Ophillia HRMS was designed from the first commit with India's Digital Personal Data Protection Act 2023 as a core requirement. Every write operation is audited. Every employee gives versioned consent. Every DSR request flows through a tracked queue.
Every write operation (attendance, leave approval, employee edit, salary change) appends an immutable record to the per-tenant audit log. Records include timestamp, actor, IP address, action type and the before/after state. The audit log cannot be edited or deleted — only read.
Every boundary event (onboarding, role change, data processing change) presents the employee with a versioned consent notice. Their acceptance (or withdrawal) is logged with a timestamp and the consent text version ID. HR can view the consent history for any employee from the compliance dashboard.
HR raises DSR requests (access, erasure or portability) from Compliance → DSR Requests. Each request is logged in the audit trail and tracked through a review workflow. The employee is notified at every status change. Requests are completed within the statutory 30-day window.
A built-in data inventory maps every PII field in the system: what data is collected, why it is collected, how long it is retained and who can access it. The inventory can be exported as a report for DPO (Data Protection Officer) review or regulatory submission.
Configure retention periods per data category: employee records, attendance logs, audit entries, leave data and communication logs. Records past their retention date are flagged for HR review before automated purge. The purge itself is logged in the audit trail.
Application-level logs (API access logs, error logs) automatically redact PII field values before writing to disk. Names, email addresses, PAN numbers and phone numbers are replaced with hashed tokens. The original values are never written to server logs.
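The redaction step described above, shown as an added example rather than Ophillia's own code: structured log fields are tokenized by name (names cannot be found reliably by pattern), free text is scanned in one pass for e-mail, PAN and mobile-number patterns, and a keyed HMAC (the field names, token format and `REDACTION_KEY` are assumptions; the key would come from a secret store) produces stable tokens that still allow correlation across log lines.

```python
import hashlib
import hmac
import logging
import re

# Constructed example. Keyed HMAC keeps a token stable for correlation while
# stopping anyone with disk access from brute-forcing a guessable PAN or phone.
REDACTION_KEY = b"example-secret-rotate-me"  # assumed: loaded from a secret store

# Structured-log fields redacted by name; names cannot be found by regex.
PII_FIELDS = {"name", "email", "pan", "phone"}

# One alternation so a single left-to-right pass never rescans an emitted token:
# e-mail, Indian PAN (AAAAA9999A), 10-digit mobile with optional +91 prefix.
PII_PATTERN = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
    r"|\b[A-Z]{5}[0-9]{4}[A-Z]\b"
    r"|(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"
)

def tokenize(value: str) -> str:
    """Map a PII value to a stable, non-reversible token."""
    digest = hmac.new(REDACTION_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"<pii:{digest[:16]}>"

def redact_text(text: str) -> str:
    """Replace every PII match in free text with its token."""
    return PII_PATTERN.sub(lambda m: tokenize(m.group(0)), text)

def redact_record(record: dict) -> dict:
    """Redact a structured record: known fields by name, other strings by pattern."""
    out = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            out[key] = tokenize(str(value))
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out

class PIIRedactingFilter(logging.Filter):
    """Attach to the file handler so redaction happens before a line hits disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first, then redact, so values passed as %-args are covered too.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True
```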
Digital Personal Data Protection Act 2023 and Draft Rules 2025. Covers consent, DSR, data fiduciary obligations, cross-border transfer restrictions and breach notification requirements.
General Data Protection Regulation. Applicable to any Ophillia HRMS customer with EU data subjects. Lawful basis for processing, right to erasure, data portability and data processing agreements (DPAs) available for Enterprise customers.
Data requirements under the Industrial Employment (Standing Orders) Act, Shops and Establishments Acts (state-wise) and the Code on Social Security 2020 — all met by the audit log and record retention features.
Infrastructure follows ISO 27001 security principles: access control, encryption at rest and in transit, vulnerability management, incident response procedure and regular security reviews.
No separate DPO tool required. Compliance is part of the HRMS.