DATA SECURITY AT SITEFY
Last updated: 24 August 2025

Our promise
Sitefy Global Technologies Pvt. Ltd. (“Sitefy”, “we”, “us”) protects your data with a defense-in-depth approach that blends technical safeguards, robust processes, and responsible practices across every layer of our products and company operations. We design for privacy and security by default and by design, globally.

Security principles we follow

  • Least privilege and need-to-know access
  • Encryption in transit and at rest by default
  • Secure development lifecycle (SSDLC) with continuous testing
  • Continuous monitoring and rapid incident response
  • Vendor and sub-processor due diligence
  • Data minimization, purpose limitation, and transparent controls
  • Shared responsibility with our customers

What data we handle

  • Customer Content: the data you or your users upload or generate in Sitefy products.
  • Account & Billing Data: contact info, billing details, and plan information.
  • Service Metadata: logs, diagnostics, and telemetry needed to operate and improve our services.
    We minimize what we collect and retain only as long as necessary for the stated purposes or as required by law.

Governance & accountability

  • Executive oversight: Security and Privacy are owned at the leadership level with clear lines of accountability.
  • Policies: company-wide security, access, acceptable use, incident response, vendor risk, and secure coding policies are reviewed at least annually.
  • Training: all team members complete security, privacy, and phishing training on hire and recurrently.

Compliance & global privacy alignment
We align our program to recognized frameworks and laws, and update controls as regulations evolve:

  • Frameworks & standards: ISO/IEC 27001, NIST Cybersecurity Framework, OWASP ASVS (alignment; no implied certification).
  • Privacy & data protection: GDPR/UK GDPR, CCPA/CPRA (US), LGPD (Brazil), PIPEDA (Canada), POPIA (South Africa), DPDP Act (India), and others as applicable.
  • Cross-border transfers: when personal data moves across borders, we use appropriate safeguards permitted by applicable law (e.g., standard contractual clauses or equivalent mechanisms).

Data classification & handling

  • Data is classified (e.g., Public, Internal, Confidential, Restricted) with handling rules for storage, sharing, and retention.
  • Sensitive data receives additional protections (tighter access, extra logging, stricter retention).

Encryption & key management

  • In transit: TLS 1.2+ for all external connections; modern cipher suites only.
  • At rest: industry-standard encryption (e.g., AES-256 or equivalent) for databases, file/object storage, and backups.
  • Keys: managed via cloud-native or equivalent key management services with rotation, separation of duties, and strict access controls.

Access controls & identity

  • Single Sign-On (SSO) via SAML/OIDC where available; mandatory MFA for privileged access.
  • Role-based access control (RBAC) and just-in-time access for production systems.
  • No shared admin accounts; all access is logged and reviewed.

Secure development lifecycle (SSDLC)

  • Threat modeling and security requirements at design time.
  • Code reviews for every change; automated SAST/SCA (dependency and secret scanning).
  • Dynamic testing (DAST) on critical services; regular penetration testing by qualified third parties.
  • Segregated environments (dev/stage/prod) and change management with approvals.
  • Vulnerability management: risk-based SLAs for remediation and verification.

Infrastructure & network security

  • Hosted on reputable cloud providers with physical security, redundancy, and certified facilities.
  • Network segmentation, private subnets, security groups, WAF, and DDoS protections.
  • Hardened images and baseline configurations; timely patching of OS, containers, and runtimes.
  • Backups are encrypted and tested periodically for restorability.

Monitoring, logging & detection

  • Centralized logging for authentication, admin actions, configuration changes, and system events.
  • Alerting and anomaly detection via SIEM-class tooling; 24×7 on-call rotation for critical events.
  • Audit trails retained for a defined period to support investigations and compliance.

Business continuity & disaster recovery

  • Documented BCP/DR plans with periodic tests.
  • Redundancy across availability zones/regions where supported by the service.
  • Recovery objectives are risk-based; we continuously improve RTO/RPO targets for critical systems.

Incident response

  • Formal runbooks for triage, containment, eradication, and recovery.
  • Post-incident reviews with corrective actions and lessons learned.
  • If a data breach affecting you occurs, we will notify you without undue delay and in accordance with applicable law and our agreements.

Vendor and sub-processor management

  • Security and privacy due diligence before onboarding vendors that handle customer data.
  • Data Processing Agreements and appropriate transfer safeguards where required.
  • Ongoing reviews for material vendors; sub-processor list available upon request.

Data retention & deletion

  • Retention schedules are tied to purpose and legal requirements.
  • When you delete data, we remove it from active systems and, after backup cycles expire, from backups according to our retention policy.
  • On contract termination, we provide export options and delete remaining data per policy and law.

Customer controls (shared responsibility)

  • Use MFA and SSO for your users wherever possible.
  • Review user roles and permissions regularly.
  • Configure data retention and deletion settings that match your obligations.
  • Keep your devices and browsers updated and secured.

AI & model safety (where applicable)

  • Customer Content used for AI features is processed to provide the service; we do not use your Customer Content to train our foundation models without your explicit agreement.
  • We apply access controls, encryption, and retention policies to prompts, outputs, and intermediate artifacts similar to other Customer Content.

Children’s data
Our services are not directed to children where local law prohibits such data collection. We do not knowingly profile children for advertising.

Reporting vulnerabilities
We welcome responsible disclosure. If you believe you’ve found a security issue, email support@sitefy.co with details (affected service, steps to reproduce, impact). Please avoid testing that could disrupt services or access other users’ data. We will acknowledge receipt and work to resolve verified issues.

Contact

  • Security: support@sitefy.co
  • Privacy: support@sitefy.co