EasyOTP Security Statement
This Security Statement outlines the current security practices implemented by EasyOTP (operated by Braintech Corporation Private Limited) to protect personal data, authentication flows, and messaging services. It also provides a roadmap of upcoming enhancements as the platform scales to meet enterprise-grade compliance.
1. Current Security Baseline
Encryption
- All data in transit is encrypted using TLS 1.2+.
- All data at rest is encrypted using AES-256.
- Sensitive identifiers such as phone numbers are hashed or encrypted to minimize exposure.
Access Control
- Role-based access control is implemented across systems.
- Multi-factor authentication (MFA) is required for administrative access.
- Development, staging, and production environments are separated, with least-privilege access.
Monitoring & Logging
- Basic application and infrastructure logging is enabled.
- Logs are retained securely for investigation in case of security events.
- Vendor and third-party service activity is monitored via cloud dashboards.
Incident Response
- EasyOTP commits to notifying affected vendors and users within 72 hours of becoming aware of a personal data breach.
- A basic incident response runbook is maintained to triage, contain, and remediate security events.
Compliance Alignment
- EasyOTP follows practices aligned with SOC 2 and ISO/IEC 27001.
- Formal certification is on the compliance roadmap as the company scales.
2. Security Roadmap
As EasyOTP grows and engages with regulated industries and enterprise clients, the following enhancements will be implemented to strengthen compliance and security posture:
- Formal SOC 2 Type II and ISO/IEC 27001 certification.
- Automated monitoring and Security Information & Event Management (SIEM).
- Third-party penetration testing and vulnerability assessments.
- Vendor and sub-processor risk assessments.
- Quarterly access and role audits.
- Expanded incident response playbooks with simulated breach drills.
3. Commitment
EasyOTP is committed to protecting the confidentiality, integrity, and availability of its services and the data it processes on behalf of vendors and users. This Security Statement reflects current practices and the planned roadmap, ensuring transparency and trust with all stakeholders.