BGV Vendor Terms & Conditions

BGV vendors do not self-register on Datagate. Access to the platform as a BGV vendor requires prior approval by Datagate. The approval process includes:

• Submission of company registration documents and operating licences
• Review of data handling practices and security posture
• Acceptance of these terms in writing
• Onboarding by Datagate's admin team

By accepting these terms — whether electronically or in writing — you ("BGV Vendor", "you") agree to be bound by them in full. If you are accepting on behalf of an organisation, you represent that you have authority to do so.

These terms are a legally binding agreement between you and Datagate ("Datagate") and operate alongside the DPDP Act, 2023.

• "Employee data" means personal data about a candidate that you access through the platform pursuant to an employer's assignment
• "Assigned case" means a specific background verification case assigned to you by an employer through the platform
• "Instructing employer" means the employer who assigned the case to you through the platform
• "Scope of check" means the specific verification checks you are assigned to conduct — for example, identity, education, employment, address, criminal, court, or reference checks
• "Platform" means the Datagate employment verification platform at datagate.co.in

Your access to employee data on Datagate is:

• Derived: You receive access because an employer assigned a case to you. The underlying consent was given by the employee to the employer, not to you directly.
• Scoped: You access only the data elements necessary for the specific checks you are assigned to conduct
• Temporary: Your access exists only for the duration of the assigned case
• Revocable: Datagate or the instructing employer may revoke your access at any time

You may use employee data accessed through the platform only to:

• Conduct the specific background checks assigned to you by the instructing employer
• Upload evidence, check outcomes, and case documentation through the platform
• Communicate with the instructing employer and employee through the platform's messaging system regarding the assigned case
• Submit a final verification report through the platform on completion of assigned checks

• Do not use employee data for any purpose other than the assigned checks
• Do not retain employee data after the case is closed or your access is revoked
• Do not share employee data with any person or system outside the assigned case workflow
• Do not use employee data to build databases, profiles, or repositories of candidate information
• Do not sell, license, or transfer employee data under any circumstances
• Do not conduct checks beyond the scope assigned to you
• Do not contact the employee directly outside the platform's messaging system
• Do not use employee data to train AI or machine learning systems
• Do not share platform credentials with any person not authorised by Datagate

While a case is active, you must:

• Access and process employee data only within the Datagate platform where possible
• Where data must be accessed outside the platform (e.g. for field verification), store it only on secured, access-controlled systems for the minimum time necessary
• Ensure all personnel involved in a case are bound by confidentiality obligations at least as protective as these terms
• Encrypt any data stored or transmitted outside the platform
• Maintain an internal log of all personnel who accessed employee data for each case

You must delete all employee data in your possession:

• Within 72 hours of case closure
• Within 72 hours of your platform access being revoked for any reason
• Within 72 hours of receiving notice that the employee has withdrawn consent or deleted their account

Deletion must be secure and complete — including any copies in email, local storage, shared drives, or internal case management systems. Secure deletion means data cannot be recovered.

You must maintain at a minimum:

• Access controls limiting employee data to personnel assigned to the specific case
• Encryption of data at rest and in transit
• Multi-factor authentication for access to any system holding employee data
• A documented data breach response procedure

Datagate may request evidence of these controls as part of onboarding or periodic review. Failure to demonstrate adequate controls is grounds for removal from the platform.

You must notify Datagate within 24 hours of becoming aware of:

• Any actual or suspected breach involving employee data
• Any unauthorised access to your systems that could affect employee data
• Any legal order or regulatory inquiry involving employee data from the platform
• Any change in your organisation's legal status, ownership, or data handling practices material to this Agreement

Notification must be sent to security@datagate.co.in and must include: the nature of the incident, the data affected, the steps taken or planned, and the likely impact.

You agree to:

• Conduct all assigned checks with due diligence, accuracy, and professional care
• Not submit reports based on unverified or fabricated information
• Disclose any conflict of interest involving a candidate before accepting a case
• Communicate with employees and employers through the platform in a professional and respectful manner
• Not make adverse findings about a candidate without adequate evidence documented in the case record

You agree to indemnify and hold harmless Datagate from any claims, damages, losses, penalties, and costs arising from:

• Your breach of any provision of these terms
• Your violation of the DPDP Act, 2023 or applicable law
• Any inaccuracy or negligence in a verification report you submitted
• Any data breach or security incident attributable to your systems or personnel

Datagate's total liability to you for any claim shall not exceed the fees paid by the instructing employer to Datagate for the specific case giving rise to the claim.

Datagate may remove you from the platform immediately and without notice for:

• Any violation of the prohibited uses in Section 5
• Any data breach or security incident attributable to your systems
• Submission of inaccurate or fraudulent reports
• Failure to meet security requirements under Section 8
• Any conduct that damages the trust of employees or employers on the platform

On removal, your access to all platform data is revoked immediately. Your obligations regarding data already received survive removal.

This Agreement is governed by the laws of India. Any dispute shall be subject to the exclusive jurisdiction of courts of competent jurisdiction in Hyderabad, Telangana, India. Both parties agree to attempt good-faith resolution within 30 days of written notice of any dispute.

Entire agreement: These terms, together with Datagate's Privacy Policy, constitute the entire agreement between you and Datagate regarding BGV vendor access to the platform.

Severability: If any provision is found invalid or unenforceable, the remaining provisions continue in full force.

Changes: Datagate may update these terms with 14 days' notice for material changes. Continued use constitutes acceptance.

No assignment: You may not assign these terms or your platform access to any other entity without Datagate's prior written consent.