Should we move support in-house to avoid vendor risk?

Not necessarily. In-house has its own risks. The defensive pattern is the same: minimum scope, MFA, audit logs, data minimisation — applies to internal users too.

What is the right pattern for KYC documents specifically?

Dedicated KYC vault with encryption at rest, KMS-managed keys, access-by-grant only with time-bounded per-user grants, audit logging, and documented retention (typically 5 years for AML in India). Never in support tools.

Discord Breach Disclosed Today: A 4-Step Customer-Support Vendor Audit Every Indian SaaS Should Run

Q: What is third-party risk management?

Ongoing discipline of periodic audits, contract maintenance, access reviews, and breach notification monitoring — broader than upfront due diligence. Most SMBs skip the ongoing portion.

Q: Does this audit replace a SOC 2 audit?

No. SOC 2 covers security, availability, processing integrity, confidentiality, privacy. This 90-minute audit covers one specific control area within the broader posture.

Q: What if our support vendor refuses to sign a DPA?

Serious red flag. Reputable vendors sign DPAs within 5-10 working days. Refusal signals either inability to meet obligations or lack of experience — treat it as a vendor-replacement signal.

Q: Are we required by DPDP to do this audit?

Yes — the Act requires reasonable security safeguards and vendor governance for processors handling personal data. This 4-step audit is the cheapest demonstration of compliance.

Q: What is the cost difference between major support platforms for this hardening?

All major platforms support MFA and IP allowlist at standard plans. Granular RBAC and session restrictions often require Enterprise tier or add-ons at Rs 1,500-4,000 per agent per month uplift.

Discord Breach Disclosed Today: A 4-Step Customer-Support Vendor Audit Every Indian SaaS Should Run

On October 3, 2025, Discord disclosed a security incident involving one of its third-party customer-support vendors. The breach exposed names, Discord usernames, emails, billing details (last 4 digits of cards), IP addresses, and approximately 70,000 government-ID images that the vendor had used to review age-verification appeals (Malwarebytes coverage, Bitdefender). The vendor — later named publicly as Netherlands-based 5CA — is a large customer-experience firm used across the tech industry. The incident follows the Salesloft-Drift breach from August. The pattern is consistent: third-party access is the recurring soft underbelly of SaaS security in 2025. This is the 4-step audit every Indian SaaS should run on their support partners this week.

Oct 3

Discord disclosure date

70,000

Government IDs exposed via the support vendor

5CA

Netherlands customer-experience firm named in the breach

4 steps

In the support-vendor audit below

## The 60-second answer Open your support tool's user/permission console. List every external vendor account with access. For each: scope it to the minimum data they need, enable session-recording for support agent actions, restrict access to specific business hours and geographies, and require MFA. The Discord breach happened because a single support vendor account had broader access than required. The 4 steps below close that gap in roughly 90 minutes for a typical Indian SaaS. ## Why this matters now The Discord breach is the third major third-party-vendor disclosure in 60 days. Salesloft-Drift in August. The Salesforce-Gainsight pattern in late November 2025 (covered separately). Discord today. The shared pattern: a non-product vendor with administrative or near-administrative access to customer data. Every Indian SaaS using Zendesk, Intercom, Freshworks, or HubSpot Service Hub with external support agents has this pattern. The specific data Discord lost — ticket conversations, billing details, government IDs from age-verification — is the kind of data that lives in support systems by default. Customers paste account-recovery information. They share screenshots that include payment details. They upload identity documents for KYC appeals. Support agents see it all. That access trail is the attack surface.

The 5CA detail. 5CA is not a small vendor — they support hundreds of consumer-tech brands globally. The breach was at the vendor, not at Discord. But Discord users do not care who Discord's vendor is. The accountability chain falls back to the brand the customer trusts. Your customers will hold YOU accountable for your support vendor's security posture. Audit accordingly.

## The 4 steps

Inventory and scope

List every external support agent or vendor with access to your support tool. Document what data they can see, what actions they can take, and the business reason for the scope.

Minimise data in tickets

Audit the last 200 tickets for sensitive data leakage. Implement masking for credit-card numbers, government IDs, and authentication tokens. Train customers and agents to redact at intake.

