What encryption does MentCura use to protect data?

MentCura employs AES-256 encryption for data at rest and TLS 1.3 for data in transit. All databases, file servers, and backup systems use encryption. Communication channels between clients and servers are protected by modern TLS 1.3 protocols with Perfect Forward Secrecy (PFS).

Where is my data stored?

All MentCura data is stored exclusively within India on secure cloud infrastructure provided by Google Cloud Platform (regions: Mumbai, Delhi) and Microsoft Azure (regions: Central India, South India). Data sovereignty is maintained at all times, and no data is transferred outside India.

How does MentCura handle data backups?

MentCura performs daily incremental backups and weekly full backups. Backups are encrypted using AES-256 and stored across three geographically separate availability zones. A Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 24 hours are maintained. Annual disaster recovery drills are conducted.

Is MentCura compliant with Indian data protection laws?

Yes. MentCura is fully compliant with the Digital Personal Data Protection Act (DPDP Act), 2023, the Information Technology Act, 2000 and its rules, and ISO/IEC 27001:2022 standards. We conduct regular compliance audits, maintain audit logs for 90+ days, and have appointed a Data Protection Officer and Grievance Officer.

Data Security Policy

Our Commitment to Your Data Security

At MentCura, we understand that mental health data is highly sensitive and requires the highest standards of protection. As a trusted corporate wellness partner, we are committed to safeguarding the privacy, security, and confidentiality of all data entrusted to us. This Security & Data Protection Commitment outlines the comprehensive measures we implement to protect your organization's data and your employees' personal information.

Regulatory Compliance

DPDP Act 2023 Compliance

MentCura fully complies with India's Digital Personal Data Protection Act, 2023 (DPDP Act), acting as a Data Fiduciary committed to protecting the rights of Data Principals.

Information Technology Act, 2000

We adhere to the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Continuous Compliance

Our compliance program is regularly reviewed and updated to align with evolving regulations and industry best practices.

Data Storage & Location

India-Based Infrastructure

All data is stored exclusively within India using secure cloud infrastructure provided by industry-leading providers:

Google Cloud Platform (Primary storage and hosting)
Microsoft Azure (Secondary storage and backups)

No International Transfers

We do not transfer any personal data outside of India, ensuring full compliance with Indian data sovereignty requirements.

Data Security Measures

Encryption

Data at Rest

All stored data is encrypted using AES-256 encryption (Advanced Encryption Standard with 256-bit keys)
Database encryption is enabled on all production systems
Backup files are encrypted using the same industry-standard encryption

Data in Transit

All data transmitted between users and our servers is encrypted using TLS 1.3 (Transport Layer Security)
HTTPS is enforced across all web pages and API endpoints
Insecure protocols are disabled

Encryption Key Management

End-user encryption keys are managed by users themselves
System-level encryption keys are managed securely by our cloud providers in accordance with industry best practices

Access Controls

Principle of Least Privilege

Access to data is granted based on job function and necessity
Administrative access is restricted to authorized personnel only

Authentication

Single Sign-On (SSO) and Email Authentication for employee authentication
Multi-Factor Authentication (MFA) required for all administrative accounts and sensitive systems

Strong Password Policies

Minimum 8-character passwords with complexity requirements
Hashed password storage using industry-standard algorithms

Database Security

Admin access to production databases restricted to Chief Technical Officer
All database access is logged and monitored
Regular access reviews conducted quarterly

Network Security

Firewall protection to block unauthorized traffic
Intrusion Detection Systems (IDS) monitor network activity
Production, development, and testing environments are segregated
Database servers isolated in private subnets

Application Security

Secure coding practices following OWASP guidelines
Regular vulnerability scans and security testing
Timely application of security patches and updates
Input validation to prevent injection attacks

Data Backup & Disaster Recovery

Automated Backups

Daily incremental backups and weekly full backups
Backups retained for 30 days
Stored in geographically separate data centers within India for redundancy

Backup Encryption

All backup files encrypted using AES-256 encryption

Disaster Recovery Plan

Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 24 hours
Annual disaster recovery testing and simulations

99.9% Uptime Commitment

We maintain Platform availability of 99.9% uptime, calculated monthly
Scheduled maintenance conducted during off-peak hours with advance notice

Data Privacy & Protection

Data Minimization

We collect only the minimum personal data necessary to provide our services:

Corporate Clients: Company name, authorized signatory details, business email, billing address
Employees: Name, email, phone number
Wellness Data: Mood tracking, journal entries, self-assessments, AI interactions (all encrypted and access-restricted)

Purpose Limitation

Data is used only for specified, legitimate purposes disclosed at the time of consent:

