Skip to Content
LegalIncident Response

Incident Response

Effective: 1 May 2026

This page tells you how to report security issues, abuse, and data incidents — and what to expect from us when you do.

Quick reference

Type of reportEmailResponse time
Security vulnerability in our servicesecurity@splashifypro.in24 hours
Suspected breach of recipient datasecurity@splashifypro.in24 hours / 72 hours formal
Spam, phishing, or abuse from a Splashify Pro senderabuse@splashifypro.in24 hours business / 72 hours weekend
Privacy / data-protection issuedpo@splashifypro.in30 days statutory
Grievance redressalgrievance@splashifypro.in24 hours acknowledge / 15 days resolve
Suspected unauthorized access to your accountsecurity@splashifypro.in + lock immediatelyImmediate

Reporting a security vulnerability

We welcome reports from security researchers. To report:

  1. Email security@splashifypro.in with:
    • Steps to reproduce.
    • Expected vs actual behavior.
    • Impact assessment (what could an attacker do?).
    • Your name and contact details (or pseudonym if you prefer).
  2. Encrypt sensitive details with our PGP key (published on the trust portal). For most reports, plain email is fine.
  3. Do not publicly disclose until we have had a reasonable chance to investigate and fix.

Our commitments

  • We acknowledge within 24 hours.
  • We provide a tracking ID and a single point of contact.
  • We share periodic updates while we triage and remediate.
  • We disclose the fix to you when it ships.
  • We credit researchers in our public security advisories (with consent) on the trust portal.

Safe harbor

Good-faith vulnerability research conducted within these guidelines is authorized — we will not pursue civil or criminal action under the Information Technology Act §43A or §66, the Indian Penal Code, or the Computer Fraud and Abuse Act for testing that:

  • Stays within the scope of accounts you control.
  • Avoids accessing or modifying other partners’ data.
  • Avoids degrading service for other partners (no DDoS, no resource exhaustion).
  • Avoids social engineering of our staff.
  • Reports findings privately to security@splashifypro.in before public disclosure.

Out of scope

  • Findings against our marketing site (splashifypro.com) — please report to the marketing-site security team via the contact form.
  • Theoretical vulnerabilities without proof of exploitability.
  • Self-XSS, missing security headers without an exploitation path, rate-limit absence on non-sensitive endpoints.
  • Findings against third-party services we integrate with — report to that service’s security team.

Reporting abuse

If you’ve received spam, phishing, or fraudulent email from a sender using Splashify Pro:

  1. Forward the email with full headers preserved to abuse@splashifypro.in. Include any URLs you observed and any harm that resulted (financial loss, identity theft, etc.).
  2. We acknowledge within 24 hours on business days, 72 hours on weekends.
  3. We investigate, take action under the Auto-Action System, and respond with the outcome where confidentiality permits.

For urgent matters (active phishing campaign, financial fraud in progress), include “URGENT” in the subject line. We have on-call escalation outside business hours for these.

We act on every abuse report. Sender accounts that produce multiple credible reports are paused pending review even before our own automated detection triggers.

Suspected breach of recipient data

If you suspect a breach affecting recipient data (e.g. unauthorized access to your account that exposed your sending list):

  1. Lock your account immediately — change your password, rotate all API keys, terminate active sessions from the panel.
  2. Email security@splashifypro.in with subject “BREACH” and describe what happened and when.
  3. We respond within 24 hours with:
    • Confirmation we received the report.
    • A tracking ID.
    • Our preliminary assessment of any cross-tenant exposure.
  4. If the incident triggers our Processor obligation under the DPA §10, we provide formal notification within 72 hours including all information you need to fulfill your own notification obligations under DPDP Act §8(6) or GDPR Articles 33-34.

If the breach is on your side and recipient data was exposed via your own systems (not via Splashify Pro), we still cooperate fully with your investigation and provide any supporting data we hold.

Suspected unauthorized access to your account

If you see activity in your Splashify Pro account that you don’t recognize:

  1. Immediately:
    • Sign out everywhere from the Partner Panel (Settings → Sessions → Revoke all).
    • Rotate every API key (Settings → API Keys → Rotate).
    • Change your password.
    • Enable two-factor authentication if not already on.
  2. Email security@splashifypro.in:
    • Account ID.
    • The activity you didn’t recognize (timestamps, sends, config changes).
    • What credentials you suspect were exposed.
  3. We provide an account audit log going back 90 days within 24 hours, free of charge.
  4. We freeze billing impact during the investigation (sends made during the unauthorized window are not retroactively credited automatically — but we credit them on case review).

Privacy / data-protection issues

For:

  • Data-Subject Rights requests (access, correction, erasure, portability).
  • Concerns about how we handle your account data.
  • Sub-processor objections.

Email dpo@splashifypro.in. We respond within 30 days (DPDP Act) or one month (GDPR), extendable for complex requests.

For grievance redressal under the IT (Intermediary Guidelines) Rules, 2021, escalate to grievance@splashifypro.in. The Grievance Officer acknowledges within 24 hours and resolves within 15 days.

What we publish about incidents

After remediation, we publish:

  • Status-page incidents — real-time during the incident, post-mortem within 14 days, at status.splashifypro.com.
  • Security advisories — on the trust portal (forthcoming) for vulnerabilities of medium severity or higher, including affected versions, mitigations, and credit to researchers (with consent).
  • Annual transparency report — summary of law-enforcement requests we received and our response.

We do not publish:

  • Customer-specific incidents — these are communicated only to the affected customer.
  • Full technical details of fixed vulnerabilities while exploitation in the wild is plausible.

Government and law-enforcement requests

We require valid legal process for any disclosure of customer data — search warrant, court order, or specific statutory authority under the IT Act, CrPC, or equivalent in the requesting jurisdiction.

We:

  • Verify the authenticity of the request.
  • Narrow the scope wherever the request is overbroad.
  • Provide notice to the affected customer before disclosure unless prohibited by law (e.g. a non-disclosure order).
  • Reject voluntary requests not backed by lawful authority.

Annual statistics are published in our transparency report.

Drills and tabletop exercises

We run quarterly tabletop exercises covering:

  • Confirmed external compromise of the Service.
  • Sub-processor breach notification.
  • Coordinated phishing campaign by a banned sender.
  • Loss of access to a single sending region.

Findings feed back into runbooks and engineering priorities.

Contact escalation chain

If you don’t get a response in the windows above, escalate:

  1. The original mailbox (security / abuse / dpo / grievance).
  2. Grievance Officer: grievance@splashifypro.in
  3. Postal address: Grievance Officer, EvolvePro Tech Solutions Private Limited, Shimultala, Motiganj, Bongaon, North 24 Parganas, West Bengal — 743235, India.
  4. For matters governed by the IT Rules, 2021 — Grievance Appellate Committee under Rule 3A.
  5. For matters governed by the DPDP Act — Data Protection Board of India.
  6. For matters governed by the GDPR — your supervisory authority (CNIL, ICO, Garante, etc.).
Compliance Summary