Why this brief exists
Latika handles sensitive personal information relating to children, parents and guardians, families, education and therapy services, disability-related support, donor compliance, staff, and organisational operations. The organisation operates in India.
A signed Salesforce Data Processing Addendum is already on file (16-page global DPA, signed for Latika). That DPA covers the processor role, sub-processors, audits, breach notice, return/deletion, and cross-border transfers in general terms. It does not specifically answer Latika's risks around children's data, India DPDP, hosting/data locations, retention configuration, or operational safeguards. Latika also uses Google Workspace / Google for Nonprofits.
Generic compliance documents are not enough. Latika needs each vendor to confirm in writing how its commitments apply to Latika's actual use case, account, and the children/family data it stores.
Email 1 · Google Workspace / Google for Nonprofits
Complete and standalone. Replace [Name], [Your name], and [Your role] before sending. All questions are included in the body — no external link required.
Subject: Data protection, child data, and India DPDP compliance — Latika (Google Workspace / Google for Nonprofits)
Hi [Name],
I'm writing on behalf of Latika, a nonprofit based in Dehradun, India.
Latika handles sensitive personal information relating to children, parents and guardians, families, education and therapy services, disability-related support, donor compliance, staff, and organisational operations. Google Workspace (under our Google for Nonprofits subscription) is one of the core systems we rely on day to day for email, documents, Drive, collaboration, and organisational records.
Before we extend our use of Google Workspace, we would like written clarity on how the service supports Latika's obligations under India's Digital Personal Data Protection Act, 2023 and the related DPDP Rules, 2025 — particularly as they relate to children's data and family records.
Specifically, the framework areas we need to keep in view are: processing of children's personal data; verifiable parental / guardian consent; reasonable security safeguards; breach notification to the Data Protection Board and affected individuals; data retention and erasure; cross-border processing and transfers; sub-processors; data subject / parent or guardian rights; and accountability for vendors acting as data processors.
To make it easy to respond, please find below the specific questions we would appreciate written answers to. Where the answer depends on Latika's specific account or configuration, please map your response to our actual setup.
1. ROLE AND AGREEMENT
- Is Google acting as a Data Processor for Latika's Google Workspace data?
- Which Data Processing Addendum / Data Processing Amendment governs Latika's Google Workspace account?
- Is the DPA automatically incorporated into our Google Workspace / Google for Nonprofits subscription, or is any separate acceptance or signature required?
2. INDIA DPDP ACT AND CHILDREN'S DATA
- Does Google Workspace support customers in India with obligations under the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025?
- Does Google provide any India-specific documentation or compliance mapping for DPDP?
- Does Google make any distinction for data relating to children / minors, parents / guardians, disability-related services, healthcare or therapy notes, or other sensitive categories?
- Are there Google Workspace features or settings Latika should enable specifically because we process data relating to children and families?
3. DATA LOCATION AND CROSS-BORDER PROCESSING
- Where is Latika's Google Workspace data stored and processed by default?
- Can Latika choose or restrict data regions for Gmail, Drive, Docs, Sheets, Meet recordings, Vault, and backups?
- If data is processed outside India, what contractual and technical safeguards apply?
- Are any Google sub-processors or support teams located outside India able to access Latika data?
4. SECURITY SAFEGUARDS
- What technical and organisational measures protect Latika's Workspace data?
- Please confirm encryption at rest and in transit.
- What admin controls should Latika enable for higher-risk data, including:
* Mandatory 2FA
* Context-aware access
* Device management
* DLP for Gmail and Drive
* Drive sharing restrictions
* External sharing controls
* Alerting and audit logs
* Vault retention / eDiscovery
- Are these controls available in Latika's current Google Workspace / Nonprofits edition, or would an upgrade be required?
5. BREACH NOTIFICATION
- If Google has a data incident affecting Latika's Workspace data, how quickly will Latika be notified?
- Who receives the notification?
- What information will Google provide so Latika can meet its DPDP breach-notification obligations?
- Can Latika configure specific security or legal contacts for breach notices?
6. RETENTION, DELETION, AND EXPORT
- What happens to deleted Gmail, Drive, Docs, and shared-drive data?
- How long is deleted data retained in backups or recoverable systems?
