How We Protect Your Data
At Messagify Technologies, security is not a feature — it is the foundation every layer of our platform is built on. This page discloses our current security practices, regulatory compliance posture, and roadmap for additional certifications. We update this page as our posture evolves. Last updated: June 2026.
Overview
Messagify Technologies Pvt. Ltd. operates a cloud-based, multi-tenant SaaS platform that processes business communication on behalf of our customers — including WhatsApp messages, SMS, email, and voice. The sensitivity of this data places security and regulatory compliance at the top of our operational priorities.
We hold all staff to strict data handling policies, undergo periodic internal security reviews, and are actively working toward external certification (ISO 27001 and SOC 2 Type II). Our platform is built exclusively in India and is designed to comply with the Digital Personal Data Protection Act, 2023 (DPDPA) and Telecom Regulatory Authority of India (TRAI) guidelines.
Regulatory Compliance
TRAI Compliance
All SMS messaging routes on the Messagify platform operate through TRAI-registered, Distributed Ledger Technology (DLT) compliant telecom infrastructure. Our sender IDs, templates, and principal entity registrations are maintained in compliance with TRAI's commercial communication regulations.
- DLT-registered sender IDs and message templates
- Consent-based promotional messaging enforcement
- NDNC / DND scrubbing on promotional SMS routes
- Time-restriction enforcement (9 AM – 9 PM IST for promotional messages)
WhatsApp Business API
The Messagify platform integrates with the official WhatsApp Business API via Meta's approved partner ecosystem. All WhatsApp message templates are subject to Meta's review and approval process before they can be used in campaigns.
Telecom Registration
Messagify Technologies Pvt. Ltd. is registered as a Telecom Service Provider with the Department of Telecommunications (DoT), Government of India. Our services operate within the regulatory framework prescribed by the Indian Telegraph Act and the Telecom Regulatory Authority of India Act.
Data Security
Encryption in Transit
All data transmitted between users and the Messagify platform is encrypted using TLS 1.2 or higher. Our web properties enforce HTTPS exclusively — HTTP connections are automatically redirected. API endpoints are accessible only via secure connections.
Encryption at Rest
Customer data stored in our databases is encrypted at rest using AES-256 encryption. Backup data is also stored in encrypted form.
API Security
- Bearer token authentication on all API endpoints
- Rate limiting on public-facing APIs to prevent abuse
- Request signing (HMAC-SHA256) on webhook deliveries
- IP allowlisting available for enterprise accounts
Secrets Management
API keys, database credentials, and private keys are stored in environment-level secret stores and are never committed to version control systems. Access is restricted to authorised deployment pipelines.
Infrastructure
The Messagify platform is hosted on enterprise-grade cloud infrastructure in India, ensuring data residency within Indian jurisdiction. We do not transfer personal data outside India without explicit consent or legal basis.
- Cloud infrastructure hosted within India
- Automated backups with point-in-time recovery
- 99.9% uptime SLA on platform services
- Network-level DDoS protection
- Infrastructure monitored 24/7 with automated alerting
- Isolated tenant environments: one customer cannot access another customer's data
Access Controls
- Role-based access control (RBAC) at both platform and tenant level
- Principle of least privilege enforced across all internal systems
- Multi-factor authentication (MFA) available for platform accounts
- All employee access to production systems is logged and audited
- Access is reviewed and revoked promptly upon staff offboarding
- Privileged access to customer data requires managerial approval and is logged
Data Privacy
Digital Personal Data Protection Act, 2023 (DPDPA)
Messagify Technologies is committed to compliance with India's Digital Personal Data Protection Act, 2023. We act as a Data Fiduciary in respect of data collected directly (account registrations, form submissions, contact records) and as a Data Processor in respect of customer communication data processed on behalf of our business customers.
- Data collection limited to the purpose declared at the point of collection
- Data subjects can request access, correction, or deletion of their personal data
- Consent records maintained where consent is the legal basis for processing
- Data retention periods defined and enforced per data category
Data Retention
We retain customer data for the duration of the subscription and for up to 90 days after account closure, to support dispute resolution. Message logs are retained for 12 months. Upon written request, data can be purged earlier. Full details are in our Privacy Policy.
GDPR
For European users or customers with EU-resident data subjects, we handle personal data in a manner consistent with GDPR principles. We do not proactively market to European consumers without a valid legal basis. Contact info@messagify.in to discuss GDPR-specific data processing agreements.
Business Continuity
- Recovery Time Objective (RTO): < 4 hours for critical services
- Recovery Point Objective (RPO): < 1 hour (continuous database backups)
- Disaster recovery runbooks maintained and reviewed quarterly
- Multi-zone redundancy for critical infrastructure components
- Incident response plan with defined escalation paths
- Planned maintenance communicated at least 48 hours in advance
Responsible Disclosure
If you believe you have found a security vulnerability in the Messagify platform, we ask that you report it to us responsibly. Do not exploit the vulnerability or disclose it publicly before giving us reasonable time to address it.
Please send vulnerability reports to: security@messagify.in. We will acknowledge your report within 48 hours and aim to resolve critical issues within 14 days.
Compliance & Certification Matrix
| Control Area | Status | Detail |
|---|---|---|
| HTTPS Enforcement | ✓ Active | TLS 1.2+ on all endpoints. HTTP → HTTPS redirect. |
| Data Encryption at Rest | ✓ Active | AES-256 on all production databases. |
| API Authentication | ✓ Active | Bearer tokens + HMAC signing on webhooks. |
| Access Logging & Audit | ✓ Active | All privileged access to production is logged. |
| RBAC | ✓ Active | Role-based access at platform and tenant level. |
| Privacy Policy | ✓ Published | Available at messagify.in/privacy |
| Terms of Service | ✓ Published | Available at messagify.in/terms |
| Cookie Consent | ✓ Active | Banner with opt-in/out on first visit. |
| DPDPA Compliance | ✓ Active | Data subject rights, consent management, retention policy. |
| ISO 27001 Certification | ⏳ In Progress | Audit preparation underway. Target: Q4 2026. |
| SOC 2 Type II | ⏳ In Progress | Controls documentation in progress. Target: 2027. |
Security Questions?
For security inquiries, data processing agreements, or compliance documentation requests, contact our team directly.
security@messagify.in