TRUST

How we handle your data.

We are an early-stage company, and our trust posture reflects that. We are DPDP-compliant today, India-resident by default, and honest about what we have yet to certify. Read on, and ask anything we have not covered.

Fursat Farms Pvt. Ltd. · Siliguri, West Bengal · CIN U55101WB2023PTC266520

DPDP Act 2023 compliant

India's Digital Personal Data Protection Act came into force in 2023. We operate as a data fiduciary for our direct users and as a data processor for guest data flowing through the platform on behalf of each chain. Named grievance officer, seven-day acknowledgement, thirty-day resolution, all per §13.

India data residency

Primary database lives in Mumbai (ap-south-1). Application functions run pinned to the Mumbai (bom1) region. Caching is Mumbai-resident too. We send data to overseas sub-processors only where the feature requires it, under contractual safeguards permitted by DPDP.

Tenant isolation

Every database query runs inside a tenant scope. The Prisma extension fails closed on missing tenant context. Two chains on the same platform cannot see each other's data, even by accident, even if a developer forgets a filter.

Encryption in transit and at rest

TLS 1.2 or higher for everything that crosses a wire. AES-256 at rest in the database. Secrets encrypted with platform KMS. Bring your own KMS for chain plans is on the roadmap.

VENDORS WE TRUST

Every sub-processor, accounted for.

Category	Purpose
Cloud hosting + edge network	Application runtime, Mumbai (bom1)
Database + cache	Primary store and tenant cache, Mumbai (ap-south-1)
Authentication	Sign-in, sessions, organizations
Payments + billing	Subscription billing and UPI mandates, India
Messaging delivery	WhatsApp Business delivery, India
Telephony	Inbound voice numbers and SIP, India
Voice AI	Agent orchestration and Hindi text-to-speech
Indic speech + translation	Speech recognition and translation, India
AI language models	Language understanding and drafts
Channel manager	OTA inventory and reservation sync (when connected); rated Premier in Booking.com’s Connectivity Partner Programme

Categories and data regions live in the privacy policy. The named vendor list is available to customers: sign in to view it at /legal/subprocessors or request it at hi@fursat.fun. We update it when we change vendors.

INCIDENT RESPONSE

What happens when something breaks.

Five steps. The seventy-two hour notification window is the legal floor, not the target. We are usually inside two hours for impact, twenty-four for cause.

01Detection: pager rotation on the engineering team, plus user-reported reports to hi@fursat.fun.
02Triage: the on-call engineer opens a war room within thirty minutes, scopes blast radius, and assigns a single incident commander.
03Containment: rollback or hotfix prioritized over root cause. We keep audit trails of every privileged action so a rollback is always available.
04Notification: if personal data is affected, we notify you and the Data Protection Board of India within seventy-two hours, per DPDP §8(6).
05Post-mortem: a written, blameless review shared with affected customers within seven business days. The fix lands before the report is closed.

HONEST ROADMAP

We do not have SOC 2 yet.

We have not completed a SOC 2 audit, an ISO 27001 audit, or a formal pen-test. We will not claim otherwise. Here is the timeline we are committing to, and we will update it when reality moves.

Penetration test by an India-based external firmQ3 2026
SOC 2 Type I readiness assessmentQ4 2026
SOC 2 Type I auditQ1 2027
ISO 27001 statement of applicabilityQ2 2027

Security questions?

Send your security questionnaire, your vendor risk assessment, or your specific question to hi@fursat.fun. The founder answers within a business day, usually the same hour. For DPDP-specific requests, see the privacy policy.