Where Do Your Property Documents Go? Data Security Questions for Verification Vendors
You hand a property verification vendor your sale deed, your encumbrance certificate, your PAN, and a scan of the registered agreement. Then what? Where does the file sit? Who can open it? Is it still there six months later? Is a copy of it now sitting in an AI training set somewhere?
These are not paranoid questions. For a bank or NBFC, they are the questions a third-party-risk team must ask before onboarding any vendor that touches borrower data. For an individual buyer or an NRI uploading a deed from Dallas, they decide whether your most sensitive financial records are safe.
This post is the checklist. It gives you the questions to ask any property verification vendor, why each matters, and what a good answer sounds like. We use LegiScore's published posture as a worked example because it is public and specific, but the framework applies to every vendor you evaluate, including us.
What's actually sensitive inside a property document?
People treat "property papers" as boring paperwork. They are not. A single sale deed bundles together more regulated personal data than most insurance forms.
Open a typical registered sale deed and you find: full legal names of buyer and seller, parents' names, residential addresses, PAN numbers, sometimes Aadhaar fragments, the exact financial consideration paid, the loan amount, and the relationships between parties (joint owners, spouses, inheritors). An encumbrance certificate adds the asset's full transaction history. A khata or mutation record links the person to a precise location.
Under Indian law this is personal data. PAN and financial figures push parts of it toward the sensitive end. When you upload that to a vendor, you are not sharing a document. You are sharing the identity and net-worth profile of every person named in it. That is why data security on a verification platform is not an IT footnote. It is the core of the trust relationship.
What legal frame governs a vendor that holds your documents?
Three layers apply in India, and you should know which one gives you leverage.
The first is the Digital Personal Data Protection Act, 2023. Under the DPDP Act, the entity deciding why and how your data is processed is the "Data Fiduciary" and carries the compliance duty even when a processor does the work. The Act requires a lawful basis (usually consent), mandates security safeguards, and obliges the fiduciary to notify the Data Protection Board and affected individuals on a personal-data breach. The DPDP Rules, 2025 were notified on 13 November 2025; the Data Protection Board was stood up immediately, while core fiduciary obligations carry a full-compliance deadline of 13 May 2027. The law is real and dated, even if some duties phase in. Penalties run up to ₹250 crore for security failures.
The second layer applies only if your vendor serves regulated lenders. The RBI's Master Direction on Outsourcing of Information Technology Services, issued 10 April 2023 and effective 1 October 2023, governs how banks and NBFCs use IT vendors. It expects risk-based due diligence on every service provider, annual review of their condition, audit rights (including over providers based outside India), and it pushes data storage to India. If you are a bank evaluating a verification vendor, this Master Direction is the document your auditor will hold you to.
The third layer is your contract. Confidentiality clauses, a data-processing agreement, and audit rights are where vague promises become enforceable. The law sets a floor. The contract sets yours.
What should you ask a property verification vendor about data security?
Ask these eight questions before you upload anything or sign anything. A vendor that answers them plainly is already ahead of one that hides behind a "bank-grade security" banner.
| Question to ask | Why it matters | What a good answer looks like |
|---|---|---|
| Where is my data stored and processed? | RBI outsourcing rules push storage to India; banks need jurisdictional comfort. | Named India-region servers for documents, app, and database. Any offshore processing (e.g. AI) disclosed explicitly. |
| Are my documents used to train AI models? | A deed in a training set can never be pulled back out. | A clear "no": inputs processed in transit only, not retained by the AI provider per its data-processing agreement. |
| Who can access my document, and is every access logged? | Insider misuse is the common breach vector, not hackers. | Role-based access plus append-only audit records of state changes, with actor and timestamp. |
| How long do you keep my deed after the report? | Indefinite retention is indefinite risk. | A stated retention window and a deletion-on-request path tied to your data-principal rights under DPDP. |
| Is data encrypted in transit and at rest? | Interception and storage theft are basic threats. | TLS 1.2+ in transit, encryption at rest via the storage layer. Honest vendors say whether they offer customer-managed keys. |
| Who are your sub-processors? | Your data is only as safe as their weakest vendor. | Willingness to share the full vendor inventory and their attestations under NDA on request. |
| What certifications do you actually hold? | "Bank-grade" is marketing; ISO 27001 is a fact. | The vendor states plainly what it is certified for and what it is not, instead of implying. |
| What happens on a breach, and how fast are we told? | DPDP mandates notification; silence is a contract risk. | A committed notification window (DPDP expects 72 hours to the Board) and a named Grievance Officer. |
Save this table. It is the same one our own third-party-risk reviewers walk through, and it works on any vendor in the category.
Why does India-region data residency matter?
Data residency is the rule about which country's servers physically hold your data and process it. For property documents handled by an Indian lender's vendor, residency is not a preference. It is close to a requirement.
Here is why it carries weight. The RBI's IT outsourcing direction expects regulated entities to keep data in India and, where processing happens abroad, to ensure the foreign jurisdiction upholds confidentiality and grants audit access. An auditor reviewing a bank's vendor file wants to point to a line that says "documents stored on India-region object storage" and stop there. A vendor whose storage location is vague, or who cannot tell you whether a US region holds copies of borrower deeds, creates an open finding the bank then has to defend.
So the question is concrete: where are documents stored, where are they processed, and which steps leave the country? In vendor assessments we've responded to, this is usually the first question a bank's risk desk asks, and the answer either closes the conversation or stalls it.
LegiScore's public security page answers it directly: primary data store, document and report storage, application and worker services, and transactional email are all hosted on India-region infrastructure. The one offshore step, third-party AI analysis, is disclosed and qualified: inputs are processed in transit and not retained by the providers under their data-processing agreements. That is the shape of a residency answer an auditor can file.
What should the vendor's retention and deletion policy say?
A verification vendor needs your deed to produce a report. After the report ships, every extra day it keeps your document is risk with no upside to you.
Ask two things. First, how long is the deed retained after the report is delivered, and is that window stated rather than "as long as necessary"? Second, can you request deletion, and will the vendor honour it? Under the DPDP Act, you as a data principal have the right to erasure of your personal data once the purpose is served, so a deletion path is a right you can invoke, not a courtesy the vendor grants.
Watch the gap between storage and backups. A vendor may "delete" your live document while a copy persists in a backup snapshot for the backup retention window. That is normal and usually acceptable, but a good vendor tells you it happens rather than pretending deletion is instant everywhere. Honesty about backup retention signals that the rest of the answers are honest too.
How do you evaluate access control and audit logging?
Most property-data leaks are not movie hacks. They are an employee opening a file they had no business opening, or a credential that was never revoked after someone left. Access control is the defence, and the audit log is the proof.
Ask whether access is role-based, so a support agent cannot quietly pull every customer's deed. Then ask the sharper question: is every access to a document recorded, with who opened it and when? An append-only audit trail of document uploads, status changes, and privileged actions is what lets a bank reconstruct events after an incident and what lets you, the customer, trust that access leaves a mark.
This is also where RBI's audit rights bite. The Master Direction expects the regulated lender, and the RBI itself, to be able to audit the service provider. A vendor that already keeps per-action audit records makes that audit possible. A vendor that cannot tell you who accessed a file last Tuesday fails the test before the auditor arrives.
LegiScore's posture here is specific: user-facing state changes including document uploads, case status, acknowledgements, and payment events are written to append-only audit records for post-incident reconstruction. That is the kind of concrete claim you can verify against the platform, not a slogan. (For the bank-side view of why this matters, see our piece on the audit trail in property verification.)
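As an added illustration (not LegiScore's code; the page does not describe how its records are implemented), here is one way a platform can make "every access leaves a mark" verifiable: each document access, allowed or denied, is appended to a log whose records carry the hash of their predecessor, so a removed or edited record breaks the chain. It goes one step past plain append-only storage by letting a reviewer check the log's integrity. Role names, actions and document ids are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-permission map; a support agent may change case
# status but may not open the underlying deed.
ROLE_PERMISSIONS = {
    "reviewer": {"document.open", "case.status_change"},
    "support": {"case.status_change"},
    "admin": {"document.open", "case.status_change", "user.role_change"},
}

@dataclass
class AuditLog:
    """Append-only log: every record embeds the SHA-256 of the record before it."""
    records: list = field(default_factory=list)

    def append(self, actor, role, action, target, outcome, ts=None):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "target": target, "outcome": outcome, "prev": prev,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.records.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken link, or -1 if the chain is intact."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or digest != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1

def open_document(log, actor, role, doc_id, ts=None):
    """Role check plus mandatory logging: denied attempts are recorded too."""
    allowed = "document.open" in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, role, "document.open", doc_id,
               "allowed" if allowed else "denied", ts)
    return allowed
```

Running `verify()` over an exported log is the check a bank's auditor can repeat independently; a result other than -1 means the record set was altered after the fact.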
Is my document used to train an AI model?
This is the newest question on the list and the one most vendors answer worst. If a verification platform feeds your deed into a model that learns from it, fragments of your data can resurface in ways no one can fully control or delete. A property document in a training corpus is a permanent exposure.
So ask it directly: is the document I upload used to train your models, or any third-party model you call? Then read the actual policy, not the marketing. A good answer separates two things. It confirms that uploaded documents are not used for training, and it specifies what happens when the vendor calls an external AI service: are inputs retained by that provider, or only processed in transit and discarded?
LegiScore's published position is that third-party AI analysis runs via external API endpoints where inputs are processed in transit and not retained by the providers under their data-processing agreements. The point is not that one vendor phrased it well. The point is that you should require this sentence in writing from any verification service before you upload a single deed.
The honest-posture argument
Here is the test that cuts through vendor pitches faster than any certification logo. Ask the vendor what it does not do.
A vendor selling "bank-grade security" and "fully compliant, enterprise-ready" without naming a single standard is telling you nothing you can verify. A vendor that publishes a page listing what it is certified for and, in the same breath, what it is not certified for is handing you something rare: a claim you can check and a company that did not need to be cornered to be specific.
LegiScore's security page does the uncomfortable version. It states plainly that the platform is not ISO 27001 certified, not SOC 2 attested, and not GDPR certified, while describing what it has aligned to under the DPDP Act. It adds honest scope notes: it does not run a 24/7 staffed security operations centre and relies on cloud-default at-rest encryption rather than customer-managed keys. None of that is flattering. All of it is more useful to a risk reviewer than a wall of badges, because it tells you exactly where the lines are.
In vendor assessments we've seen, the vendor that publishes its limits beats the vendor with glossier claims, because the risk team's whole job is to find the gap between what was promised and what is true. When the vendor has already named the gap, there is nothing left to catch. That is the posture to reward, in LegiScore and in everyone else you evaluate.
Frequently asked questions
Is a property deed considered personal data under Indian law? Yes. A registered deed contains names, addresses, PAN, financial consideration, and family relationships, which are personal data under the DPDP Act, 2023. Parts of it (PAN, financial figures) sit at the more sensitive end. Treat any vendor holding deeds as handling regulated personal data.
Does the DPDP Act let me ask a verification vendor to delete my document? Yes. As a data principal, the DPDP Act gives you the right to erasure of personal data once the purpose for processing is complete. Ask the vendor for its deletion process and its retention window, and confirm both in writing. Note that backup copies may persist for the vendor's stated backup retention period.
What does the RBI require for a bank's IT vendors? The RBI's Master Direction on Outsourcing of IT Services (10 April 2023, effective 1 October 2023) requires risk-based due diligence on each provider, annual review, audit rights for the bank and the RBI, and pushes data storage to India. If you are a regulated lender, your auditor will expect a vendor file that satisfies these points.
Should I trust a vendor that says it is not ISO 27001 certified? Often, yes. Certification is one signal, not the whole picture. A vendor that states plainly what it is and is not certified for is easier to assess than one that implies certification it does not hold. Judge the specifics: residency, audit logs, retention, AI handling, and breach notification.
What is the single most important question to ask? "Where is my data stored, and is it used to train AI models?" Those two answers expose more real risk than any other pair. A clear India-region storage answer and a firm "not used for training" tell you the vendor has thought about the things that actually matter for property documents.
Related reading
- The audit trail in property verification for banks and RBI compliance
- Audit readiness for bank legal verification: SOP and RBI alignment
- LOS integration for property verification via API workflow
- In-house legal team vs outsourced due diligence
- Property verification apps and services in India compared
- NRI property due diligence and remote verification