Our Security Commitment
At AIzYantra, security is foundational to everything we build. As an AI consulting and automation engineering company handling sensitive business data, we implement enterprise-grade security measures across our entire technology stack. Our "Engineered Empathy" philosophy extends to security — we engineer systems that protect our clients' data with the same rigor and precision we apply to our AI solutions.
This page provides transparency into our security practices, infrastructure protections, and operational procedures. We believe our clients deserve to know exactly how their data is protected.
Infrastructure Security
| Layer | Technology | Security Measure |
|---|---|---|
| Application Hosting | Vercel | SOC 2 Type II certified, automatic DDoS protection, edge network with global CDN, isolated build environments |
| Database | Supabase (PostgreSQL) | SOC 2 Type II certified, AES-256 encryption at rest, automated backups, point-in-time recovery |
| AI Processing | OpenAI | SOC 2 Type II certified, data not used for model training (API usage), encrypted data transmission |
| DNS & CDN | Cloudflare | DDoS mitigation, Web Application Firewall (WAF), SSL/TLS management, bot protection |
| Domain | GoDaddy + Cloudflare | DNSSEC enabled, domain lock, registrar-level access controls |
| Automation | n8n (self-hosted) | Isolated execution environment, credential encryption, webhook authentication |
| Source Code | GitHub | Private repositories, branch protection rules, required code reviews, dependency vulnerability scanning |
Data Encryption
Encryption in Transit
- TLS 1.3 enforced on all connections to aizyantra.com — older protocols (TLS 1.0, 1.1) are disabled.
- HTTPS is enforced via HTTP Strict Transport Security (HSTS) headers with a minimum max-age of 1 year.
- All API communications between frontend and backend services use encrypted channels.
- Tripti Voice SDR audio streams are encrypted end-to-end via WebRTC with DTLS and SRTP protocols.
- Internal service-to-service communications (n8n webhooks, Supabase APIs) use TLS-encrypted connections with certificate validation.
Encryption at Rest
- All database data is encrypted at rest using AES-256 via Supabase's managed PostgreSQL infrastructure.
- Backup files are encrypted using the same AES-256 standard with separate encryption keys.
- File uploads and stored documents are encrypted within Supabase Storage buckets.
- n8n workflow credentials and sensitive configuration values are encrypted before storage.
Access Controls
Database-Level Security
- Row-Level Security (RLS): Enforced on all 41+ database tables. Every query is filtered through RLS policies ensuring strict data isolation between clients and user roles.
- UUID Primary Keys: All records use universally unique identifiers, preventing sequential enumeration attacks.
- Parameterized Queries: All database interactions use parameterized queries, eliminating SQL injection vectors.
- Schema Isolation: Client data is logically isolated through RLS policies rather than shared access, ensuring no cross-client data leakage.
Application-Level Security
- Authentication: Supabase Auth with JWT tokens, supporting email/password and social login providers. Session tokens have configurable expiration.
- Multi-Factor Authentication (MFA): Enforced for all AIzYantra team members. Available and recommended for client portal users.
- Role-Based Access Control (RBAC): Granular permissions system with roles including admin, team member, client, and viewer — each with defined access boundaries.
- API Key Security: API keys and credentials are stored in environment variables, never committed to source code. Server-side API routes prevent client-side exposure of sensitive keys.
- Session Management: Automatic session expiration, secure cookie attributes (HttpOnly, Secure, SameSite), and token refresh mechanisms.
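A check of two statements above, the HSTS max-age of at least 1 year and the HttpOnly, Secure and SameSite cookie attributes, as an added example that is not AIzYantra's own code. It audits a response's headers against those values; the sample headers and the cookie name `session` are constructed for illustration.

```javascript
// Added example (not AIzYantra code): audit response headers against the stated policy.
const ONE_YEAR = 31536000; // seconds in 365 days, the stated minimum HSTS max-age

// Return the max-age of a Strict-Transport-Security value, or null if absent/malformed.
function hstsMaxAge(value) {
  for (const part of String(value || "").split(";")) {
    const [name, raw] = part.split("=");
    if (name.trim().toLowerCase() !== "max-age" || raw === undefined) continue;
    const v = raw.trim().replace(/^"|"$/g, ""); // the directive value may be quoted
    return /^\d+$/.test(v) ? Number(v) : null;
  }
  return null;
}

// List which of HttpOnly, Secure and SameSite a Set-Cookie line lacks.
function missingCookieAttrs(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = ["HttpOnly", "Secure"].filter((a) => !attrs.includes(a.toLowerCase()));
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// headers: lower-cased names, "set-cookie" as an array of lines.
// sessionCookies: names of the cookies that carry a session (hypothetical names here).
function auditResponse(headers, sessionCookies) {
  const findings = [];
  const maxAge = hstsMaxAge(headers["strict-transport-security"]);
  if (maxAge === null) findings.push("HSTS header missing or max-age malformed");
  else if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below ${ONE_YEAR}`);
  for (const line of headers["set-cookie"] || []) {
    const name = line.split("=")[0].trim();
    if (!sessionCookies.includes(name)) continue; // non-session cookies are out of scope
    for (const attr of missingCookieAttrs(line)) findings.push(`cookie ${name}: ${attr} not set`);
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_GOOD = {
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
};
const SAMPLE_WEAK = {
  "strict-transport-security": "max-age=86400",
  "set-cookie": ["session=abc123; Path=/; Secure", "theme=dark; Path=/; Secure"],
};

console.log(auditResponse(SAMPLE_GOOD, ["session"]), auditResponse(SAMPLE_WEAK, ["session"]));
```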
Team Access Controls
| Principle | Implementation |
|---|---|
| Least Privilege | Team members are granted minimum access necessary for their role. Access is reviewed quarterly. |
| Separation of Duties | Production database access, deployment privileges, and financial system access are separated across different team members. |
| Access Reviews | Quarterly access audits to verify appropriate permissions and revoke unnecessary access. |
| Offboarding | Immediate revocation of all access upon team member departure, with documented deprovisioning checklist. |
Application Security
- Secure Development: Our development practices follow OWASP Top 10 guidelines. All code undergoes peer review before merging to production branches.
- Dependency Management: Automated vulnerability scanning of all npm and Python dependencies via GitHub Dependabot. Critical vulnerabilities are patched within 48 hours.
- Content Security Policy (CSP): Strict CSP headers prevent cross-site scripting (XSS) attacks by controlling which resources can be loaded and executed.
- CORS Configuration: Cross-Origin Resource Sharing is restricted to authorized domains only, preventing unauthorized API access from external origins.
- Input Validation: All user inputs are validated and sanitized on both client and server sides. TypeScript strict mode provides compile-time type safety.
- Rate Limiting: API endpoints implement rate limiting to prevent abuse and brute-force attacks.
- Error Handling: Production error responses never expose stack traces, database schemas, or internal system details. Detailed errors are logged server-side only.
AI-Specific Security Measures
Tripti Voice SDR
- Voice data is transmitted via encrypted WebRTC channels with end-to-end encryption.
- Conversations are processed in real-time via OpenAI's Realtime API — voice data is not stored by OpenAI beyond the processing window.
- Transcripts are stored in Supabase with RLS policies restricting access to authorized team members only.
- Voice recordings are automatically purged after 90 days per our data retention policy.
- Users are explicitly notified that they are interacting with an AI agent and that conversations may be recorded.
AI Model Security
- API-Only Usage: We use OpenAI's API endpoints — client data sent via the API is not used to train or improve OpenAI's models.
- Prompt Security: System prompts are protected against prompt injection attacks through input sanitization and output validation.
- Output Filtering: AI-generated outputs are filtered for potentially harmful, biased, or inappropriate content before delivery.
- No Client Data in Training: AIzYantra does not use client data to train, fine-tune, or improve any AI models without explicit written consent.
Network Security
- DDoS Protection: Multi-layer DDoS mitigation via Cloudflare and Vercel edge network, with automatic traffic filtering and rate limiting.
- Web Application Firewall (WAF): Cloudflare WAF with managed rulesets protecting against OWASP Top 10 attack vectors, including SQL injection, XSS, and CSRF attacks.
- Bot Protection: Automated bot detection and challenge mechanisms prevent scraping, credential stuffing, and other automated attacks.
- DNS Security: DNSSEC enabled to prevent DNS spoofing and cache poisoning attacks.
Incident Response
AIzYantra maintains a documented incident response plan with the following phases:
| Phase | Timeline | Actions |
|---|---|---|
| Detection & Triage | 0-2 hours | Identify the incident, assess severity, activate response team, contain immediate threat |
| Containment | 2-12 hours | Isolate affected systems, prevent further data exposure, preserve forensic evidence |
| Client Notification | Within 48 hours | Notify affected clients with incident details, impact assessment, and immediate remediation steps |
| Regulatory Notification | Within 72 hours | Notify the Data Protection Board of India and other applicable regulators as required by DPDPA and GDPR |
| Eradication & Recovery | 24-72 hours | Remove the root cause, restore systems from clean backups, verify integrity of restored data |
| Post-Incident Review | Within 14 days | Root cause analysis, lessons learned documentation, preventive measure implementation, client debrief |
Business Continuity & Disaster Recovery
- Automated Backups: Database backups are performed daily with point-in-time recovery capability. Backups are stored in geographically separate locations.
- Recovery Time Objective (RTO): 4 hours for critical services (client portal, API, Tripti).
- Recovery Point Objective (RPO): Maximum 1 hour of data loss for production database systems.
- Multi-Region Deployment: Vercel edge network provides automatic failover across global edge locations, minimizing single points of failure.
- Redundancy: Critical services have redundant components to ensure availability during component failures.
Compliance & Certifications
| Framework | Status |
|---|---|
| DPDPA 2023 (India) | Compliant — Data Fiduciary obligations implemented |
| GDPR (EU) | Compliant — DPA, SCCs, and Data Subject rights mechanisms in place |
| CCPA (California) | Compliant — Consumer rights and opt-out mechanisms available |
| SOC 2 Type II | Achieved through infrastructure partners (Supabase, Vercel, OpenAI). AIzYantra's own SOC 2 certification is planned for Q4 2026. |
| PCI DSS | Payment processing handled by Razorpay (PCI DSS Level 1 certified). AIzYantra does not store card data. |
| ISO 27001 | Information security management practices aligned. Formal certification planned for 2027. |
Responsible Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security vulnerability in any AIzYantra service, please report it responsibly:
- Email: security@aizyantra.com
- Please include: a detailed description of the vulnerability, steps to reproduce, potential impact assessment, and your recommended fix if available.
- Response Time: We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.
- No Retaliation: We will not take legal action against security researchers who discover and report vulnerabilities in good faith, following responsible disclosure practices.
- Recognition: With your permission, we will acknowledge your contribution in our security hall of fame.
Please do not publicly disclose vulnerabilities before we have had an opportunity to investigate and remediate. We request a minimum of 90 days from initial report before public disclosure.
Security Updates
This Security Practices page is reviewed and updated quarterly, or whenever significant changes are made to our security infrastructure. The "Last Updated" date at the top of this page indicates when this document was last revised. Material security changes affecting client data handling will be communicated directly to affected clients.
Contact Us
For security-related inquiries, vulnerability reports, or compliance questions, please contact us:
- Security Team: security@aizyantra.com
- Data Protection Officer: dpo@aizyantra.com
- Phone: +91-9958824555
- Address: AIzYantra Technologies, Bengaluru, Karnataka, India
