HealersMeet

Legal โ€บ Security Statement

Security Statement

Version v2.0 ยท Effective 2026-05-01 ยท Pitambhara Educom Consultancy Pvt Ltd / HealersMeet

SECURITY STATEMENT

Document version: v2.0 Effective date: 2026-05-01 Last updated: 2026-05-01

At Pitambhara Educom Consultancy Pvt Ltd, operator of HealersMeet / Mission Niramaya / InnerZen / DLT, protecting your personal and learning data is a core responsibility. Because our courses involve sensitive self-disclosure โ€” about mental states, trauma, relationships, and spiritual experiences โ€” we hold ourselves to a higher standard than a generic e-learning platform.

This Security Statement describes the safeguards we apply to our website, LMS, course materials, and supporting systems. It is aligned with:

  • the Information Technology Act, 2000 and the SPDI Rules, 2011 (reasonable security practices);
  • the Digital Personal Data Protection Act, 2023;
  • the CERT-In Cyber Security Directions, 2022 (CERT-In Direction 20(3)/2022);
  • generally accepted frameworks such as ISO/IEC 27001, NIST CSF, and OWASP ASVS.

1. GOVERNANCE

  • Documented Information Security Policy reviewed at least annually.
  • Designated Security & Grievance Officer accountable for security and privacy.
  • All staff, contractors, and instructors sign confidentiality and data-protection agreements before access.
  • Security and privacy onboarding training; annual refreshers.

2. INFRASTRUCTURE SECURITY

  • Hosted on reputable cloud providers (e.g., AWS / DigitalOcean / equivalent) with recognized certifications (ISO 27001 / SOC 2).
  • Servers hardened using current CIS baselines; non-essential services disabled.
  • Deployed behind managed firewalls and a Web Application Firewall (WAF).
  • Principle of least privilege โ€” services and staff receive only the minimum access required.
  • Production isolated from development and test environments.

3. DATA IN TRANSIT

  • All traffic encrypted with TLS 1.2 or higher.
  • HTTP auto-redirected to HTTPS; HSTS enabled.
  • Legacy protocols (SSL, TLS 1.0/1.1) and weak ciphers disabled.

4. DATA AT REST

  • Databases and object storage encrypted (AES-256 or provider-equivalent).
  • Passwords never stored in plain text โ€” hashed with bcrypt/argon2 and unique salts.
  • Payment data never touches our servers; card details tokenized by PCI-DSS-compliant gateways.
  • Session recordings with sensitive disclosures kept in encrypted, access-restricted storage.

5. APPLICATION SECURITY (LMS AND WEBSITE)

Development follows OWASP Top 10 secure-coding practices:

  • Parameterized queries / ORM to prevent SQL injection.
  • Output encoding and Content Security Policy (CSP) to prevent XSS.
  • CSRF tokens on state-changing operations.
  • Strong session management with rotating, signed tokens and automatic timeout.
  • Rate limiting and brute-force protection on login, OTP, password-reset.
  • File-upload validation (type, size, malware scan) for assignments.
  • Dependency scanning (Dependabot/Snyk-style); regular patching.
  • Periodic vulnerability assessments and penetration tests by qualified testers; findings triaged and remediated to SLAs.

6. ACCESS CONTROL

  • Role-based access control (RBAC) โ€” Students, Instructors, Support, Admin.
  • Multi-factor authentication (MFA) enforced for all staff and admin accounts.
  • Admin actions logged with actor, timestamp, and IP.
  • Access reviews at least quarterly; access revoked within 24 hours of role change or separation.

7. YOUR ACCOUNT SECURITY โ€” WHAT YOU SHOULD DO

Security is a shared responsibility. Please:

  • Use a unique, strong password (12+ characters, mix of types).
  • Enable two-factor authentication (2FA) when available.
  • Never share your password or OTP โ€” we will never ask for them.
  • Log out from shared or public devices.
  • Email from us comes only from @healersmeet.com; WhatsApp only from our verified business number +91 99814 45177. Beware of phishing.
  • Keep your operating system, browser, and antivirus updated.
  • Report any suspected incident immediately to security@healersmeet.com.

8. LOGGING AND MONITORING

  • Application, access, and security events logged centrally.
  • Logs retained for a minimum of 180 days in accordance with the CERT-In Directions, 2022.
  • Automated alerts for anomalous activity (unusual logins, mass downloads, privilege escalation attempts, brute-force attempts).
  • Log integrity protected against unauthorized access and tampering; time synchronized to NTP (in line with CERT-In).

9. BACKUPS AND RESILIENCE

  • Automated daily backups of the LMS database; weekly full backups.
  • Backups encrypted and stored in a geographically separate location.
  • Restoration tests at least twice a year.
  • Documented Business Continuity and Disaster Recovery Plan with defined RTO and RPO targets.

10. VENDOR AND THIRD-PARTY RISK

Before onboarding a vendor that handles Student data:

  • Review their security posture (certifications, questionnaires, references).
  • Sign a Data Processing Agreement covering confidentiality, security standards, and breach notification.
  • Limit data shared to the minimum necessary.
  • Periodically re-assess continued access and necessity.

Core vendors today include our cloud host, payment gateway, transactional email provider, WhatsApp Business API, video-conferencing provider, and certification partners (e.g., Medhavi Skills University).

11. COURSE CONTENT PROTECTION

To protect both your data and our course materials:

  • Videos stream via signed, time-limited URLs rather than direct download links.
  • PDFs and workbooks can carry user-specific watermarks.
  • Bulk/automated downloading triggers anomaly alerts and may cause suspension.
  • Front-end copy/right-click deterrents are applied (note: these are deterrents, not guarantees).

12. INCIDENT RESPONSE AND CERT-In COMPLIANCE

  • Defined Incident Response Plan covering detection, containment, eradication, recovery, and post-incident review.
  • Cross-functional incident response team mobilizable within hours.
  • CERT-In reporting: notifiable cyber incidents will be reported to CERT-In at incident@cert-in.org.in within six (6) hours of noticing, per Direction 20(3)/2022.
  • DPDP Act reporting: personal-data breaches likely to cause harm will be notified to the Data Protection Board of India and affected Data Principals within the timelines prescribed under the Act.
  • Designated Point of Contact (POC) for CERT-In communications: Manoj Jain ("Manudada"), grievance@healersmeet.com, +91 99814 45177.

13. RESPONSIBLE DISCLOSURE (BUG BOUNTY)

We welcome reports from security researchers and users.

  • Email security@healersmeet.com with a description, steps to reproduce, and proof-of-concept.
  • Do not exfiltrate data, degrade the Services, or access data beyond what is necessary to demonstrate the issue.
  • We acknowledge within 5 working days and work with you on remediation.
  • Good-faith researchers following this policy will not face legal action from us.

14. LIMITATIONS

No system is 100% secure. We apply industry-recognized safeguards appropriate to the scale and sensitivity of our operations but cannot guarantee absolute security. By using the Services you acknowledge this residual risk and agree to support the security of your own account as described in Section 7.

15. CONTACT