Privacy, security and statutory compliance — built in, not bolted on.
cmplihr.ai is designed for organisations that handle sensitive employee, payroll and statutory data. Our trust posture is engineered to meet Indian regulatory expectations and recognised international standards.
Your data, your control. India-first, India-only.
cmplihr.ai is engineered for organisations that must keep employee, payroll and statutory records under strict access, residency and accountability controls.
Primary, replica and backup data remain in Indian regions. There is no cross-border processing of customer records.
Every row, query, file and AI prompt carries tenant scope. Default-deny authorisation, enforced at the data layer.
Built-in workflows to handle access, correction and erasure requests in line with DPDP Act expectations.
Defence in depth, with controls a regulator will recognise.
Envelope encryption with tenant-scoped data keys, managed in a hardware-backed KMS and rotated on schedule.
- AES-256 at rest
- TLS 1.2+ in transit
- Tenant-scoped DEKs
- Scheduled key rotation
Least-privilege by default. Fine-grained RBAC/ABAC per module. SSO-ready, with support for just-in-time access elevation.
- SSO via SAML/OIDC
- Role and attribute policies
- JIT elevation with approval
- Session controls
An immutable, exportable audit log is the system of record. Every user and system action is signed, attributed and time-stamped.
- Signed event log
- Who, what, when, where
- SIEM-ready export
- Retention controls
Environment separation, peer-reviewed change controls, and an external VAPT cadence designed for regulated workloads.
- Isolated dev/stage/prod
- Peer code review on every change
- Quarterly external VAPT
- Incident-response runbooks
Aligned to the Acts and frameworks that matter.
We track and align our platform controls to the Indian statutory environment and recognised international information-security frameworks.
Aligned to the Digital Personal Data Protection Act. Consent, purpose limitation, retention and data-subject rights workflows are first-class.
Reasonable security practices aligned to the SPDI Rules under Section 43A and supporting CERT-In advisories.
Platform questionnaires, registers and notice flows track the Code on Wages, the Industrial Relations Code, the Code on Social Security and the OSH Code, alongside state rules.
An ISMS programme is in active build. Independent certification engagement on roadmap. Trust Letter available under NDA.
Designed against the Trust Services Criteria (security, availability, confidentiality). Independent attestation engagement on roadmap.
Log retention, time-sync and incident-reporting controls aligned to CERT-In April 2022 directions.
Certifications listed as "on roadmap" or "in progress" are active engagement areas and not yet awarded. Contact us for our current Trust Letter and roadmap dates.
AI assists. People decide. Every output is reviewable.
cmplihr.ai uses AI to structure, classify and draft. It does not file, submit, or send anything autonomously. A qualified human reviewer must approve every consequential output. We log model version, prompt context and reviewer identity on every draft.
Need our DPA, security questionnaire response, or pen-test summary?
Our security team responds to vendor diligence requests directly. Reach out and we'll share our Trust Letter, DPA template, and the current state of independent assessments under NDA.
