Details of the authorised Person Registering on behalf of the Organization
Every Application Service Provider (ASP) that wishes to utilize the CoWIN APIs shall have to submit an undertaking that the ASP agrees to the following Terms of Service:
1. Consent
Any application (API Client) developed by ASPs that uses Co-WIN APIs to access and collect data from Co-WIN, should ensure that it cannot access and collect personal data except as provided in the guidance issued by the MoHFW. Wherever personal data is collected, consent management will have to be undertaken as per the extant policy/ directions of the government issued in this regard as may be applicable. If any user does not consent for sharing of their data, through the Co-WIN APIs, then it must be ensured that such users have other viable and alternate mechanisms by which they can avail of Co-WIN related services through these applications.
2. Accessibility
Authorized third-party organizations should only access (or attempt to access) whitelisted data elements in the manner described in the API documentation (refer https://apisetu.gov.in/public/marketplace/api/cowin/cowin-public-v2 & https://apisetu.gov.in/public/marketplace/api/cowin/cowin-protected-v2). If Co-WIN has assigned any developer credentials to the organisation, such credentials must only be used in relation to the applicable APIs. It must not misrepresent or obfuscate the identity of MoHFW or the identity of their organisation. These authorized organizations shall not share or disclose intentionally or unintentionally the API Keys or user details, or any information retrieved through API except as approved under this guideline.
3. Termination
MoHFW can terminate the use of the Co-WIN APIs any time with or without giving any notice. The authorized organizations can also terminate the use of the APIs any time by giving 30 days prior notice. However, in case of termination initiated by the authorized organizations the access key will be deactivated 30 days from the date of the notice submitted to MoHFW.
MoHFW’s Co-WIN team can terminate the API Terms of Service and discontinue the right to use the APIs and features thereof without cause and at any time without liability or other obligation. Upon such termination the organisation will immediately stop using the API and on the request of Co-WIN team, delete any data collected using the API except the data that they are necessarily required to maintain for complying with existing laws.
Any non-compliance or submitting any false information or violation of the Co-WIN API Terms of Service or misuse of the service, would result in appropriate legal actions.
4. Support
The authorized organization can seek support from MoHFW’s Co-WIN team for any technical queries related to the APIs. However, Co-WIN will not have any obligations to make any changes in the Co-WIN software or APIs to address the technical queries.
5. API Limitations
API requests will have predefined limited usage policies that may limit the number of users that can be served, including other limitations, as deemed appropriate by MoHFW. Authorized organisations shall not circumvent or attempt to circumvent these limitations, and appropriate action in accordance with law shall be taken in the instance of such circumvention or attempt to circumvent. If, for any reason, an exception is desired, a written consent from MoHFW’s Co-WIN team is required.
6. Purpose of Information collected via the APIs
Co-WIN recognizes the importance of privacy of its end-users and also of maintaining confidentiality of the information provided by its end-users (either directly or via third-party organizations) as a responsible data controller and data processor. Co-WIN will provide these API services (both “public” and “protected” APIs), so that authorized third-party organizations can leverage and provide value added services to citizens, other businesses and relevant customers. In providing these Services, Co-WIN will process the data that the authorized third-party organizations will submit via the APIs and instruct Co-WIN to process on their behalf. This data will be subject to the data protection guidelines and applicable laws and policies, established or issued by the Government of India. The type of information sought by Co-WIN, via these APIs, will be as per the details outlined in the “LIST OF Co-WIN APIs” section (refer the “Annexure 1”). Co-WIN will retain the information, shared by the authorized third-party organizations, on its servers for as long as is reasonably necessary for the purposes established by the Government of India in accordance with the applicable law and policies issued by the Ministry, primarily for COVID-19 vaccination. Where this information is no longer required, Co-WIN will ensure it is either securely deleted or stored in a way which means it will no longer be used by either itself or any of its authorized partners (third-party organizations availing the Co-WIN APIs).
It is important that the third-party organizations have a clearly defined privacy policy of their own in accordance with applicable law for the time being in force in India, so that it articulates the information collected from the end users (including personal data, such as account creation data, usage information, data retention requirements and cookie information). Co-WIN processes the API data in accordance with the third-party organization’s instructions and will be subject to Co-WIN’s rules for data validation and completeness for further processing.
7. Re-Distribution
Authorized organizations shall not re-distribute any data that they are able to access through the API and shall ensure that integration of all such data shall compulsorily be limited to the specific services provided by Co-WIN. Under no circumstances, shall an organisation use the data collected as part of the Covid Vaccination Programme of the Government for any purposes other than the purposes specified herein, and as may be permitted by the government.
