Everything your security team needs in one place.
Data residency, subprocessors, certifications status, and how to report vulnerabilities. Forward this page to your CISO — every claim here is verifiable.
Data residency
MessageArena is built India-first. For self-hosted deployments — the default for regulated customers — your data lives entirely on your infrastructure and never touches MessageArena systems.
For our optional managed cloud, all customer data (messages, files, user records, audit logs) is stored in Google Cloud's Mumbai region (asia-south1). Backups stay within the same region. No data is transferred outside India for storage or processing.
Cross-border data transfer is disabled at the infrastructure level. Even diagnostic logs are scrubbed of customer identifiers before leaving the region.
Certifications & compliance status
We publish honest status — what's already aligned, what's actively being formalized, and what's on the roadmap. No fake badges.
SEBI circulars on electronic communication
Aligned: Architected to meet archival, retention, and audit requirements for stockbrokers and intermediaries.
RBI IT Framework
Aligned: Data residency in India, AES-256 at rest, TLS 1.3 in transit, RBAC, and incident response framework.
IRDAI communication guidelines
Aligned: Communication logging, retention controls, and audit trail for insurance intermediaries.
DPDP Act 2023
In Progress: Data fiduciary controls, consent management, and breach notification workflows being formalized.
ISO/IEC 27001
In Progress: Controls implemented internally. Formal third-party audit planned for 2026 H2.
SOC 2 Type II
Roadmap: Targeted post-ISO 27001. Will run a 6-month observation window once controls are externally validated.
CERT-In incident reporting
Aligned: 6-hour incident reporting workflow and log retention per CERT-In April 2022 directives.
Subprocessors
Third parties that may process customer data. Self-hosted deployments use none of the cloud subprocessors below — only the customer's own infrastructure.
| Provider | Purpose | Location | Data access |
|---|---|---|---|
| Self-hosted deployment | Default deployment model for regulated customers | Customer infrastructure (India) | None — MessageArena has zero access |
| Google Cloud Platform (Mumbai region) | Optional managed cloud deployment | Mumbai, India (asia-south1) | Encrypted storage and compute only; data encrypted at rest |
| Cloudflare | DDoS protection and CDN for messagearena.com marketing site | Global edge network | Marketing site traffic only — no customer data |
| Resend | Transactional email (account verification, security alerts) | United States | Email addresses and message content for transactional emails only |
Material changes to this list are communicated to enterprise customers 30 days before they take effect.
Security overview
Security architecture
Encryption, access control, audit logs, and the full layered architecture diagram.
Data Processing Addendum
Standard DPA covering data handling, retention, and customer rights.
Privacy policy
What we collect, how it's used, and your rights as a data principal.
System status
Live uptime, incident history, and scheduled maintenance.
A downloadable PDF security overview for procurement and vendor review is available on request — email security@messagearena.com.
Reporting vulnerabilities
We welcome reports from independent security researchers. If you believe you've found a vulnerability, please report it responsibly so we can fix it before it's exploited.
- Report to security@messagearena.com with reproduction steps and impact assessment.
- We acknowledge within 48 hours and provide a triage decision within 5 business days.
- Critical issues are patched within 7 days; high within 30 days.
- We don't pursue legal action against good-faith research that follows our responsible disclosure policy.
Talk to our security team
Vendor security questionnaires, custom DPA reviews, penetration test reports, or anything your CISO needs — we'll respond within 2 business days.