Security & Trust

Built for India. Hardened for the Board.

The same principles your DPDP programme demands of you, applied to us. Data in India, encryption everywhere, immutable audit logs, and a published breach-response SLA.

Platform

Our security pillars

India data residency

All tenant data hosted in AWS Mumbai (ap-south-1). Backups stay in-region. No US/EU replication of customer data without explicit contract. EC2 + RDS within the same VPC.

Encryption everywhere

TLS 1.2+ in transit on every endpoint including the widget. AES-256 at rest for database, object store, backups. Encrypted fields for sensitive PII; secrets in AWS Secrets Manager.

Role-based access control

Granular per-module roles with multi-tenant row-level isolation at the data layer. Least-privilege by default; per-tenant API keys; topbar tenant switcher with audit.

Immutable audit log

Every state-changing action recorded with user, timestamp, IP, user-agent, and before/after diff. Append-only at the application layer; exportable as signed PDF.

Breach response SLA

Affected tenant notified within 24 hours of a confirmed breach, with containment status and preliminary RCA. Aligns with DPDP §8(6); post-incident review shared with the tenant.

Data export & portability

Export consent records, DSR history, grievance log, RoPA, and breach register anytime as CSV/JSON/PDF. 30-day grace export window on cancellation. Exit means data, not lock-in.

Security FAQ

What procurement and CISOs ask before they buy.

Where is my data stored?

AWS Mumbai (ap-south-1) by default. Backups stay in-region. We do not replicate customer data to non-Indian regions unless the contract explicitly authorises it.

Are you SOC 2 certified?

Not yet. SOC 2 Type II is on our active roadmap and we are in pre-audit; the underlying controls (encryption, RBAC, audit logging, change management) are already in place. We will not claim certification until the audit completes.

What happens if you detect a breach?

We notify the affected tenant within 24 hours of confirming a breach involving their data, share containment status and a preliminary root-cause analysis, and follow up with a full post-incident review. This aligns with how DPDP §8(6) expects you to notify the Board.

Can I get my data out if I leave?

Yes. Every tenant can export consent records, DSR history, grievance log, RoPA, and breach register as CSV / JSON / PDF at any time. On cancellation we provide a 30-day grace export window before deletion.

Do you offer BYO-SSO?

Yes, SAML and OIDC SSO are on the Enterprise plan. SCIM provisioning is on the roadmap.

Who has access to my tenant data?

Tenant data is isolated by row-level checks. Engineers do not have routine access; break-glass production access is logged and tenant-notifiable on request.

Need a security questionnaire filled?

We have a pre-filled vendor security pack ready for procurement. Open it and send it over.