The platform handles compliance evidence — the most sensitive material a customer hands to a vendor. Our own posture deserves the same scrutiny we ask of customers' platforms. This page documents what is live today, what is in flight, and what is planned. We update it as posture changes.
Every commitment below has a status (Live / In flight / Planned) and a target date where applicable. We do not list aspirational items as if they were operational. If you have a buyer-driven question that is not addressed below, write to us at trust@api4soc2.com.
All customer evidence, audit logs, configuration snapshots, and platform metadata are stored in AWS Mumbai (ap-south-1). No cross-border data flows for evidence under any circumstance. Data-residency clause baked into every customer MSA from Day 1.
Live · Day 1
AES-256 at rest via AWS KMS with customer-managed keys available at Enterprise tier. TLS 1.2+ in transit. Database connection encryption mandatory. No exceptions for any environment.
Live · Day 1
We are running our own SOC 2 readiness through Q3 2026, with the observation window opening Q4 2026 and Type II report targeted Q3 2027. Like every credible compliance platform, we run our own programme on our own platform.
In flight · Q3 2027
ISO 27001:2022 readiness running in parallel with SOC 2. Certification body shortlist includes BSI India, TÜV India, and DNV India. Stage-1 audit targeted Q1 2027; Stage-2 audit Q2 2027; certificate issuance Q3 2027.
In flight · Q3 2027
We are a Data Fiduciary for customer-employee, customer-lead, and platform-user data. Privacy notice published; consent manager wiring in place; data inventory maintained; DPIA running for the multi-tenant evidence vault. Significant Data Fiduciary obligations evaluated as customer base grows.
Live · Day 1
The platform's own incident-response runbook includes the six-hour CERT-In reporting workflow. We have not had a reportable incident to date; we test the runbook quarterly via tabletop exercises. The runbook itself is based on the same templates the platform produces for customers.
Live · tested quarterly
External VAPT engagement quarterly with a CERT-In empanelled audit firm from our partner network. Internal SAST/DAST integrated into CI/CD with mandatory severity gates. Re-test included in every engagement.
Live · since Q1 2026
Google Workspace SSO with MFA enforced for every employee, every contractor, every system. No shared accounts. Production access gated by named-individual identity, separately authorised per quarter. Break-glass account exists for emergencies and is locked down and audit-logged.
Live · Day 1
Cross-AZ replication within AWS Mumbai. Daily encrypted backups with 30-day retention plus monthly archives at 12-month retention. DR runbook tested semi-annually. RTO 4 hours · RPO 15 minutes. No cross-border replication for evidence storage.
Live · Day 1
Active sub-processors as of 2026-05-01: AWS (ap-south-1), Cloudflare (edge CDN, no evidence storage), Postmark (transactional email, no evidence content), Plausible (privacy-focused analytics, no PII). Updated within 30 days of any change. Customers notified for material changes.
Live · monthly review
Most recent CERT-In empanelled VAPT report available under NDA on request. We do not publish the report publicly because it contains environment-specific findings, but we share it with customers during procurement diligence within 24 hours of NDA signature.
NDA · on request
Public responsible-disclosure programme via security@api4soc2.com. Acknowledgement within 24 hours, severity classification within 72 hours, fix timeline depending on severity. Hall of fame for researchers who have helped us harden the platform.
Live · open
We hold ourselves to the same standard we ask of customers. Below is the roadmap to our own attestation — running, transparently, on the platform we sell.
Most platforms publish trust pages only after attestation. We chose to publish the roadmap during the journey because the journey is part of the product. If we fall behind the dates above, this page updates with the new dates and the explanation. Honest in-flight status is more useful than vague "coming soon" claims.
India regulators as first-class frameworks. Bharat-resident evidence. Pricing locked in INR for the first 12 months. We are onboarding ten design partners through Q2-Q3 2026 ahead of general availability.