- Can Latika configure retention rules for different categories of data?
- If Latika exits Google Workspace, how can all data be exported and deleted?
- Can Google provide deletion confirmation?
7. SUB-PROCESSORS AND THIRD-PARTY APPS
- Where can Latika find the current list of Google Workspace sub-processors?
- How will Latika be notified of new sub-processors?
- Can Latika object to a new sub-processor?
- How can Latika audit or restrict third-party Marketplace apps that may access Workspace data?
8. AUDIT AND COMPLIANCE EVIDENCE
- Can Google provide current ISO 27001, SOC 2 / SOC 3, or other relevant audit and compliance reports for Google Workspace?
- Are these reports available to nonprofit customers?
- Can Google provide a written summary of how Google Workspace helps Latika meet Indian data protection expectations?
9. AI / GEMINI
- Is any Latika Workspace data used to train Google or Gemini models?
- If Gemini or AI features are enabled, what data is processed, where, and under what terms?
- Can AI features be disabled or restricted for users handling child or family case data?
10. RECOMMENDED CONFIGURATION
- Given that Latika is an Indian nonprofit handling children's and parents' data, what is Google's recommended secure-configuration checklist for our Workspace tenant?
Thank you for your time and for the work you do supporting nonprofits like Latika. We are happy to share any additional context that would help.
Warm regards,
[Your name]
[Your role]
Latika
Email 2 · Salesforce
Complete and standalone. Replace [Name], [Your name], and [Your role] before sending. All questions are included in the body — no external link required.
Subject: Data protection, child data, and India DPDP compliance — Latika (Salesforce)
Hi [Name],
I'm writing on behalf of Latika, a nonprofit based in Dehradun, India.
Latika handles sensitive personal information relating to children, parents and guardians, families, education and therapy services, disability-related support, donor compliance, staff, and organisational operations. Salesforce is the CRM Latika relies on for case management, beneficiary records, donor records, and related work.
A 16-page Salesforce Data Processing Addendum has already been signed on Latika's behalf. It covers the general processor framework, sub-processors, audits, breach notice, return / deletion, and cross-border transfers. However, the DPA does not specifically address Latika's risks around children, parents, disability / health-related data, India DPDP compliance, exact hosting and data locations, retention configuration, or operational safeguards.
Before we extend or renew our use of Salesforce, we would like written clarity on how the service supports Latika's obligations under India's Digital Personal Data Protection Act, 2023 and the related DPDP Rules, 2025 — particularly as they relate to children's data and family records.
Specifically, the framework areas we need to keep in view are: processing of children's personal data; verifiable parental / guardian consent; reasonable security safeguards; breach notification to the Data Protection Board and affected individuals; data retention and erasure; cross-border processing and transfers; sub-processors; data subject / parent or guardian rights; and accountability for vendors acting as data processors.
Please find below the specific questions we would appreciate written answers to. Where the answer depends on Latika's specific account or configuration, please map your response to our actual setup.
1. CONTRACTUAL STATUS
- Please confirm that the signed Salesforce DPA has been received, archived, and is legally effective for Latika.
- Which Salesforce entity is the contracting / data-processing entity for Latika?
- Is Latika directly contracted with Salesforce, through Salesforce.org, through a reseller, or via any legacy arrangement from Vera Solutions?
- If the original implementation was through Vera Solutions in 2013–14, does Latika currently have a direct contractual relationship with Salesforce covering privacy and security obligations?
2. ROLE UNDER INDIAN DATA PROTECTION LAW
- Does Salesforce act as a Data Processor for Latika's CRM data?
- Does Salesforce provide India-DPDP-specific documentation or a compliance mapping for the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025?
- Can Salesforce confirm how its DPA supports Latika's obligations as a Data Fiduciary under Indian law?
3. CHILDREN AND SENSITIVE DATA
- Latika's CRM may contain information about children, parents / guardians, disability-related services, assessments, therapy / education support, family context, staff notes, donor reports, and case-management records.
- Does Salesforce have any specific guidance or controls for customers processing children's personal data?
- The DPA does not appear to specifically mention children / minors. Please confirm how Salesforce supports compliance for child data and parent / guardian rights.
