🛡 Trust & Security

SOC 2 Type 2 in-progress · ISO 27001 planned · RBI · DPDP · CERT-In · PMLA compliant by design · Vendor security assessment pack auto-emailed.

📥 Download security pack (PDF) Email security team

Compliance & Certifications

🏛

SOC 2 Type 2

12-month observation

In progress · audit firm Drata · ETA Q3

🔒

ISO 27001

ISMS certification

Planned · Q4 kickoff

💳

PCI DSS

Level 4 SAQ-A

Live · annual SAQ filed

🇮🇳

DPDP Act 2023

Data Fiduciary registration

In progress · DPB submission

⚖️

RBI Master Direction KYC

2024 amendment

Compliant · 43 endpoints

🚨

CERT-In 20(3)/2022

6-hour breach SLA

Automated incident XML

💰

PMLA + FATF

STR + sanctions + UBO

Compliant · 6 lists

🌏

India Data Residency

RBI Storage 2018

Enforced · ap-south-1 only

Security controls

Encryption · Identity · Network

Control	Implementation	Status
At-rest encryption	AWS KMS · envelope encryption · per-tenant CMK · automatic rotation	live
In-transit encryption	TLS 1.3 only · HSTS · perfect forward secrecy · OWASP Score A+	live
Multi-tenant isolation	Postgres RLS (row-level security) · tenant_id enforced at DB-level · not just app	live
Authentication	SAML 2.0 · OIDC · Magic-link · WebAuthn passkey · API keys w/ scoped JWT	live
Authorization	RBAC w/ scopes · per-endpoint · per-action · audit log captures all RBAC denials	live
MFA · admin accounts	Mandatory · TOTP + WebAuthn · 24h session timeout for admin	live
WAF + DDoS	AWS WAF · OWASP Top 10 · rate limiting · Shield Standard · Cloudflare optional	live
Secrets management	AWS Secrets Manager · HashiCorp Vault optional · zero secrets in code/git	live
Network segmentation	VPC peering · private subnets only for data · public for ALB only	live
Audit log	SHA256 hash-chained · Merkle-anchored · monthly external timestamp · 10-yr retention	live

Vulnerability management

Activity	Frequency	Last performed
External penetration test (CERT-In empanelled vendor)	Annual + on-major-release	Feb 2026 · clean · 1 low
Internal red-team exercise	Quarterly	May 2026 · clean
SAST scan (Semgrep + CodeQL)	On every PR	Continuous
DAST scan (OWASP ZAP)	Nightly	Last night · 0 critical
Dependency scan (Snyk + Dependabot)	Daily	Today · 2 medium auto-fixed
Container image scan (Trivy + Grype)	On every build + nightly	Continuous
Cloud config audit (Prowler · Steampipe)	Daily	Today · 0 high
SBOM publication (CycloneDX)	Per release	Last release v1.0.0-oss

Privacy & Data protection

Data classification: PII tier-1 (Aadhaar · PAN raw) · tier-2 (name · mobile) · tier-3 (audit metadata)
Aadhaar masking: always stored as hash · last-4 displayed · raw never exposed in logs · audit · webhooks
DPDP Act 2023: §6 consent capture · §11 access · §12 correction · §15 erasure · 30-day SLA
Data residency: ap-south-1 (Mumbai) primary · ap-south-2 (Hyderabad) DR · enforced via env gate (cannot deploy outside India)
Retention: 10-yr WORM (S3 Object-Lock COMPLIANCE mode) per RBI · cannot delete during retention period
Right-to-erasure: auto-runs on consent withdraw · 30-day deletion · audit trail kept (hashed)
Cross-border: default block · per-tenant opt-in w/ DPO sign-off · audit-logged
Sub-processors: AWS · Stripe · Sentry · public list at trust.kyc.zyroai.com/sub-processors

Incident response

SLA: Detection ≤30min · CERT-In notification ≤6 hours · customer notification ≤24 hours · public disclosure ≤72 hours
On-call rotation: 24×7 SRE · primary + secondary · PagerDuty integration · 5-min ack SLA
Runbook: 47 playbooks covering DDoS · data leak · key compromise · cert expiry · DB corruption · vendor outage
Last drill: Apr 2026 · simulated Cersai SFTP outage · 23-min full recovery · within SLA
Insurance: Cyber liability ₹50Cr · D&O ₹25Cr · annual penetration test required by underwriter

Downloads · Security pack for procurement

📄 SOC 2 Type 2 report (NDA gated) 📄 Penetration test letter (latest) 📄 SBOM · CycloneDX v1.0.0-oss 📄 DPA template 📄 Sub-processor list 📄 Security questionnaire (CAIQ pre-filled) 📄 Privacy policy · DPDP-aligned 📄 Vendor questionnaire (SIG Lite pre-filled) 📄 Helm SBOM · per-image manifest

Most enterprise customers complete vendor security review in 2-3 days using this pack. Need a custom answer? Email security@zyroai.com · response < 1 business day.