Auth-at-the-edge
Session cookies are HttpOnly, Secure and SameSite. Refresh tokens rotate on every use; presenting an already-used refresh token revokes the whole token family. Tokens are never stored in localStorage.
Every mutation is hash-chained. Every API call is tenant-isolated by row-level security. Every audit line is exportable. Everything is published below; nothing is gated behind a sales call.
We publish the truth. If a framework is listed as "in progress", that is an honest timeline, not a marketing slide.
| Framework | Status | ETA |
|---|---|---|
| SOC 2 Type II | audit window in progress | Report Q4 2026 |
| ISO 27001 | documentation phase | Certification 2027 |
| DPDP Act 2023 | implemented | Live |
| GDPR (Art. 8 minors) | implemented | Live |
| FERPA (US K-12) | implemented | Live |
| COPPA + BIPA | implemented | Live |
| UAE PDPL | implemented | Live |
Every domain table carries a tenant_id column and has FORCE ROW LEVEL SECURITY enabled, so the tenant policy applies even to the table owner. A query that omits its tenant filter returns zero rows, not another tenant's child records.
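An added example of the row-level-security setup the paragraph describes, written for this page rather than taken from the vendor: the policy as a migration string, plus the per-request helper that scopes the tenant id to a single transaction. The table and column names (`students`, `tenant_id uuid`), the setting name `app.tenant_id` and the node-postgres-style `client.query(text, params)` interface are assumptions; a recording stub stands in for the database so the block runs offline.

```javascript
// Added example, not the vendor's code. Assumed: table `students` with a
// `tenant_id uuid` column, a custom GUC `app.tenant_id`, and a pg-style
// client whose query(text, params) returns a Promise<{ rows }>.

const TENANT_RLS_MIGRATION = `
ALTER TABLE students ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well. Only superusers and
-- roles with BYPASSRLS see unfiltered rows, so the application role must be
-- neither.
ALTER TABLE students FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON students
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);
`;
// With no tenant context the setting is NULL (or '' once an earlier local
// value has expired on the same connection; NULLIF covers that), the
// comparison is NULL, and every row is filtered out. A query that forgot its
// WHERE tenant_id = ... therefore returns nothing rather than everything.

async function withTenant(client, tenantId, fn) {
  if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(tenantId)) {
    throw new Error('tenantId must be a uuid');
  }
  await client.query('BEGIN');
  try {
    // set_config(name, value, is_local=true) is transaction-scoped, so a pooled
    // connection cannot carry one tenant's context into the next request.
    // SET LOCAL cannot take a bind parameter; set_config can.
    await client.query("SELECT set_config('app.tenant_id', $1, true)", [tenantId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Recording stub standing in for a pg client (constructed for this example).
class RecordingClient {
  constructor() { this.log = []; }
  async query(text, params = []) {
    this.log.push({ text, params });
    if (text.includes('FAIL')) throw new Error('simulated query failure');
    return { rows: [] };
  }
}

const DEMO_TENANT = '11111111-1111-4111-8111-111111111111'; // constructed

async function demo() {
  const good = new RecordingClient();
  await withTenant(good, DEMO_TENANT, (c) =>
    c.query('SELECT id FROM students WHERE grade = $1', [7]));

  const bad = new RecordingClient();
  let rolledBack = false;
  try {
    await withTenant(bad, DEMO_TENANT, (c) => c.query('SELECT FAIL'));
  } catch {
    rolledBack = bad.log[bad.log.length - 1].text === 'ROLLBACK';
  }

  let rejectedBadId = false;
  try { await withTenant(new RecordingClient(), "x'; SET ROLE postgres; --", async () => {}); }
  catch { rejectedBadId = true; }

  return {
    statements: good.log.map((e) => e.text),
    tenantBound: good.log[1].params[0] === DEMO_TENANT,
    rolledBack,
    rejectedBadId,
  };
}

module.exports = { TENANT_RLS_MIGRATION, withTenant, RecordingClient, demo };
```

The policy is only as good as the role it runs under: check `SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = current_user` from the application's connection, since either flag being true silently disables the whole scheme.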
Every mutation appends an immutable audit row whose hash is sha256(prev_hash || canonical(row)), where || is concatenation and canonical() is a deterministic serialization of the row. A nightly job re-verifies the whole chain. Customers can stream the log to their SIEM.
Regions: India, EU, US, GCC and SEA. The region chosen at signup binds your Postgres database, R2 bucket and AI inference to that region, and the audit log records the region on every read, so the binding is provable after the fact.
Every vendor that touches tenant data, what it does, and its compliance posture. We email customers 30 days before adding a subprocessor.
| Vendor | Purpose | Region | Compliance posture |
|---|---|---|---|
| Neon | Managed Postgres | ap-southeast-1 | SOC 2 |
| Vercel | Edge compute + CDN | sin1, fra1, iad1 | SOC 2, ISO 27001 |
| Cloudflare R2 | Object storage | Per-tenant pinned | SOC 2, ISO 27001 |
| WorkOS | Auth + SSO + SCIM | US, EU | SOC 2, GDPR |
| Razorpay | India payments | ap-south-1 | PCI-DSS L1 |
| Stripe | Global payments | Multi-region | PCI-DSS L1 |
| MSG91 | India SMS + DLT | ap-south-1 | DLT-compliant |
| Meta WhatsApp Cloud | WhatsApp Business API | Multi-region | ISO 27001 |
| Resend | Transactional email | us-east-1 | SOC 2 |
| Axiom | Observability | us-east-1 | SOC 2 |
All of the above is downloadable as a single PDF, alongside our DPA and DPIA template.