Our information-security commitments and controls.
Last updated: 2026-06-05
This Security Policy describes the principles, controls and operational practices that cmplihr.ai applies to safeguard the confidentiality, integrity and availability of customer information.
1. Governance
Security is owned at the leadership level. We operate an Information Security Management System aligned to ISO/IEC 27001 and SOC 2 Trust Services Criteria, with policies reviewed at least annually.
2. Data residency
Primary, replica and backup data for the Platform are hosted within Indian data regions. We do not transfer customer content across borders without contractual safeguards.
3. Access control
- Default-deny authorisation. All access is least-privilege by design.
- Role- and attribute-based access controls (RBAC/ABAC) enforced per module.
- SSO via SAML/OIDC supported for enterprise customers.
- Just-in-time access elevation with approval for privileged operations.
- Periodic access reviews of internal users and customer administrators.
4. Encryption
- AES-256 encryption at rest, using tenant-scoped envelope keys.
- TLS 1.2 or higher for all data in transit.
- Hardware-backed KMS for key management with scheduled rotation.
5. Tenant isolation
Every record, query and stored object is scoped to a tenant identifier, and the data layer enforces that tenant context on every request, including any AI prompt context where the Platform uses one.
6. Audit logging
The Platform maintains an immutable, signed audit log capturing user and system actions. The log is exportable in standard formats and integrates with customer SIEMs.
7. Secure development
- Peer code review on every change. No direct production commits.
- Static analysis and dependency scanning in CI.
- Separated development, staging and production environments.
- Regular threat modelling for new modules and major features.
8. Vulnerability management
- External Vulnerability Assessment and Penetration Testing (VAPT) on a defined cadence.
- Continuous infrastructure and dependency scanning.
- Triage SLAs tied to severity, with executive escalation for critical findings.
9. Backups & resilience
Backups are encrypted, region-local and tested for restorability. Recovery objectives are defined per service and reviewed regularly.
10. Incident response
We maintain a documented incident-response plan covering detection, containment, eradication, recovery and post-incident review. Customers are notified of incidents that materially affect their data in line with their contractual SLAs and applicable law, including CERT-In directions and the DPDP Act.
11. Personnel security
- Background verification for personnel with access to production systems.
- Mandatory annual security and privacy training.
- Confidentiality and acceptable-use undertakings.
12. Sub-processors
We engage a limited set of sub-processors under contractual security obligations. A current list is available on request and updates are communicated to customers under the DPA.
13. Responsible disclosure
Security researchers can report suspected vulnerabilities to [email protected]. We acknowledge reports promptly and work in good faith to validate and remediate.
