72-hour breach notification

What counts as a breach

Per DPDP §11(1), a "personal data breach" means any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises confidentiality, integrity or availability.

What we'll do within 72 hours of detection

1. Notify the Data Protection Board of India.
2. Notify each affected data principal directly by email and SMS.
3. Publish a public incident report at /trust/breach/incidents covering:
   • Scope — how many principals affected
   • Affected fields — exactly what categories were exposed
   • Detection timeline — when, by whom, how
   • Containment + remediation — what we did about it
   • What we're changing to prevent recurrence
   • Contact for follow-up questions
4. Reset the days-since-last-breach counter on this page to 0.

Published security controls

This section should list only controls that are live for Maitro. The starter does not certify security by itself; it gives each venture a public place to document the controls already operating in production.

• HTTPS enforced with HSTS preload
• Global CSP, frame-ancestors none, X-Frame-Options DENY, and nosniff headers
• Turnstile and rate limits protect public intake forms
• Application data stored in India on the Maitro VPS stack
• Secrets scanned before deploy and kept out of git
• COI scan runs before application review
• Atomic SETU-style releases with PM2 reload and health checks

If you suspect a breach

Contact our DPO immediately at /trust/dpo or email privacy@maitro.tech. We acknowledge within 24 hours and triage within 72 hours. Responsible disclosure is welcomed — see our security.txt at /.well-known/security.txt.