Responsible Disclosure Policy
Effective Date: 01th April 2025
Last Updated: 29th June 2026
Company Legal Name: Treewalker Digital Private Limited
Product: Galla.app
Website: https://galla.app
Registered Office: Vikas Plaza.38/ 1A (4), Kanappana Agrahara, Hosur Rd, Phase II, Electronic City, Bengaluru, Karnataka 560100
Support Email: support@treewalkerlabs.com
Legal Email: legal@treewalkerlabs.com
CIN: U72900KA2021PTC153840
GSTIN: 29AAICT9733E1ZXs
This Responsible Disclosure Policy (“Policy”) explains how security researchers, customers, users, partners, and members of the public may responsibly report suspected security vulnerabilities affecting Galla.app and related services provided by Treewalker Digital Private Limited (“Treewalker Digital”, “Galla”, “Galla.app”, “Company”, “we”, “us”, or “our”).
Galla.app is a SaaS platform for retail management, POS billing, warehouse management, inventory management, WhatsApp marketing, ecommerce development, third-party integrations, APIs, dashboards, reports, automation, hardware-assisted workflows, and related business operations.
We take security seriously and appreciate responsible reports from individuals who help us identify and fix security issues. This Policy provides a safe and structured way to report vulnerabilities while protecting customer data, platform availability, privacy, and business operations.
This Policy should be read together with our Terms of Service, Privacy Policy, Data Processing Addendum, Security Overview, Acceptable Use Policy, SLA and Support Policy, Incident Response Policy, Subprocessor List, and other applicable legal policies.
1. Purpose of this Policy
The purpose of this Policy is to:
- Encourage responsible reporting of security vulnerabilities.
- Provide a clear reporting channel for security issues.
- Define which systems and activities are in scope.
- Define which testing activities are not allowed.
- Protect Galla.app customers, users, data, infrastructure, integrations, and hardware workflows.
- Help security researchers understand safe testing boundaries.
- Support coordinated remediation before public disclosure.
- Reduce the risk of accidental harm, data exposure, disruption, or misuse.
- Establish expectations for communication, timelines, and recognition.
- Clarify that this Policy is not a bug bounty programme unless expressly stated.
2. Scope
This Policy applies to security vulnerabilities affecting Galla.app systems, products, services, or assets that are owned, operated, or controlled by Treewalker Digital Private Limited.
This may include:
- Galla.app website.
- Galla.app SaaS platform.
- Galla.app login and authentication flows.
- Retail Management module.
- POS Billing module.
- Warehouse Management module.
- Inventory Management module.
- WhatsApp Marketing module.
- Ecommerce management features operated by Galla.app.
- APIs and webhooks owned by Galla.app.
- Dashboards and reports.
- Customer admin panels.
- Support portals owned by Treewalker Digital Private Limited.
- Public-facing Galla.app domains and subdomains.
- Mobile or web applications officially released by Treewalker Digital Private Limited.
- Security issues in Galla-controlled integrations.
- Misconfiguration affecting Galla-owned cloud or application assets.
- Authentication, authorisation, access control, session, data exposure, or API security vulnerabilities in Galla-controlled systems.
3. Out-of-Scope Systems
The following are generally out of scope unless Treewalker Digital Private Limited gives written permission:
- Third-party websites not owned or controlled by Treewalker Digital Private Limited.
- Customer-owned ecommerce websites.
- Customer-owned ERP, accounting, marketplace, logistics, WhatsApp, payment gateway, SMS, email, or analytics accounts.
- Customer-controlled cloud infrastructure.
- Customer local networks.
- Customer POS devices, scanners, printers, handhelds, RFID devices, computers, tablets, or mobile devices.
- Third-party APIs, SDKs, plugins, themes, extensions, or applications.
- Social media pages.
- Public marketing pages hosted by third-party platforms, unless owned and controlled by Treewalker Digital Private Limited.
- Employee personal accounts.
- Vendor or partner systems.
- Service partner systems.
- Physical offices, facilities, warehouses, or data centres not directly controlled by Treewalker Digital Private Limited.
- Demo environments not specifically approved for testing.
- Beta, pilot, or customer-specific environments unless expressly authorised.
If you are unsure whether a system is in scope, please ask us before testing.
4. No Unauthorised Testing
You must not perform testing unless it complies with this Policy.
Testing should be limited, safe, non-destructive, and designed to prove the existence of a vulnerability without causing harm.