Tighten access controls

MFA, IP restriction, business-hours-only access, session recording, and quarterly access reviews. Each is cheap; the combination cuts attacker dwell time dramatically.

Contract clauses most teams skip

DPA, 24-hour breach notification SLA, sub-processor audit rights, data-deletion within 30 days of contract end, audit-log access. Five clauses; few support-vendor contracts include all five.

## The 90-minute audit walkthrough This is what we run with a head of support and one engineer. Each step has a verification before moving on.

Minute 0-20: Inventory external support access

In your support tool (Zendesk, Intercom, Freshdesk, HubSpot), navigate Admin → Team / Users → Filter by external/agency/vendor. Export to CSV. For each: agent name, employer (your firm or vendor), access level (admin/agent/viewer), last login, MFA enabled (Y/N). Verify: CSV with one row per external user, columns above filled in. Most 30-person SaaS teams find 8-15 external accounts they had forgotten about.

Minute 20-40: Audit the last 200 tickets for sensitive data

Pull the last 200 tickets. Grep (or use the support tool's search) for: credit-card-like patterns (16 digits with hyphens or spaces), government-ID patterns (Aadhaar 12 digits, PAN 10 alphanumeric), passwords typed in plain text, authentication codes from emails. Verify: a list of ticket IDs that contain sensitive data. The expected number is 5-15 for a typical SaaS that has not done this before.

Minute 40-65: Implement minimum-scope access controls

For each external account: enforce MFA (most support tools support this org-wide), restrict access by IP if the vendor works from fixed locations, set business-hours access (most vendors do not need 24/7), enable session recording. Verify: a fresh login attempt from outside business hours OR outside whitelisted IP gets blocked.

Minute 65-85: Mask sensitive data going forward

Configure auto-masking in the support tool for the patterns identified in step 2. Zendesk has built-in PII redaction; Intercom requires custom workflow; Freshdesk has a paid add-on. Train support agents to never paste raw sensitive data — use a secure file-upload feature instead. Verify: a test ticket with a 16-digit number gets masked automatically.

Minute 85-90: Schedule contract review

Calendar event for next week, 60 minutes, with your operations or legal lead: review the support-vendor contract for the 5 clauses below. Most SaaS firms find at least 2 of the 5 missing on first review.

## The 5 contract clauses most teams skip

Clause	What it says	Why it matters in a Discord-style breach
Data Processing Agreement (DPA)	Vendor is your processor under DPDP/GDPR; specifies their obligations	Without it, you cannot demonstrate due diligence to the regulator post-breach
24-hour breach notification SLA	Vendor must notify you within 24 hours of detecting any incident affecting your data	72-hour DPDP/GDPR notification clock starts when YOU know — vendor delay eats your window
Sub-processor audit rights	You can audit the vendor's sub-processors and require notification when they change	5CA is itself a chain of vendors; if Discord did not have audit rights down the chain, they were exposed
Data-deletion clause	Vendor must delete all your data within 30 days of contract end, with written certification	Stale ticket archives at former vendors are the most common forgotten-data risk
Audit-log access	You can request access to vendor-side audit logs for actions on your data	Without this, you cannot reconstruct what happened post-breach — incident response stalls

## What Discord did NOT do (publicly speculative, but the pattern is clear) Discord's disclosure post is professionally written but light on technical detail. From the public reporting and the structure of the breach, the gaps that probably contributed: - The vendor account had broader scope than business-need (hence access to the age-verification ID images, not just billing tickets) - Detection of unusual data-access patterns at the vendor was insufficient; attackers had time to exfiltrate before detection - Sub-processor visibility from Discord into 5CA's environment appears to have been limited - The 70,000 ID images suggests the vendor was retaining KYC documents longer than necessary for the support function None of these are exotic failures. Each is preventable in the audit above. The lesson for Indian SaaS: Discord is a multi-billion-dollar company with a mature security team. If the third-party-vendor pattern got past their controls, it will get past yours unless explicitly defended. ## When NOT to over-rotate If your support is fully in-house (no external agents, no outsourced contact centre), the scope and access portions of this audit shrink dramatically — but the data-minimisation portion still applies. In-house staff can also leak sensitive data; the only defence is to make sure sensitive data does not enter ticket bodies in the first place. If you use one of the major support platforms (Zendesk, Intercom, Freshworks) with no outsourced agents, you can defer the contract-review step — the platform's standard DPA covers most of what you need. Your audit is then primarily about access controls and data minimisation. If your support is one founder answering emails on Gmail, the audit is 15 minutes: enable 2FA, set a password manager, never paste customer-shared sensitive data into ticket replies. You do not need a contract.

