| Item | Details |
|---|---|
| Effective Date | June 26, 2026 |
| Last Updated | June 26, 2026 |
| Controller / Contracting Entity | Decryptogen LLC, doing business as MudraID, or the MudraID entity identified in the applicable Order Form |
| Legal Notice Address | Decryptogen LLC, Wyoming, United States |
| Privacy Contact | privacy@mudraid.ai |
| Security Contact | security@mudraid.ai |
| Data Protection Officer / EU Representative | No DPO required. EU representative (GDPR Art. 27): D M S P Alwis, Kajaani, Finland. |
| Website | https://mudraid.ai |
Privacy Policy Summary
| Topic | Summary |
|---|---|
| What MudraID does | MudraID provides identity, token issuance, token verification, public-key directory, Mudra Gateway, trust and reputation, logging, abuse investigation, and related services for AI agents, bots, websites, APIs, and enterprise systems. |
| Who this policy covers | Visitors to MudraID websites, account administrators, users of MudraID dashboards and APIs, customer representatives, developers, support contacts, business contacts, and individuals whose personal data appears in product logs or customer-submitted data. |
| MudraID role | MudraID may act as a controller for account, website, security, billing, marketing, usage, and service-improvement data. MudraID may act as a processor where it processes personal data on behalf of a Customer under a Data Processing Addendum. |
| Key product data | Bot metadata, website/API metadata, public keys, token issuance events, verification events, Gateway request metadata, trust signals, abuse reports, logs, telemetry, support data, and billing data. |
| What MudraID does not want | Do not submit private keys, client secrets, passwords, payment card data, health data, biometric data, children’s data, government IDs, or other regulated data unless expressly permitted by MudraID and lawful for your use case. |
| Selling personal data | MudraID does not sell personal information in the ordinary sense. If MudraID uses advertising or analytics technologies that are treated as “sale” or “sharing” under certain privacy laws, MudraID will provide required opt-out mechanisms. |
| Your rights | Depending on where you live, you may have rights to access, correct, delete, restrict, object to, port, or opt out of certain processing of your personal data. |
1. Scope and Application
This Privacy Policy explains how MudraID collects, uses, shares, stores, protects, and otherwise processes personal data in connection with MudraID websites, dashboards, APIs, developer tools, token issuance services, token verification services, Mudra Gateway, Public Key Directory, trust and reputation features, abuse reporting, support, sales, marketing, and related services.
This Privacy Policy applies to personal data processed by MudraID as a controller and describes, at a high level, how MudraID handles personal data when acting as a processor or service provider for Customers. Where MudraID processes personal data on behalf of a Customer, the Customer’s privacy notice and the applicable Data Processing Addendum may provide additional details.
This Privacy Policy is intended for business, developer, enterprise, and organizational use of MudraID. MudraID is not intended for consumer, household, or personal use.
2. Who We Are
MudraID is an identity, trust, and control layer for AI agents, bots, websites, APIs, and enterprise systems. MudraID helps Customers register Bots, issue and verify Mudra Tokens, publish and discover public keys, apply access policies through the Mudra Gateway, assess trust and reputation signals, investigate abuse, and maintain operational logs.
For purposes of this Privacy Policy, “MudraID,” “we,” “us,” and “our” mean the MudraID entity identified in the applicable Order Form or, if no Order Form applies, Decryptogen LLC, doing business as MudraID, unless another entity is specified at the point of collection.
3. Our Privacy Roles
MudraID may act in different privacy roles depending on the context of processing.
Privacy role overview
| Context | MudraID role | What this means |
|---|---|---|
| Account registration, billing, sales, support, security, abuse prevention, service analytics, website operation, marketing communications, and product improvement | Controller / business | MudraID determines why and how this personal data is processed, subject to applicable law. |
| Customer Data processed through MudraID services on behalf of a Customer, such as certain Gateway logs, verification records, or personal data submitted by Customer systems | Processor / service provider, where applicable | MudraID processes personal data according to the Customer’s documented instructions, the Terms, the applicable DPA, and applicable law. |
| Public Key Directory, trust and reputation data, abuse reports, security events, and service integrity records | Controller or independent security role, depending on context | MudraID may process this data to protect the platform, prevent fraud and abuse, maintain trust systems, comply with law, and enforce the Terms. |
| Customer websites, APIs, Bots, AI agents, end users, and customer-configured access policies | Customer responsibility | The Customer is responsible for its own privacy notices, lawful basis, user notices, consents, and compliance obligations. |
4. Personal Data We Collect
The personal data we collect depends on how you interact with MudraID, the Services you use, the Customer configuration, and the data submitted through our platform.
