How We Protect Your Data
Our infrastructure, application, and operational practices are built around protecting the data you entrust to us.
Infrastructure Security
Our infrastructure is designed to keep your data secure at every layer, from network to storage.
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS. HTTPS is enforced on every connection with HSTS headers. HTTP requests are automatically redirected to HTTPS.
Indian Data Residency
All consent records, personal data, and audit logs are stored exclusively on infrastructure located in India. No data is transferred outside the country.
Database Security
All databases are isolated within private networks with no public internet exposure. Connection pooling provides additional isolation between application and data layers. Automated backups ensure data can be recovered in the event of infrastructure failure.
Network Isolation
All services run in isolated containers on a private network. Only the reverse proxy is internet-facing. Databases, caches, and internal services are never exposed to the public internet.
Secrets Management
Credentials, API keys, and encryption keys are managed through secure, access-controlled systems. Secrets are never stored in source code or application logs.
Intrusion Prevention
Firewall rules enforce strict network-level access controls. Automated monitoring detects and blocks suspicious activity in real time. Administrative access is key-based with password authentication disabled.
Application Security
Security controls built into the application layer to protect data integrity and enforce access boundaries.
SHA-256 Consent Verification
Every consent record is hashed using SHA-256 at the time of creation. Exported consent logs include verification hashes so you can independently confirm that records have not been altered.
Role-Based Access Control
Team members are assigned specific roles with granular permissions. Organization-level data isolation ensures that each customer can only access their own data.
Privacy by Design
Consent records store anonymized identifiers, not personal information. IP addresses are used only for geolocation and are not stored in identifiable form. Cookie scanning does not collect visitor data.
Input Validation
Every API endpoint enforces strict schema-based input validation. All request data is validated before processing. Malformed or unexpected requests are rejected automatically.
Security Headers
All responses include industry-standard security headers to prevent clickjacking, MIME-type attacks, and unauthorized embedding. CORS policies restrict cross-origin access to authorized domains.
Rate Limiting
API rate limiting protects against abuse and denial-of-service attempts. Limits are applied per-endpoint to ensure fair usage and platform stability.
Compliance and Legal
Policies and agreements that support your compliance obligations as a Data Fiduciary under the DPDP Act.
Data Processing Agreement
AvailableStandard Data Processing Agreement (DPA) provided to all customers processing personal data through our platform.
DPDP Act Alignment
Built-inOur platform is purpose-built for the Digital Personal Data Protection Act, 2023. We implement reasonable security safeguards as required under Section 8(4) of the Act.
Breach Notification
DocumentedDocumented incident response procedures ensure affected customers are notified within 72 hours of confirming a data breach, in line with Data Protection Board requirements.
Sub-Processor Transparency
TransparentA current list of sub-processors involved in delivering our services is available to customers. Advance notice is provided for any changes to the sub-processor list.
Data Retention and Deletion
DefinedConsent records are retained for the duration required by your compliance obligations. Upon account termination, all customer data is permanently deleted within 30 days.
Audit Trail Exports
VerifiableConsent logs can be exported with SHA-256 integrity verification. Exported files include checksums so you can independently verify that records match what was originally stored.
Responsible Disclosure
If you discover a security vulnerability in our platform, please report it to security@complyzero.com. We take all reports seriously and will respond within 48 hours. We ask that you give us a reasonable timeframe to address the issue before public disclosure.
Questions About Our Security Practices?
For enterprise security questionnaires, DPA requests, or specific technical questions, our team is here to help.