Security & Compliance
Security is not a feature. It's how we build.
From the database engine to the login button, every layer of AppSuite is designed to be private, auditable, and recoverable. Here's exactly what we do — and what we'd do if something went wrong.
GDPR-aligned
VAPT-tested
DPDPA-ready
SOC 2 in audit
Compliance posture
Standards we hold ourselves to
We don't claim certifications we don't have. Below is exactly where each programme stands today — happy to share auditor reports with prospects under NDA.
GDPR-aligned
Built around the data-subject rights framework — export, rectify, erase, restrict.
VAPT-tested
Annual third-party Vulnerability Assessment & Penetration Testing. Reports available on request under NDA.
India DPDPA-ready
Aligned with India's Digital Personal Data Protection Act, 2023 — including consent, purpose limitation, and breach notification.
SOC 2 (in progress)
Type I in audit. Type II expected within four quarters. We can share scoping documentation with prospects.
99.9% uptime target
30-day PITR window
15-minute access token TTL
24-hour breach notification window
Security controls
The actual mechanisms protecting your data
No marketing fluff. These are the controls in production today across every customer tenant.
Encryption everywhere
TLS 1.3 for everything on the wire. AES-256 at rest. Per-tenant encryption keys for sensitive fields.
Strong authentication
Email + username + mobile login. OTP over email or SMS. TOTP-based MFA. SSO via SAML / OIDC on enterprise plans.
Granular RBAC
Custom roles with per-module, per-action permissions. Least privilege by default. Permission diff in every audit entry.
Audit logs
Every login, every read of sensitive data, every change to a record — captured, searchable, and exportable.
Secrets discipline
Secrets in a managed vault. Short-lived database credentials. No customer data in source control. Ever.
Session safety
JWT RS256 with 15-minute access tokens. Refresh-token rotation with reuse detection. Server-side blacklist on logout.
Backups & DR
Point-in-time recovery for 30 days. Daily encrypted snapshots replicated to a second region. Restore drills quarterly.
Data minimisation
We only collect what HR & ops apps need. PII is pseudonymised where possible. Logs are scrubbed automatically.
Hardened infrastructure
Private VPCs, no public database, firewalled bastions, OS-level CIS hardening, automated patching.
How we operate
Security isn't a release — it's a discipline
Every commit, every deploy, every customer audit is run through the same playbook.
01 Secure by default
New tenants get MFA enforcement available from day one, plus strict CORS, secure cookies, and audit logging, all turned on without you lifting a finger.
02 Continuously verified
Automated dependency scanning (npm audit, Snyk), container scanning, secret scanning on every commit. SAST runs in CI on every PR.
03 Tested by humans
Annual third-party VAPT, twice-yearly internal red-team exercises, ad-hoc engagements before major releases.
04 Transparent to you
Status page, public incident postmortems, customer-accessible audit-log export, and a security@appsuite.in inbox monitored 24×7.
Your rights
What we promise about your data
Whether you're a tenant admin, an end user, or a regulator — here's what AppSuite commits to in plain language.
You own your data
It's yours. Export everything as CSV or JSON, any time. We never sell it, never use it to train AI models, and never share it with third parties without a court order.
You can leave
Cancel any time. We retain backups for 30 days after termination, then everything is permanently destroyed. We issue a deletion certificate on request.
You can audit us
Customer audit logs, system-status history, public incident postmortems. Enterprise customers can request a VAPT report under NDA.
You will be told
If we ever have a confirmed security incident that touches your data, you hear from us within 24 hours — including what happened, what we did, and what you should do.
We minimise
We collect what the apps need. No tracking pixels. No analytics IDs sold to ad networks. No exporting your employee roster to "the marketing team" — there isn't one.
We are reachable
security@appsuite.in is monitored 24×7 by an actual on-call engineer, not an inbox.
Responsible disclosure
Found something? Send a write-up to security@appsuite.in — preferably encrypted with our PGP key. We acknowledge inside 24 hours, triage within 72, and pay bounties for valid findings. Please don't disclose publicly until we've shipped a fix and updated affected customers.
Talk security with us
Need a security review for your procurement team?
We're happy to walk through our controls, share auditor reports under NDA, complete vendor security questionnaires, or sit on a call with your CISO.