DPDPA.center — Security Statement
Version: 1.0 | Effective date: 2026-06-12
Operated by: CynorSense Solutions Pvt. Ltd., India
Security contact: dpo@cynorsense.com
This statement describes the security measures protecting data processed by the DPDPA.center application.
1. Hosting and architecture
- Backend services run as Docker containers on a managed VPS operated by CynorSense, on a private container network with services bound to internal interfaces and exposed only through a TLS-terminating reverse proxy.
- Hosting region: [PLACEHOLDER: HOSTING_REGION — owner to specify the VPS provider’s physical region. For a DPDPA product, an India region is a selling point and a likely buyer question; confirm and state it explicitly, and consider migrating if not already in India.]
- The consent ledger (system of record) is a multi-tenant PostgreSQL database (TSI DPDP CMS). Each installing site is provisioned as an isolated tenant with its own credentials and configuration.
2. Encryption
- In transit: all browser-to-service and service-to-platform traffic is HTTPS only, TLS 1.2+. No plaintext endpoints are exposed.
- At rest: [TO CONFIRM: full-disk/volume encryption status of the VPS and database storage is not yet documented — owner to verify with the hosting provider and record the mechanism here. Until confirmed, do not claim at-rest disk encryption in external answers.] Independent of disk encryption, database access is restricted to vault-issued, per-service credentials, and the database is not reachable from the public internet.
3. Secrets management
- All secrets — per-tenant API keys and secrets, fiduciary configuration, service tokens — are stored in an OpenBao vault (per-tenant paths).
- Secrets never appear in source code, container images, or the browser.
- [PLACEHOLDER: secret-rotation policy/cadence — one rotation of the app secret is already scheduled; document the ongoing cadence.]
4. Access control and identity
- Tenant isolation: sessions are HMAC-bound to (email | site instance | expiry); a session issued for one site is invalid on every other site.
- End-user identity: email addresses are never typed by users. Member identity is resolved server-side from the platform session, countersigned with an HMAC, then verified by a one-time code sent only to the resolved inbox — the flow cannot be used to probe other people’s data.
- Machine-to-machine: incoming webhooks are verified as RS256-signed JWTs; outbound platform API access uses per-instance OAuth credentials.
- Administrative access to the VPS and containers is limited to authorized CynorSense personnel. [PLACEHOLDER: number of admins, SSH key-only policy, and MFA status — owner to confirm and record.]
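The tenant-bound session from the first bullet, shown as an added illustration rather than the product's own code: the token carries an HMAC over (email, site instance, expiry), and the verifier checks the tag before reading any field, then rejects the token on any other site or after expiry. The secret value, JSON field encoding and dot-separated token layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical server-side signing secret; in a real deployment it would be
# fetched from the vault, never a literal in source.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(email: str, site_instance: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Bind email, site instance and expiry together under one HMAC tag."""
    expiry = (int(time.time()) if now is None else now) + ttl_seconds
    # JSON keeps the three fields unambiguous even if a value contains '|'.
    payload = json.dumps([email, site_instance, expiry], separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_session(token: str, expected_site: str, now: Optional[int] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (email, None) if the token is valid for expected_site, else (None, reason)."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error subclasses ValueError)
        return None, "malformed"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Authenticate before parsing: no field is trusted until the tag matches.
    if not hmac.compare_digest(tag, expected):
        return None, "bad_signature"
    email, site_instance, expiry = json.loads(payload)
    if site_instance != expected_site:
        return None, "wrong_site"  # a session for one site is invalid on every other site
    if (int(time.time()) if now is None else now) >= expiry:
        return None, "expired"
    return email, None
```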
5. Audit logging
- An append-only audit store persists webhook event envelopes, erasure steps, and consent-push records on a dedicated host volume, with a per-tenant reader endpoint.
- Erasure operations write durable retention-registry records (frozen-at, retention-until, legal basis, status), and final purges record purge proof.
- Full error detail goes to container logs only; users see sanitized, tenant-voiced messages that never disclose infrastructure names.
6. Data minimization
The app processes consent records, contact identifiers, cookie-consent states, rights-request contents, and audit events. It does not process payment card data and does not store message contents — vertical records (orders, bookings, submissions, messages, invoices) are read transiently only to assemble a verified Data Principal’s access report or to evaluate legal holds.
7. Backups and resilience
- [TO CONFIRM: backup posture — frequency, encryption, retention, and restore testing for the PostgreSQL ledger and the OpenBao vault are not yet documented. Owner to define and record before making external claims.]
- Service health is verifiable via dedicated health endpoints checked after every deployment.
8. Incident response
Security incidents are handled under the Incident Response Policy (incident-response.md), including notification to affected Data Fiduciaries within 72 hours and support for their Data Protection Board of India notification obligations.
9. Responsible disclosure
Report suspected vulnerabilities to dpo@cynorsense.com. We will acknowledge within [PLACEHOLDER: acknowledgment SLA, e.g., 2 business days] and keep the reporter informed of remediation. Please do not test against production tenants containing real personal data.