Compliance
Last updated · 07 Jun 2026
Gooclaim OS is built for India’s insurance regulatory regime — from IRDAI’s 1-hour / 3-hour cashless mandate to the DPDP Act 2023. Compliance is wired into the platform’s architecture, not bolted on as policy. This page maps each obligation to the control that enforces it.
1. Regulatory coverage
Gooclaim OS supports Customers (insurers and TPAs) in meeting obligations under:
- IRDAI Master Circular on Protection of Policyholders’ Interests (29 May 2024) — including the 1-hour cashless admission approval and 3-hour discharge mandate.
- IRDAI PPHI Circular (Sept 2024) — daily penalty framework (Bank Rate + 2%) for delayed cashless and discharge.
- IRDAI Internal Ombudsman Guidelines 2025 — mandatory internal grievance handling with audit-grade records.
- Digital Personal Data Protection Act, 2023 (DPDP) — lawful basis, consent, processor obligations, data principal rights.
- Information Technology Act, 2000 — Sections 43A and 72A — reasonable security practices and protection of personal information.
- TRAI DLT framework — registered template, sender ID and consent records for outbound communications.
2. The control map
Each regulatory obligation is enforced by a specific Gooclaim OS control. None are advisory — they are platform-enforced.
2.1 Consent gate (DPDP, IT Act)
Every workflow begins with an explicit consent check. No claim message proceeds without a recorded CONSENT_GIVEN state against the claimant. Consent withdrawal is honored within one business day and immutably logged.
2.2 Policy Gate (IRDAI, IT Act, brand-safety)
Every outbound message passes a 4-tier safety check before delivery — exact-template match, semantic safety check, personal-data redaction, and source verification. Free text never reaches a customer.
2.3 Audit ledger (IRDAI, Ombudsman, DPDP)
Every automated decision, every outbound message, every consent change, every policy-gate outcome is written to an append-only, SHA-256-chained audit ledger. Records are retained for seven years and can be exported in IRDAI-required format on demand.
2.4 Per-tenant isolation (DPDP, IT Act)
Multi-tenant data is isolated at every layer — credentials, knowledge sources, audit events, dashboards. One tenant’s data is never accessible to another, even by Gooclaim engineers under normal operations.
2.5 Personal data hygiene (IT Act, DPDP)
Phone numbers, names, claim identifiers and other identifying fields are hashed in all internal logs. Raw values are never written to log lines, never sent to language models, and never persisted outside the encrypted application database.
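As an added illustration (not Gooclaim's own code) of how the append-only, SHA-256-chained ledger in 2.3 and the identifier hashing in 2.5 fit together: each entry's hash covers the previous entry's hash plus a canonical record whose identifier field holds only a keyed-hash token, so verification detects any edit, deletion or reorder while raw phone numbers and claim ids never enter the ledger. The HMAC key, field names, event names and the choice of HMAC over a bare hash are assumptions made for this example.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Assumed secret for pseudonymising identifiers (constructed for this example).
# A keyed hash is used instead of a bare SHA-256 because phone numbers and claim
# ids have too little entropy for an unkeyed hash to resist guessing.
PII_KEY = b"constructed-example-key"
GENESIS = "0" * 64  # "previous hash" of the first entry

def pseudonymise(value: str) -> str:
    """Stable, non-reversible token for a name, phone number or claim id."""
    return hmac.new(PII_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]

def canonical(record: dict) -> bytes:
    """Deterministic serialisation so every verifier hashes identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash plus this entry's canonical record."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

class AuditLedger:
    """Append-only entries, each bound to its predecessor by SHA-256."""
    def __init__(self):
        self.entries = []

    def append(self, tenant_id, event, subject, detail):
        record = {"seq": len(self.entries),
                  "ts": datetime.now(timezone.utc).isoformat(),
                  "tenant": tenant_id, "event": event,
                  "subject": pseudonymise(subject),  # raw identifier never stored
                  "detail": detail}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": entry_hash(prev, record)})

    def verify(self) -> bool:
        """Recompute every link; an edit, deletion or reorder breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["record"]["seq"] != i:
                return False
            if entry_hash(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self) -> str:
        """Serialise the whole chain, e.g. for an on-demand regulator export."""
        return json.dumps(self.entries, sort_keys=True)
```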
2.6 Operational mode (IRDAI, business continuity)
Every workflow can be set to OPERATIONAL, RESTRICTED or SUSPENDED per tenant. The kill-switch is intended for incident response — for example, pausing outbound during a CMS outage — and is itself an audited action.
2.7 Templates-only output (IRDAI, brand-safety)
Outbound to claimants is restricted to pre-approved, versioned templates per channel and language. The approval workflow is explicit; rollback to the last approved version is one click.
2.8 SLA observability (IRDAI 1hr / 3hr mandate)
Per-tenant dashboards track time-to-acknowledge, time-to-decision and time-to-discharge against the regulatory clock. Breaches trigger alerts and feed the audit ledger; nothing about SLA performance is unobserved.
3. Security architecture
- Encryption in transit (TLS 1.2+) and at rest.
- Short-lived signed tokens for service-to-service authentication.
- Per-tenant credential vaults, encrypted at the field level.
- Zero-trust between internal services — no implicit network trust.
- Continuous vulnerability scanning across container images and dependencies.
- Static analysis, secret scanning and policy checks on every code change before merge.
- Responsible-disclosure channel at security@gooclaim.com with a published acknowledgement window.
4. Data residency and retention
Production data is processed in India unless an engaging Customer explicitly chooses otherwise. Audit ledger events are retained for seven years in line with IRDAI record-keeping requirements. Operational data (conversation content, claim metadata) is retained only as long as the Customer instructs, after which it is purged or returned per the engagement’s data-processing terms.
5. Sub-processors
Gooclaim OS uses a small, audited set of sub-processors for hosting, channel delivery, telephony, observability and email. Each sub-processor is bound by a data-processing agreement and is reviewed annually. A live list is available to Customers under the MSA.
6. Independent assurance roadmap
We are pursuing independent assurance commensurate with our scale and regulatory exposure:
- ISO/IEC 27001 — information security management system certification (in progress).
- SOC 2 Type II — controls report covering security, availability and confidentiality (planned).
- Annual VAPT — application and infrastructure penetration testing by independent firms.
- DPDP readiness review — annual independent review against DPDP Act and forthcoming rules.
7. Incident response
We maintain an incident-response playbook covering detection, containment, eradication, recovery and post-incident review. Security incidents involving personal data are reported to the Data Fiduciary (the engaging insurer or TPA) within the timelines required by DPDP and the MSA, and to regulators where applicable. The current playbook version is available to Customers under NDA.
8. Responsible AI posture
- Large language models are used for internal reasoning, not for free-text responses to claimants.
- The Policy Gate validates every outbound for brand-safety, regulatory and factual grounding before delivery.
- We never use Customer or claimant data to train external, third-party models.
- Model providers are kept behind an internal model gateway so providers can be swapped without changing application code.
- Every model invocation that influences a customer-visible outcome is written to the audit ledger.
9. Customer responsibilities
Compliance is a shared model. Gooclaim OS provides platform-level controls; the engaging Customer remains responsible for:
- Maintaining a lawful basis under DPDP for each claimant interaction.
- Approving templates before they are enabled in production.
- Responding to claimant grievances and regulator requests within applicable timelines.
- Keeping API credentials and operator accounts secure.
10. Contact
- Compliance questions → contact@gooclaim.com
- Security disclosures → security@gooclaim.com
- Grievance officer (DPDP) → contact@gooclaim.com · acknowledged within 3 business days, substantive response within 15
- Read alongside this page — Privacy Notice and Terms of Service. The three are meant to be read together.