Categories of personal data
| Category | Examples | Typical source |
|---|---|---|
| Account and identity data | Name, business email, phone number, username, organization, title, role, administrator status, account identifiers, authentication metadata. | You, your organization, identity providers, account administrators. |
| Organization and billing data | Company name, address, tax information, billing contact, invoice details, payment status, subscription plan, purchase history. MudraID generally relies on payment processors for card/payment details. | You, your organization, payment processors, procurement systems. |
| Bot and AI agent metadata | Bot name, Bot identifier, owner/operator details, developer information, use case, contact information, endpoints, public keys, trust-related metadata, registration status. | Customers, Bot Developers, account administrators, APIs. |
| Website, API, and domain metadata | Domain name, website/API owner details, endpoint details, policy settings, abuse contact details, domain verification records, Gateway configuration metadata. | Customers, website owners, domain verification tools, APIs. |
| Public key and verification data | Public keys, key identifiers, algorithms, token identifiers, token issue and expiry timestamps, issuer, audience, scope, verification results, revocation status, registration status. | Customers, APIs, token services, verification services. |
| Gateway and request metadata | IP address, user agent, request headers, route, timestamps, token presence, Bot identifiers, policy decisions, allow/block/throttle/challenge results, error messages, latency, traffic metadata. | Mudra Gateway, customer systems, edge or cloud infrastructure. |
| Usage and telemetry data | API request counts, response times, error rates, rate-limit events, feature usage, dashboard activity, logs, diagnostic data, security signals, threat indicators. | Services, dashboards, APIs, SDKs, Gateway, infrastructure. |
| Trust, reputation, and abuse data | Trust Scores, Trust Levels, abuse reports, complaints, investigation records, security reports, risk signals, enforcement decisions, appeal materials, remediation evidence. | Customers, website owners, Bot developers, automated systems, manual review, third-party reports. |
| Support and communications data | Support tickets, chat/email messages, call notes, troubleshooting data, logs submitted for support, feedback, survey responses. | You, account users, support channels. |
| Website and cookie data | IP address, browser type, device identifiers, pages visited, referrer URL, approximate location, cookie identifiers, analytics events, marketing preferences. | MudraID websites, cookies, analytics tools, marketing tools. |
| Legal, compliance, and security data | Identity verification data, beneficial ownership or sanctions-screening information where required, legal requests, audit records, incident records, fraud signals. | You, public sources, vendors, legal authorities, security systems. |
5. Information You Should Not Submit
Unless MudraID expressly permits it in writing and the processing is lawful for your use case, you must not submit, route, log, store, or expose highly sensitive or regulated data through MudraID beyond what is necessary to use the Services.
- Private keys, client secrets, passwords, recovery phrases, or signing secrets.
- Payment card numbers, bank account credentials, or payment authentication data.
- Health data, biometric data, genetic data, children’s data, precise geolocation data, government identification numbers, criminal records, or special-category personal data.
- Classified, export-controlled, restricted government, or highly confidential third-party data.
- Personal data that you do not have the right, lawful basis, authorization, notice, or consent to process.
Customers are responsible for configuring MudraID integrations and Gateway logging so that unnecessary sensitive data is not sent to MudraID.
6. Sources of Personal Data
We may collect personal data from the following sources:
- Directly from you, such as when you register, contact sales, submit a support request, or configure a Service.
- From your organization, account administrators, identity providers, procurement systems, and billing contacts.
- From Customers and Bot Developers who register Bots, public keys, websites, APIs, domains, or Gateway configurations.
- Automatically from the Services, including APIs, token endpoints, verification endpoints, Public Key Directory, Mudra Gateway, dashboards, SDKs, logs, telemetry, and cookies.