- Does Salesforce classify disability, health, therapy, or social-support records as sensitive / special-category data for purposes of additional safeguards?
4. DATA HOSTING AND LOCATION
- In which country / countries is Latika's Salesforce data stored?
- Which Salesforce instance / pod / Hyperforce region hosts Latika's org?
- Are backups, logs, support copies, analytics, search indexes, sandbox data, and metadata stored in the same region?
- Can Latika choose India or a specific region for data residency?
- If data is processed outside India, what safeguards apply?
5. SUB-PROCESSORS
- Please provide the current list of Salesforce sub-processors applicable to Latika's specific Salesforce products.
- Please include the country / location and processing activity for each sub-processor.
- How will Latika be notified of new sub-processors?
- What is Latika's right to object?
6. SECURITY CONTROLS
- Please confirm the security controls applicable to Latika's Salesforce org, including:
* Encryption at rest and in transit
* MFA
* Role-based access control
* Field-level security
* Audit trails
* Login history
* Event monitoring
* Data export controls
* API access controls
* Sandbox controls
* Shield Platform Encryption, if available / recommended
- Which of these are included in Latika's current subscription, and which require additional licensing?
7. BREACH NOTIFICATION
- If Salesforce becomes aware of a Customer Data Incident affecting Latika, what is the notification timeline?
- Who at Latika will be notified?
- What details will be provided so Latika can comply with Indian breach-notification requirements?
- Can Latika register a dedicated legal or security contact for incident notices?
8. RETENTION, DELETION, AND EXIT
- What are the default Salesforce retention periods for:
* Active CRM data
* Deleted records
* Recycle bin data
* Backups
* Logs
* Support case attachments
* Sandbox data
- How can Latika configure retention / deletion for child and family records?
- If Latika terminates Salesforce, how can data be exported and permanently deleted?
- Can Salesforce provide written deletion confirmation?
9. DATA SUBJECT / PARENT & GUARDIAN RIGHTS
- How can Latika retrieve, correct, export, restrict, or delete a person's data if a child, parent, guardian, or beneficiary exercises rights under Indian law?
- Does Salesforce provide tools to search all records relating to one individual across objects, attachments, notes, activities, and custom fields?
- Are there limitations Latika should know about?
10. AUDITS AND CERTIFICATIONS
- Please provide the current Security, Privacy and Architecture documentation applicable to Latika's Salesforce products.
- Please provide current ISO 27001 and SOC 2 reports, or explain how Latika can access them.
- Please confirm whether Salesforce's audit reports cover the exact Salesforce products used by Latika.
11. GOVERNMENT / LAW-ENFORCEMENT ACCESS
- If Salesforce receives a government or law-enforcement request for Latika data, will Latika be notified unless legally prohibited?
- What process does Salesforce follow to challenge overbroad or unlawful requests?
- Does this apply equally to sub-processors?
12. AI / EINSTEIN / AGENTFORCE
- Is Latika data used to train Salesforce AI models?
- Are Einstein / Agentforce / AI features enabled in Latika's org?
- If enabled, what data is processed, where, and under what terms?
- Can Latika disable AI processing for child / family / case-management data?
13. CURRENT ORG HEALTH CHECK
- Can Salesforce or the account team provide a security / compliance review of Latika's current Salesforce configuration?
- Specifically, we would like recommendations for an Indian nonprofit handling children's and family data.
Thank you for your time. We are happy to share any additional context that would help.
Warm regards,
[Your name]
[Your role]
Latika
India DPDP Framework — Areas of Focus
- Processing of children's personal data
- Verifiable parental / guardian consent
- Reasonable security safeguards
- Breach notification to the Data Protection Board
- Data retention and erasure
- Cross-border processing and transfers
- Sub-processors
- Data subject / parent / guardian rights
- Accountability for vendors as data processors
Vendor 1 · Google Workspace / Google for Nonprofits
Latika uses Google Workspace for email, documents, Drive, collaboration, and organisational records. Please confirm the following in writing.
01 Role and agreement
- Is Google acting as a Data Processor for Latika's Google Workspace data?
- Which Data Processing Addendum / Data Processing Amendment governs Latika's Google Workspace account?
- Is the DPA automatically incorporated into our Google Workspace / Google for Nonprofits subscription, or is any separate acceptance or signature required?
