Data Security Policy

This policy describes the security practices we use for systems and data that we control, including the public website, CMS content, admin accounts, media assets, contact submissions, business records, and service delivery workspaces.

We apply reasonable technical and organisational safeguards based on the nature of the data, system risk, role, project scope, and available infrastructure. Client-controlled systems may have additional or different controls under the relevant agreement.

Administrative access is limited to authorised users who need access for operations, publishing, support, security, or delivery. We use role-based access, least privilege practices, protected admin routes, and account review where practical.

Users with access to admin or client systems are expected to keep credentials confidential, use strong authentication practices, avoid sharing accounts, and notify us promptly of suspected compromise.

Our safeguards may include HTTPS, hashed passwords, environment-managed secrets, validation on protected APIs, database backups, secure reverse proxy configuration, firewall or network controls, logging, error diagnostics, version updates, and restricted production access.

We separate public content, admin operations, and infrastructure secrets as far as practical for the relevant project and hosting environment. We avoid exposing secrets, credentials, or internal operating details in public pages, repositories, or CMS content.

We review vendor and tool choices for purpose fit, security expectations, and data handling needs. We limit data shared with processors and service providers to what is needed for hosting, communication, diagnostics, billing, security, or delivery.

Backups and logs are retained for reasonable periods to support restoration, audit, security review, and dispute handling. Access to backups and logs is restricted to authorised operational use.

Clients are responsible for lawful data collection, accurate content, user notices, consent flows, access approvals, licensed assets, and security of accounts or systems they control. Clients should avoid sending unnecessary sensitive personal data or production secrets through ordinary email or public forms.

Where we act as a processor for a client, we follow the agreed instructions and security responsibilities in the signed agreement, subject to applicable law.

If we identify a suspected security incident, we assess scope, affected systems, data categories, containment steps, recovery needs, evidence preservation, and notification obligations.

Where required, we notify affected clients, users, regulators, CERT-In, the Data Protection Board of India, or other authorities according to applicable law and contractual obligations. Timelines may depend on confirmation, severity, legal requirements, and available contact information.

We retain operational, security, contact, CMS, billing, and project records only as long as needed for service delivery, law, tax, accounting, audit, security, dispute resolution, and contractual obligations.

When data is no longer needed, we delete, anonymise, or archive it through reasonable processes, subject to backup cycles and legal holds.

To report a security concern, email contact@illumeai.in with the subject Security Concern.