← Trust Center & Legal
Security

Security Policy

The technical and organisational measures protecting Ecom10x.

Company: EcomSarthi Business Solutions LLP ("EcomSarthi", "we", "us", "our")
Product: Ecom10x — One Dashboard. Every Marketplace. (the "Platform" or "Service")
Effective Date: [EFFECTIVE_DATE — e.g., 1 August 2026] · Version: [VERSION — e.g., 1.0] · Next Review: [NEXT_REVIEW_DATE — e.g., 1 February 2027]

1. Purpose

This Policy describes the technical and organisational measures ("TOMs") EcomSarthi applies to protect the Ecom10x Platform and Customer Data. It reflects current practice; we do not claim certifications we do not hold.

2. Encryption

  • In transit: all traffic to and within the Service uses HTTPS with TLS. Plain-HTTP access is not served.
  • At rest: databases and backups are encrypted at rest on our cloud infrastructure.
  • Tokens: Marketplace OAuth, access and refresh tokens are stored encrypted, are never displayed back in full (masked to last characters in the UI), are never included in exports or logs, and are deleted within 24 hours of disconnection.

3. Access Control

  • Role-based access control (RBAC): Owner, Admin, Account Manager, VA/Executive and Client-Viewer roles, with per-client scoping for restricted roles.
  • Least privilege: staff and system components receive only the access necessary for their function; production data access is restricted, logged and reviewed.
  • Tenant isolation: every query is scoped to the requesting organisation; cross-tenant access is denied by design and verified in code review.
  • Session management: signed session tokens, automatic logout on inactivity, and immediate invalidation on logout.
  • Password policy: minimum 8 characters (longer encouraged), stored only as salted adaptive hashes (bcrypt); passwords are never stored or transmitted in plaintext and never requested for Marketplaces.

4. Application Security

  • Input validation and output encoding; CSRF protection on state-changing requests; protection against common OWASP risks.
  • API rate limiting and login throttling to resist brute force and abuse.
  • Audit logs for security-relevant events (logins, permission changes, connections/disconnections, imports, destructive actions).
  • Dependency and platform updates applied on a periodic schedule, expedited for critical vulnerabilities.

5. Infrastructure

Hosting on reputable cloud providers (see Subprocessor Policy) with provider-level physical security, network controls and DDoS mitigations. Access to infrastructure consoles is limited to authorised personnel with strong authentication.

6. Monitoring & Fraud Detection

We monitor availability, error rates and anomalous access patterns, apply fraud-detection heuristics on suspicious account behaviour, and investigate alerts under the Incident Response Policy.

7. Personnel

Personnel with data access are bound by confidentiality obligations and receive security guidance appropriate to their role. Access is revoked promptly on role change or exit.

8. Customer Responsibilities

Security is shared: keep credentials confidential, assign least-privilege roles to your team, remove leavers promptly, verify export destinations, and report suspected compromise to [SECURITY_EMAIL — e.g., security@ecom10x.in] immediately.

9. Reporting

Security concerns or suspected vulnerabilities: see the Vulnerability Disclosure Policy, or write to [SECURITY_EMAIL — e.g., security@ecom10x.in].

Governing Law & Dispute Resolution

This document is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, without regard to conflict-of-law principles.

Any dispute arising out of or in connection with this document shall first be attempted to be resolved amicably through good-faith negotiation within thirty (30) days of written notice. Failing amicable resolution, the dispute shall be referred to arbitration by a sole arbitrator appointed in accordance with the Arbitration and Conciliation Act, 1996. The seat and venue of arbitration shall be [JURISDICTION_CITY — e.g., New Delhi], India, and proceedings shall be conducted in English. Subject to the foregoing, the courts at [JURISDICTION_CITY — e.g., New Delhi], India shall have exclusive jurisdiction.

Contact

EcomSarthi Business Solutions LLP
[REGISTERED_OFFICE_ADDRESS OF ECOMSARTHI BUSINESS SOLUTIONS LLP]
Support: [SUPPORT_EMAIL — e.g., support@ecom10x.in] · Legal: [LEGAL_EMAIL — e.g., legal@ecom10x.in] · Phone: [SUPPORT_PHONE_NUMBER]