This article explains in practical terms how Rackwave processes, stores, protects, and manages the data you entrust to us. It covers the technical safeguards we use, who within Rackwave can access your data, which third-party sub-processors we use, and what happens when a security incident occurs.
Where Your Data Is Stored
| Data Type | Storage Location | Jurisdiction |
|---|---|---|
| Account data, billing records, portal data | Primary data centre — India | India |
| MigoSMTP email delivery infrastructure | Distributed — India + USA (delivery nodes) | India / USA |
| Telnxo SMS / Voice / WhatsApp infrastructure | India (primary) + carrier network routing globally | India (primary) |
| Backup snapshots | Geographically separated backup facility — India | India |
Encryption
| Context | Encryption Standard |
|---|---|
| All data in transit (web dashboard, API, SMTP) | TLS 1.2 minimum; TLS 1.3 preferred. HTTP connections are rejected or redirected. |
| All data at rest (databases, object storage, backups) | AES-256 encryption. Keys managed using a hardware security module (HSM). |
| API keys and webhook secrets | Stored as salted hashes — the original key value cannot be recovered from our database. Only you see the full key at generation time. |
| SMTP account passwords | Encrypted using a one-way algorithm. Rackwave support staff cannot view your SMTP passwords. |
| Payment card data | Not stored by Rackwave. All card data is handled by PCI-DSS Level 1 certified payment processors. Rackwave stores only tokenised references. |
Access Controls — Who Can See Your Data
| Person / System | Access Level |
|---|---|
| Your account owner and admin users | Full access to all data within your account per their assigned role |
| Rackwave support staff | Read-only access to account metadata and logs strictly for support purposes. Access is logged and audited. Support staff cannot read email content or SMS message body. |
| Rackwave engineering team | Access to infrastructure and anonymised aggregated metrics only. Access to production customer data requires a formal access request and approval. |
| Automated systems | Internal systems (delivery engines, spam filters, abuse detection) access data as necessary for service operation — subject to the same security controls as human access. |
| Third parties / advertisers | No access. Rackwave does not share your data with third parties for advertising, marketing, or commercial purposes. |
Sub-Processors
Rackwave uses a small set of trusted third-party sub-processors to deliver the service. All sub-processors are bound by data processing agreements and applicable data protection law:
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure provider | Hosting servers, databases, and storage | All data stored on the platform |
| SMS carrier networks | Routing and delivering SMS messages to handsets | Recipient phone number and message content |
| Voice carrier / SIP provider | Routing and delivering voice calls | Caller ID and recipient number; call audio |
| Meta (WhatsApp BSP) | Delivering WhatsApp messages via the WhatsApp Business API | Recipient WhatsApp number and message content |
| Payment processor | Processing card payments and UPI transactions | Billing name, amount; card is tokenised by processor |
Security Incident Response
Rackwave maintains a documented incident response process for security events:
- Detection — automated monitoring systems detect anomalous activity 24/7. All security alerts are triaged within 1 hour.
- Containment — the affected system or account is isolated to prevent further damage.
- Assessment — engineers assess whether personal data was accessed or compromised.
- Notification — if personal data of your users was compromised, you are notified within 48–72 hours of confirmation. The notification includes a description of the incident, data categories affected, approximate number of individuals impacted, and recommended steps.
- Remediation — root cause is addressed and controls are updated to prevent recurrence.
- Post-incident review — a post-mortem is conducted and findings are documented.
Vulnerability Management
- All platform dependencies are monitored for known CVEs and patched within SLA timelines based on severity.
- Rackwave conducts periodic penetration tests by external security firms.
- Responsible disclosure programme: if you discover a security vulnerability in the Rackwave platform, please report it to the security team via a support ticket marked Security Disclosure — Confidential. We will acknowledge within 24 hours and provide updates throughout the investigation.
Next Steps