployment infrastructure, where applicable;
- NextAuth – authentication and session management;
- Zoho – business email, communication, support, CRM, or operational tools, where applicable;
- Paddle – payment processing, subscription billing, invoicing, and tax-related payment administration.

These service providers are used only as required to deliver, support, secure, or operate the NDTDESK service.

9. Data Retention

Data retention depends on account status and service type.

Unless otherwise agreed in writing:

- Active accounts: Data is retained during the active subscription or service period.
- Trial accounts: Trial data may be retained for up to 60 days after trial expiry.
- Terminated subscriptions: Customer data may be retained for up to 90 days after subscription termination.
- Backups: Deleted data may remain in protected backups for a limited period until normal backup rotation is completed.

After the applicable retention period, data may be deleted or anonymized unless retention is required by law, contract, dispute resolution, audit, security, or agreed written arrangement.

10. Data Export

Customers may request export of their data during an active subscription or before account closure.

Export may be provided in commonly used electronic formats where technically feasible.

Customers are responsible for requesting export before the end of the applicable retention period after cancellation or termination.

Individual professionals may request export of their personal account data, subject to identity verification and applicable legal or customer-controlled record limitations.

11. Trial Data Handling

Data entered during a trial remains owned by the customer or user.

If the customer does not continue after the trial, trial data may be retained for up to 60 days after trial expiry to allow review, reactivation, export, or follow-up.

Upon customer request, trial data may be deleted earlier, subject to legal, security, backup, and technical limitations.

12. Subscription Discontinuation

If a customer discontinues the subscription, the customer may request export of its data before account closure.

After subscription termination, customer data may be retained for up to 90 days to allow reactivation, export, account closure, legal compliance, dispute resolution, or backup processing.

After the retention period, data may be deleted or anonymized unless retention is required by law or agreed separately in writing.

13. Remote Proctoring and AI-Assisted Proctoring

Where remote proctoring or AI-assisted proctoring is enabled, NDTDESK may process examination integrity data such as activity logs, images, video, audio, screen activity, or proctoring observations depending on the enabled feature and customer requirement.

AI-assisted proctoring is intended to support review. It should not be treated as the sole basis for certification approval, rejection, disciplinary decision, or employment-related decision without human review by the customer or authorized personnel.

Customers are responsible for informing candidates and obtaining any required consent before using remote or AI-assisted proctoring features.

14. Dedicated Hosting and On-Premise Deployment

NDTDESK’s standard deployment is cloud-based.

For enterprise customers, the following options may be reviewed separately:

- Dedicated cloud deployment;
- EU-based hosting;
- Customer-specific data residency;
- Private cloud deployment;
- On-premise deployment;
- Custom infrastructure arrangement.

These options are subject to technical feasibility, customer IT requirements, security review, implementation scope, support model, and separate commercial terms.

NDTDESK is not obligated to provide dedicated or on-premise deployment unless agreed in writing.

15. Contact

For questions about data security, privacy, hosting, retention, export, or customer data handling, contact:

NKLINE Technology Services Private Limited
13/2958-33, Admanathasamy Nagar North,
Pattinamkathan, Ramanathapuram,
Tamil Nadu, India - 623503
Email: contact@ndtdesk.app