DATA SECURITY

Security & Data Protection Policy

Last updated: June 8, 2026

BlackSMS ("we," "our," or "us"), hosted at https://blacksms.in, is committed to safeguarding customer credentials, transaction records, and recipient contact databases. This Security & Data Protection Policy details our technical security controls, data storage standards, and regulatory alignment under India's Digital Personal Data Protection (DPDP) Act, 2023.

1. Data Encryption

We utilize industry-standard cryptographic techniques to secure data throughout its lifecycle:

  • In Transit: All communication between customer applications and our gateways is encrypted using Transport Layer Security (TLS 1.2 and TLS 1.3) protocols.
  • At Rest: Sensitive customer databases, password hashes, API credentials, and identity documents submitted for KYC are encrypted using Advanced Encryption Standard (AES-256) at the storage tier.

2. Infrastructure & Network Security

Our gateway infrastructure is hosted in tier-3 equivalent cloud data centers with robust physical and logical barriers:

  • Firewall Protection: Web Application Firewalls (WAF) scan and block malicious traffic, SQL injection attacks, and cross-site scripting (XSS) attempts.
  • DDoS Mitigation: Automated traffic filtering systems protect our APIs against Distributed Denial of Service (DDoS) attempts.
  • Intrusion Detection: We employ real-time monitoring to detect and alert our security response team of any unauthorized server access attempts.

3. Database Isolation & Access Controls

Customer data is logically segmented inside our systems, preventing any cross-tenant data leaks. Access to production servers is strictly limited to authorized engineering personnel using Multi-Factor Authentication (MFA) and secure VPNs. Detailed audit logs are maintained for all access events to guarantee traceability.

4. Compliance: Indian DPDP Act 2023

In accordance with the Digital Personal Data Protection (DPDP) Act, 2023:

  • Purpose Limitation: We process recipient phone numbers and message content solely for the purpose of transmitting SMS requests to telecommunication networks on your behalf.
  • Data Portability & Erasure: Customers can request the deletion of their accounts and associated personal data, subject to regulatory data retention laws.
  • Local Processing: All customer information and message logs originating from Indian entities are stored in secure cloud systems located physically within India.

5. Incident Management and Breach Notification

In the highly unlikely event of a security compromise or data breach, BlackSMS will execute its Incident Response Plan. We will notify affected customers and regulatory bodies (such as CERT-In) within 72 hours of detecting a verified data breach, outlining the nature of the breach, affected records, and remediation steps.

Disclaimer: While BlackSMS takes exhaustive technical measures to secure data, customers must ensure the security of their own credentials, API keys, and endpoint servers to prevent unauthorized access.
