Data Security Statement
How we protect your business data.
1. Our Commitment
Sahayogi One Private Limited ("Company", "we", "us", or "our") recognises that your business data is fundamental to your operations. Protecting it is a core responsibility, not an afterthought. We apply practical, layered security measures across every part of the BoSS platform ("Platform") to safeguard the confidentiality, integrity, and availability of your information.
Security is an ongoing practice. We regularly review and strengthen our security posture as threats evolve and industry standards advance. This statement describes what we do today to protect your data — we do not make claims about certifications we have not earned or frameworks we have not implemented.
2. Infrastructure Security
The Platform is hosted on enterprise-grade cloud infrastructure with data centres located in India. Our hosting environment maintains industry-standard physical security, environmental controls, and redundancy measures.
- Data centres with controlled physical access, surveillance, and environmental monitoring
- Infrastructure redundancy to minimise single points of failure
- Geographic data residency within India to meet regulatory and operational requirements
- Network segmentation and firewall protections isolating application, database, and management layers
- Distributed denial-of-service (DDoS) mitigation at the network edge
3. Access Controls
Access to your data is controlled through multiple layers, both at the application and infrastructure levels.
Application level
- Role-based access control (RBAC) ensuring users access only the data and features they are authorised to use
- Multi-factor authentication (MFA) available for all users and enforced for administrator accounts
- Session management with configurable timeout policies
- Granular permissions at the organisation, branch, and module level
Infrastructure level
- Principle of least privilege applied to all systems and personnel
- Infrastructure access restricted to authorised engineering personnel with individual credentials
- All administrative access events logged and subject to periodic review
- Production access separated from development and staging environments
4. Encryption
Data is protected both in transit and at rest using industry-standard encryption methods.
- In transit: All communication between your browser or application and the Platform is encrypted using TLS 1.2 or higher
- At rest: Stored data is encrypted using AES-256 encryption
- Key management: Encryption keys are managed through secure, access-controlled key management practices with regular rotation
- Internal communication: Service-to-service communication within our infrastructure is encrypted
5. Audit Logging
All critical actions within the Platform are recorded in an immutable audit trail. Each log entry captures:
- Timestamp: Precise date and time of the action
- User identity: The authenticated user who performed the action
- Action performed: The specific operation (create, update, delete, export, access change)
- Context: Affected resource, IP address, and session details where applicable
Audit logs are tamper-evident and retained in accordance with our data retention policies. Infrastructure-level events are monitored continuously with automated alerting for suspicious activity patterns.
6. Backup & Recovery
We maintain a comprehensive backup strategy to protect against data loss and ensure business continuity.
- Regular automated backups of all business data on defined schedules
- Backup storage in geographically separate, secure locations
- Periodic restoration testing to verify backup integrity and recoverability
- Defined recovery point objectives (RPO) and recovery time objectives (RTO) to minimise potential data loss and downtime
7. Secure Development
Security is integrated into our software development lifecycle. We follow structured practices to reduce the risk of vulnerabilities reaching production.
- Code review: All code changes undergo peer review before deployment
- Security testing: Automated and manual security testing as part of the release process
- Separated environments: Development, staging, and production environments are strictly isolated with no production data in non-production environments
- Dependency management: Third-party dependencies are monitored for known vulnerabilities and updated promptly
- Secure defaults: Platform features are built with secure defaults, requiring explicit action to reduce security posture
8. Incident Response
We maintain defined incident response procedures for identifying, containing, and resolving security events.
- Identification: Continuous monitoring and alerting for potential security events
- Containment: Immediate measures to limit the scope and impact of confirmed incidents
- Investigation: Root cause analysis to understand what occurred and why
- Remediation: Corrective actions to resolve the incident and prevent recurrence
- Notification: Affected users are informed within prescribed timelines as required by applicable law and our contractual obligations
All incidents are followed by a post-incident review to identify improvements to our processes and controls.
9. Regulatory Alignment
We design our security practices with awareness of the regulatory landscape applicable to our operations and our customers' data.
- DPDP Act: Our data handling practices are aligned with India's Digital Personal Data Protection Act, including provisions for data principal rights, consent management, and data processing obligations
- ISO 27001: Our information security management practices are aligned with the ISO 27001 framework as a guiding standard for our controls and processes
- GDPR awareness: For users in or interacting with entities in the European Economic Area, we maintain awareness of GDPR requirements and implement relevant safeguards
10. Contact
For questions about our data security practices, contact:
Security Team
Sahayogi One Private Limited
Email: support@sahayogione.com