- From third-party service providers, such as cloud providers, analytics providers, payment processors, fraud prevention vendors, support tools, and security tools.
- From public sources, third-party reports, abuse reports, security researchers, regulators, courts, law enforcement, or other parties where permitted by law.
7. How We Use Personal Data
MudraID uses personal data for the purposes described below. We do not use personal data for purposes that are incompatible with this Privacy Policy, the Terms, applicable DPAs, or applicable law.
Purposes and legal bases
| Purpose | Examples | GDPR / UK GDPR legal basis |
|---|---|---|
| Provide and operate the Services | Create accounts, register Bots, issue and verify Mudra Tokens, operate APIs, run dashboards, support Public Key Directory and Gateway features. | Contract performance; legitimate interests; legal obligation where applicable. |
| Authenticate and secure access | Login, account security, role-based access, credential management, fraud prevention, key rotation, token validation. | Contract performance; legitimate interests; legal obligation where applicable. |
| Verify Bots, tokens, keys, and trust status | Token issuance, token verification, JWKS, revocation checks, trust lookups, public-key lookup, bot-to-bot verification support. | Contract performance; legitimate interests; legal obligation where applicable. |
| Operate Mudra Gateway and access policies | Inspect request metadata, apply customer-configured allow/block/throttle/challenge policies, generate logs and security events. | Contract performance; legitimate interests; processor processing under Customer instructions where applicable. |
| Trust, reputation, and abuse prevention | Generate Trust Scores, review abuse reports, detect suspicious activity, investigate misuse, downgrade or suspend risky Bots or accounts. | Legitimate interests; legal obligation; substantial public or security interests where applicable and lawful. |
| Support and troubleshooting | Respond to support tickets, debug integrations, review logs, provide technical guidance. | Contract performance; legitimate interests. |
| Billing and account administration | Invoices, payment status, tax records, plan management, procurement, collections. | Contract performance; legal obligation; legitimate interests. |
| Service improvement and analytics | Analyze usage, performance, reliability, feature adoption, error rates, security posture, and product quality. | Legitimate interests; consent where required for cookies or similar technologies. |
| Marketing and communications | Send product updates, events, newsletters, demos, and similar business communications. | Legitimate interests; consent where required; contract performance for service notices. |
| Legal, compliance, and enforcement | Comply with laws, respond to legal requests, enforce Terms, protect rights, investigate disputes, maintain records. | Legal obligation; legitimate interests; establishment, exercise, or defense of legal claims. |
8. MudraID Product-Specific Processing
8.1 Bot Registration and Identity Data
When Customers register Bots or AI Agents, MudraID may process Bot metadata, owner/operator details, developer contact information, public keys, endpoints, use cases, trust-related submissions, and registration status. MudraID uses this information to create identity records, issue tokens, support verification, operate trust systems, investigate abuse, and enforce the Terms.
8.2 Token Issuance and Verification Data
MudraID may process token issuance events, token verification events, token identifiers, Bot identifiers, Client IDs, issuer, audience, scope, expiry, key identifiers, verification results, revocation status, timestamps, request metadata, and related logs. This data is used for authentication, verification, security, billing, auditing, troubleshooting, abuse prevention, and service improvement.
8.3 Public Key Directory Data
MudraID may publish or expose certain public-key records, Bot identifiers, registration status, key identifiers, and related metadata through supported interfaces. Do not submit information to the Public Key Directory unless you have the right to make it discoverable for verification purposes.
8.4 Mudra Gateway Data
Where the Mudra Gateway is used, MudraID may process request metadata, token metadata, Bot identifiers, IP addresses, user agents, route information, Gateway decisions, cache events, timestamps, errors, and traffic metadata. The exact data processed depends on deployment model and Customer configuration. Customers are responsible for lawful Gateway deployment, user notices, consent where required, and avoiding unnecessary sensitive data in Gateway logs.
8.5 Trust Scores, Trust Levels, and Abuse Data
MudraID may process personal data or metadata in connection with Trust Scores, Trust Levels, reputation indicators, risk signals, abuse reports, complaints, investigations, security events, appeals, and enforcement actions. These systems may use automated and manual review. Trust-related data is used to protect the platform, Customers, websites, APIs, Bots, users, and third parties.
