DATA SECURITY AT SITEFY.IN

Last updated: 20 January 2026

Our Promise

Sitefy Global Technologies Pvt. Ltd. (“Sitefy”, “we”, “us”) is committed to protecting your data through a defense-in-depth security strategy that combines strong technical controls, disciplined internal processes, and responsible operational practices.

Headquartered in Bangalore and serving customers across India, we design and operate our products with security and privacy by default and by design, aligned with Indian laws and globally recognized best practices.


Security Principles We Follow

  • Least-privilege and need-to-know access

  • Encryption in transit and at rest by default

  • Secure Software Development Lifecycle (SSDLC)

  • Continuous monitoring and rapid incident response

  • Vendor and sub-processor security due diligence

  • Data minimization and purpose limitation

  • Shared responsibility between Sitefy and our customers


What Data We Handle

  • Customer Content
    Data you or your end users upload, store, or generate using Sitefy products and services.

  • Account & Billing Data
    Business contact details, authentication information, billing details, and subscription data.

  • Service Metadata
    Logs, system metrics, diagnostics, and usage telemetry required to operate, secure, and improve our services.

We collect only what is necessary and retain data only for as long as required for legitimate business, contractual, or legal purposes.


Governance & Accountability

  • Executive Oversight
    Security and privacy are owned at the leadership level with defined accountability.

  • Policies & Controls
    Company-wide policies for information security, access control, incident response, vendor risk, and secure coding are reviewed at least annually.

  • Training & Awareness
    All employees and contractors undergo security, privacy, and phishing awareness training at onboarding and periodically thereafter.


Compliance & Regulatory Alignment (India-First)

  • Frameworks & Standards
    ISO/IEC 27001, NIST Cybersecurity Framework, OWASP ASVS
    (alignment only; no implied certification)

  • Privacy & Data Protection Laws

    • Digital Personal Data Protection (DPDP) Act, 2023 – India

    • GDPR / UK GDPR (where applicable)

    • CCPA/CPRA (US), LGPD (Brazil), PIPEDA (Canada), POPIA (South Africa), as relevant

  • Cross-Border Data Transfers
    Legally permitted safeguards (such as contractual protections) are applied where personal data is transferred outside India.


Encryption & Key Management

  • In Transit: TLS 1.2+

  • At Rest: AES-256 or equivalent

  • Key Management: Secure key rotation, separation of duties, and strict access controls


Access Controls & Identity Management

  • SSO (SAML/OIDC) where supported

  • Mandatory MFA for privileged access

  • RBAC and just-in-time access

  • No shared admin accounts; all access is logged


Secure Development Lifecycle (SSDLC)

  • Threat modeling at design stage

  • Mandatory code reviews

  • Automated SAST, dependency and secret scanning

  • DAST for critical services

  • Periodic third-party penetration testing

  • Segregated dev, staging, and production environments

  • Risk-based vulnerability remediation SLAs


Infrastructure & Network Security

  • Secure cloud infrastructure with certified data centers

  • Network segmentation, WAF, and DDoS protection

  • Hardened systems and timely patching

  • Encrypted, regularly tested backups


Monitoring, Logging & Detection

  • Centralized logging for authentication, admin actions, and system changes

  • SIEM-based alerting and anomaly detection

  • Defined audit-log retention periods


Business Continuity & Disaster Recovery

  • Documented and tested BCP/DR plans

  • Redundancy across availability zones or regions where applicable

  • Risk-based RTO and RPO targets


Incident Response

  • Formal incident response runbooks

  • Post-incident reviews with corrective actions

  • Breach notifications provided without undue delay as required by Indian law and contracts


Vendor & Sub-Processor Management

  • Security and privacy due diligence before onboarding

  • Data Processing Agreements where required

  • Periodic vendor reviews

  • Sub-processor details available upon request


Data Retention & Deletion

  • Retention tied to business purpose and legal requirements

  • Deleted data removed from active systems and backups after retention cycles

  • Data export and deletion on contract termination


Customer Controls (Shared Responsibility Model)

Customers should:

  • Enable MFA and SSO

  • Review access permissions regularly

  • Configure retention and deletion settings

  • Maintain secure devices and browsers


AI & Model Safety (Where Applicable)

  • Customer Content is used only to deliver AI features

  • No training of foundation models without explicit customer consent

  • Prompts and outputs protected with standard security controls


Children’s Data

Sitefy services are not directed toward children where prohibited by law. We do not knowingly collect or profile children’s personal data.


Responsible Vulnerability Disclosure

If you discover a security vulnerability, report it to:
📧 support@sitefy.in

Please include affected services, steps to reproduce, and potential impact. Avoid actions that could disrupt services or access other users’ data.


Contact

Security & Privacy
📧 support@sitefy.in
