If we are breached, here is exactly what happens.
Detection and triage.
Our security monitoring (audit-log anomaly detection plus signals from external penetration testers) is designed to detect unauthorised data access in under an hour. On signal, we open a severity-1 incident, page the on-call engineer and the CTO, and isolate affected systems within thirty minutes of the page.
Notification within 72 hours.
Rule 7 of the DPDP Rules, 2025 requires a Data Fiduciary that becomes aware of a personal data breach to intimate affected Data Principals without delay, and to report to the Data Protection Board without delay and in detail within seventy-two hours of becoming aware of it (the Board may allow a longer period on written request). Our internal target for both is twenty-four hours from detection. The notification includes scope, affected data classes, root cause to the extent known, and remedial steps taken.
What you receive, free.
Every affected user receives, at our cost: a one-year subscription to a partner forensic-identity service that monitors for fraud signals tied to the leaked identifiers; full read access to our audit log for activity on your account during the breach window; and a credit equal to your annual subscription on your next renewal.
Coordinated reporting.
We report to CERT-In in parallel with the Board; CERT-In's directions of April 2022 require that report within six hours of noticing the incident, a shorter window than the DPDP one. We also coordinate with our enterprise customers' incident teams. We do not delay public disclosure to manage optics.
Public post-mortem.
Within thirty days of the incident resolution we publish a public post-mortem on this page: timeline, root cause, scope, what we did to remediate, what we will do differently. The post-mortem is reviewed by external counsel and signed by the CTO and the DPO.
Independent audit.
For any incident at severity 1 or higher we commission an independent forensic audit by a CERT-In empanelled assessor. The audit summary is appended to the public post-mortem.