8.6 Logs, Audit Records, and Security Records
MudraID may generate and retain logs and audit records for token issuance, verification, Gateway events, API activity, Public Key Directory access, trust events, account activity, support, billing, security, abuse investigation, compliance, and enforcement. Logs may not capture every event and are subject to retention limits.
9. Automated Processing, Trust Signals, and AI
MudraID may use automated systems, rule-based systems, security analytics, and machine-learning-assisted tools to detect abuse, assess risk, support Trust Scores, protect service integrity, and enforce the Terms.
MudraID does not intend its Trust Scores, verification results, or Gateway decisions to be used as the sole basis for decisions that produce legal or similarly significant effects on individuals. Customers are responsible for determining whether their own use of MudraID outputs involves automated decision-making under applicable law and for providing required human oversight, notices, rights, and safeguards.
MudraID is not the provider, deployer, operator, or controller of Customer Bots or Customer AI systems merely because MudraID registers a Bot, issues a token, verifies a token, provides trust signals, publishes a public key, or supports Gateway enforcement. Customers remain responsible for their own AI systems, agents, prompts, outputs, decisions, and legal obligations.
10. Cookies and Similar Technologies
MudraID websites and dashboards may use cookies, pixels, SDKs, local storage, analytics tools, and similar technologies to operate the website, secure accounts, remember preferences, analyze usage, improve services, and support marketing where permitted.
Where required by law, MudraID will request consent for non-essential cookies and provide a method to manage cookie preferences. Essential cookies may be used without consent where necessary to provide a requested service, maintain security, prevent fraud, or remember privacy choices.
Cookie categories
| Category | Purpose | Examples |
|---|---|---|
| Strictly necessary | Operate websites and dashboards, authenticate users, maintain sessions, prevent fraud, remember privacy choices. | Session cookies, security cookies, load-balancing cookies, consent preference cookies. |
| Analytics and performance | Understand traffic, diagnose errors, improve usability, measure performance. | Page views, click events, device/browser data, referrers, approximate location. |
| Functional | Remember preferences and improve user experience. | Language, region, interface preferences. |
| Marketing | Measure campaigns and show relevant business-to-business communications where permitted. | Campaign identifiers, conversion pixels, advertising cookies, retargeting technologies. |
Specific cookies and vendors are described in MudraID’s cookie banner or Cookie Policy where applicable.
11. How We Share Personal Data
MudraID may share personal data only as described in this Privacy Policy, the Terms, applicable DPAs, or as otherwise permitted or required by law.
Sharing categories
| Recipient category | Purpose |
|---|---|
| Service providers and subprocessors | Cloud hosting, infrastructure, analytics, support, payment processing, communication tools, security tools, monitoring, logging, data storage, and professional services. |
| Customers and account administrators | Provide dashboards, logs, user management, Bot registration data, Gateway configuration, verification events, and account activity information. |
| Relying parties and supported verification users | Expose Public Key Directory records, Bot identifiers, registration status, trust indicators, and verification metadata where configured or supported by product design. |
| Business partners and integrations | Enable integrations, marketplaces, reseller or referral arrangements, implementation support, and enterprise deployments where applicable. |
| Professional advisers | Legal, accounting, audit, tax, insurance, banking, compliance, and corporate governance purposes. |
| Authorities and legal parties | Respond to subpoenas, court orders, regulators, law enforcement, legal claims, government requests, sanctions checks, and legal obligations. |
| Corporate transaction parties | Support merger, acquisition, financing, investment, restructuring, sale of assets, or similar corporate transaction. |
MudraID does not permit service providers to use personal data for their own purposes except as permitted by law and applicable agreements.
12. International Data Transfers
MudraID may process and transfer personal data in the United States, Sri Lanka, the European Economic Area, the United Kingdom, and other countries where MudraID, its affiliates, service providers, subprocessors, or Customers operate.
