Legal & Security
GDPR Compliance & Data Security
We take data security seriously. Here's exactly how we protect your data and comply with global privacy regulations.
Home›GDPR & Data Security
Last Updated: November 1, 2024
Our Commitment to GDPR
ReachUp Solutions is committed to compliance with the General Data Protection Regulation (GDPR) for our European users, as well as the Information Technology (Amendment) Act, 2008 and the Personal Data Protection Bill framework for Indian users. We act as both a Data Controller (for our own customer data) and a Data Processor (for our customers' contact data used in messaging campaigns).
1. Data Processing Agreement (DPA)
If you are subject to GDPR and use our platform to process personal data of EU residents, we offer a Data Processing Agreement (DPA) that formalizes our obligations as your data processor. To request a signed DPA, email reachup.solutions1@gmail.com. Key provisions of our DPA include:
- We process personal data only on documented instructions from you
- We ensure our personnel are bound by confidentiality obligations
- We implement appropriate technical and organizational security measures
- We assist you in fulfilling data subject rights requests
- We delete or return all personal data upon termination of services
- We provide all information necessary to demonstrate compliance
2. Legal Bases for Processing
We process personal data under the following legal bases as applicable:
- Contractual Necessity: Processing required to provide our services to you
- Legitimate Interests: Improving our platform, fraud prevention, security monitoring
- Consent: Marketing communications, optional analytics cookies
- Legal Obligation: Compliance with applicable laws and regulations
3. Technical Security Measures
3.1 Encryption
- AES-256-GCM encryption for all data stored at rest
- TLS 1.3 for all data in transit between clients and servers
- Encrypted database backups with separate key management
- Hardware Security Modules (HSMs) for cryptographic key storage
3.2 Infrastructure Security
- Hosted on AWS (Mumbai Region) and Google Cloud Platform
- Virtual Private Cloud (VPC) isolation for all production systems
- Web Application Firewall (WAF) protecting all public endpoints
- DDoS protection via AWS Shield and Cloudflare
- Automated vulnerability scanning of all infrastructure
3.3 Application Security
- OWASP Top 10 security controls implemented
- Multi-factor authentication (MFA) available for all accounts
- Role-based access control (RBAC) with least privilege principle
- Session management with automatic timeout after inactivity
- SQL injection and XSS protection on all user inputs
- Security headers (HSTS, CSP, X-Frame-Options) on all pages
3.4 Monitoring & Incident Response
- 24/7 security operations center (SOC) monitoring
- Real-time anomaly detection and alerting
- Incident response plan with defined escalation procedures
- Data breach notification within 72 hours as required by GDPR
- Comprehensive audit logs retained for 12 months
4. Organizational Security Measures
- Background checks for all employees handling personal data
- Mandatory annual security awareness training for all staff
- Signed confidentiality agreements with all employees and contractors
- Strict need-to-know basis for production data access
- Quarterly internal security reviews and risk assessments
5. Sub-processors
We work with the following categories of sub-processors, all bound by appropriate data processing agreements:
- Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform
- Payment Processing: Razorpay Financial Solutions Pvt. Ltd.
- Email Delivery: Amazon SES, SendGrid
- Analytics: Google Analytics (anonymized), Mixpanel
- Customer Support: Freshdesk
A complete list of sub-processors is available upon request at reachup.solutions1@gmail.com.
6. Data Residency
By default, data for Indian customers is stored in the AWS Mumbai (ap-south-1) region. Enterprise customers may request dedicated data residency within specific geographic regions. EU customer data is processed in compliance with GDPR data transfer requirements including Standard Contractual Clauses.
7. Telecom Compliance (India)
As a messaging platform operating in India, we fully comply with TRAI (Telecom Regulatory Authority of India) regulations including:
- Distributed Ledger Technology (DLT) platform integration
- Mandatory scrubbing against National Do Not Disturb (NDND) registry
- Template pre-registration and principal entity registration requirements
- Time-window restrictions for promotional SMS delivery
- Full audit trails for all message transactions
8. WhatsApp Business API Compliance
Our WhatsApp integration is provided as an official Meta Business Partner. We enforce:
- Mandatory opt-in consent before any messages are sent
- Easy opt-out mechanisms in all campaigns
- Compliance with WhatsApp Business Policy on message categories
- Template pre-approval through Meta's system
9. Security Certifications & Audits
- Quarterly VAPT (Vulnerability Assessment & Penetration Testing) by certified third parties
- Annual SOC 2 Type II audit process underway
- ISO 27001 aligned information security management practices
10. Report a Security Vulnerability
We operate a responsible disclosure program. If you discover a security vulnerability, please report it to reachup.solutions1@gmail.com. We commit to acknowledging reports within 24 hours and providing updates as we address the issue. We do not pursue legal action against good-faith security researchers.
Contact Our Data Protection Officer
For GDPR-related inquiries, DPA requests, or data subject rights: reachup.solutions1@gmail.com