You must not:
- Access, view, copy, modify, delete, export, or disclose customer data.
- Disrupt Galla.app services.
- Degrade platform performance.
- Run denial-of-service or load tests.
- Conduct automated high-volume scanning.
- Conduct brute-force attacks.
- Attempt credential stuffing.
- Attempt password spraying.
- Attempt phishing or social engineering.
- Attempt physical security testing.
- Test employee devices or personal accounts.
- Test customer devices or customer networks.
- Access another customer’s account or data.
- Use malware, ransomware, spyware, worms, trojans, or harmful code.
- Exfiltrate data.
- Modify or delete data.
- Change account settings.
- Send unauthorised messages, emails, SMS, WhatsApp campaigns, or API requests that affect real users.
- Use payment gateways, WhatsApp, SMS, email, ecommerce, marketplace, logistics, or ERP integrations in a way that triggers real transactions or communication.
- Publicly disclose a vulnerability before coordinated remediation.
5. Safe Testing Rules
When testing, you must follow these safe testing rules:
- Use only your own account or a test account that you are authorised to use.
- Keep testing limited to the minimum required to confirm the vulnerability.
- Do not access real customer data.
- Do not change, delete, or corrupt data.
- Do not perform tests that affect other users.
- Do not attempt persistence or lateral movement.
- Do not use exploit chains beyond what is necessary to prove impact.
- Do not run scanners at high volume.
- Do not bypass rate limits in a way that causes service impact.
- Do not attempt to access production infrastructure, shells, consoles, databases, or internal systems.
- Do not attempt to access secrets, keys, credentials, environment variables, or tokens beyond demonstrating that exposure exists.
- Stop testing immediately if you see data that does not belong to you.
- Stop testing immediately if service performance is affected.
- Report the issue promptly.
- Keep all findings confidential until Treewalker Digital Private Limited confirms remediation or gives written permission for disclosure.
6. Vulnerabilities We Encourage You to Report
We encourage reports of real security vulnerabilities that may affect confidentiality, integrity, availability, authentication, authorisation, or data protection.
Examples include:
- Authentication bypass.
- Broken access control.
- Privilege escalation.
- Insecure direct object references.
- Cross-site scripting.
- SQL injection.
- Command injection.
- Server-side request forgery.
- Remote code execution.
- Sensitive data exposure.
- Insecure API endpoints.
- Broken session management.
- Cross-site request forgery with real security impact.
- Business logic vulnerabilities with security impact.
- Multi-tenant data isolation issues.
- Unauthorised access to invoices, reports, inventory, warehouse, POS, ecommerce, or WhatsApp campaign data.
- Unauthorised data export.
- Exposed secrets, tokens, API keys, or credentials.
- Misconfigured storage or cloud assets owned by Galla.app.
- Subdomain takeover affecting Galla-owned domains.
- Account takeover vulnerabilities.
- Security misconfiguration with real impact.
- Insecure file upload leading to security risk.
- Vulnerabilities affecting payment, billing, user management, API, or admin features.
- Vulnerabilities that could expose customer personal data or business data.
7. Vulnerabilities Usually Out of Scope
The following reports are generally out of scope unless they demonstrate a clear, practical, and material security impact:
- Missing security headers without demonstrated exploitability.
- Clickjacking on pages with no sensitive action.
- Self-XSS requiring a user to attack themselves.
- Logout CSRF.
- Rate limiting issues without meaningful security impact.
- Username enumeration without additional impact.
- Email spoofing without proof of domain misconfiguration.
- SPF, DKIM, or DMARC suggestions without demonstrable risk.
- Missing cookie flags on non-sensitive cookies.
- Mixed content on non-sensitive marketing pages.
- Version disclosure without exploitability.
- SSL/TLS configuration issues rated low risk.
- Publicly available information.
- Best-practice recommendations without a vulnerability.
- Social engineering scenarios.
- Physical security issues.
- Denial-of-service vulnerabilities.
- High-volume automated scanner output without validation.
- Reports from outdated browsers or unsupported devices.
- Vulnerabilities in third-party platforms not controlled by Treewalker Digital Private Limited.
- Issues requiring malware installation on the user’s device.
- Issues requiring compromised user credentials.
- Issues caused by customer-side misconfiguration.
- Issues in customer-owned websites, devices, networks, or integrations.