The age-verification trap. If your product collects government IDs for any KYC, age verification, or identity-proofing flow, you are sitting on the most-coveted data type in the breach economy. Aadhaar, PAN, passport, driving licence — all command premium prices on dark-web markets. Storage policy: encrypted at rest, deleted after the verification is complete (or after a documented retention period), never accessible to support agents in plain form. The Discord breach happened because age-verification IDs lived in the support tool — they should have been in a separate KYC vault that the support tool did not access.

## The customer-comms template after a vendor breach When the vendor breach is public and your data is potentially affected, send this within 24 hours to the affected segment of your user base:

Subject: Important security update from [Your SaaS]

Earlier today, [vendor name] — a third-party customer support partner used by [Your SaaS] — disclosed a security incident affecting [specific data categories]. We are writing to share what we know and what we are doing.

What we know: [vendor], based in [country], confirmed unauthorised access to a portion of customer support data on [date]. Affected data may include: [list]. We have confirmed [your specific scope of impact] for [number] of our customers. Importantly, your [Your SaaS] account password and [other safe categories] were NOT involved.

What we are doing: We have revoked the vendor's access to our systems pending investigation. We have engaged independent security counsel. We have notified the [DPDP Board / regulator] within the required window. We are reviewing all third-party access across our stack.

What you can do: If you used [specific identifier] in a support ticket, [specific advice]. If you reused that information elsewhere, change it now.

We are sorry. The trust you placed in us extends to our partners, and we will be raising the bar on partner audits going forward. Reach grievance@yourdomain.in with any questions; we will reply within 48 hours.

## The post-audit checklist (print this)

External support-agent inventory CSV — one row per account with access level and last login
MFA enforced on every external support account
IP whitelist OR business-hours restriction on every external account
Session recording or detailed audit logging enabled for support actions on customer data
Last 200 tickets scanned for sensitive-data leakage; flagged tickets remediated
Auto-masking configured for credit cards, Aadhaar, PAN patterns in ticket bodies
Data Processing Agreement signed with every support vendor
24-hour breach-notification SLA in writing
Sub-processor list reviewed within last 90 days
Data-deletion clause confirmed; deletion certificate from former vendors in file

