Security at Indostra
Built for restaurants, designed with enterprise-grade controls: encryption, access management, monitoring, and a documented incident response plan.
Regulatory alignment (India)
Indostra processes digital personal data under the Digital Personal Data Protection Act, 2023, and follows the principles of lawful purpose, consent, collection limitation, data minimization, and deletion once the purpose is complete.
Where applicable, Indostra also implements “reasonable security practices and procedures” under Section 43A of the IT Act and the SPDI Rules, including a documented ISMS with managerial, technical, operational, and physical controls.
Data protection
- Encryption in transit via TLS 1.2+ and at rest for databases and backups.
- Role‑based access control with least privilege and periodic access reviews.
- Segregated environments (dev/stage/prod) and configuration-as-code for repeatability.
- Backups with tested restoration procedures and retention aligned to business needs.
- Audit logging of administrative actions and sensitive events with alerting.
Vulnerability & dependencies
- Automated dependency scanning and patching windows for critical CVEs.
- Secure development lifecycle with code review and secret scanning.
- Optional coordinated disclosure: security@indostra.com for reports.
Breach response
In the unlikely event of a personal data breach, Indostra will assess impact and notify affected individuals and the Data Protection Board as required under DPDP rules, alongside containment and eradication actions.
Communications include the nature of the incident, affected data categories (if known), steps taken, and recommended user actions, with follow‑up once remediation is complete.
Grievance officer (India)
A grievance mechanism is available for questions or complaints about personal data handling; contact our Grievance Officer at grievance@indostra.com.
Per legacy SPDI practice, complaints are acknowledged and addressed within a reasonable period; for DPDP requests, lawful timelines and verification will apply.
Data subject requests
Requests to access, correct, delete, or withdraw consent for personal data will be honored in line with the DPDP Act; identity verification may be required, and certain legal exceptions can apply.