Trust Center
Bublly is operated by FABRAINZ INDIA PRIVATE LIMITED. We build customer-support infrastructure for SMB and growth-stage teams, and we publish this page so reviewers can see what we have in place today and what is on our compliance roadmap. We'd rather say "not yet" than imply certifications we don't hold.Last reviewed: May 2026
The four pillars
Security
How we protect data today: encryption, access controls, AI guardrails, vulnerability disclosure — plus an honest view of what's on the roadmap.
- TLS 1.2+ in transit; AES-256 at rest via AWS-managed keys
- Role-based access (Admin / User / Viewer) and JWT sessions
- PII redaction in the AI pipeline before prompts leave the platform
- Coordinated vulnerability disclosure via security@bublly.com
Privacy
How personal data is collected, used, shared, and retained — including the rights individuals can exercise under the DPDP Act and GDPR.
- Purpose-limited processing with explicit consent
- Subject access, correction, deletion, and portability rights
- Configurable retention behaviour per workspace
- Grievance officer contact published in the Privacy Policy
Compliance
Where we are today and what's next. We don't claim certifications we don't hold — we share the roadmap and timelines instead.
- DPDP Act 2023 (India): privacy operations aligned today
- GDPR: DPA available to EU customers on request
- SOC 2 Type II: on the roadmap (not yet held)
- ISO 27001: on the roadmap (not yet certified)
Data Residency
Where customer data lives today, and what we can commit to contractually.
- Production data hosted in a single AWS region today
- EU / US residency available as a contracted Enterprise option
- Backups encrypted and retained for incident recovery
- Sub-processor list shared in the DPA on request
Compliance documentation
These artefacts cover most procurement, security, and legal review requirements. Most are NDA-gated; the rest are linked below.
Data Processing Agreement (DPA)
Covers DPDP Act-aligned obligations, GDPR responsibilities for EU customers, and our sub-processor commitments.
Request via security@bublly.com
Architecture & Security Overview
High-level architecture diagram, data-flow description, and the controls we have in place today. Useful for vendor risk assessments.
Request via security@bublly.com
Vendor Security Questionnaire
We respond to customer-supplied questionnaires (CAIQ, SIG-lite, or your own template). Turnaround depends on length.
Send your questionnaire to security@bublly.com
SOC 2 Type II Report
On the roadmap. We are scoping the audit and will share the observation-period start date once confirmed. No attestation to share today.
Roadmap — ask for current timeline
ISO 27001 Certificate
On the roadmap. Not yet certified.
Roadmap — ask for current timeline
Penetration Test Summary
An independent penetration test is planned. We do not yet have a current attestation letter to share.
Roadmap — ask for current timeline
Sub-processors
We engage a limited number of sub-processors to deliver the service: infrastructure (AWS), email transport, payment processing, observability, and AI model providers. Each is bound by a written agreement with confidentiality and data-protection obligations equivalent to our own.
The current sub-processor list is shared on request and included in the DPA. Material changes are communicated to workspace admins before they take effect.
Request the current list: security@bublly.com
Policies
Grievance & security contacts
- Security inbox
- security@bublly.com
- Privacy / DPDP grievance
- info@bublly.com
- Customer support
- support@bublly.com
- Entity
- FABRAINZ INDIA PRIVATE LIMITED
Procurement review?
Send your security questionnaire, DPA, or architecture-review request to security@bublly.com. We'll respond with what we have today and a clear view of what's on the roadmap.
Start a trust review