Privacy Policy

Procain Consulting & Services Pvt. Ltd.
01

Overview

SOCroom is a division of Procain Consulting & Services Pvt. Ltd. ("Procain", "we", "us", or "our"), a company incorporated in India and operating across India and the United States. We provide managed Security Operations Centre (SOC) services, cloud security monitoring, SOC staff augmentation, and related cybersecurity services to enterprise clients.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you visit our website (socroom.com), enquire about or purchase our services, or otherwise interact with us. It applies to prospective clients, existing clients, website visitors, job applicants, and any individual whose personal data we process in the course of our business.

A note on client security data: Data that our clients share with us as part of delivering SOC services — including log data, security events, network telemetry, and incident information — is processed under separate Data Processing Agreements (DPAs) with each client. Section 7 of this policy summarises how we handle that data. Your DPA takes precedence over this policy for all service-related processing.

02

Who We Are

The data controller for personal data collected through this website and in connection with our services is:

  • Legal entity: Procain Consulting & Services Pvt. Ltd.
  • Registered address: First Floor, Rathi Legacy – Rohan Tech Park, Seetharampalya – Hoodi Road, Doddanakundi, Bengaluru, Karnataka – 560048, India
  • India contact: +91 91488 14400
  • USA contact: +1 267 703 5359

We are certified to ISO/IEC 27001 (Information Security Management), ISO/IEC 20000-1 (IT Service Management), and ISO 9001 (Quality Management). Our information security practices — including the handling of personal data — are governed by these certifications and subject to regular third-party audit.

03

Data We Collect

We collect personal data in the following ways:

| Category | Examples | How Collected |
|---|---|---|
| Contact & identity data | First name, last name, job title, company name | Enquiry forms, phone calls, emails, business cards |
| Business contact data | Work email address, work phone number, company address | Enquiry forms, contract onboarding, LinkedIn |
| Technical & usage data | IP address, browser type, pages visited, time on page, referring URL | Automatically via website analytics (cookies) |
| Communication data | Content of emails, call recordings (where notified), meeting notes | Direct correspondence with our team |
| Recruitment data | CV/resume, employment history, qualifications, references | Job applications submitted via our website or email |
| Contractual data | Contract terms, billing details, service scope documents | Collected during client onboarding and contracting |

We do not intentionally collect sensitive personal data (such as health information, biometrics, or financial account numbers) through our website or standard sales processes. If any such data is shared with us incidentally, we will treat it with the highest level of care and delete it unless there is a documented need to retain it.

04

How We Use Your Data

We use personal data only for specific, documented purposes. We do not sell personal data to third parties, and we do not use it for advertising or profiling unrelated to our services.

  • Responding to enquiries: When you contact us through our website or by phone, we use your contact details to respond to your enquiry, provide information about our services, and follow up on your request.
  • Service delivery: We process contact and business data belonging to client representatives to deliver, manage, and support our SOC services — including scheduling calls, issuing reports, and managing incidents.
  • Account and contract management: We use contractual and billing data to administer client accounts, issue invoices, and manage our legal and commercial obligations.
  • Marketing communications: With your consent (or where we have a legitimate interest for B2B communications), we may send you information about our services, security insights, and updates. You can opt out at any time.
  • Website improvement: We use aggregated, anonymised analytics data to understand how visitors use our website and improve its content and performance.
  • Recruitment: We use application data to assess candidates for open positions and retain it for future opportunities where permitted.
  • Legal and compliance obligations: We may process data to comply with applicable laws, respond to regulatory requests, or exercise our legal rights.

06

Data Sharing & Disclosure

We do not sell, rent, or trade personal data. We share personal data only in the following limited circumstances:

  • Service delivery partners: We engage carefully selected sub-processors — such as cloud infrastructure providers, SIEM platform vendors, and communication tools — who process data only on our documented instructions under binding data processing agreements.
  • Parent company: As a division of Procain Consulting & Services Pvt. Ltd., data may be shared within our corporate group for operational and administrative purposes, subject to the same protections in this policy.
  • Professional advisors: We may share data with legal, accounting, or insurance advisors where necessary, under obligations of confidentiality.
  • Regulatory and law enforcement bodies: We will disclose data where required by applicable law, court order, or governmental authority. Where legally permitted, we will notify affected individuals before disclosure.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the relevant third party, subject to equivalent privacy protections.

We never share client data with third parties for their own marketing or commercial purposes. Any sub-processor engaged in connection with a client engagement is bound by contractual terms at least as stringent as those in your DPA.

07

Client Security Data

In delivering SOC services, we process operational security data on behalf of our clients. This includes log data, network telemetry, security events, incident records, and related technical information from client environments. This data may contain personal data relating to the client's own employees, customers, or users.

In this context, SOCroom acts as a data processor and the client is the data controller. Our processing is governed by the Data Processing Agreement (DPA) executed with each client, which specifies:

  • The nature, purpose, and duration of processing
  • The types of personal data and categories of data subjects involved
  • The security measures we apply to protect that data
  • Our obligations regarding sub-processing, data breaches, and data subject requests
  • Data retention and deletion obligations at the end of the engagement

Our ISO/IEC 27001 certification governs the security controls applied to all client data, including access controls, encryption, audit logging, and incident response procedures. Client security data is never used for any purpose other than delivering the contracted services.

