Data Protection & Security

Last updated: November 19, 2024

Our Commitment to Security

At bTrainr, protecting your data is our top priority. We implement enterprise-grade security measures and comply with international data protection regulations including GDPR (EU/UK), CCPA (California), PDPA (UAE), the IT Act 2000 (India), and the Australian Privacy Act 1988.

Security Measures

Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • End-to-end encryption for sensitive communications
  • Encrypted database backups stored in multiple geographic locations

Access Controls

  • Multi-factor authentication (MFA) for all accounts
  • Role-based access control (RBAC)
  • Single sign-on (SSO) integration for enterprise clients
  • Regular access audits and permission reviews

Infrastructure Security

  • Hosted on AWS/Google Cloud with SOC 2 Type II compliance
  • Web Application Firewall (WAF) protection
  • DDoS protection and rate limiting
  • 24/7 security monitoring and incident response
  • Regular penetration testing by third-party security firms

Compliance & Certifications

  • ISO 27001 certified Information Security Management
  • SOC 2 Type II audited annually
  • GDPR compliant data processing
  • PCI-DSS compliant payment processing (via Stripe)
  • HIPAA-ready architecture for health data

Data Storage & Location

Regional Data Centers

We store data in regional data centers to comply with local data residency requirements:

  • Customers in the EU/UK: Data stored in EU data centers (Frankfurt, Dublin)
  • Customers in India: Data stored in the Mumbai data center
  • Customers in the UAE: Data stored in the Bahrain or Mumbai data centers
  • Customers in the USA: Data stored in US data centers (Virginia, Oregon)
  • Customers in Australia: Data stored in the Sydney data center

Data Transfers

When data is transferred internationally, we ensure adequate safeguards:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Adequacy decisions where applicable
  • Data Processing Agreements (DPAs) with all sub-processors
  • Transfer Impact Assessments for high-risk transfers

Data Backup & Recovery

  • Automated daily backups with 30-day retention
  • Real-time replication across multiple availability zones
  • Point-in-time recovery capability
  • 99.9% uptime SLA for paid plans
  • Disaster recovery plan tested quarterly
  • RPO (Recovery Point Objective): 24 hours
  • RTO (Recovery Time Objective): 4 hours

Privacy by Design

We embed privacy into every aspect of our platform:

  • Data minimization: We collect only necessary information
  • Purpose limitation: Data used only for stated purposes
  • Storage limitation: Data retained only as long as needed
  • Accuracy: Tools to keep your data accurate and up-to-date
  • Integrity & confidentiality: Security measures to protect data
  • Accountability: Documented processes and regular audits

Your Data Rights

Access & Control

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing for specific purposes
  • Withdraw consent: Revoke consent at any time

How to Exercise Your Rights

Submit requests through:

  • Account dashboard: Settings → Privacy & Data
  • Email: privacy@btrainr.com
  • Data Protection Officer: dpo@btrainr.com

We respond to all requests within 30 days (or as required by local law).

Data Breach Response

In the unlikely event of a data breach:

  • Immediate containment and investigation by security team
  • Notification to affected users within 72 hours
  • Notification to relevant supervisory authorities as required
  • Transparent communication about the nature and impact of the breach
  • Remediation steps and preventive measures

Third-Party Sub-Processors

We use trusted third-party services to deliver our platform. All sub-processors are vetted for security and compliance:

  • AWS/Google Cloud: Infrastructure hosting
  • Stripe: Payment processing (PCI-DSS certified)
  • SendGrid: Email delivery
  • Twilio: SMS and WhatsApp messaging
  • Cloudflare: CDN and DDoS protection
  • Sentry: Error tracking and monitoring

Full sub-processor list available upon request.

Employee Training & Policies

  • All employees undergo security and privacy training
  • Signed confidentiality and data protection agreements
  • Background checks for personnel with data access
  • Principle of least privilege for system access
  • Regular security awareness updates

Security Best Practices for Users

Help us protect your account:

  • Use strong, unique passwords (12+ characters)
  • Enable multi-factor authentication (MFA)
  • Never share your login credentials
  • Log out from shared or public devices
  • Report suspicious activity immediately
  • Keep your contact information updated
  • Review your account activity regularly

Contact Our Security Team

For security concerns or to report vulnerabilities:

Security Team: security@btrainr.com
Data Protection Officer: dpo@btrainr.com
Privacy Team: privacy@btrainr.com
Bug Bounty Program: security@btrainr.com

Updates to This Policy

We review and update our data protection practices regularly. Significant changes will be communicated via email and on this page.