- Theoretical vulnerabilities without a working proof or practical impact.
- Duplicate reports already known to us.
- Reports about lack of ISO/SOC certification.
- Content or grammar issues.
- UI or usability issues without security impact.
- Feature requests.
8. Strictly Prohibited Activities
The following activities are strictly prohibited:
- Accessing customer accounts or data without permission.
- Accessing production databases.
- Exfiltrating data.
- Modifying, deleting, or corrupting data.
- Disrupting services.
- Denial-of-service testing.
- Load testing without written approval.
- Brute-force attacks.
- Credential stuffing.
- Password spraying.
- Phishing.
- Social engineering.
- Physical intrusion or facility testing.
- Testing employees, contractors, vendors, service partners, or customers.
- Installing malware.
- Uploading malicious files.
- Creating persistence.
- Attempting lateral movement.
- Accessing internal systems.
- Attacking third-party providers.
- Triggering real payment transactions.
- Sending real WhatsApp/SMS/email campaigns without authorisation.
- Accessing or changing hardware device configuration without permission.
- Tampering with POS, scanner, printer, RFID, handheld, tablet, or warehouse hardware.
- Public disclosure before remediation.
- Threatening disclosure, extortion, or ransom demand.
- Demanding compensation as a condition for disclosure.
- Using vulnerability information for commercial advantage against Galla.app or its customers.
- Any activity that violates applicable law.
- Violation of these rules may result in legal action, account suspension, termination, reporting to authorities, or other enforcement action.
9. Reporting Channel
Please report suspected vulnerabilities to:
Support Email: support@treewalkerlabs.com
Website: https://galla.app
Use the subject line:
Security Vulnerability Report - Galla.app
If the issue is urgent or may expose customer data, please include URGENT in the subject line.
10. What to Include in Your Report
A good report helps us validate and fix the issue faster.
Please include:
- Your name and contact details.
- Organisation name, if applicable.
- Affected domain, URL, API endpoint, module, or feature.
- Vulnerability type.
- Clear description of the issue.
- Step-by-step reproduction instructions.
- Proof-of-concept code, if safe and non-destructive.
- Screenshots or screen recording, if useful.
- Sample request and response, with sensitive data removed.
- Impact explanation.
- Whether any data was accessed.
- Whether any service disruption occurred.
- Whether the issue is still reproducible.
- Date and time of testing.
- Browser, device, operating system, and network details, if relevant.
- Any suggested remediation, if available.
- Whether you want public recognition, if eligible.
Please do not include real customer data in the report. If you accidentally accessed data that does not belong to you, stop testing and notify us immediately.
11. Handling of Accidental Data Access
If you accidentally access data that does not belong to you:
- Stop testing immediately.
- Do not copy, save, export, modify, delete, screenshot, or share the data.
- Report the issue immediately.
- Tell us exactly what data was accessed.
- Tell us how the access occurred.
- Delete any locally stored sensitive information, if any, after receiving instruction from us.
- Do not disclose the data to anyone else.
- Cooperate with our investigation.
Responsible handling of accidental access is important for customer privacy and legal compliance.
12. Our Response Process
After receiving a report, Treewalker Digital Private Limited will use reasonable efforts to:
- Acknowledge receipt of the report.
- Review the report for scope and completeness.
- Validate the vulnerability.
- Assess severity and business impact.
- Prioritise remediation.
- Request additional information, if required.
- Develop and test a fix or mitigation.
- Deploy a fix or workaround.
- Confirm remediation where practical.
- Close the report.
- Provide recognition if applicable and approved.
Response times may vary depending on severity, report clarity, business impact, exploitability, affected systems, third-party dependency, and engineering workload.
13. Target Communication Timelines
The following are target timelines and not guaranteed service levels.
|
Stage |
Target Timeline |
|
Initial acknowledgement |
Within 3 business days |
|
Initial assessment |
Within 7 business days |
|
Severity classification |
Within 10 business days where feasible |
|
Remediation planning |
Based on severity and complexity |
|
Fix deployment |
Based on severity, risk, and engineering effort |
|
Final closure communication |
After remediation or risk acceptance |
Critical issues affecting customer data or active exploitation may be prioritised for faster handling.
14. Severity Classification
We may classify vulnerabilities based on impact and exploitability.
Critical Severity
Examples:
- Remote code execution.
- Authentication bypass affecting multiple customers.
- Unauthorised access to customer data across tenants.
