COMPREHENSIVE SECURITY POLICY AND SYSTEMIC INTEGRITY PROTOCOL
DOCUMENT REFERENCE: TRU-SEC-PRO-2026-V12.0
CLASSIFICATION: BINDING DIGITAL SECURITY COVENANT
ENTITY STATUS: PASSIVE TECHNOLOGY INTERMEDIARY
JURISDICTION: REPUBLIC OF INDIA
ARTICLE I: ARCHITECTURAL SECURITY PREAMBLE AND SCOPE
1.1. NATURE OF INSTRUMENT: THIS SECURITY POLICY ("SECURITY POLICY") CONSTITUTES A LEGALLY BINDING PROTOCOL FOR THE SECURE UTILIZATION OF THE TRUCOI DIGITAL ECOSYSTEM. IT IS DESIGNED TO BE READ IN CONJUNCTION WITH THE PRIVACY POLICY AND TERMS OF SERVICE.
1.2. SECURITY PHILOSOPHY: THE COMPANY OPERATES ON A "SHARED RESPONSIBILITY MODEL." WHILE WE IMPLEMENT SYSTEM-LEVEL DEFENSES, THE DATA PRINCIPAL (USER) IS SOLELY RESPONSIBLE FOR THE SECURITY OF THEIR LOCAL HARDWARE, OPERATING SYSTEMS, AND ACCESS TO MOBILE NETWORKS.
1.3. LIMITATION OF SOFTWARE IDENTITY: AS A PURELY SOFTWARE-BASED ENTITY, THE COMPANY DOES NOT CONTROL THE PHYSICAL ENVIRONMENT IN WHICH THE PLATFORM IS ACCESSED. CONSEQUENTLY, THE COMPANY DISCLAIMS ALL LIABILITY FOR SECURITY VULNERABILITIES ARISING FROM DEVICE-LEVEL COMPROMISE, SIM-SWAPPING, OR UNAUTHORIZED TELECOM ACCESS.
ARTICLE II: AUTHENTICATION INTEGRITY AND CREDENTIAL GOVERNANCE
2.1. PRIMARY IDENTIFICATION SEQUENCES: THE PLATFORM UTILIZES A ONE-TIME PASSWORD (OTP) AND JSON WEB TOKEN (JWT) ARCHITECTURE. THE DATA PRINCIPAL BEARS THE ABSOLUTE AND EXCLUSIVE FIDUCIARY RESPONSIBILITY FOR ENSURING THE CONFIDENTIALITY OF THE 10-DIGIT MOBILE IDENTIFIER AND THE RESULTANT AUTHENTICATION SEQUENCES.
2.2. NON-TRANSFERABILITY: ACCESS CREDENTIALS ARE NON-TRANSFERABLE. ANY ACTION PERFORMED ON THE PLATFORM FOLLOWING A SUCCESSFUL OTP VALIDATION IS LEGALLY DEEMED TO BE AN ACTION OF THE REGISTERED DATA PRINCIPAL.
2.3. OAUTH AND THIRD-PARTY TOKENS: WHERE THE USER UTILIZES GOOGLE OAUTH OR SECONDARY IDENTITY PROVIDERS, THE COMPANY ASSUMES ZERO LIABILITY FOR VULNERABILITIES WITHIN THOSE THIRD-PARTY IDENTITY ECOSYSTEMS.
ARTICLE III: THE RIGHT OF SURVEILLANCE AND SECURITY AUDITING
3.1. HEURISTIC MONITORING: THE COMPANY RESERVES THE UNFETTERED RIGHT TO ENGAGE IN BEHAVIORAL HEURISTIC ANALYSIS AND REAL-TIME MONITORING OF ALL PACKET DATA FLOWING THROUGH THE PLATFORM. THIS IS CONDUCTED TO MITIGATE ADVERSARIAL VECTORS, DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS, AND UNAUTHORIZED DATA EXFILTRATION.
3.2. ACCESS TO TELEMETRY: TO ENSURE ECOSYSTEM SAFETY, THE COMPANY RETAINS THE RIGHT TO COLLECT AND AUDIT DEVICE-LEVEL TELEMETRY, INCLUDING BUT NOT LIMITED TO IP GEOLOCATION, MAC ADDRESSES, AND SYSTEM KERNEL HEADERS, TO DETECT ATTEMPTS AT LOCATION SPOOFING OR IDENTITY MASQUERADING.
3.3. CALL LOGS AND COMMUNICATION AUDIT: EVERY INSTANCE OF COMMUNICATION INITIATED VIA THE PLATFORM’S DIGITAL INTERFACE IS LOGGED FOR ACCOUNTABILITY. THE COMPANY RESERVES THE RIGHT TO UTILIZE THESE LOGS TO INVESTIGATE SECURITY INCIDENTS, FRAUDULENT POSTINGS, OR CONTRACTUAL BREACHES BETWEEN USERS.
ARTICLE IV: THIRD-PARTY INFRASTRUCTURE AND EXTERNALIZED RISKS
4.1. CLOUD INFRASTRUCTURE RELIANCE: THE PLATFORM IS HOSTED ON THIRD-PARTY CLOUD INFRASTRUCTURE (HEREINAFTER "CLOUD PROVIDERS"). THE DATA PRINCIPAL ACKNOWLEDGES THAT THE PHYSICAL SECURITY OF THE SERVERS AND THE INTEGRITY OF THE UNDERLYING HARDWARE ARE BEYOND THE COMPANY'S CONTROL.
