ComplianceDesk AI
Security Policy

Responsible
Disclosure Policy

We take the security of our platform and the privacy of India's workforce seriously. If you've found a vulnerability, we want to hear from you.

Version: 1.0
Effective: 16 March 2026
Review: Annually
Owner: DPO, ComplianceDesk AI
DPDP Act 2023 Compliant
Protean eGov Authorised Reseller
AWS Mumbai Region
Statutory DPO Appointed

Our Commitment

ComplianceDesk AI operates India's first DPDP Act 2023-native identity verification platform, processing Aadhaar, DigiLocker, and government API-based KYC data for enterprise clients. The sensitivity of this data makes security a non-negotiable priority.

We commit to working with security researchers in good faith: acknowledging valid reports promptly, keeping you informed throughout remediation, and not pursuing legal action against researchers acting in good faith within the scope of this policy.

Scope

In Scope
  • www.compliancedesk.ai and subdomains
  • API endpoints (*.compliancedesk.ai/api)
  • WhatsApp webhook handlers
  • KYC verification pipeline
  • Authentication & session management
  • Data storage & encryption
  • Admin dashboard interfaces
Out of Scope
  • Protean eGov APIs (upstream provider)
  • Meta / WhatsApp infrastructure
  • AWS infrastructure layer
  • Third-party integrations not hosted by us
  • Social engineering of our staff
  • Physical security attacks
  • DoS / DDoS attacks

Response Timeline

  • Acknowledgement: within 48 hours of receiving your report
  • Initial Assessment: within 5 business days
  • Severity Classification: within 7 business days
  • Critical Fix: within 7 days of confirmation
  • High Fix: within 30 days of confirmation
  • Medium / Low Fix: within 90 days of confirmation
  • Public Disclosure: coordinated with the researcher after the fix is deployed

Severity Classification

Severity | Examples                                                                    | SLA
Critical | Aadhaar data exposure, unauthenticated KYC access, RCE, mass PII leak       | 7 days
High     | Auth bypass, IDOR on verification sessions, SQL injection, API key leak     | 30 days
Medium   | XSS, CSRF, misconfigured CORS, session fixation, sensitive info in logs     | 90 days
Low      | Missing headers, verbose error messages, non-sensitive info disclosure      | 90 days

How to Report

Report a Vulnerability

Send a detailed report including steps to reproduce, proof-of-concept (if available), affected endpoints, and potential impact. Please do not share vulnerability details publicly before coordinating with us.

Email: security@compliancedesk.ai

๐Ÿค Safe Harbour

Security research conducted in accordance with this policy is authorised. ComplianceDesk AI will not initiate legal action against researchers who: discover vulnerabilities in good faith, avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability, do not disrupt our services or clients, and report findings to us before public disclosure. We consider this activity to be authorised under the Information Technology Act, 2000 (India).

๐Ÿ† Hall of Fame

Be the first to responsibly disclose a vulnerability and earn your place here.