- Full account takeover.
- Exposure of production secrets.
- Critical payment or billing security flaw.
- Active exploitation affecting customer data.
High Severity
Examples:
- Privilege escalation.
- Access to another user’s sensitive data.
- Significant API access control issue.
- Stored XSS with account impact.
- Sensitive business data exposure.
- Unauthorised export of data.
- Integration credential exposure.
-
Medium Severity
Examples:
- Reflected XSS with meaningful impact.
- CSRF affecting sensitive action.
- Limited information disclosure.
- Security misconfiguration with practical impact.
- Moderate business logic issue.
- Limited account or role bypass.
Low Severity
Examples:
- Low-impact security header issue.
- Non-sensitive information disclosure.
- Minor misconfiguration.
- Low-risk UI or session issue.
- Best-practice improvement.
Final severity classification is determined by Treewalker Digital Private Limited.
15. Remediation Timelines
Remediation timelines depend on risk, exploitability, technical complexity, product impact, testing requirements, third-party dependencies, and release cycles.
General targets may be:
|
Severity |
Target Remediation Approach |
|
Critical |
Immediate investigation and urgent mitigation or fix |
|
High |
Prioritised remediation |
|
Medium |
Scheduled remediation based on risk |
|
Low |
Addressed in normal development cycle or risk accepted |
Some issues may require temporary mitigation before permanent fix.
Some findings may be accepted as business risk if impact is low or remediation is not practical.
16. Coordinated Disclosure
We request that researchers give Treewalker Digital Private Limited reasonable time to investigate and remediate before any public disclosure.
You must not publicly disclose details of a vulnerability without written permission from Treewalker Digital Private Limited.
Public disclosure may include:
- Blog posts.
- Social media posts.
- Videos.
- Conference talks.
- Public bug databases.
- GitHub repositories.
- Exploit code.
- Proof-of-concept scripts.
- Screenshots.
- Press communication.
We may approve coordinated public disclosure after remediation if it does not expose customers, systems, data, or sensitive technical details.
17. Recognition
Treewalker Digital Private Limited may, at its discretion, recognise researchers who submit valid and helpful vulnerability reports.
Recognition may include:
- Thank-you email.
- Public acknowledgement on a Hall of Fame page, if available.
- Certificate of appreciation, if available.
- LinkedIn mention, if approved by both parties.
- Private recommendation or acknowledgement, if appropriate.
Recognition is not guaranteed and may depend on report quality, impact, responsible conduct, and compliance with this Policy.
18. No Bug Bounty Unless Announced
This Policy is not a bug bounty programme.
Unless Treewalker Digital Private Limited has expressly announced a paid bug bounty programme in writing:
- No monetary reward is promised.
- No bounty amount is guaranteed.
- No compensation is owed for reports.
- No payment will be made for duplicate, low-impact, out-of-scope, or policy-violating reports.
- Demanding payment as a condition for disclosure is prohibited.
- Extortion, ransom, or threats of public disclosure are prohibited.
Any reward, appreciation, or recognition is entirely at our discretion.
19. Safe Harbour Statement
Treewalker Digital Private Limited will not initiate legal action against researchers for good-faith security research conducted in compliance with this Policy.
To remain eligible for this good-faith treatment, you must:
- Stay within the scope of this Policy.
- Follow safe testing rules.
- Avoid privacy violations.
- Avoid data access or exfiltration.
- Avoid service disruption.
- Avoid social engineering.
- Avoid physical attacks.
- Report the issue promptly.
- Keep the vulnerability confidential.
- Cooperate with our remediation process.
- Comply with applicable law.
- This safe harbour does not apply to activities that are unlawful, harmful, destructive, extortionate, fraudulent, disruptive, or outside this Policy.
This safe harbour does not bind third parties, customers, cloud providers, WhatsApp/Meta, payment gateways, marketplaces, ecommerce platforms, logistics providers, or any other external service provider.
20. Researcher Responsibilities
Researchers must:
- Act in good faith.
- Follow this Policy.
- Avoid harm to customers or users.
- Avoid accessing personal data or business data.
- Avoid disrupting service.
- Avoid public disclosure before remediation.
- Avoid testing third-party systems without permission.
- Avoid social engineering.
- Avoid physical testing.
- Avoid extortion or pressure tactics.
- Provide clear and accurate reports.
- Cooperate with reasonable follow-up questions.
