Trust Center

Last Updated: Feb 7, 2026

Security, privacy, and compliance built into everything we do

BitForge is committed to maintaining the highest standards of security, privacy, and platform integrity. This Trust Center provides transparency into our security practices, compliance posture, and ongoing efforts to protect our community.

🔒

Security First

End-to-end encryption, regular security audits, and proactive threat monitoring to protect your data and transactions.

🛡️

Privacy by Design

DPDP Act and GDPR-compliant data handling with minimal collection, transparent use, and user control over personal information.

Regulatory Compliance

Adherence to Indian laws, international standards, and industry best practices for digital commerce and data protection.

Security & Infrastructure

Application Security

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 with 256-bit encryption.
  • Encryption at Rest: Sensitive data (passwords, payment details, personal information) is encrypted at rest using AES-256 encryption.
  • Password Security: User passwords are hashed using bcrypt with salt, never stored in plain text.
  • Session Management: Secure session tokens with automatic expiry and IP binding to prevent session hijacking.
  • API Security: Rate limiting, authentication tokens, and request validation to prevent abuse.

Infrastructure Security

  • Cloud Hosting: Hosted on enterprise-grade cloud infrastructure (AWS/Google Cloud) with SOC 2 Type II compliance.
  • DDoS Protection: Multi-layer DDoS mitigation to ensure platform availability during attacks.
  • Firewalls & Network Security: Web application firewall (WAF) and intrusion detection systems (IDS) monitoring all traffic.
  • Database Security: Isolated database clusters with access controls, regular backups, and point-in-time recovery.
  • Vulnerability Scanning: Automated daily scans for known vulnerabilities and misconfigurations.

Security Testing & Audits

  • Penetration Testing: Planned quarterly security penetration tests conducted by independent third-party firms.
  • Code Reviews: Mandatory security code reviews for all production deployments.
  • Dependency Scanning: Automated scanning of open-source dependencies for known security vulnerabilities.
  • Bug Bounty Program: We welcome responsible disclosure of security vulnerabilities (details below).

Data Privacy & Protection

Privacy Principles

We follow privacy-by-design principles in all product development:

  • Data Minimization: We collect only the data necessary to provide our services.
  • Purpose Limitation: Data is used only for the purposes disclosed at collection.
  • Transparency: Clear, accessible privacy notices explaining our data practices.
  • User Control: You can access, correct, delete, or export your data at any time.
  • Security: Appropriate technical and organizational measures protect your data.

Compliance Framework

  • DPDP Act 2023 (India): Full compliance with India's Digital Personal Data Protection Act, including Grievance Officer appointment and user rights mechanisms.
  • GDPR (EU): GDPR-compliant for European users, including lawful basis documentation and data transfer safeguards.
  • Data Residency: Primary data storage in India; cross-border transfers use standard contractual clauses.
  • Third-Party Vendors: All service providers undergo privacy and security assessments and sign data processing agreements.

Your Privacy Rights

You have the right to:

  • Access a copy of your personal data;
  • Correct inaccurate or incomplete data;
  • Request deletion of your data (subject to legal retention requirements);
  • Export your data in a portable format;
  • Opt out of marketing communications;
  • Lodge complaints with our Grievance Officer or data protection authorities.

Exercise your rights by contacting privacy@bittforge.in. See our Privacy Policy for details.

Payment Security

Zero Storage of Payment Credentials: BitForge never stores your credit card, debit card, or bank account details. All payment processing is handled by PCI DSS Level 1 certified payment processors.

Payment Processing Partners

  • Razorpay: Primary payment gateway for India (PCI DSS Level 1 compliant, RBI authorized).
  • Stripe: Secondary payment processor for international transactions (PCI DSS Level 1 compliant).
  • UPI & Net Banking: Direct bank integrations secured by partner gateways.

Payment credentials are tokenized and encrypted by payment processors. BitForge receives only transaction confirmations and masked card details (e.g., "XXXX-XXXX-XXXX-1234").

Fraud Prevention

  • Real-Time Fraud Detection: Machine learning models analyze transactions for suspicious patterns.
  • 3D Secure Authentication: Additional verification layer (OTP, biometric) for card transactions.
  • Velocity Checks: Automated limits on transaction frequency and amounts to prevent abuse.
  • Chargeback Monitoring: Proactive monitoring and dispute management to protect buyers and sellers.
  • IP & Device Fingerprinting: Detection of anomalous access patterns and account takeover attempts.

Payout Security for Sellers

  • Mandatory KYC verification before first payout;
  • Bank account verification via penny drop or Aadhaar linkage;
  • Automated holds on suspicious seller accounts;
  • Secure payout processing through verified banking channels;
  • Transaction audit trails for compliance and dispute resolution.