02 India DPDP Act and children's data
- Does Google Workspace support customers in India with obligations under the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025?
- Does Google provide any India-specific documentation or compliance mapping for DPDP?
- Does Google make any distinction for data relating to children / minors, parents / guardians, disability-related services, healthcare or therapy notes, or other sensitive categories?
- Are there Google Workspace features or settings Latika should enable specifically because we process data relating to children and families?
03 Data location and cross-border processing
- Where is Latika's Google Workspace data stored and processed by default?
- Can Latika choose or restrict data regions for Gmail, Drive, Docs, Sheets, Meet recordings, Vault, and backups?
- If data is processed outside India, what contractual and technical safeguards apply?
- Are any Google sub-processors or support teams located outside India able to access Latika data?
04 Security safeguards
- What technical and organisational measures protect Latika's Workspace data?
- Please confirm encryption at rest and in transit.
- What admin controls should Latika enable for higher-risk data, including:
* Mandatory 2FA
* Context-aware access
* Device management
* DLP for Gmail and Drive
* Drive sharing restrictions
* External sharing controls
* Alerting and audit logs
* Vault retention / eDiscovery
- Are these controls available in Latika's current Google Workspace / Nonprofits edition, or would an upgrade be required?
05 Breach notification
- If Google has a data incident affecting Latika's Workspace data, how quickly will Latika be notified?
- Who receives the notification?
- What information will Google provide so Latika can meet its DPDP breach-notification obligations?
- Can Latika configure specific security or legal contacts for breach notices?
06 Retention, deletion, and export
- What happens to deleted Gmail, Drive, Docs, and shared-drive data?
- How long is deleted data retained in backups or recoverable systems?
- Can Latika configure retention rules for different categories of data?
- If Latika exits Google Workspace, how can all data be exported and deleted?
- Can Google provide deletion confirmation?
07 Sub-processors and third-party apps
- Where can Latika find the current list of Google Workspace sub-processors?
- How will Latika be notified of new sub-processors?
- Can Latika object to a new sub-processor?
- How can Latika audit or restrict third-party Marketplace apps that may access Workspace data?
08 Audit and compliance evidence
- Can Google provide current ISO 27001, SOC 2 / SOC 3, or other relevant audit and compliance reports for Google Workspace?
- Are these reports available to nonprofit customers?
- Can Google provide a written summary of how Google Workspace helps Latika meet Indian data protection expectations?
09 AI / Gemini
- Is any Latika Workspace data used to train Google or Gemini models?
- If Gemini or AI features are enabled, what data is processed, where, and under what terms?
- Can AI features be disabled or restricted for users handling child or family case data?
10 Recommended configuration
- Given that Latika is an Indian nonprofit handling children's and parents' data, what is Google's recommended secure-configuration checklist for our Workspace tenant?
Vendor 2 · Salesforce
Latika has a signed Salesforce Data Processing Addendum on file. We need clarity on how that DPA applies to our actual Salesforce instance and data.
01 Contractual status
- Please confirm that the signed Salesforce DPA has been received, archived, and is legally effective for Latika.
- Which Salesforce entity is the contracting / data-processing entity for Latika?
- Is Latika directly contracted with Salesforce, through Salesforce.org, through a reseller, or via any legacy arrangement from Vera Solutions?
- If the original implementation was through Vera Solutions in 2013–14, does Latika currently have a direct contractual relationship with Salesforce covering privacy and security obligations?
02 Role under Indian data protection law
- Does Salesforce act as a Data Processor for Latika's CRM data?
- Does Salesforce provide India-DPDP-specific documentation or a compliance mapping for the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025?
- Can Salesforce confirm how its DPA supports Latika's obligations as a Data Fiduciary under Indian law?
03 Children and sensitive data
- Latika's CRM may contain information about children, parents / guardians, disability-related services, assessments, therapy / education support, family context, staff notes, donor reports, and case-management records.
- Does Salesforce have any specific guidance or controls for customers processing children's personal data?
- The DPA does not appear to specifically mention children / minors. Please confirm how Salesforce supports compliance for child data and parent / guardian rights.
- Does Salesforce classify disability, health, therapy, or social-support records as sensitive / special-category data for purposes of additional safeguards?