- Delete any accidentally obtained sensitive information as instructed.
- Comply with applicable law.
21. Customer Responsibilities
Customers using Galla.app must report suspected security issues promptly.
Customers should report:
- Suspicious login activity.
- Unauthorised account access.
- Unknown users in account.
- Exposed API keys.
- Exposed credentials.
- Unexpected data exports.
- Unknown integrations.
- Incorrect user permissions.
- Lost or stolen devices with active Galla.app access.
- Suspicious WhatsApp, SMS, email, or API activity.
- Unusual billing or warehouse activity.
- Suspected data breach.
Customers are responsible for securing their own users, devices, passwords, networks, hardware, integrations, API keys, and third-party accounts.
22. Hardware and Physical Testing Restrictions
Galla.app may be used with hardware such as POS devices, barcode scanners, QR scanners, RFID readers, RFID antennas, handheld terminals, tablets, printers, chargers, and accessories.
Responsible disclosure for hardware-related issues is limited to issues affecting Galla.app-controlled software, firmware configuration, integration, or data security.
You must not:
- Tamper with hardware that you do not own.
- Open, modify, or damage devices.
- Test customer-owned devices.
- Interfere with warehouse, POS, or retail operations.
- Attempt RFID interception in customer environments.
- Attempt barcode or QR manipulation in live customer environments.
- Test physical security of customer sites.
- Access hardware logs without permission.
- Attempt to bypass device restrictions in a way that affects customer operations.
- Conduct radio-frequency, wireless, or network attacks without written permission.
Hardware defects, warranty claims, replacement requests, and service issues should be handled through the SLA and Support Policy and Refund, Billing, Cancellation, and Hardware Replacement Policy.
23. WhatsApp, SMS, Email, and Communication Testing Restrictions
Because Galla.app may support WhatsApp Marketing, SMS, email, and customer communication workflows, you must not perform tests that send real messages or affect real recipients.
You must not:
- Send test messages to real customers.
- Trigger WhatsApp campaigns.
- Trigger SMS or email campaigns.
- Modify templates.
- Access recipient contact lists.
- Export recipient data.
- Test opt-out workflows on real recipients.
- Trigger payment reminders or invoices.
- Send phishing or deceptive messages.
- Test WhatsApp/Meta systems directly through Galla.app without permission.
Any communication workflow testing must be limited to accounts, numbers, and recipients you own or are authorised to use.
24. Payment and Billing Testing Restrictions
You must not:
- Trigger real payments.
- Attempt payment fraud.
- Test stolen cards or unauthorised payment instruments.
- Manipulate invoices.
- Modify subscription records.
- Attempt to bypass billing controls.
- Create fake refunds.
- Access other customers’ billing data.
- Test third-party payment gateway vulnerabilities through Galla.app.
- Abuse coupons, trials, credits, or plan limits.
If you find a billing-related vulnerability, report it with safe proof that does not affect real customer invoices, payments, or financial records.
25. API Testing Restrictions
You may test APIs only if you are authorised to use the relevant API credentials and account.
You must not:
- Use stolen, leaked, or unauthorised API keys.
- Access another customer’s API data.
- Exceed reasonable request volume.
- Bypass rate limits.
- Trigger large imports or exports.
- Send malicious payloads to disrupt services.
- Attempt mass enumeration.
- Use APIs to scrape data.
- Trigger real communication, billing, stock, or warehouse workflows.
- Test undocumented endpoints in a way that may cause disruption.
- API reports should include request and response samples with sensitive information removed.
26. AI, Automation, and Business Logic Reports
If Galla.app includes automation, reports, recommendations, or AI-enabled features, reports may be considered in scope where they create a real security or privacy impact.
Examples may include:
- Unauthorised access through automation.
- Data leakage through reports.
- Cross-tenant exposure.
- Access control bypass in dashboards.
- Prompt injection causing data exposure, where applicable.
- Automation triggering unauthorised actions.
- Business logic flaws causing unauthorised data changes.
The following are generally out of scope unless clear security impact is shown:
- Hallucinated output without data exposure.
- Low-quality recommendations.
- Business disagreement with automated output.
- Generic prompt manipulation with no security impact.
- Non-security-related AI behaviour.
27. Duplicate Reports
If multiple researchers report the same vulnerability, recognition may be given to the first valid report received with sufficient detail.
Duplicate reports may not be eligible for recognition.
