Data Security Policy

ContactZap – WhatsApp Contact Exporter

Issued by Synx Automation Private Limited | March 2025
CIN: U62099KL2024PTC087457 | GSTIN: 32ABNCS3504L1Z8
77 Spaces, Kumarapuram, Trivandrum, Kerala – 695011, India

1. Purpose & Scope

This Data Security Policy ("Policy") describes the technical and organisational security measures implemented by Synx Automation Private Limited ("Synx") to protect data processed through ContactZap – WhatsApp Contact Exporter ("the Service").

This Policy applies to all data stored, transmitted, or processed by Synx on behalf of users of the Service, and is designed in alignment with the Information Technology Act, 2000, SPDI Rules, 2011, Digital Personal Data Protection Act, 2023, and ISO 27001 principles.

2. Meta Platform Security Notice

Important Notice:

Synx Automation Private Limited is a Meta Solutions Partner. Meta Platforms, Inc. does not endorse or promote ContactZap – WhatsApp Contact Exporter. Security of data transmitted through Meta APIs (including WhatsApp Business API) is subject to Meta's security infrastructure and terms in addition to Synx's own security controls described herein.

3. Data Classification

Synx classifies data into the following tiers:

  • Confidential: Personal data, payment credentials, API keys, and authentication tokens. Highest level of protection applies.
  • Internal: Business configuration data, usage analytics, and operational logs. Access restricted to authorised personnel.
  • Public: Marketing content, documentation, and publicly available product information. No special restrictions apply.

4. Infrastructure & Hosting Security

4.1 Cloud Infrastructure

The Service is hosted on enterprise-grade cloud infrastructure (such as AWS, Google Cloud, or equivalent providers) with:

  • Geographically redundant data centres with physical access controls.
  • Automatic data backups with a Recovery Point Objective (RPO) of no more than 24 hours.
  • Server-side antivirus and intrusion detection systems.
  • Firewall rules, network segmentation, and DDoS mitigation.

4.2 Encryption

  • Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Data at Rest: Sensitive data stored in our databases is encrypted using AES-256 encryption.
  • Backups: All backup data is encrypted prior to storage.

5. Access Control

Access to user data within Synx's systems is governed by the principle of least privilege:

  • Role-Based Access Control (RBAC): Employees are granted access only to systems and data necessary for their role.
  • Multi-Factor Authentication (MFA): Required for all administrative and privileged access.
  • Access Reviews: Periodic access reviews are conducted to revoke unnecessary privileges.
  • Separation of Duties: Critical operations require approval from multiple authorised personnel.
  • Audit Logs: All access to sensitive data is logged and retained for a minimum of 90 days.

6. Application Security

  • Secure Development Lifecycle (SDLC): Security requirements are integrated at every stage of software development.
  • Code Reviews: All code changes undergo peer review with a security focus.
  • Vulnerability Scanning: Regular automated vulnerability scans and dependency audits.
  • Penetration Testing: Periodic third-party penetration tests are conducted.
  • OWASP Top 10: Application security controls are maintained against the OWASP Top 10 vulnerability framework.
  • Input Validation: All user inputs are validated and sanitised to prevent injection attacks.

7. Data Breach Response

In the event of a confirmed or suspected personal data breach, Synx will:

  • Contain: Immediately isolate affected systems to prevent further exposure.
  • Assess: Investigate the nature, scope, and impact of the breach within 24 hours.
  • Notify: Where required by law (DPDPA, IT Act), notify affected users and the relevant regulatory authority within 72 hours of becoming aware of the breach.
  • Remediate: Implement corrective measures to prevent recurrence.
  • Document: Maintain a record of all breaches, responses, and outcomes.

To report a suspected security incident, contact legal@synxautomate.com with the subject line "Security Incident Report".

8. Third-Party & Vendor Security

Synx engages third-party vendors (cloud providers, payment processors, analytics tools) under contractual data processing agreements that require:

  • Equivalent or higher security standards.
  • Restriction on sub-processing without prior authorisation.
  • Right to audit and security attestations (e.g., ISO 27001, SOC 2).
  • Prompt notification of any security incidents affecting shared data.

9. Employee Security

  • All employees receive data security training at onboarding and annually thereafter.
  • Background verification is conducted for all employees with access to sensitive data.
  • Non-Disclosure Agreements (NDAs) are in place for all employees and contractors.
  • Clean desk policy and secure disposal of physical documents.
  • Device encryption and remote wipe capability for all company-managed devices.

10. Business Continuity & Disaster Recovery

  • Recovery Time Objective (RTO): We target restoration of core Services within 4 hours of a critical failure.
  • Recovery Point Objective (RPO): Data loss is targeted to be no more than 24 hours.
  • Redundancy: Critical systems operate with active redundancy across multiple availability zones.
  • DR Testing: Disaster recovery procedures are tested at least annually.

11. User Responsibilities

Users of the Service are responsible for:

  • Maintaining the confidentiality of account credentials and API keys.
  • Enabling available security features such as two-factor authentication.
  • Promptly reporting any suspected unauthorised access to legal@synxautomate.com.
  • Ensuring that devices used to access the Service are adequately secured.
  • Ensuring that use of the browser extension complies with WhatsApp's Terms of Service and applicable data protection laws.

12. Compliance & Certifications

Synx operates in alignment with the following standards and frameworks:

  • Information Technology Act, 2000 (India)
  • SPDI Rules, 2011 (India)
  • Digital Personal Data Protection Act, 2023 (India)
  • ISO/IEC 27001 principles
  • OWASP Application Security Standards
  • PCI DSS (for payment data handling, via third-party processors)

13. Policy Review

This Policy is reviewed at least annually or following any significant security incident, change in regulatory requirements, or major product update. The current version of this Policy is available at https://contactzap.synxautomate.com.

14. Contact

For security-related queries or to report a vulnerability:

Synx Automation Private Limited
77 Spaces, Kumarapuram, Trivandrum, Kerala – 695011, India
Email: legal@synxautomate.com
Website: https://contactzap.synxautomate.com

Last Updated: March 2025 | Synx Automation Private Limited | CIN: U62099KL2024PTC087457