← Trust Center & Legal
Security

Incident Response Policy

How we detect, contain, notify and learn from security incidents.

Company: EcomSarthi Business Solutions LLP ("EcomSarthi", "we", "us", "our")
Product: Ecom10x — One Dashboard. Every Marketplace. (the "Platform" or "Service")
Effective Date: [EFFECTIVE_DATE — e.g., 1 August 2026] · Version: [VERSION — e.g., 1.0] · Next Review: [NEXT_REVIEW_DATE — e.g., 1 February 2027]

1. Definitions

  • "Security Incident" — a confirmed event compromising the confidentiality, integrity or availability of the Service or Customer Data.
  • "Personal Data Breach" — a Security Incident affecting personal data, as understood under the DPDP Act, 2023.

2. Phases

a) Detection & reporting. Sources include monitoring alerts, audit-log anomalies, fraud-detection signals, staff reports, customer reports ([SECURITY_EMAIL — e.g., security@ecom10x.in]), and vulnerability disclosures.

b) Triage & classification. Incidents are classified by severity (Critical / High / Medium / Low) based on data sensitivity, scope and exploitability. A responsible incident lead is assigned.

c) Containment. Immediate steps may include revoking tokens and sessions, rotating credentials and secrets, isolating affected components, disabling affected features, and blocking malicious sources.

d) Eradication & recovery. Root cause is removed, systems are patched and restored from clean state or backups (see Backup & Disaster Recovery Policy), and integrity is verified before normal operation resumes.

e) Notification.

  • Customers: for a Personal Data Breach affecting Customer Data, we notify affected customers without undue delay and within 72 hours of confirmation, describing the nature of the breach, likely consequences, and measures taken, and we cooperate with the customer's own obligations.
  • Authorities: we report incidents to CERT-In within the timelines mandated by its directions (currently six hours for specified incident types) and to the Data Protection Board of India where required by the DPDP Act.

f) Post-incident review. Within 10 business days of closure we complete a written review covering timeline, root cause, data impact, and corrective actions, and we track those actions to completion.

3. Evidence & Logs

Relevant logs and artefacts are preserved under legal hold for investigation and any regulatory or legal process.

4. Customer Cooperation

Customers must promptly report suspected incidents affecting their accounts and follow reasonable instructions (e.g., credential resets) during response.

5. Testing

Incident response steps are reviewed at least annually and after every Critical incident.

Governing Law & Dispute Resolution

This document is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, without regard to conflict-of-law principles.

Any dispute arising out of or in connection with this document shall first be attempted to be resolved amicably through good-faith negotiation within thirty (30) days of written notice. Failing amicable resolution, the dispute shall be referred to arbitration by a sole arbitrator appointed in accordance with the Arbitration and Conciliation Act, 1996. The seat and venue of arbitration shall be [JURISDICTION_CITY — e.g., New Delhi], India, and proceedings shall be conducted in English. Subject to the foregoing, the courts at [JURISDICTION_CITY — e.g., New Delhi], India shall have exclusive jurisdiction.

Contact

EcomSarthi Business Solutions LLP
[REGISTERED_OFFICE_ADDRESS OF ECOMSARTHI BUSINESS SOLUTIONS LLP]
Support: [SUPPORT_EMAIL — e.g., support@ecom10x.in] · Legal: [LEGAL_EMAIL — e.g., legal@ecom10x.in] · Phone: [SUPPORT_PHONE_NUMBER]