Security

Effective date: 1 June 2025
Governed by the laws of Mauritius

Contents
  1. Our Security Commitment
  2. Legal Framework
  3. Infrastructure Security
  4. Data Encryption
  5. Access Controls
  6. Application Security
  7. Data Retention & Deletion
  8. Incident Response & Breach Notification
  9. Third-Party Providers
  10. Client Responsibilities
  11. Vulnerability Disclosure
  12. Contact

1. Our Security Commitment

Badalytics is built on the principle that dealership data — including customer conversations, lead information, and business communications — must be treated with the highest level of care. We implement technical and organisational security measures that are appropriate to the risk and nature of the personal data we process.

  • Confidentiality: Data is accessible only to authorised personnel and systems on a strict need-to-know basis.
  • Integrity: Data cannot be altered, corrupted, or tampered with by unauthorised parties.
  • Availability: The Platform is designed for high availability with redundancy and failover measures in place.
  • Accountability: All processing activities are logged, auditable, and aligned with the DPA 2017.

2. Legal Framework

Our security practices are designed to meet the requirements of the following legislation and standards applicable in the Republic of Mauritius:

  • Data Protection Act 2017 (DPA 2017): requires data controllers and processors to implement "appropriate technical and organisational measures" (Section 26) to protect personal data against accidental loss, destruction, damage, alteration, or unauthorised disclosure or access;
  • Information and Communication Technologies Act (ICT Act): governs the security of communications systems and networks;
  • Electronic Transactions Act 2000: provides the legal basis for electronic records and security of electronic communications;
  • Computer Misuse and Cybercrime Act 2003: criminalises unauthorised access to computer systems and data, providing the legal backdrop to our access control obligations.

Where applicable, we also align our practices with internationally recognised security frameworks including ISO/IEC 27001 information security management principles.

3. Infrastructure Security

The Platform is hosted on reputable cloud infrastructure providers that operate data centres with industry-standard physical and environmental controls. Our infrastructure security measures include:

  • Physical security: data centres are equipped with controlled access, CCTV surveillance, biometric authentication, and 24/7 on-site security;
  • Network security: firewall rules, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are deployed to monitor and filter traffic;
  • DDoS protection: distributed denial-of-service mitigation is active at the network layer;
  • Redundancy and backups: data is backed up regularly with geo-redundant storage. Backup integrity is tested periodically;
  • Patch management: operating systems, software dependencies, and third-party libraries are updated and patched on a regular schedule.

Platform uptime monitoring: Active
Automated backup schedule: Daily
Network intrusion detection: Active
DDoS mitigation: Active

4. Data Encryption

We apply encryption as a core layer of protection for all data at rest and in transit:

  • In transit: all data transmitted between clients, users, and the Platform is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS;
  • At rest: sensitive data stored in our databases and object storage is encrypted using AES-256 or equivalent symmetric encryption;
  • Messaging data: communications processed through WhatsApp Business API are subject to WhatsApp's end-to-end encryption at the transport layer. Once received by the Platform, messages are encrypted at rest in our storage systems;
  • Encryption key management: encryption keys are managed using a secure key management system (KMS) with rotation policies and strict access controls.

5. Access Controls

Access to client data and internal systems is governed by the principle of least privilege — individuals and systems are granted only the minimum access required to perform their function.

  • Authentication: all user access to the Platform requires password authentication. Strong password policies are enforced. Multi-factor authentication (MFA) is available and recommended for all accounts;
  • Role-based access control (RBAC): client Users are assigned roles (e.g. Admin, Agent, View-only) that restrict access to data and features appropriate to their responsibilities;
  • Internal access: Badalytics staff access to production systems is limited to authorised personnel, protected by MFA and VPN, and subject to audit logging;
  • Access reviews: access privileges are reviewed periodically and revoked promptly upon a User's departure or change of role;
  • Session management: user sessions time out after a period of inactivity to reduce the risk of unauthorised access from unattended devices.