Where personal data is transferred from the EEA, UK, Switzerland, or another jurisdiction with transfer restrictions to a country that has not been recognized as providing adequate protection, MudraID will use legally recognized transfer mechanisms where required. These may include Standard Contractual Clauses, UK International Data Transfer Addendum or equivalent clauses, adequacy decisions, transfer impact assessments, supplementary safeguards, or other lawful transfer mechanisms.
Customers are responsible for ensuring that their own use of MudraID and their transfer of personal data to MudraID complies with applicable data-transfer laws and the applicable Data Processing Addendum.
13. Data Retention
MudraID retains personal data for as long as necessary or appropriate for the purposes described in this Privacy Policy, the Terms, applicable Order Forms, DPAs, legal obligations, security requirements, dispute resolution, and service operation. Retention periods vary depending on the data category, Service Plan, deployment model, legal requirements, risk, and operational needs.
Indicative retention approach
| Data category | Typical retention approach |
|---|---|
| Account and organization data | Retained while the account is active and for a reasonable period afterward for legal, billing, security, audit, and dispute purposes. |
| Billing, tax, and payment records | Retained as required for accounting, tax, audit, payment dispute, and legal obligations. |
| Bot, website, API, and public-key metadata | Retained while registered or needed for verification, security, audit, abuse prevention, continuity, and dispute purposes. |
| Token, verification, Gateway, and API logs | Retained according to product configuration, Service Plan, security requirements, operational needs, and legal obligations. |
| Trust, abuse, and investigation records | Retained as long as necessary for security, fraud prevention, abuse prevention, enforcement, legal compliance, and platform integrity. |
| Support records | Retained for support history, quality assurance, legal protection, troubleshooting, and customer relationship management. |
| Marketing data | Retained until you opt out, withdraw consent where applicable, or the data is no longer needed for legitimate business purposes. |
| Aggregated, anonymized, or de-identified data | May be retained indefinitely where it no longer identifies an individual under applicable law. |
MudraID may retain data in backups, archives, security systems, and legal holds for longer periods where required or permitted by law. Customers should export or preserve any records they require before terminating their account.
14. Security
MudraID uses commercially reasonable administrative, technical, and organizational measures designed to protect personal data under MudraID’s control. These may include access controls, encryption in transit, logging, monitoring, vulnerability management, secure development practices, incident response processes, and vendor controls.
No system, cloud service, network, token system, gateway, trust system, encryption method, or security control can be guaranteed to be completely secure. Customers are responsible for securing their own accounts, administrators, Bots, websites, APIs, Gateways, credentials, private keys, tokens, logs, infrastructure, users, and integrations.
Do not send private keys, client secrets, passwords, access credentials, or unnecessary sensitive data to MudraID support or through unsecured channels.
15. Your Privacy Rights
Depending on your location and the context of processing, you may have rights regarding your personal data. These rights may be subject to limitations, exceptions, identity verification, and legal requirements.
Privacy rights
| Right | What it generally means |
|---|---|
| Access / know | You may request confirmation of whether we process personal data about you and receive information about that processing. |
| Correction / rectification | You may request correction of inaccurate or incomplete personal data. |
| Deletion / erasure | You may request deletion of personal data, subject to exceptions such as legal obligations, security, abuse prevention, backups, and dispute resolution. |
| Restriction | You may request that we restrict certain processing in specific circumstances. |
| Objection | You may object to certain processing based on legitimate interests or direct marketing. |
| Portability | You may request a portable copy of certain personal data where applicable. |
| Withdraw consent | Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing. |
| Automated decision rights | You may have rights relating to decisions based solely on automated processing that produce legal or similarly significant effects. |
| Complaint | You may lodge a complaint with a data-protection authority or supervisory authority where applicable. |
To exercise rights, contact privacy@mudraid.ai or the contact listed at the end of this Privacy Policy. If MudraID processes your personal data on behalf of a Customer, we may direct your request to that Customer or ask you to contact the Customer directly. We may need to verify your identity before responding.
16. EEA, UK, and Swiss Privacy Notice
This section provides additional information for individuals in the European Economic Area, United Kingdom, and Switzerland.
