Privacy policy

anyone engaged by Arrowhead inside or outside India, including current and former employees, directors, interns, and third-party workers (collectively "Employees").

natural persons who interact with our Services through our enterprise clients (collectively "Customers").

Any information that identifies or can reasonably be linked to an individual.

Personal Data that is subject to heightened protection under law (e.g., financial information, health data, biometric identifiers, government IDs)

Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).

For Employee data, Arrowhead acts as Controller. For Customer data, Arrowhead typically acts as Processor on behalf of our enterprise client, who is the Controller.

Identifiers

Employment Information

Financial Data

Health & Safety

IT & Usage Data

Identifiers

Interaction Content

Transactional & Device Metadata

Performance of employment contract; compliance with labour, tax, and social-security law; Arrowhead's legitimate interests (e.g., network security); and, where required, consent (e.g., use of photos for marketing)

Performance of our client contract (service delivery); compliance with legal obligations; Arrowhead's legitimate interests in service quality, fraud prevention, and security; consent where required by law (e.g., voice recording notices)

Workforce administration (hiring, onboarding, payroll, benefits, performance, promotion, termination).

Corporate governance, budgeting, and financial reporting.

IT account provisioning, authentication, and security monitoring.

Health & safety, access-control, and premises security (including CCTV).

Compliance with statutory obligations (tax, social security, immigration, ESOP, whistle-blower investigations).

Investigation of misconduct, fraud, or legal claims.

Delivering the contracted voice AI or automation workflow (e.g., scheduling a call, completing a purchase, routing to a human agent).

Generating and storing audio & transcript logs to enable quality assurance, dispute resolution, and regulatory compliance

HR, Finance, IT, Legal, Security teams with role-based access.

Access to Customer interaction data generated through their own end-users, via secure dashboards or APIs.

Cloud hosting, telephony platforms, payroll vendors, benefits administrators, email & collaboration tools—each bound by confidentiality and data-processing agreements.

Responding to lawful requests, audits, or court orders

Mergers, acquisitions, or asset transfers, subject to non-disclosure and continuation of protections.

AES-256 at rest, TLS 1.2+ in transit; customer name and phone numbers and PII data are encrypted at application level additional using AES-GCM.

SSO (mandatory for all internal Arrowhead systems; customer-facing SSO available as an opt-in), MFA, least-privilege IAM roles, segregation of duties, and quarterly access reviews

AWS Guard Duty, Inspector, and Macie; Web Application Firewall (WAF) on public endpoints; VPC segmentation.

Centralised SIEM, immutable audit logs, anomaly detection, 24×7 alerting.

Code reviews, dependency scanning, container image hardening, staged rollouts.

Automated backups, point-in-time RDS snapshots, cross-region replication, validated recovery playbooks.

Third-party risk assessments, contractual security requirements, and right-to-audit clauses.

For customers requiring complete isolation, Arrowhead provisions and operates a dedicated AWS account exclusively for the client. Arrowhead maintains administrative control while granting the customer read-only auditor access for transparency. This option may be subject to additional costs depending on the contractual arrangement.

Unless otherwise specified, all customer data is stored in AWS us‑east‑1 (Virginia). This region offers the best latency for our global customer base and is protected by the controls described in Section 5.3.

Customers that require data to remain in-country may opt for storage exclusively in AWS ap-south-1 (Mumbai/BOM). All primary and backup copies stay within Indian territory.

For customers based in Malaysia and Singapore who require local data residency, Arrowhead offers storage in AWS Asia Pacific regions – either Singapore (ap-southeast-1) or Kuala Lumpur (ap-southeast-5), based on customer preference or regulatory requirements. All data, backups, and metadata remain within the selected region.

Employee data is normally stored in India. Limited cross-border transfer (e.g., into global HR SaaS tools) is subject to adequacy findings or SCCs plus encryption.

Any cross-border transfers rely on:

Adequacy decisions under applicable privacy laws; or

Contractual safeguards such as Standard Contractual Clauses (SCCs) augmented by end-to-end encryption.

7 years after termination (or longer if required by labour or tax law).

Till contract term, configurable per client contract. Post contract termination data is deleted upon customer request or per compliance.

12 months for operational logs; up to 7 years for forensic or legal hold.