04 Data hosting and location
- In which country / countries is Latika's Salesforce data stored?
- Which Salesforce instance / pod / Hyperforce region hosts Latika's org?
- Are backups, logs, support copies, analytics, search indexes, sandbox data, and metadata stored in the same region?
- Can Latika choose India or a specific region for data residency?
- If data is processed outside India, what safeguards apply?
05 Sub-processors
- Please provide the current list of Salesforce sub-processors applicable to Latika's specific Salesforce products.
- Please include the country / location and processing activity for each sub-processor.
- How will Latika be notified of new sub-processors?
- What is Latika's right to object?
06 Security controls
- Please confirm the security controls applicable to Latika's Salesforce org, including:
* Encryption at rest and in transit
* MFA
* Role-based access control
* Field-level security
* Audit trails
* Login history
* Event monitoring
* Data export controls
* API access controls
* Sandbox controls
* Shield Platform Encryption, if available / recommended
- Which of these are included in Latika's current subscription, and which require additional licensing?
07 Breach notification
- If Salesforce becomes aware of a Customer Data Incident affecting Latika, what is the notification timeline?
- Who at Latika will be notified?
- What details will be provided so Latika can comply with Indian breach-notification requirements?
- Can Latika register a dedicated legal or security contact for incident notices?
08 Retention, deletion, and exit
- What are the default Salesforce retention periods for:
* Active CRM data
* Deleted records
* Recycle bin data
* Backups
* Logs
* Support case attachments
* Sandbox data
- How can Latika configure retention / deletion for child and family records?
- If Latika terminates Salesforce, how can data be exported and permanently deleted?
- Can Salesforce provide written deletion confirmation?
09 Data subject / parent & guardian rights
- How can Latika retrieve, correct, export, restrict, or delete a person's data if a child, parent, guardian, or beneficiary exercises rights under Indian law?
- Does Salesforce provide tools to search all records relating to one individual across objects, attachments, notes, activities, and custom fields?
- Are there limitations Latika should know about?
10 Audits and certifications
- Please provide the current Security, Privacy and Architecture documentation applicable to Latika's Salesforce products.
- Please provide current ISO 27001 and SOC 2 reports, or explain how Latika can access them.
- Please confirm whether Salesforce's audit reports cover the exact Salesforce products used by Latika.
11 Government / law-enforcement access
- If Salesforce receives a government or law-enforcement request for Latika data, will Latika be notified unless legally prohibited?
- What process does Salesforce follow to challenge overbroad or unlawful requests?
- Does this apply equally to sub-processors?
12 AI / Einstein / Agentforce
- Is Latika data used to train Salesforce AI models?
- Are Einstein / Agentforce / AI features enabled in Latika's org?
- If enabled, what data is processed, where, and under what terms?
- Can Latika disable AI processing for child / family / case-management data?
13 Current org health check
- Can Salesforce or the account team provide a security / compliance review of Latika's current Salesforce configuration?
- Specifically, we would like recommendations for an Indian nonprofit handling children's and family data.
Internal Latika checklist · In parallel
Before Latika can fully evaluate vendor responses, the team should document the following internally. This protects Latika regardless of how vendors respond and is the foundation for every external diligence answer.
- What categories of personal data are stored in Google Workspace?
- What categories of personal data are stored in Salesforce?
- Which data relates to children?
- Which data relates to parents and guardians?
- Which data relates to disability, health, therapy, education, or case management?
- Who has access internally, and at what level of privilege?
- Are external consultants, volunteers, donors, or vendors given access?
- Are files shared outside the organisation, and through what channels?
- Are there retention rules for old case files?
- Is parental / guardian consent recorded and traceable?
- Who is the privacy and security point of contact at Latika?
- What is the incident response process if data is leaked or wrongly shared?
Closing & recommendation
How to send this
Recommendation: send this as a formal diligence note, not a casual support query. The signed DPAs are useful, but the key gap is that Latika needs each vendor to confirm in writing how its commitments map to Indian DPDP + children and family data + Latika's actual product configuration. Once Latika identifies the right Google Workspace / Google for Nonprofits and Salesforce contacts, the vendor-specific sections can be sent separately or as one combined diligence request.