Seller Verification & Trust

Seller Onboarding Process

All Sellers undergo a multi-step verification process:

  1. Identity Verification: Government-issued ID (Aadhaar, PAN, passport) verification via third-party KYC providers.
  2. Business Verification: For registered businesses, GST number and business registration documents are verified.
  3. Bank Account Verification: Micro-deposit verification or Aadhaar-linked bank verification.
  4. Product Review: Initial product listings are manually reviewed for compliance with content policies.
  5. Ongoing Monitoring: Continuous monitoring of seller behavior, product quality, and customer feedback.

Content Moderation

  • Automated Scanning: AI-powered content analysis to detect prohibited items, malware, and policy violations.
  • Human Review: Dedicated moderation team reviews flagged content and user reports.
  • Virus Scanning: All uploaded files scanned for malware and viruses before being made available for download.
  • Intellectual Property Protection: DMCA compliance and proactive detection of copyright violations.

Trust Signals for Buyers

We provide transparency to help buyers make informed decisions:

  • Verified seller badges for KYC-completed sellers;
  • Seller ratings and reviews from verified purchases;
  • Total sales and customer satisfaction metrics;
  • Product update history and support responsiveness;
  • Clear refund policies and support contact information.

Compliance & Certifications

Regulatory Compliance

  • Digital Personal Data Protection Act (DPDP), 2023: Compliance with India's primary data protection law, including Grievance Officer designation and data rights management.
  • Information Technology Act, 2000: Adherence to intermediary guidelines and digital signature requirements.
  • Consumer Protection Act, 2019: E-commerce rules compliance, including transparent pricing and complaint redressal.
  • RBI Guidelines: Compliance with payment system regulations and KYC norms for financial transactions.
  • GST Compliance: Automated GST calculation, invoice generation, and reporting for sellers.
  • GDPR (EU Residents): Lawful basis for processing, data subject rights, and international transfer safeguards.

Industry Standards

  • ISO 27001 (In Progress): Working towards information security management system certification.
  • SOC 2 Type II: Our cloud infrastructure partners maintain SOC 2 Type II compliance.
  • PCI DSS: Payment processors are PCI DSS Level 1 compliant; BitForge operates as a PCI DSS compliant merchant.
  • OWASP Top 10: Security controls aligned with OWASP guidelines for web application security.

Third-Party Assessments

  • Planned quarterly penetration testing by certified security firms;
  • Annual compliance audits by independent auditors (phased rollout);
  • Ongoing vulnerability assessments and remediation;
  • Security vendor risk assessments for all critical service providers.

Incident Response & Business Continuity

Security Incident Response Plan

We maintain a formal incident response plan that includes:

  • Detection & Analysis: 24/7 security monitoring and automated alerting for anomalous activity.
  • Containment: Immediate isolation of affected systems to prevent spread of security incidents.
  • Eradication & Recovery: Root cause analysis, vulnerability patching, and system restoration.
  • Communication: Transparent notification to affected users within 72 hours of confirmed data breaches (as required by DPDP Act).
  • Post-Incident Review: Comprehensive analysis and implementation of preventive measures.

Data Breach Protocol

In the event of a data breach, we will:

  • Assess the scope and impact within 24-48 hours;
  • Notify the Data Protection Board of India (as required by DPDP Act);
  • Notify affected users via email with details of the breach and remediation steps;
  • Provide identity theft protection services if sensitive data is compromised;
  • Publish a public incident report (if material) on this Trust Center.

Business Continuity & Disaster Recovery

  • High Availability: Multi-region deployment with automatic failover for 99.9% uptime.
  • Data Backups: Automated daily backups with point-in-time recovery up to 30 days.
  • Geographic Redundancy: Data replicated across multiple data centers in different geographic locations.
  • Recovery Time Objective (RTO): Target recovery within 4 hours for critical services.
  • Recovery Point Objective (RPO): Maximum data loss of 1 hour for critical data.

Transparency & Reporting

Security Transparency

We believe in radical transparency about our security practices:

  • Public disclosure of security audits and certifications (where applicable);
  • Regular security posture reports published on this page;
  • Transparent incident reporting with root cause analysis;
  • Open source contributions to security tools and libraries;
  • Participation in industry security communities and knowledge sharing.

Platform Metrics (Updated Monthly)

  • Platform Uptime (Last 90 Days): 99.9%
  • Average Incident Response Time: < 72h
  • Seller KYC Verification Rate: 100%
  • Confirmed Data Breaches (All Time): 0

Compliance Reports

Available upon request for enterprise customers and partners:

  • SOC 2 Type II report (from infrastructure partners);
  • Penetration testing executive summaries;
  • Data processing agreements and standard contractual clauses;
  • Security questionnaires and vendor assessments;
  • Compliance attestation letters.

Request reports at compliance@bittforge.in with your business details and intended use.