Controller: The controller is the MudraID entity identified in this Privacy Policy or the applicable Order Form. For Customer Data processed under a DPA, the Customer is usually the controller and MudraID is usually the processor.
Legal bases: MudraID relies on contract performance, legitimate interests, consent where required, legal obligations, and establishment, exercise, or defense of legal claims, depending on the processing activity.
Legitimate interests: MudraID’s legitimate interests may include providing and improving the Services, securing accounts, preventing fraud and abuse, operating trust and verification systems, enforcing Terms, conducting business-to-business marketing, protecting legal rights, and maintaining service integrity.
Transfers: MudraID uses legally recognized transfer mechanisms where required for international transfers, including Standard Contractual Clauses or equivalent safeguards.
Supervisory authority: You may have the right to complain to your local data-protection authority. We encourage you to contact us first so we can try to resolve your concern.
17. California Privacy Notice
This section applies to California residents where the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to MudraID. Terms used in this section have the meanings given by California privacy law.
MudraID primarily provides business-to-business SaaS services. The categories below describe personal information MudraID may have collected, used, or disclosed during the preceding twelve months depending on how you interacted with MudraID.
California categories of personal information
| CCPA/CPRA category | Examples | Disclosed to |
|---|---|---|
| Identifiers | Name, business email, phone, IP address, account ID, Bot/contact identifiers. | Service providers, Customers/account admins, security vendors, legal parties where required. |
| Commercial information | Subscription plan, invoices, billing contacts, payment status, purchase history. | Payment processors, accounting providers, CRM/procurement tools, advisers. |
| Internet or network activity | Website activity, API activity, dashboard activity, logs, Gateway request metadata, verification events. | Cloud providers, analytics/security vendors, Customers/account admins where applicable. |
| Approximate geolocation | Approximate location inferred from IP address. | Analytics, security, cloud, and fraud-prevention providers. |
| Professional or employment-related information | Job title, company, role, business contact details. | CRM, sales, support, account management, service providers. |
| Inferences | Risk signals, trust indicators, abuse indicators, product usage insights. | Internal systems, Customers where part of the Services, service providers. |
| Sensitive personal information | MudraID does not seek sensitive personal information. Some security data, account credentials metadata, or precise categories may be treated as sensitive under law if submitted by Customers. | Only as necessary for security, service provision, legal compliance, or as instructed by Customers. |
MudraID does not sell personal information for money. MudraID does not knowingly sell or share personal information of individuals under 16. If MudraID uses advertising or analytics technologies that are considered a “sale” or “sharing” under California law, MudraID will provide required opt-out mechanisms, such as a “Do Not Sell or Share My Personal Information” link or cookie preference tool.
California residents may have rights to know, access, correct, delete, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights. To exercise these rights, contact privacy@mudraid.ai or use the method provided on the MudraID website. Authorized agents may submit requests as permitted by law, subject to verification.
18. Other Regional Privacy Rights
Depending on where you live, additional privacy laws may provide rights similar to those described above. These may include rights under privacy laws in jurisdictions such as Canada, Brazil, Australia, New Zealand, Japan, Singapore, India, South Africa, certain U.S. states, and other regions. MudraID will respond to applicable privacy requests as required by law.
Where local law gives you additional rights, nothing in this Privacy Policy is intended to limit rights that cannot be waived by contract.
19. Marketing Communications
MudraID may send business-to-business marketing communications, product updates, event invitations, newsletters, or similar messages where permitted by law. You can opt out of marketing emails by using the unsubscribe link or contacting us. Even if you opt out of marketing, we may still send transactional or service-related messages, such as security alerts, account notices, billing messages, support communications, and legal updates.
20. Children’s Privacy
MudraID is not intended for children and is not directed to individuals under 16 years of age. Customers must not use MudraID to collect, submit, route, or process children’s personal data unless expressly permitted by MudraID in writing and lawful for the Customer’s use case.
If we learn that we have collected children’s personal data without appropriate authorization, we may delete or restrict the data according to applicable law.
21. Third-Party Services and Links
MudraID may integrate with or link to third-party services, websites, platforms, identity providers, cloud providers, payment processors, analytics tools, AI platforms, developer tools, and other services. This Privacy Policy does not apply to third-party services that are not controlled by MudraID.