4.2. TELECOM AND NETWORK LATENCY: SECURITY TOKENS AND DATA TRANSMISSIONS ARE SUBJECT TO THE VULNERABILITIES OF INDIAN TELECOMMUNICATION NETWORKS. THE COMPANY DISCLAIMS LIABILITY FOR "MAN-IN-THE-MIDDLE" (MITM) ATTACKS OCCURRING AT THE ISP OR TELECOM CARRIER LEVEL.
4.3. ZERO-LIABILITY FOR EXTERNAL BREACHES: IN THE EVENT OF A GLOBAL SECURITY COMPROMISE OF THE UNDERLYING CLOUD PROVIDER OR THE THIRD-PARTY API SERVICES (SUCH AS MAPS OR SMS GATEWAYS), THE COMPANY SHALL BE HELD HARMLESS FROM ALL CONSEQUENTIAL DAMAGES.
ARTICLE V: SECURITY OF TRANSITORY ACCESS PROTOCOLS (MAGIC LINKS)
5.1. EPHEMERAL TOKEN VULNERABILITY: THE PLATFORM GENERATES TRANSITORY, NON-AUTHENTICATED TOKENS ("MAGIC LINKS") TO FACILITATE FRICTIONLESS DISPATCH. THE USER WHO GENERATES AND SHARES THIS LINK ASSUMES ALL SECURITY RISK ASSOCIATED WITH THE LINK FALLING INTO THE POSSESSION OF UNAUTHORIZED THIRD PARTIES.
5.2. CONSTRUCTIVE ACCEPTANCE: ANY INDIVIDUAL ACCESSING THE SYSTEM VIA A TRANSITORY LINK IS SUBJECT TO THIS SECURITY POLICY AND IS DEEMED TO HAVE ACCEPTED THE "AS-IS" SECURITY STATE OF THE INTERFACE.
ARTICLE VI: DATA BREACH PROTOCOLS AND NOTIFICATION LIMITS
6.1. DEFINITION OF BREACH: A BREACH SHALL BE NARROWLY DEFINED AS THE UNAUTHORIZED PHYSICAL EXFILTRATION OF SENSITIVE PERSONAL DATA CAUSED SOLELY BY A PROVEN DEFECT IN THE COMPANY'S PROPRIETARY CODEBASE, EXCLUDING ANY THIRD-PARTY VULNERABILITIES.
6.2. NOTIFICATION TIMELINES: IN THE EVENT OF A RECOGNIZED SECURITY INCIDENT, THE COMPANY SHALL COMPLY WITH THE REPORTING MANDATES OF THE INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-IN) WITHIN THE STATUTORY TIMELINES. INDIVIDUAL USER NOTIFICATION SHALL BE PROVIDED VIA AUTOMATED ELECTRONIC MEANS ONLY.
6.3. LIABILITY CAP: THE TOTAL CUMULATIVE LIABILITY OF THE COMPANY FOR ANY SECURITY FAILURE, NOTWITHSTANDING THE CAUSE, SHALL BE CAPPED AT THE NOMINAL VALUE OF INR 1,000, REPRESENTING THE ADMINISTRATIVE COST OF RE-AUTHENTICATION.
ARTICLE VII: PROHIBITED ADVERSARIAL ACTIVITIES
7.1. ANTI-SCRAPING MANDATE: USERS ARE STRICTLY PROHIBITED FROM UTILIZING AUTOMATED SCRAPERS, CRAWLERS, SPIDERS, OR ANY FORM OF ARTIFICIAL INTELLIGENCE TO EXTRACT DATA FROM THE PLATFORM. SUCH ACTIONS SHALL BE DEEMED A CRIMINAL VIOLATION UNDER SECTION 66 OF THE IT ACT.
7.2. REVERSE ENGINEERING: ANY ATTEMPT TO DECOMPILE, REVERSE ENGINEER, OR DISASSEMBLE THE MONOREPO STRUCTURE OR FRONTEND FRAMEWORKS OF THE PLATFORM SHALL RESULT IN IMMEDIATE TERMINATION AND LEGAL PROSECUTION.
ARTICLE VIII: JURISDICTIONAL SECURITY COMPLIANCE
8.1. GOVERNING LAW: THIS SECURITY PROTOCOL IS GOVERNED BY THE LAWS OF THE REPUBLIC OF INDIA, INCLUDING THE CYBER SECURITY DIRECTIONS ISSUED UNDER SECTION 70B OF THE IT ACT.
8.2. EXCLUSIVE JURISDICTION: ANY DISPUTE ARISING FROM THE SECURITY CLAIMS SHALL BE SUBJECT TO THE EXCLUSIVE JURISDICTION OF THE COURTS LOCATED AT THE COMPANY'S PRIMARY DIGITAL DOMICILE.
ARTICLE IX: GRIEVANCE REDRESSAL AND SECURITY REPORTING
9.1. TO REPORT A POTENTIAL SECURITY VULNERABILITY OR FOR LEGAL INQUIRIES REGARDING DATA SOVEREIGNTY:
ATTENTION: CHIEF SECURITY OFFICER / PLATFORM ADMIN
EMAIL: support@trucoi.com
LEGAL: hr@trucoi.com with Subject as 'LEGAL QUERY'
END OF SECURITY PROTOCOL: TRU-SEC-2026