08

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:

| Data Category | Retention Period | Rationale |
|---|---|---|
| Enquiry and pre-sales contact data | 2 years from last interaction | Legitimate interest in potential future engagement |
| Client contractual and billing data | 7 years from contract end | Legal and tax compliance obligations |
| Client security / operational data | As specified in the DPA (typically 1–3 years) | Service delivery and forensic audit requirements |
| Marketing consent records | Until consent is withdrawn + 1 year | Evidence of consent basis |
| Recruitment data (unsuccessful) | 12 months from application date | Potential future opportunities (with consent) |
| Website analytics data | 26 months (aggregated/anonymised) | Website performance and improvement |

At the end of applicable retention periods, personal data is securely deleted or anonymised in accordance with our ISO 27001-certified data disposal procedures.

09

Security Measures

The security of personal data is central to everything we do — it is, after all, our core business. We implement and maintain the following controls:

  • Encryption in transit and at rest: All personal data transmitted to or from our systems is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
  • Access controls: Access to personal data is granted on a strict need-to-know basis. All access is role-based, logged, and reviewed regularly.
  • Multi-factor authentication: MFA is enforced across all systems that process personal or client data.
  • Audit logging: All access to and actions taken on personal data are logged and retained for audit purposes in line with our ISO 27001 controls.
  • Vulnerability management: Our infrastructure and systems are subject to continuous vulnerability scanning and regular penetration testing.
  • Staff training: All employees handling personal data receive mandatory data protection and information security training as part of onboarding and annually thereafter.
  • Incident response: We maintain a documented security incident response procedure. In the event of a personal data breach, we will notify affected individuals and relevant regulators within the timeframes required by applicable law.

10

International Data Transfers

SOCroom operates in both India and the United States. Personal data may be transferred between these jurisdictions as part of our operations. We ensure that any such transfer is subject to appropriate safeguards:

  • India to USA: Where personal data of Indian residents is transferred to our US operations, we apply equivalent data protection standards consistent with India's Digital Personal Data Protection Act, 2023 (DPDP Act).
  • EU/UK individuals: Where we process personal data of individuals in the European Union or United Kingdom — for example, clients or prospects based in those regions — we comply with GDPR and UK GDPR requirements. Transfers outside the EEA are conducted under Standard Contractual Clauses (SCCs) or other recognised transfer mechanisms.
  • Sub-processors: Where we engage sub-processors in other jurisdictions (such as cloud platform providers), we ensure appropriate contractual protections are in place, including data processing agreements aligned to applicable law.

11

Your Rights

Depending on your location and the applicable data protection law, you may have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you, along with information about how it is used.
  • Right to correction: You may ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: You may request deletion of your personal data where we no longer have a legal basis to retain it.
  • Right to restrict processing: You may ask us to limit how we use your personal data in certain circumstances.
  • Right to data portability: Where applicable, you may request a copy of your personal data in a structured, machine-readable format.
  • Right to object: You may object to processing based on our legitimate interests, or to direct marketing at any time.
  • Right to withdraw consent: Where we process data based on your consent, you may withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint: If you are located in India, you may lodge a complaint with the Data Protection Board of India. If you are in the EU/EEA, you may contact your local supervisory authority.

To exercise any of these rights, please contact us by phone or post using the details in Section 15. We will respond within 30 days. We may need to verify your identity before processing your request.

12

Cookies & Tracking Technologies

Our website uses cookies and similar technologies to operate correctly and to understand how visitors use the site. We use the following categories of cookies:

  • Strictly necessary cookies: Essential for the website to function. These cannot be disabled. They include session management and security cookies.
  • Analytics cookies: We use anonymised analytics (such as aggregate page view data) to understand how visitors interact with our website. No individual visitor is identified or tracked across other sites.
  • Functionality cookies: These remember your preferences — such as language or region — to improve your experience on return visits.

We do not use advertising, retargeting, or third-party tracking cookies on socroom.com. You can manage your cookie preferences through your browser settings. Note that disabling strictly necessary cookies may affect site functionality.

13

Children's Privacy

Our services are directed exclusively at business organisations and their representatives. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@procainconsulting.com and we will take prompt steps to delete it.

14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active clients by email.

We encourage you to review this policy periodically. Your continued use of our website or services after any changes constitutes your acknowledgement of the updated policy.

15

Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact us:

  • India phone: +91 91488 14400
  • USA phone: +1 267 703 5359
  • Postal address: Procain Consulting & Services Pvt. Ltd., First Floor, Rathi Legacy – Rohan Tech Park, Seetharampalya – Hoodi Road, Doddanakundi, Bengaluru, Karnataka – 560048, India

We take all privacy enquiries seriously and aim to respond within 5 business days. For formal data subject rights requests, our response deadline is 30 days from receipt of a verified request.