Providing corporate wellness services
Generating personalized AI-driven insights
Facilitating tele-counseling appointments
Delivering aggregated analytics to corporate clients

Employee Privacy

Counselor Access Restrictions

Mental health professionals (counselors) do not have automatic access to employee data
Employees must explicitly share information during tele-counseling sessions
Session content is not recorded or stored

Anonymous Corporate Analytics

Corporate clients receive only aggregated, anonymized usage data
Individual employee identities are never disclosed to employers
All identifiers (names, emails, IDs) removed from analytics

Data Retention

Data retained only for as long as necessary
Corporate client data retained for subscription duration plus 7 years for compliance
Employee data deletion requests processed within 14 days

User Rights Under DPDP Act

Employees and corporate clients have the right to:

Access their personal data
Correct inaccurate or incomplete data
Delete their personal data (right to be forgotten)
Data Portability - receive data in machine-readable format
Withdraw Consent at any time
File Complaints with our Grievance Officer or the Data Protection Board of India

Monitoring & Auditing

Security Logging

All data access attempts logged and monitored
Logs retained for minimum 90 days
Automated alerts for suspicious activity

Regular Audits

Monthly internal security audits
Monthly security log reviews
Annual policy reviews and updates

Future Certifications

Working toward ISO 27001 and SOC 2 certifications to demonstrate industry-leading security standards

Data Breach Response

Rapid Response Protocol

Dedicated incident response team led by technical leadership
Breaches contained and investigated immediately
Affected parties notified within 4 hours of breach confirmation

Transparency

Clear communication about breach nature, scope, and impact
Guidance provided to affected parties on protective measures
Regulatory authorities notified as required by DPDP Act

Post-Incident Improvement

Root cause analysis conducted for every incident
Security measures strengthened based on lessons learned

Vendor & Third-Party Management

Trusted Partners

We work only with reputable, security-conscious vendors:

Google Cloud Platform - Cloud hosting and storage (India)
Microsoft Azure - Secondary storage and backups (India)
Razorpay - Secure payment processing (India)
Meta/Facebook - Marketing analytics (India)

All vendors comply with applicable data protection laws and maintain industry-standard security certifications.

No Data Sharing Without Consent

We do not sell, rent, or share personal data with third parties for their marketing purposes.

Employee Training & Awareness

Comprehensive Training Program

Monthly data protection training for all employees handling data
Role-specific security training (technical staff, customer support, management)
New employee onboarding includes mandatory data protection training

Security Culture

Regular security awareness communications
Clear policies and consequences for violations
Continuous improvement mindset

Governance & Accountability

Data Protection Officer

Name: Ritik Kumar
Title: Chief Technical Officer
Responsibilities: Overseeing data protection compliance, managing technical security, coordinating with regulatory authorities

Grievance Officer

Name: Pavni Kandpal
Title: Operations Manager
Email: contact@mentcura.com
Response Time: Complaints acknowledged within 24 hours, resolved within 15 days

Board Oversight

Our Board of Directors reviews data protection practices and receives regular reports on compliance and security.

Crisis Data Handling

Emergency Support

Direct links to national mental health helplines available through the Platform
No recording of crisis interactions or conversations with external helplines
Minimal metadata collected, never linked to individual identities

Commitment to Continuous Improvement

Security is not a one-time effort—it's an ongoing commitment. We continuously:

Monitor emerging threats and vulnerabilities
Update security measures and technologies
Review and enhance policies and procedures
Stay informed about regulatory changes
Invest in employee training and awareness

Transparency & Trust

We believe transparency builds trust. This Security & Data Protection Commitment is part of our broader commitment to openness about our data practices, which also includes:

Privacy Policy - Details on data collection, use, and user rights
Terms and Conditions - Legal framework for Platform use
Service Agreement - Contractual obligations to corporate clients

Questions or Concerns?

We're here to help. If you have questions about our security practices or data protection measures, please contact us:

Email: contact@mentcura.com
Website: https://corp.mentcura.com/
Data Protection Officer: Ritik Kumar (ritikkumar@mentcura.com)
Grievance Officer: Pavni Kandpal (pavnikandpal@mentcura.com)

Our Promise

At MentCura, we treat your data and your employees' mental health information—with the utmost care and respect. Security and privacy are not just compliance checkboxes; they are core values embedded in everything we do.

We are committed to:

Protecting sensitive mental health data with industry-leading security
Maintaining full compliance with Indian data protection laws
Respecting employee privacy and confidentiality
Being transparent about our practices
Continuously improving our security posture

Thank you for trusting MentCura with your corporate wellness program.

Security & Data Protection Policy