6. Application Security

We follow secure software development practices throughout the lifecycle of the Platform:

  • Secure development lifecycle (SDLC): security requirements are integrated into the design, development, and testing phases of all features;
  • Code review: all code changes are reviewed by qualified engineers before deployment, with security-focused review for features handling personal data;
  • Dependency scanning: third-party libraries and packages are automatically scanned for known vulnerabilities as part of the continuous integration (CI) pipeline;
  • Input validation: all user-supplied inputs are validated and sanitised to prevent injection attacks (SQL injection, XSS, etc.);
  • API security: all API endpoints require authentication tokens and are rate-limited to prevent abuse;
  • Penetration testing: the Platform is subject to periodic security assessments and penetration tests by qualified security professionals.

7. Data Retention & Deletion

Data is retained only for as long as necessary and in accordance with the retention periods set out in our Privacy Policy and individual Data Processing Agreements with clients.

  • Automated deletion: data subject to defined retention periods is automatically flagged for deletion at expiry;
  • Secure deletion: when data is deleted, it is permanently and irreversibly removed from active systems and scheduled for overwrite on underlying storage media;
  • Client-requested deletion: upon receipt of a valid deletion request (whether from a data subject under the DPA 2017 or from a client following contract termination), data is deleted within 30 days subject to any legal retention obligations.

8. Incident Response & Breach Notification

Badalytics maintains a documented incident response plan to ensure swift and effective response to any security incident or personal data breach. Our response process follows the requirements of Section 36 of the DPA 2017:

  • Detection and containment: security incidents are detected through automated monitoring alerts and are immediately triaged by our operations team;
  • Assessment: the nature, scope, and risk of the incident are assessed within 24 hours of detection;
  • Notification to the Data Protection Commissioner: where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Data Protection Commissioner of Mauritius without undue delay and, where feasible, within 72 hours of becoming aware;
  • Notification to affected clients and data subjects: where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected clients and data subjects without undue delay, in accordance with the DPA 2017;
  • Post-incident review: all significant incidents are subject to a root-cause analysis and remediation plan to prevent recurrence.

Reporting a suspected incident: If you believe you have identified a security vulnerability or a potential data breach involving the Badalytics Platform, please report it to us immediately at info@badalytics.io marked "SECURITY INCIDENT".

9. Third-Party Providers

We use a limited number of trusted third-party service providers to deliver the Platform. All third-party providers are assessed for their security posture before engagement and are required to:

  • Enter into a Data Processing Agreement (DPA) that imposes equivalent data protection obligations;
  • Maintain adequate security certifications or demonstrate compliance with applicable security standards;
  • Notify Badalytics promptly of any security incidents affecting data processed on our behalf.

Key third-party integrations include communication channel providers (Meta/WhatsApp Business API, Instagram, Facebook Messenger), cloud infrastructure providers, and analytics tools. Each provider's data handling is subject to their own published security and privacy documentation, which we review as part of our ongoing vendor management process.

10. Client Responsibilities

Security is a shared responsibility. While Badalytics is responsible for the security of the Platform infrastructure and its underlying systems, clients are responsible for:

  • Managing their users' access credentials and ensuring strong password practices are followed;
  • Enabling and enforcing multi-factor authentication for their user accounts;
  • Ensuring only authorised individuals have access to the Platform under their subscription;
  • Promptly notifying Badalytics of any actual or suspected compromise of account credentials;
  • Ensuring that their own use of the Platform — including the messages they send and the data they process — complies with all applicable laws, including the DPA 2017 and the ICT Act;
  • Maintaining up-to-date devices and software used to access the Platform.

11. Vulnerability Disclosure

Badalytics welcomes responsible disclosure of security vulnerabilities. If you have identified a potential security issue in our Platform or website, we ask that you:

  • Report it to us in confidence at info@badalytics.io with the subject line "VULNERABILITY DISCLOSURE";
  • Provide sufficient detail to allow us to reproduce and assess the issue;
  • Allow us a reasonable timeframe to investigate and remediate the vulnerability before any public disclosure;
  • Not access, modify, delete, or exfiltrate data belonging to Badalytics or its clients in the course of testing.

We commit to acknowledging your report within 3 business days and to keeping you informed of our progress. We will not pursue legal action against researchers acting in good faith in accordance with these guidelines.

12. Contact

For any security-related questions, concerns, or disclosures, please contact us:

Badalytics — Security Contact

Email: info@badalytics.io (mark subject: SECURITY)

WhatsApp: +230 5251 8400

For urgent security incidents, WhatsApp is the fastest channel.

© 2025 Badalytics