Home / Legal / Security
Legal

Security

How BulkMessageSender keeps your data and your customers' data safe.

Last updated · 1 May 2026 · Effective for all BulkMessageSender customers globally.

1. Security programme

BulkMessageSender operates a SOC 2 Type II audited and ISO 27001 certified information security programme. Our latest reports are available under NDA — contact security@serves.in to request a copy.

2. Infrastructure

BulkMessageSender runs on Amazon Web Services in the Mumbai region (ap-south-1). Customer Data is encrypted at rest using AES-256 with keys managed by AWS KMS. All data in transit uses TLS 1.3.

Our production environment is segregated from staging and development. Access to production systems requires hardware-token two-factor authentication and is logged in a tamper-evident audit log.

3. Access controls

Internal access follows the principle of least privilege. All staff access is provisioned through SSO and revoked within four hours of role change or departure. Production database access requires a justified, time-bounded ticket reviewed by a second engineer.

For customers

Inside your workspace, you can enable two-factor authentication for all users (recommended), set role-based permissions, and enforce SSO via SAML 2.0 on the Scale plan.

4. Data handling

Customer Data is encrypted at rest, segregated per workspace, and never used for product development or model training. Backups are encrypted and retained for 30 days. Deletion follows our Data Deletion Policy.

5. Vulnerability management

We run continuous static analysis on every commit, dependency scanning every 24 hours, and weekly authenticated dynamic scans against production. We commission a third-party penetration test annually; a redacted summary is available under NDA.

Responsible disclosure

Found a security issue? Email security@serves.in with details. We respond within 48 hours and reward valid reports based on severity. Please don't disclose publicly until we've shipped a fix.

6. Incident response

We maintain a 24/7 on-call rotation. In the event of a confirmed security incident affecting Customer Data, we notify the affected Customers without undue delay and no later than 72 hours after confirmation, in accordance with Indian and EU data-protection law.

7. Certifications & reports

  • SOC 2 Type II (annual)
  • ISO/IEC 27001:2022 (annual)
  • DPDP Act 2023 compliance (India)
  • GDPR-aligned controls (EU customers)

8. Contact

For security questions or to report a vulnerability, write to security@serves.in. PGP key on request.