Security Best Practices for Users

For All Users

  • Use Strong Passwords: Create unique passwords with at least 12 characters, including uppercase, lowercase, numbers, and symbols.
  • Enable Two-Factor Authentication (2FA): Add an extra layer of security to your account (coming soon).
  • Verify Email Communications: Always check that emails claiming to be from BitForge come from @bittforge.in addresses.
  • Keep Software Updated: Ensure your browser and operating system are up to date with the latest security patches.
  • Use Secure Networks: Avoid accessing your account on public Wi-Fi without a VPN.
  • Monitor Account Activity: Regularly review your transaction history and report suspicious activity immediately.
  • Log Out on Shared Devices: Always log out when using BitForge on public or shared computers.

For Buyers

  • Verify seller ratings and reviews before purchasing;
  • Read product descriptions and system requirements carefully;
  • Download products from official BitForge links only;
  • Scan downloaded files with antivirus software before opening;
  • Report suspicious products or sellers to our support team.

For Sellers

  • Complete KYC verification to build trust with buyers;
  • Upload only products you own or have rights to sell;
  • Scan all uploaded files for malware before listing;
  • Provide accurate product descriptions and support information;
  • Respond promptly to buyer inquiries and support requests;
  • Keep your payout information and tax details up to date.

⚠️ Recognizing Phishing & Scams

BitForge will NEVER:

  • Ask for your password via email or phone;
  • Request credit card details outside of our secure payment flow;
  • Send you unsolicited links asking you to verify your account;
  • Threaten account suspension without prior policy violations;
  • Ask you to make payments via wire transfer or cryptocurrency.

If you receive suspicious communications claiming to be from BitForge, forward them to security@bittforge.in immediately.

Responsible Security Disclosure

Bug Bounty Program

We welcome security researchers and ethical hackers to help us identify vulnerabilities. If you discover a security issue, we encourage responsible disclosure.

How to Report a Vulnerability

Email: security@bittforge.in

Include in your report:

  • Detailed description of the vulnerability;
  • Steps to reproduce the issue;
  • Potential impact and severity assessment;
  • Proof of concept (if applicable);
  • Your contact information for follow-up;
  • Any suggested remediation steps.

Response Timeline:

  • Acknowledgment within 48 hours;
  • Initial assessment within 5 business days;
  • Regular updates on remediation progress;
  • Resolution timeline based on severity (critical issues within 72 hours).

Responsible Disclosure Guidelines

We ask that security researchers:

  • Report vulnerabilities privately before public disclosure;
  • Give us reasonable time to investigate and remediate (90 days for non-critical, 30 days for critical);
  • Do not access, modify, or delete user data without explicit permission;
  • Do not perform actions that could harm platform availability (e.g., DDoS testing);
  • Do not exploit vulnerabilities for personal gain or to harm users;
  • Comply with all applicable laws and regulations.

Recognition & Rewards

  • Hall of Fame: Public recognition on this page for responsible disclosure (with your permission).
  • Bounty Rewards: Monetary rewards for qualifying vulnerabilities based on severity (program details coming soon).
  • Direct Communication: Opportunity to work directly with our security team on remediation.

Out of Scope

The following are not eligible for bounty rewards:

  • Denial of service (DoS/DDoS) attacks;
  • Social engineering attacks against BitForge employees;
  • Physical attacks against BitForge infrastructure;
  • Reports from automated scanners without validation;
  • Known issues already reported or publicly disclosed;
  • Issues in third-party services not under BitForge control;
  • Missing security headers without demonstrated impact;
  • Self-XSS or issues requiring significant user interaction;
  • Vulnerabilities in deprecated or EOL software versions clearly marked as unsupported.

Security Contact Information

Security Team Contacts

Security Vulnerabilities & Bug Reports

Email: security@bittforge.in

Use for: Vulnerability disclosure, security bugs, penetration test findings

Privacy & Data Protection

Email: privacy@bittforge.in

Use for: Data access requests, privacy concerns, GDPR/DPDP queries

Grievance Officer (DPDP Act)

Email: grievance@bittforge.in

Use for: Formal complaints, data rights escalation, regulatory concerns

Compliance & Legal

Email: compliance@bittforge.in

Use for: Compliance reports, legal requests, audit inquiries

General Support

Email: support@bittforge.in

Use for: Account issues, transaction problems, general inquiries

PGP Public Key (Coming Soon)

For encrypted communications, our PGP public key will be available here. In the meantime, sensitive information can be shared via encrypted email or secure file transfer upon request.

Business Address

BitForge Technologies Pvt. Ltd.

Pune, Maharashtra, India

Trust Center Last Updated: February 7, 2026

This page is updated regularly as we improve our security posture and introduce new trust initiatives. Material changes will be highlighted at the top of this page.