Security · Privacy · Compliance

What we hold, how we hold it, and what you can verify.

We publish our posture — for those who need to verify, not just trust. Where we’re early, we say so. Where we’re certified, we link the report. DPA on request, NDA before any data is shared.


01 · Data classification

What we collect, what we don’t.

We collect: business contact details, payment metadata, account telemetry (login times, feature usage at aggregate level).

We process (transient): lead conversations (WhatsApp Agent), notice content for OCR (Chronos CA — only if you opt into Gemini Vision, and then using your key).

We don’t collect: notice contents at rest (Chronos CA stays local), personal communications outside billed conversations, anything subject to consent you haven’t given.


02 · Where data lives

Two products. Two postures.

Chronos CA

Your Windows machine + your Google account (Calendar + Sheets) + your Telegram bot. We don’t see notice contents. Optional Gemini Vision OCR uses your API key directly — we never proxy it.

Chronomation Sales Agent

Hosted on Mumbai-region AWS (ap-south-1). Lead conversations encrypted at rest (AES-256). TLS 1.2+ in transit. WhatsApp Business API routes through Meta’s infrastructure. Tenant data isolated.


03 · Encryption

Standard, not flashy.

  • At rest: AES-256
  • In transit: TLS 1.2+
  • Secrets: Windows Credential Manager (desktop) or AWS KMS (cloud)
  • Key rotation: 90 days for production secrets

04 · DPDP Act 2023

Indian compliance posture.

Role: data fiduciary / processor split. You’re the fiduciary, we process on your behalf with explicit consent and audited purposes.

Notice + consent: standardized flows on every collection point. Granular toggles for optional purposes.

Data subject requests: 30-day SLA for access, correction, and erasure requests.

Phase 3 readiness (May 2027): on track. Internal audit cadence: quarterly.


05 · Sub-processors

Who else touches your data, and why.

Provider | Role | Region
AWS (Mumbai) | Hosting for Sales Agent backend | ap-south-1
Meta (WhatsApp Business API) | Message delivery layer | Global
MongoDB Atlas | Conversation store | ap-south-1
OpenAI / Anthropic / Google | LLM inference (provider-agnostic; configurable per tenant) | US / EU / India where available
Stripe / Razorpay | Payment processing | India
Postmark | Transactional email | US

06 · Certifications

Where we are, where we’re going.

DPDP

Ready. Internal audit cadence: quarterly. Last review: Aug 2026.

SOC 2 Type I

In scoping. Target attestation: Q1 2027. Tractor partner: Vanta.

ISO 27001

On the roadmap. Scoped for late 2027.


07 · Legal documents

DPA, MSA, NDA.

Standard templates available on request. We use them as-is for most engagements and accept marked-up versions from larger clients.


08 · Breach disclosure

SLA + CERT-In.

72-hour notification SLA to affected data fiduciaries. CERT-In notification per Indian rules (within 6 hours of confirmed incident). Post-incident report within 14 days. No carve-outs for soft launches or pilots.


09 · Access control

Production is founder-only.

Only Aman and Aryan have production access. All access via hardware security keys + audited via AWS CloudTrail. Quarterly access review. Customer data access requires written customer consent, except for active incident response.


10 · Responsible disclosure

Bug bounty.

Email security findings to thechronomation@gmail.com with subject “Security disclosure.” Scope: production endpoints + desktop app binary. Reward: ₹5k–₹1L based on severity (CVSS). We respond within 48 hours.


11 · Entity & jurisdiction

Chronomation.

Founded: 2026
Jurisdiction: Mumbai, Maharashtra, India
Entity details & statutory registrations: available on request under NDA.