📘 Clipster – Security & Data Protection Policy

Last Updated: 14 January 2026
Operated by Axxoraa Private Limited

Introduction

Clipster is committed to protecting the security and privacy of our users' data. This Security & Data Protection Policy outlines the technical, administrative, and physical safeguards we implement to protect information across our platform.

Security Governance

2.1 Security Organization

Security Officer: Designated security lead
External SOC: Third-party monitoring service
Incident Response: Cross-functional team
Privacy Compliance: Designated team member

2.2 Security Framework

Clipster follows:

ISO 27001 principles
NIST Cybersecurity Framework
OWASP Top 10 for application security
Indian IT Act compliance requirements

Data Classification & Handling

3.1 Data Categories

Public Data: Public profiles, public content
Internal Data: Usage analytics, system logs
Confidential Data: Personal information, messages
Restricted Data: Payment info, government IDs

3.2 Handling Requirements

Each data category has specific:

Access controls
Encryption standards
Retention periods
Disposal methods

Access Control

4.1 Principle of Least Privilege

Employees access only necessary data
Role-based access controls (RBAC)
Regular access reviews
Immediate revocation upon role change

4.2 Authentication Standards

Multi-factor authentication for employees
Strong password policies
Session management controls
Failed login attempt restrictions

4.3 Third-Party Access

Vendor security assessments
Contractual security requirements
Limited, monitored access
Annual security reviews

Encryption Standards

5.1 Data in Transit

TLS 1.2+ for all communications
Perfect Forward Secrecy (PFS)
Strong cipher suites
Certificate transparency monitoring

5.2 Data at Rest

User data: Encrypted in Supabase (AES-256)
Video files: Encrypted at rest with Bunny CDN
Backups: Encrypted and geo-redundant
Key management: Provider-managed with regular rotation

5.3 End-to-End Encryption

Messages: E2EE where technically feasible
Payment data: Tokenization
Sensitive documents: Client-side encryption

Network Security

6.1 Infrastructure Security

AWS security best practices
VPC segmentation
Security groups and NACLs
DDoS protection (AWS Shield)

6.2 Network Monitoring

Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Real-time traffic analysis
Anomaly detection

6.3 Web Application Firewall (WAF)

OWASP rule sets
Custom rule configuration
Rate limiting
Bot detection

Application Security

7.1 Secure Development Lifecycle

Security requirements in design phase
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Security code reviews

7.2 Vulnerability Management

Automated scanning: Continuous
Penetration testing: Bi-annually or after major releases
Bug bounty: Planned for future
Patch management: Critical patches within 7 days

7.3 API Security

API key management
Rate limiting per user/IP
Input validation
OAuth 2.0 for authorization

Physical Security

8.1 Cloud Infrastructure Security

Database Provider: Supabase (SOC 2 compliant)
Video Storage & CDN: Bunny CDN (global edge network)
Cloud Functions: Serverless architecture with multiple providers
Security controls: Follow shared responsibility model with all providers
Compliance: Rely on providers' compliance certifications (SOC 2, ISO 27001)

8.2 Office Security

Access control systems
Visitor management
Secure workstations
Clean desk policy

Incident Response

9.1 Incident Classification

Level 1: Minor - No data breach
Level 2: Moderate - Limited data exposure
Level 3: Major - Significant breach
Level 4: Critical - Systemic compromise

9.2 Response Timeline

Detection: Immediate automated monitoring
Containment: Within 4 hours for critical
Recovery: Within 24-48 hours
Post-mortem: Within 14 days

9.3 Notification Requirements

Users: Within 72 hours of confirmation
Regulators: As per legal requirements
Law enforcement: When appropriate
Public disclosure: Based on impact assessment

Data Protection

10.1 Privacy by Design

Data minimization
Purpose limitation
Storage limitation
Default privacy settings

10.2 Data Subject Rights

Right to access
Right to rectification
Right to erasure
Right to data portability
Right to object

10.3 Data Processing Agreements

With all data processors
GDPR/DPDPA compliance
Sub-processor notification
Audit rights

Business Continuity & Disaster Recovery

11.1 Backup Strategy

Daily incremental backups
Weekly full backups
Geo-redundant storage
30-day retention minimum

11.2 Recovery Objectives

RPO (Recovery Point Objective): 1 hour
RTO (Recovery Time Objective): 4 hours
Maximum tolerable downtime: 24 hours

11.3 Testing Schedule

Backup restoration: Monthly
DR drills: Quarterly
Full scenario testing: Annually

Employee Security

12.1 Security Training

Onboarding security training
Annual security awareness
Phishing simulation exercises
Secure coding training for developers

12.2 Policies & Agreements

Acceptable Use Policy
Confidentiality agreements
Bring Your Own Device (BYOD) policy
Remote work security guidelines

Third-Party Risk Management

13.1 Vendor Assessment

Security questionnaire
Compliance verification
On-site audits for critical vendors
Continuous monitoring

13.2 Contractual Requirements

Security requirements in contracts
Right to audit
Breach notification obligations
Liability for security incidents

Compliance & Auditing

14.1 Regular Audits

Internal audits: Quarterly
External audits: Annually
Compliance reviews: Bi-annually
Penetration tests: Quarterly

14.2 India-Specific Compliance

Information Technology Act, 2000 & Rules
Grievance Officer appointment (already done)
Data localization where required
Intermediary Guidelines compliance

Security Monitoring

15.1 Continuous Monitoring

SIEM (Security Information and Event Management)
Log aggregation and analysis
Real-time alerting
Threat intelligence feeds

15.2 Key Metrics Monitored

Failed login attempts
Unusual data access patterns
System performance anomalies
Security control effectiveness

User Security Features

16.1 Account Security

Two-factor authentication (optional)
Login notification alerts
Active session management
Password strength indicators

16.2 Privacy Controls

Granular privacy settings
Data download capability
Account deletion option
Communication controls

Breach Response Plan

17.1 Immediate Actions

Activate incident response team
Contain the breach
Preserve evidence
Assess impact

17.2 Communication Plan

Internal communication protocol
External communication templates
Regulatory reporting procedures
Customer notification process

17.3 Remediation Steps

Identify root cause
Implement fixes
Enhance controls
Monitor effectiveness

17.4 Incident Response Documentation

Incident response playbook maintained
Regular tabletop exercises
Lessons learned documentation
Continuous improvement process

**18. Data Breach Notification Procedure**

Assessment within 24 hours of discovery
Notification to affected users within 72 hours
Regulatory reporting as per Indian IT Rules
Transparency report annually

18.1 Compliance Monitoring

Automated policy enforcement
Manual reviews
Exception management
Regular reporting

18.2 Violation Consequences

Employee violations: Disciplinary action
Vendor violations: Contract termination
User violations: Account restrictions
Legal violations: Regulatory reporting

Policy Review & Updates

19.1 Review Schedule

Quarterly policy review
Annual comprehensive review
Ad-hoc updates for new threats
Post-incident reviews

19.2 Change Management

Security impact assessment
Stakeholder approval
Testing before implementation
User notification for significant changes

20. Contact Information

Security Team

Email: support@clipster.co.in ✅ (for all security-related user concerns)
Emergency: support@clipster.co.in ✅ (no separate emergency account; handled via support)

Data Protection Officer (DPO)

Email: legal@clipster.co.in
Response Time: Within 24 hours

Law Enforcement

Email: nodalofficer@clipster.co.in
For verified law enforcement requests only