Reports about already known issues or issues already under remediation may be closed as duplicates.
28. Confidentiality
All vulnerability information must be treated as confidential.
Researchers must not disclose:
- Vulnerability details.
- Exploit steps.
- Screenshots.
- Proof-of-concept code.
- Customer data.
- Internal URLs.
- API tokens.
- Credentials.
- System details.
- Remediation status.
Confidentiality remains in effect until Treewalker Digital Private Limited gives written permission for disclosure or the vulnerability is otherwise publicly disclosed by us.
29. Public Disclosure Approval
If you wish to publicly disclose a vulnerability after remediation, you must request written approval.
We may approve disclosure if:
- The vulnerability is fixed.
- Customer data is not exposed.
- Sensitive technical details are removed.
- The disclosure does not enable attacks.
- The disclosure is accurate.
- The disclosure does not include confidential information.
- The disclosure timing is mutually agreed.
- The disclosure does not violate law, contract, or third-party terms.
We may deny or delay disclosure for security, privacy, legal, customer, or operational reasons.
30. Legal Compliance
Researchers are responsible for complying with applicable laws.
This Policy does not authorise:
- Illegal access.
- Data theft.
- Unauthorised testing.
- Malware use.
- Service disruption.
- Attacks on third-party systems.
- Violation of privacy law.
- Violation of customer contracts.
- Violation of third-party platform terms.
- Extortion or coercion.
Treewalker Digital Private Limited reserves all legal rights against harmful, unlawful, malicious, or policy-violating activity.
31. Reports from Customers and Employees
Customers, employees, contractors, partners, and vendors may also report suspected security issues under this Policy.
Internal employees and contractors should follow internal security reporting channels where available.
Customers should also contact Support if the issue affects account access, billing, hardware, POS operations, warehouse operations, integrations, or data availability.
Security reports should be sent to the Security Email.
32. Reports Involving Third Parties
If your report involves a third-party service, such as WhatsApp/Meta, payment gateway, ecommerce platform, marketplace, cloud provider, ERP, logistics provider, SMS provider, email provider, analytics tool, or customer-owned system, we may not be able to fix the issue directly.
In such cases, we may:
- Validate whether Galla.app is affected.
- Work around the issue where feasible.
- Notify the third party where appropriate.
- Ask you to report directly to the third party.
- Coordinate only where we have a contractual or operational relationship.
- Close the report if the issue is outside our control.
- This Policy does not give permission to test third-party services.
33. Enforcement
If a researcher or user violates this Policy, Treewalker Digital Private Limited may take appropriate action, including:
- Requesting immediate stop of testing.
- Blocking traffic.
- Suspending accounts.
- Revoking API keys.
- Disabling access.
- Preserving evidence.
- Notifying affected customers.
- Notifying third-party providers.
- Reporting to authorities where required.
- Taking legal action.
Good-faith reporting is welcome. Harmful, reckless, unlawful, or extortionate conduct is not.
34. Policy Updates
Treewalker Digital Private Limited may update this Policy from time to time to reflect:
- Product changes.
- Security process changes.
- Legal or regulatory requirements.
- Changes in scope.
- Changes in reporting process.
- Changes in eligible systems.
- Changes in responsible disclosure practices.
- Operational or business requirements.
When we update this Policy, we will revise the “Last Updated” date.
Continued testing or reporting after the updated Policy becomes effective means that you agree to follow the updated Policy.
35. Contact information
For security reports and responsible disclosure:
Treewalker Digital Private Limited
Product: Galla.app
Registered Office: Vikas Plaza.38/ 1A (4), Kanappana Agrahara, Hosur Rd, Phase II, Electronic City, Bengaluru, Karnataka 560100
Legal Email: legal@treewalkerlabs.com
Support Email: support@treewalkerlabs.com
Phone: +91-6366-740-274
CIN: U72900KA2021PTC153840
GSTIN: 29AAICT9733E1ZX
36. Related Policies
This Responsible Disclosure Policy should be read together with:
- Terms of Service.
- Privacy Policy.
- Cookie Policy.
- Data Processing Addendum.
- Subprocessor List.
- Acceptable Use Policy.
- WhatsApp Marketing Policy.
- Security Overview.
- SLA and Support Policy.
- Data Retention and Deletion Policy.
- Incident Response Policy.
- Refund, Billing, Cancellation, and Hardware Replacement Policy.