8. Use and Retention of information
1. Prior to seeking beneficiary’s consent, authorized organizations must inform each of their beneficiaries in a clear, concise and accessible manner of the specific purpose for which the data would be used, the period of time for which it shall be retained and the manner in which it shall be deleted.
2. Once collected, the organization shall only use the data for the stated purpose in accordance with these guidelines and delete it on or before the expiry of the retention period or as defined in the API Terms of Service.
3. All API Clients shall be designed to only collect as much data as is strictly necessary to achieve the stated purpose and to delete such data as soon as possible after such purpose has been served.
4. For the avoidance of all doubts, no API Client shall be designed to use the data for a purpose unrelated to the management of COVID-19 Vaccination nor shall the period for which the data is retained by the API Client exceed the data retention provisions set out by Co-WIN.
5. The CVCs can retain the patient data as required for complying with the existing applicable laws of data retention, as may be required. However, no ASP shall store the Aadhaar number or the details or any copy of the identity cards/documents being used by beneficiaries, either in physical or electronic form, under any circumstances. Such information will be stored only at CoWIN and will be provided to the ASP’s systems through the CoWIN APIs for facilitating various functional needs such as recording of vaccination events and generation of certificates etc.
6. Whenever personal information needs to be published for the purposes of managing COVID-19 vaccinations, only the last 4 digits of the Aadhaar number/Identity document may be printed.
7. The authorized organizations shall ensure that they will generate and maintain auditable logs of the Co-WIN data collected and processed by the API Client, including details and records of the storage, access and sharing of any such data, and shall, on demand, make such logs available to the Co-WIN team.
8. The authorized organization shall not use the APIs and the data available through APIs to engineer any products that lead to any automation of the data input processes specially those where the data is to be entered by the citizen/beneficiary. Provision of the API keys must not be construed as a concurrence of the Ministry, for any such misuse of the system, the APIs and the data accessed or made available through the APIs.
9. The CoWIN APIs or the data accessed through the APIs shall not be commercially exploited.
9. Data Security
1. The authorized organizations shall use all reasonable efforts to protect the user data collected by the API Client from unauthorized access or use, and take all measures as may be required by any applicable law in relation to security of personal data, and will promptly report to MoHFW’s Co-WIN team and the users about any unauthorized access or use of such information to the extent required by Law.
2. To the extent possible, the API client should follow the anonymisation principles, where applicable. All API communication should be done in a secure manner, using transport layer encryption.
3. The API Keys should not be exposed in plain text.
4. The API Keys allotted to one organization, should not be shared with anyone else except as may be allowed by the Ministry.
5. In case of any compromise of the API Key, the same should be immediately reported to the Co-WIN team.
6. The data collected through the APIs, shall be stored within India only.
10. Compliance with Law, Third Party Rights, and Other Terms of Service
The authorized organizations will comply with all applicable laws, regulation, policies and third-party rights (including without limitation, any laws regarding the import or export of data or software, privacy, and local laws) established by Government of India. These organizations will not use the APIs to encourage or promote illegal activity or violation of third-party rights including these “Terms of Service” with Co-WIN.
11. Correctness of Data provided by third party systems
The ASPs updating data in Co-WIN shall be solely responsible for the correctness of such data and any liability arising out of any data so provided shall completely rest with such third party. Any liabilities, civil or criminal, arising out of any incorrect data shall solely lie with the concerned ASP.
12. Prohibitions and Confidentiality
When using the Co-WIN APIs, the authorized third-party organizations shall ensure (or allow those acting on behalf of organizations) that the following actions aren’t performed.
1. Sublicense/subcontracting of the APIs–the authorized organizations will not create an API Client that functions substantially the same as the Co-WIN APIs and offer it for use by third parties.
2. Perform an action with the intent of introducing any viruses, worms, defects, Trojan horses, malware, or any items of a destructive nature to Co-WIN services.
3. Interfere with or disrupt the APIs or the servers or networks providing the APIs.
4. Promote or facilitate unlawful online gambling or disruptive commercial messages or advertisements.
5. Reverse engineer or attempt to extract the source code from any API or any related software.
6. Use the APIs to process or store any data in contravention of the IT Act, or any applicable policies or guidelines issued by the Government of India.
13. Use of Government logo
Government logo may only be used after a separate explicit approval has been obtained from the Ministry in this regard.
14. Display of approval
Any ASP application will have to prominently display on the application’s citizen facing interface that it is “Approved by CoWIN”, so as to distinguish it from applications that are not approved.
hereby declare, on behalf of the
that the information mentioned above is factually correct and that the Organization undertakes to abide by all the terms and conditions of the Terms of Service.