JumboBuy.in recognises that robust security and transparent cookie practices are fundamental to maintaining trust in our B2B marketplace. This Security and Cookies Policy explains how we protect your data through comprehensive security measures and how we use cookies and similar technologies to enhance platform functionality.
As a platform handling sensitive business information including trade secrets, financial data, and competitive intelligence, we implement security standards that meet or exceed requirements under the Information Technology Act, 2000, particularly Section 43A concerning data protection, and the Digital Personal Data Protection Act, 2023 (DPDP Act), specifically Section 8(5) requiring appropriate technical and organizational measures to prevent data breaches.
Our approach to security employs defence-in-depth principles, creating multiple protective layers that work together to safeguard your information. Similarly, our cookie practices balance platform functionality with user privacy, providing transparency and control over how tracking technologies are used. This policy applies to all users of the JumboBuy platform and should be read in conjunction with our Privacy Policy and Terms and Conditions.
SECURITY ARCHITECTURE
Technical Security Measures
Our technical security framework implements multiple layers of protection to safeguard your data throughout its lifecycle. We employ AES-256 encryption for data at rest, so that database contents, backups, and storage media remain unreadable to anyone who obtains them without the corresponding keys. All data transmission between your browser and our servers uses TLS 1.3, creating authenticated, encrypted channels that prevent eavesdropping and tampering in transit. Passwords are never stored; each is protected by salted hashing using a deliberately slow, memory-hard password hashing function, a one-way transformation that means neither we nor an attacker who copies our database can recover your actual password.
Network security forms our first line of defence through enterprise-grade firewalls that inspect all incoming traffic, Web Application Firewalls (WAFs) that protect against common attacks such as SQL injection and cross-site scripting, and Distributed Denial of Service (DDoS) protection, ensuring platform availability during attack attempts. Our infrastructure includes intrusion detection systems that identify potential security breaches, automated threat response systems that can isolate compromised components, and comprehensive logging that creates audit trails for all sensitive operations.
Access control systems ensure that data is accessible only to authorised users through role-based permissions aligned with job responsibilities. Multi-factor authentication (MFA) adds crucial protection beyond passwords, requiring something you know (your password) and something you have (such as your phone for OTP codes). Session management monitors for suspicious patterns, such as sudden location changes that might indicate account compromise, automatically terminates sessions after periods of inactivity, and issues session tokens generated from a cryptographically secure random source so that they cannot be predicted, guessed, or forged.
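The two mechanisms above that most often go wrong in practice are password storage and session-token generation. The following is an added illustration, not JumboBuy's own code; it assumes nothing beyond the Python standard library. It stores passwords as salted scrypt hashes with the parameters recorded alongside the hash (so they can be raised later), verifies them in constant time, and mints session tokens from the operating system's CSPRNG, keeping only a SHA-256 fingerprint of each token server-side so that a leaked session table does not hand out live sessions.

```python
import hashlib
import hmac
import secrets

# scrypt work factors (assumed values for this example; raise N as hardware allows).
# Memory use is 128 * r * N bytes = 16 MiB here, within hashlib's default maxmem.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
DK_LEN = 32     # bytes of derived key stored


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme$N$r$p$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_LEN)          # fresh random salt per password
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False                              # malformed record never verifies
    return hmac.compare_digest(dk, expected)      # no early-exit timing leak


def new_session_token() -> str:
    """256 bits from the OS CSPRNG, URL-safe; this is what goes in the cookie."""
    return secrets.token_urlsafe(32)


def session_fingerprint(token: str) -> str:
    """What the server stores and looks up. The raw token is never persisted,
    so a dump of the session table cannot be replayed as live sessions."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def session_matches(presented_token: str, stored_fingerprint: str) -> bool:
    return hmac.compare_digest(session_fingerprint(presented_token), stored_fingerprint)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    tok = new_session_token()
    print("token:", tok, "fingerprint:", session_fingerprint(tok))
```

Because the salt is random per password, hashing the same password twice yields different records, which is what defeats precomputed (rainbow-table) attacks; the work factors make each guess expensive for an attacker who has stolen the table.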
Organisational Security Measures
Technical measures alone cannot ensure security without corresponding organisational controls. All employees with access to user data undergo comprehensive background verification and sign strict confidentiality agreements. Regular security training ensures our team understands evolving threats and their responsibilities in protecting user data. We maintain a dedicated security team that monitors threats, responds to incidents, and continuously improves our security posture.
Our Security Operations Centre operates 24/7, monitoring platform activity for signs of suspicious behaviour or potential breaches. This includes real-time threat detection using artificial intelligence to analyse patterns that might escape human notice, integration with global threat intelligence networks that alert us to emerging risks, and proactive vulnerability management through regular security assessments and penetration testing. We maintain ISO 27001 certification, demonstrating independent validation of our security practices and commitment to international standards.
Third-party vendors who process data on our behalf undergo rigorous security assessments before integration and are continuously monitored thereafter. Contracts with these vendors include specific security requirements, audit rights, breach notification obligations, and liability provisions ensuring they maintain security standards comparable to our own. This extended security approach recognises that we're only as secure as our weakest link in the data processing chain.
DATA BREACH RESPONSE
Despite robust preventive measures, we maintain comprehensive incident response capabilities as required under Section 8(6) of the DPDP Act. Our incident response plan activates immediately upon detection of any potential security breach, with clear procedures for containment, investigation, and remediation. The priority is always minimising harm to affected users while preserving evidence for inquiry and learning.
When a breach is detected, our response follows established timelines, ensuring rapid yet thorough action. Within one hour, we complete the initial assessment to determine the scope and severity. Within 24 hours, we implement containment measures to prevent further damage and begin forensic analysis. Within 72 hours, we notify the Data Protection Board of India and each affected data principal; Section 8(6) of the DPDP Act requires this intimation for every personal data breach, without a harm threshold, in the form and manner prescribed under the Act. Affected users receive clear communication about what happened, what information was involved, what we are doing about it, and what they should do to protect themselves.
Post-incident procedures ensure we emerge stronger from security events. We conduct thorough reviews examining how the breach occurred, why preventive measures failed, and what improvements would prevent recurrence. These lessons directly influence security enhancements, making each incident an opportunity to strengthen our defences. We maintain detailed breach registers documenting all incidents, responses, and improvements, demonstrating accountability and continuous improvement in our security practices.
COOKIES AND TRACKING TECHNOLOGIES
Understanding Cookies
Cookies are small text files stored on your device that enable websites to remember information about your visit. On JumboBuy, cookies serve essential functions, such as maintaining your logged-in session, remembering your preferences, and providing analytics that help us improve the platform. Without cookies, you would need to log in again on every page, repeatedly set your preferences, and we would lose valuable insights about how to enhance user experience.
We use different categories of cookies, each serving specific purposes with varying privacy implications. Strictly necessary cookies enable basic platform functions, such as maintaining your session, protecting against security threats, and remembering essential preferences. These cookies are fundamental to platform operation and don't require consent, as without them, we cannot provide the services you've requested.
Performance and analytics cookies help us understand how users interact with our platform, identifying popular features, technical issues, and navigation patterns that inform improvements. Functional cookies enhance your experience by remembering choices such as your preferred language, recently viewed products, and customised dashboard layouts. Marketing cookies support our business development by measuring advertising effectiveness, enabling retargeting campaigns, and helping us understand which marketing channels bring valuable users to the platform.
Cookie Management and Consent
In compliance with Section 6 of the DPDP Act regarding consent requirements, we implement granular cookie consent management that provides real choice and control. When you first visit JumboBuy, our cookie consent interface clearly explains what cookies we use and why, avoiding dark patterns that might trick you into accepting all cookies. You can choose to receive all cookies, reject non-essential cookies, or customise your preferences by category, with clear explanations of how each choice affects your platform experience.
Cookie preferences can be modified at any time through your account settings or the cookie preferences link in our footer. When you withdraw consent for a category, we immediately stop setting new cookies in that category and expire the cookies we set ourselves on our next response to your browser. Cookies placed by third-party domains can only be expired by those domains, so some may persist until their natural expiration, but they will not be renewed and the scripts that set them will no longer be loaded. We also respect browser-level controls, such as Do Not Track signals, and provide detailed guides on configuring popular browsers for optimal privacy while maintaining platform functionality.
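The consent logic described in this section, as an added example that is not JumboBuy's own code. The cookie names, their category assignments, and the category labels are assumptions for the illustration. Strictly necessary cookies are always set; every other cookie is set only when its category is consented to; any cookie of a non-consented category that is already on the browser, or any cookie the platform has not categorised at all, is expired with Max-Age=0. Every cookie carries Secure and SameSite, and session-critical ones are HttpOnly.

```python
# Assumed mapping of first-party cookie name -> consent category for this example.
COOKIE_CATEGORIES = {
    "sid": "strictly_necessary",      # session identifier
    "csrf": "strictly_necessary",     # anti-CSRF token
    "cookie_consent": "strictly_necessary",  # the stored consent choice itself
    "lang": "functional",
    "jb_analytics": "analytics",
    "jb_campaign": "marketing",
}

# Cookies whose value must never be readable from page scripts.
HTTP_ONLY = {"sid", "csrf"}


def build_set_cookie(name: str, value: str, max_age: int) -> str:
    """Compose one Set-Cookie header with the hardening attributes always present."""
    parts = [f"{name}={value}", "Path=/", f"Max-Age={max_age}", "Secure", "SameSite=Lax"]
    if name in HTTP_ONLY:
        parts.append("HttpOnly")
    return "; ".join(parts)


def expire_cookie(name: str) -> str:
    """Max-Age=0 instructs the browser to delete the cookie immediately."""
    return build_set_cookie(name, "", 0)


def apply_consent(consented: set, desired: list, existing: set) -> list:
    """Decide the Set-Cookie headers for a response.

    consented: categories the user has opted into (beyond strictly necessary)
    desired:   (name, value, max_age) cookies the page would like to set
    existing:  names of cookies the browser sent with this request
    """
    headers = []
    allowed = {"strictly_necessary"} | set(consented)

    for name, value, max_age in desired:
        category = COOKIE_CATEGORIES.get(name)
        if category is None:
            # Refuse rather than silently set something no one has classified.
            raise ValueError(f"uncategorised cookie {name!r} cannot be set")
        if category in allowed:
            headers.append(build_set_cookie(name, value, max_age))

    # Withdrawal: delete cookies whose category is no longer permitted, and
    # anything unrecognised that may have been set before this policy existed.
    for name in sorted(existing):
        category = COOKIE_CATEGORIES.get(name)
        if category is None or category not in allowed:
            headers.append(expire_cookie(name))
    return headers


def cookie_names(headers: list) -> list:
    """Names in order, for inspection."""
    return [h.split("=", 1)[0] for h in headers]


if __name__ == "__main__":
    # Constructed request: user consented only to functional cookies, but an
    # analytics cookie and a legacy cookie are still present from earlier visits.
    for h in apply_consent({"functional"},
                           [("sid", "abc123", 1800), ("lang", "en-IN", 31536000),
                            ("jb_analytics", "xyz", 63072000)],
                           {"sid", "jb_analytics", "old_tracker"}):
        print(h)
```

Note that withdrawal is enforced on the server's response rather than by trusting client-side script to clean up; the response expires the cookie whether or not the page's JavaScript runs.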
Third-party cookies require special consideration as they can track activity across multiple websites. We carefully vet all third-party services that might set cookies, ensuring they serve legitimate purposes and comply with privacy regulations. Our cookie policy provides transparency into which third parties may place cookies, the purposes they serve, and how to opt out of their tracking. We maintain strict limitations on third-party cookies, generally permitting only those that are essential to platform functionality or explicitly consented to for marketing purposes.
Alternative Tracking Technologies
Beyond traditional cookies, modern web platforms use various tracking technologies that require disclosure and appropriate controls. Local Storage and Session Storage use HTML5 features to store information directly in your browser, offering more storage capacity than cookies but with similar privacy implications. Pixel tags or web beacons are tiny, invisible images that track when emails are opened or web pages are viewed. Device fingerprinting combines various device characteristics to identify browsers without using cookies.
We use these technologies sparingly and only for specified purposes such as maintaining user preferences that require more storage than cookies allow, measuring email campaign effectiveness to improve our communications, and enhancing security by detecting potentially fraudulent access attempts. Whenever we employ alternative tracking technologies, we apply the same consent and control principles as with traditional cookies, ensuring transparency about what technologies we use and providing options to limit their use where possible.
USER SECURITY RESPONSIBILITIES
Shared Responsibility Model
Platform security requires active participation from all users, creating a shared responsibility model where we secure the infrastructure while you protect your account access. We maintain the servers, networks, and applications that power JumboBuy, implement security features such as encryption and monitoring, respond to platform-wide security threats, and ensure regulatory compliance. However, you remain responsible for maintaining strong, unique passwords, enabling and properly using multi-factor authentication, controlling access within your organisation, verifying the authenticity of communications claiming to be from JumboBuy, and maintaining the security of devices used to access our platform.
This division of responsibilities reflects practical realities, in which certain security aspects remain under your exclusive control. The strongest platform security cannot protect against weak passwords, shared credentials, or compromised user devices. By understanding and fulfilling your security responsibilities, you contribute to overall platform security that benefits all users. We provide tools, guidance, and support to help you maintain your security responsibilities, but ultimate implementation remains with you.
Security Best Practices
Protecting your JumboBuy account requires following security best practices that significantly reduce the risk of compromise. Password security starts with using unique, complex passwords at least 12 characters long, ideally passphrases that are memorable but difficult to guess. Never reuse passwords across platforms, as one breached site could compromise all your accounts. Consider using a password manager that generates and securely stores strong passwords. Change passwords immediately if you suspect any compromise, and never share credentials with others, even team members, who should have their own accounts.
Multi-factor authentication provides crucial additional protection that we strongly recommend for all users and require for high-risk accounts. When enabling MFA, choose authenticator apps over SMS where possible, as text messages can be intercepted through SIM swapping attacks. Keep backup codes in secure locations separate from your primary device, and register multiple authentication devices to prevent single points of failure. Train your team on proper MFA use, as security features only work when properly utilised.
Organisational security extends beyond individual practices to encompass company-wide culture and procedures. Implement clear access management procedures that grant minimum necessary permissions, regularly review and update access rights, and immediately revoke access when employees leave. Conduct regular security training covering topics like recognising phishing attempts, handling sensitive data, and reporting suspicious activities. Develop incident response plans that outline roles and responsibilities during security events, ensuring your organisation can respond effectively to potential breaches.
THIRD-PARTY SECURITY
Integration Security
JumboBuy integrates various third-party services to provide comprehensive B2B functionality, from payment processing to logistics tracking. Each integration undergoes a thorough security assessment before implementation, evaluating the vendor's security certifications, security incident history, data protection practices, and contractual commitments. We only integrate services that meet security standards comparable to our own, recognising that third-party vulnerabilities could compromise platform security.
API security forms a critical component of integration protection. We implement OAuth 2.0 for delegated, scoped authorisation, so that partners receive short-lived access tokens limited to specific operations and never handle user credentials; we enforce rate limiting to prevent abuse, maintain comprehensive audit logs of all API activities, and use encrypted communications with certificate pinning for critical integrations. Data shared through APIs follows the principle of least privilege, providing only the information necessary for a specific function. For example, shipping integrations receive delivery addresses but not payment details, minimising the potential impact if a partner experiences a breach.
Supply Chain Security
The interconnected nature of modern software means we must consider security throughout our supply chain. We maintain a Software Bill of Materials documenting all components in our platform, enabling rapid response when vulnerabilities are discovered in third-party libraries. Automated scanning continuously checks for known vulnerabilities in our dependencies, and we rapidly patch or replace affected components. This vigilance extends to development tools and infrastructure, recognising that attackers increasingly target software supply chains to reach multiple victims.
Business supply chain security helps users understand and manage risks in their trading relationships. While we cannot control the security practices of all platform businesses, we provide tools to assess counterparty risks, including verification badges indicating enhanced due diligence completion, security incident disclosure requirements that ensure transparency about breaches, and transaction security scores based on account history and verification level. These features empower users to incorporate security considerations into business decisions, contributing to overall marketplace security.
COMPLIANCE AND STANDARDS
Regulatory Compliance
Our security and cookie practices comply with multiple Indian regulatory frameworks that establish minimum protection standards and specific requirements. The Information Technology Act, 2000, particularly Section 43A, mandates compensation for failure to protect sensitive personal data, making robust security legally required.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, specify technical requirements, including encryption standards and access controls, that we implement and exceed. The Digital Personal Data Protection Act, 2023, strengthens these requirements with specific provisions on breach notification, data minimisation, and purpose limitation, which influence our security architecture.
International standards complement Indian law by providing structured approaches to security management. Our ISO 27001 certification demonstrates adherence to globally recognised information security standards through systematic risk management, documented policies and procedures, regular audits, and continuous improvement. We also follow the National Institute of Standards and Technology (NIST) guidelines for specific technical implementations, leveraging decades of security research. While not legally mandated, these international standards position us to serve global clients expecting world-class security.
Audit and Accountability
Regular audits verify that our security practices match our policies and legal obligations. Internal audits operate continuously, with monthly vulnerability assessments, quarterly access reviews, semi-annual penetration tests, and annual policy reviews. External audits provide independent validation through annual ISO surveillance audits, twice-yearly third-party penetration tests, and regulatory compliance assessments. We publish sanitised audit summaries in transparency reports, demonstrating accountability while withholding specific vulnerability details that could aid attackers.
Continuous improvement drives our security program's evolution based on audit findings, incident lessons, changes in the threat landscape, and user feedback. We view security not as a static achievement but as an ongoing journey requiring constant vigilance and adaptation. Your reports of suspicious activities or potential vulnerabilities contribute directly to platform security improvements, making you an active participant in our security ecosystem.
UPDATES AND CONTACT INFORMATION
This Security and Cookies Policy may be updated to reflect changes in technology, threats, or regulatory requirements. Material changes will be notified through email and platform notifications with appropriate notice periods. We maintain archives of previous policy versions, demonstrating our commitment to transparency in the evolution of security practices.
For security concerns or cookie-related queries, contact our security team at contact@JumboBuy.in or our Data Protection Officer at contact@JumboBuy.in. Report security vulnerabilities through our responsible disclosure program at contact@JumboBuy.in for appropriate recognition and remediation. Our Security Operations Centre monitors critical security channels 24/7, ensuring rapid response to urgent security matters.
By using JumboBuy, you acknowledge that you understand our security measures and cookie practices, your role in maintaining platform security, and your choices regarding cookie acceptance. Together, we create a secure, trusted marketplace that enables Indian businesses to thrive in digital commerce while protecting the sensitive information that powers modern B2B transactions.