TRUST

How we handle your data.

We are an early-stage company, and our trust posture reflects that. We are DPDP-compliant today, India-resident by default, and honest about what we have yet to certify. Read on, and ask anything we have not covered.

Fursat Farms Pvt. Ltd. · Siliguri, West Bengal · CIN U55101WB2023PTC266520

DPDP Act 2023 compliant

India's Digital Personal Data Protection Act came into force in 2023. We operate as a data fiduciary for our direct users and as a data processor for guest data flowing through the platform on behalf of each chain. Named grievance officer, seven-day acknowledgement, thirty-day resolution, all per §13.

India data residency

Primary database lives in MongoDB Atlas, Mumbai (ap-south-1). Application functions run on Vercel pinned to Mumbai (bom1). Caching on Upstash, also Mumbai. We send data to overseas sub-processors only where the feature requires it, under contractual safeguards permitted by DPDP.

Tenant isolation

Every database query runs inside a tenant scope. The Prisma extension fails closed on missing tenant context. Two chains on the same platform cannot see each other's data, even by accident, even if a developer forgets a filter.

Encryption in transit and at rest

TLS 1.2 or higher for everything that crosses a wire. AES-256 at rest in MongoDB Atlas. Secrets in Vercel encrypted with platform KMS. Bring your own KMS for chain plans is on the roadmap.

VENDORS WE TRUST

Every sub-processor, named.

Vendor	Purpose
Clerk	Authentication and organizations
Cashfree	Subscription billing and UPI mandates
Vercel	Hosting and edge functions, Mumbai (bom1)
MongoDB Atlas	Primary database, Mumbai (ap-south-1)
Upstash Redis	Tenant cache and rate limiting, ap-south-1
NextPax	OTA channel manager (exclusive)
Gupshup	WhatsApp Business delivery, India
Retell	Voice agent orchestration
Cartesia	Text-to-speech (Sonic Hindi)
Sarvam	Indic STT and translation
Google (Gemini)	Language understanding and drafts

The full list of vendors, including their data regions and what data they touch, lives in the privacy policy. We update it when we change vendors.

INCIDENT RESPONSE

What happens when something breaks.

Five steps. The seventy-two hour notification window is the legal floor, not the target. We are usually inside two hours for impact, twenty-four for cause.

01Detection: pager rotation on the engineering team, plus user-reported reports to hi@fursat.fun.
02Triage: the on-call engineer opens a war room within thirty minutes, scopes blast radius, and assigns a single incident commander.
03Containment: rollback or hotfix prioritized over root cause. We keep audit trails of every privileged action so a rollback is always available.
04Notification: if personal data is affected, we notify you and the Data Protection Board of India within seventy-two hours, per DPDP §8(6).
05Post-mortem: a written, blameless review shared with affected customers within seven business days. The fix lands before the report is closed.

HONEST ROADMAP

We do not have SOC 2 yet.

We have not completed a SOC 2 audit, an ISO 27001 audit, or a formal pen-test. We will not claim otherwise. Here is the timeline we are committing to, and we will update it when reality moves.

Penetration test by an India-based external firmQ3 2026
SOC 2 Type I readiness assessmentQ4 2026
SOC 2 Type I auditQ1 2027
ISO 27001 statement of applicabilityQ2 2027

Security questions?

Send your security questionnaire, your vendor risk assessment, or your specific question to hi@fursat.fun. The founder answers within a business day, usually the same hour. For DPDP-specific requests, see the privacy policy.