Customers and users should review the privacy policies and terms of third-party services before using them. MudraID is not responsible for third-party privacy, security, or data practices outside MudraID’s control.
22. Customer-Controlled Data and End Users
Customers may use MudraID to process personal data relating to their own users, employees, contractors, developers, Bots, website visitors, API users, or third parties. In those cases, the Customer is usually responsible for determining the purposes and means of processing and for providing required privacy notices, lawful bases, consents, opt-outs, and rights processes.
If you are an end user of a MudraID Customer, you should contact that Customer first regarding privacy questions about the Customer’s Bots, websites, APIs, Gateway configuration, access policies, logs, or use of MudraID outputs. MudraID may refer your request to the relevant Customer where appropriate.
23. Data Processing Addendum and Subprocessors
Where MudraID processes personal data on behalf of a Customer as a processor or service provider, the applicable Data Processing Addendum governs that processing. The DPA should address processing instructions, security measures, subprocessors, international transfers, assistance with rights requests, deletion or return, incident notification, and audit rights.
MudraID may maintain a list of subprocessors or provide subprocessor information through the MudraID website, Documentation, DPA, or customer portal. Customers are responsible for reviewing applicable subprocessor terms and notices where required.
24. Changes to this Privacy Policy
MudraID may update this Privacy Policy from time to time to reflect changes in the Services, technology, law, security practices, subprocessors, data processing, or business operations.
If we make material changes, we will provide notice through reasonable means, such as posting the updated policy, sending email notice, displaying in-product notice, or notifying account administrators. The “Last Updated” date indicates when the policy was last revised.
Your continued use of the Services after the updated Privacy Policy becomes effective means that you acknowledge the updated Privacy Policy, subject to rights that cannot be waived under applicable law.
25. Contact Us
For privacy questions, requests, or complaints, contact MudraID using the details below.
Contact details
| Purpose | Contact |
|---|---|
| Privacy requests | privacy@mudraid.ai |
| Security reports | security@mudraid.ai |
| Legal notices | legal@mudraid.ai — Decryptogen LLC, Wyoming, United States |
| Data Protection Officer / EU or UK representative | No DPO required. EU representative (GDPR Art. 27): D M S P Alwis, Kajaani, Finland. |
| Website | https://mudraid.ai |
Appendix A. Product Data Map
This appendix provides a practical map of MudraID product data. It is intended to help Customers understand what data may be involved in common MudraID workflows. Actual data processed may differ depending on configuration, Service Plan, deployment model, and product version.
MudraID product data map
| Workflow | Data involved | Primary use |
|---|---|---|
| Account setup | Name, business email, company, role, authentication metadata, administrator settings. | Account creation, user management, support, security. |
| Bot registration | Bot metadata, owner/operator details, use case, endpoints, public keys, contact information. | Bot identity, token eligibility, verification, trust signals. |
| Token issuance | Client ID, Bot identifier, token claims, timestamp, expiry, scope, issuer, audience, key identifier, request metadata. | Issue Mudra Tokens, audit, billing, security, abuse prevention. |
| Token verification | Token metadata, verification result, issuer, audience, expiry, revocation status, trust status, request metadata. | Verify identity, support access decisions, audit, security. |
| JWKS / key lookup | Public keys, key identifiers, algorithms, cache metadata, lookup events. | Signature verification, public-key discovery. |
| Mudra Gateway | Request metadata, token presence, Bot identifiers, IP address, user agent, route, policy decision, cache events, errors. | Apply access policies, route traffic, generate logs, detect abuse. |
| Trust scoring | Registration data, usage patterns, abuse reports, Gateway signals, security events, manual review, automated risk signals. | Risk indicators, trust levels, abuse prevention, enforcement. |
| Abuse investigation | Reports, logs, timestamps, Bot identifiers, account data, request metadata, remediation evidence, investigation notes. | Investigate misuse, enforce Terms, protect Customers and third parties. |
| Support | Contact information, tickets, logs submitted by Customer, screenshots, reproduction steps, configuration details. | Troubleshooting, customer service, quality improvement. |