## A real example — a 35-person Mumbai fintech A B2C fintech in Mumbai (~80,000 paying users, 35 employees, 1 outsourced support pod of 8 agents in Indore) ran the 4-step audit with us in mid-September 2025 — before Discord, but after the Salesloft-Drift news. What we found in 88 minutes: - The Indore pod had 8 active accounts. Two were former agents who had left 4 and 7 months earlier. Revoked. - Access scope across all 8 accounts was "agent" — which in their support tool meant access to all customer data including Aadhaar uploads from KYC failures. Tightened to a custom scope that excluded KYC-related fields. - Last 200 tickets included 12 with raw card numbers customers had pasted "to verify a charge." Implemented auto-masking; trained agents to redact at intake. - Contract with the Indore vendor had a DPA but no breach-notification SLA, no sub-processor audit clause, and a vague data-deletion clause. Renegotiated within 30 days. - KYC documents had been accessible to the support pod. Moved to a separate vault with a temporary access-grant pattern (support agent requests access on a per-customer basis with a 4-hour window). Total time: 88 minutes audit + 1 week of remediation. Total cost: 1 week of one engineer's time + 4 hours of legal counsel for contract renegotiation. The CTO told us the KYC-vault separation was the change that mattered most — they had been carrying that risk for 18 months without seeing it clearly. For background on the broader pattern, see our 2025 piece on the Salesloft-Drift OAuth breach SaaS-integration audit — connected-app dimension of the same problem — and our DPDP Act pre-notification readiness audit from earlier in September. Together they form the cluster on third-party risk and Indian compliance. ## A founder note from our team Our founder Vivek Singh writes regularly about cybersec for SMB founders. The shortest version of his argument on third-party risk: every vendor relationship is a credit-line of trust, and most founders treat it as a one-time approval. The fix is to treat vendor access like financial credit — review the line periodically, tighten when not in use, close when relationship ends. This is not glamorous; it is bookkeeping. And bookkeeping is the most underrated cybersec discipline an SMB has. The ecosystem-wide view: India's DPDP enforcement is going to make these audits non-optional within 18 months. The cheap version is to build the discipline now. The expensive version is to respond to a notice. ## The Reddit pulse The r/sysadmin threads on the Discord breach in early October 2025 surfaced a recurring complaint: support tools have weak granular RBAC compared to product tools. Practitioners called out Zendesk and Intercom for limited custom-role configuration, and Freshdesk for better RBAC but weaker audit logging. The community workaround pattern is to use the support tool's API + a custom proxy for sensitive operations — adds engineering effort but worth it for high-risk data. The r/cybersecurity threads called out the broader pattern: "third-party vendors are the new ransomware vector." Defenders increasingly treat support, marketing-automation, and analytics vendors as part of the production attack surface — not a separate risk category. That mental shift is the right one for Indian SaaS to adopt now. ## FAQ ### What is "third-party risk management" — is it just due diligence? It is broader. Due diligence is the upfront check before signing a vendor. TPRM is the ongoing discipline — periodic audits, contract maintenance, access reviews, breach-notification monitoring. Most SMBs do due diligence (sometimes) and skip the ongoing portion. The Discord breach is the cost of skipping the ongoing portion. ### Does this audit replace a SOC 2 audit? No. A SOC 2 audit is a much broader exercise covering security, availability, processing integrity, confidentiality, and privacy. This 90-minute audit covers one specific control area (third-party vendor access for support) within the broader posture. Treat it as a 1-quarter task, not a once-in-a-year SOC 2 substitute. ### Should we move support in-house to avoid the vendor risk? Not necessarily. In-house support has its own risks (insider threat, lower coverage hours, higher cost). The pattern is the same either way: minimum scope, MFA, audit logs, data minimisation. The defence applies to internal users too. ### What if our support vendor refuses to sign a DPA? That is a serious red flag. Reputable support vendors will sign a DPA based on your template within 5-10 working days. Refusal means either (a) they cannot meet the obligations, or (b) they have not done this for other clients. Either way, treat it as a vendor-replacement signal. ### Are we required by DPDP to do this audit? The DPDP Act requires reasonable security safeguards and vendor governance for any processor handling personal data on your behalf. The 4-step audit is the cheapest way to demonstrate you are meeting that requirement. Once Rules notify, expect the regulator to specifically check vendor agreements during enforcement. ### What about KYC documents specifically — what is the right pattern? KYC documents (Aadhaar, PAN, passport) should live in a dedicated KYC vault with: encryption at rest with KMS-managed keys, access-by-grant only (per-document, per-user, time-bounded), comprehensive audit logging, and a documented retention period (typically 5 years post-relationship for AML reasons in India). They should NEVER live in the support tool. ### How does this affect outsourced contact-centre operations in India? Indian BPOs serving global brands now face greater scrutiny. The Discord-5CA pattern shows that the brand bears the reputational hit even when the vendor is at fault. Indian BPOs that proactively offer the 5 contract clauses, plus comprehensive audit logging, will win contracts that lower-priced competitors lose. The hygiene differentiation is becoming a sales advantage. ### What is the cost difference between major support platforms for this hardening? Zendesk, Intercom, Freshworks, and HubSpot Service Hub all support MFA and basic IP allowlisting at standard plans. Granular custom-role RBAC and IP-based session restriction often require Enterprise-tier or paid add-ons (₹1,500-4,000/agent/month uplift). For a 10-agent team, the cost of hardening is ₹15-40k/month — usually justified by even a single avoided incident.

Want a vendor-access audit on your support partners?

We run a 90-minute support-vendor audit for Indian SaaS teams under 100 employees for ₹30,000 fixed price. You leave with: full inventory of external access, sensitive-data leakage report from last 200 tickets, MFA + IP + session-recording configuration, and a contract gap-analysis. First call is with the engineer who would lead the audit.

Book a 20-min Call