Privacy Mode fellowship programme

Documenting privacy best practices in industry

Accepting submissions till 22 Feb 2022, 11:55 PM

Conversations around privacy and data security are increasing every day. The government has tabled a Personal Data Protection bill in the parliament, and a Joint Parliamentary Committee has presented its report on the potential and concerns regarding privacy and personal data.

There is a need to practise data privacy across domains and at scale, especially around the following themes:

  1. Data protection/security practices.
  2. Consent frameworks tied to purpose use limitations.
  3. Data rights.
  4. Encryption practices.

The Privacy Mode Fellowship programme is set in this context. The goal of the programme is to work with practitioners to document practices that can be widely adopted across the industry, and innovated upon. The programme is particularly interested in showcasing:
- Privacy-related challenges that practitioners are solving, and the context around these.
- Solutions, and evidence of how these solutions have been implemented in different organizations.
- Results achieved through the solutions - a before and after explanation of what changed, and metrics achieved.

Check out the Best Practices Guides to understand the type of topics that the Fellowship is looking at.

If this is you, apply to be a Privacy Mode fellow today.


Duration of the fellowship programme: 3 months - from February to 30 April. Applications can be submitted till 21 February.

Time commitment involved: Part-time. As a Fellow, you will do your Fellowship projects alongside your day job. The programme will require between one and four hours of your time per week to produce the output. The editorial desk will work with Fellows to set milestones and deadlines.

Expected output
a. A detailed article of 1,000 to 2,000 words - with illustrations, OR
b. 2-3 videos explaining practice and learnings in sequence.

Compensation: Rs. 1,50,000 - paid in three tranches, upon completion of milestones during the Fellowship period.

Feedback and mentorship from jury: A three-member jury of experts will guide selected applicants through conceptualization and documentation stages. The jury members for the fellowship programme are:
1. Uzma Barlaskar, Head of privacy and growth at WhatsApp.
2. Anand Venkatanarayanan, Independent cybersecurity researcher.
3. Sankarshan Mukhopadhyay, Editor at Privacy Mode.

Other benefits: As a Fellow, you will receive the following infrastructure and support:
- Editorial desk with copy-editing, proofreading and graphic design resources to help you complete your outputs.
- Distribution and elevation of final outputs.

Who can apply:
1. Tech practitioners - senior engineer, product manager, engineering manager, privacy officer - who work on data governance and privacy in their organizations.
2. Individuals from academia who work on data privacy.
3. Individuals working on social impact via data privacy.

Five applicants will be selected to participate in the first batch of the Fellowship Programme.

How to apply

To apply for the Fellowship, submit the following here:

  1. A statement of intent and purpose, detailing the following:
    - What problem area are you solving and the context around this? As mentioned above, the Fellowship programme will cover the following themes:
      A. Data protection/security practices
      B. Consent frameworks tied to purpose use limitations
      C. Data rights
      D. Encryption practices
    - A description of the solution and evidence of how it was implemented at your company.
    - Results achieved through this.
  2. The form in which you see the knowledge finally shaping up: as an article or as a series of two-three explainer videos.
  3. Two samples of work - written or video.
  4. Your bio.

Selection process

Fellows will be selected on the basis of innovative approaches and solutions implemented for privacy.

The following criteria will also be applied for selecting fellows:

  1. Diversity - women, trans and gender non-conforming persons and individuals from marginalised social contexts will be given preference.
  2. Candidates with prior speaking/writing experience.
  3. Candidates with mid to senior engineering and product leadership roles will be given preference.

Contact information

For queries about the Fellowship Programme, mail or leave a comment in the comments section

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Supported by

Rohan Verma


Data Protection and Security Practices at Zerodha

Submitted Feb 21, 2022

Statement of intent and purpose

Proper access control and appropriate proliferation of critically-sensitive customer data across a variety of internal apps can be a complex beast. Using a few common-sense privacy principles along with a few architectural changes across the organization, it is straightforward to fortify and prevent data proliferation across the stack. At Zerodha, we have built a siloed, centralized application along with easy-to-use client libraries that allow internal apps to send communications to users (e-mail, SMS etc.) based on strict permissions without having to store or access sensitive user data. With this fellowship, I aim to document Data protection/security practices that we have implemented with this project and that other organizations can easily incorporate into their stack.

This project acts as a gateway for all client communication. It allows apps to communicate with clients via SMS, email, push notifications, etc. without any direct access to the client data or sharing sensitive information such as email ID, phone number etc. All outgoing communiqués are pre-templated with variables and this centralized system enriches the data from sensitive data sources that are never exposed to internal applications. When a request to send a message is queued, the templates are enriched with the requested data from the appropriate data sources based on the unique client identifier sent by the client library. This reduces any unintended data leaks due to data duplication or extraneous logs containing client information at the application end and eliminates the need to share networks between different kinds of internal applications and databases. This system operates at scale sending out millions of critical transactional e-mails, notifications, SMS etc.

This also helps us achieve broader regulatory compliance goals.

  • Appropriate data retention for messages that are required to be retained for compliance is also configurable centrally and doesn’t need to be set up by each application. [SEBI.17]
  • This also plays a key role in VPC Network segregation which is a compliance/regulatory requirement, as it allows us to silo data centrally and limit access. [SEBI.27]
  • The cyber security framework suggests that no person by rank or position should have an intrinsic right to access data [SEBI.13]. The principle of least privilege should be adopted with access provided based on defined purpose and limited period of access to IT systems [SEBI.14]. Along with that, all user access must be logged [SEBI.17]. Using our system, we can restrict nearly all access to sensitive client information for our developers and still support seamless communication.

All of this ties together with our principle of not intrinsically trusting even our internal applications with privileged access or sensitive data.

I think that the output of the fellowship would best be useful as an article where we share a generic architecture that can be applicable across a variety of stacks along with code snippets. Alongside that, I will do a deeper dive into data privacy and how we can achieve goals pertaining to those broader goals. I think it would be good to cover the following:
- Principles and Foundational ideas
- Reduce business risk and protect user privacy by exposing minimal data across apps
- Standardized, Auditable, and Centralized Template Management
- Access Control management
- Log retention management
- Internals and Architecture
- Machinery and Kafka
- Worker Orchestration
- Orchestrating and inserting/enriching data into templates
- User/ACL management
- Centralized logging + dashboards for auditing
- Plugging in backends and datastores
- Designing a stable and easy to implement HTTP API
- Self-hosting email/wherever possible to minimize risks

[SEBI] SEBI/HO/MIRSD/CIR/PB/2018/147 - Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants
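
The gateway pattern described in the submission above, as an added sketch that is not part of the submission and not Zerodha's code: an internal app names a template and a client identifier, and the gateway checks permissions, enriches the template from a store the app cannot reach, and logs the request without contact details. All names here (`send`, `ACL`, `CLIENT_STORE`, the `orders-app` caller, the sample client) are hypothetical.

```python
import string

# Constructed sample data. In the described design this store sits in a
# silo that only the gateway can reach, never the internal apps.
CLIENT_STORE = {"AB1234": {"name": "A. Client", "email": "client@example.com"}}

# Each template names the sensitive fields the gateway fills in and the
# non-sensitive variables the calling app must supply.
TEMPLATES = {
    "order_filled": {
        "channel": "email",
        "body": "Hi $name, your order $order_id was filled.",
        "enrich": {"name"},
        "app_vars": {"order_id"},
    },
}

ACL = {"orders-app": {"order_filled"}}  # app -> templates it may send
AUDIT_LOG = []  # every request is logged, without contact details
OUTBOX = []     # stand-in for the real e-mail/SMS provider


class Denied(Exception):
    pass


def send(app, template_id, client_id, variables):
    """Gateway entry point: the app passes an identifier, never an address."""
    allowed = template_id in ACL.get(app, set())
    AUDIT_LOG.append({"app": app, "template": template_id,
                      "client_id": client_id, "allowed": allowed})
    if not allowed:
        raise Denied(f"{app} may not send {template_id}")
    tpl = TEMPLATES[template_id]
    # Exact match stops an app from overriding a gateway-filled field.
    if set(variables) != tpl["app_vars"]:
        raise ValueError("unexpected or missing template variables")
    record = CLIENT_STORE[client_id]
    fields = {key: record[key] for key in tpl["enrich"]}
    body = string.Template(tpl["body"]).substitute(**variables, **fields)
    OUTBOX.append((tpl["channel"], record[tpl["channel"]], body))
    # The response carries no client data back to the caller.
    return {"status": "queued", "template": template_id}
```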

