Security & Governance

Compliance

A practical overview of our security & privacy controls for Indian CA firms and their clients.

1. Controls Mapping

Our program aligns to key concepts in ISO/IEC 27001 and SOC 2. The table below summarizes how common control families map to platform and process measures.

Control Family | What we do
Information Security Policies | Documented policies reviewed annually, change-managed and communicated to staff with acknowledgement tracking.
Access Control | Role-based access scoped tenant→client; least-privilege defaults; short-lived sessions; device sign-out; optional 2FA.
Cryptography | HTTPS/TLS for data in transit; presigned uploads; encryption at rest provided by cloud storage.
Operations Security | Dependency scanning, patch cadence, environment separation (dev/stage/prod), rate limits and input validation.
Logging & Monitoring | Centralized logs for access/admin actions, errors and performance; anomaly alerts with on-call rotation.
Supplier Relationships | Subprocessor inventory, due diligence and contractual security obligations; change notifications to subscribed admins.
Business Continuity | Daily backups, periodic restores; documented DR runbooks with RTO/RPO targets by tier.
Incident Management | Documented triage and comms playbooks; customer notification on material incidents after verification.
Privacy & DPDP Readiness | Data minimization, purpose limitation, retention controls, verified deletion flows; user rights supported via admin.

2. Data Governance

  • Data classification: operational client data, account/admin data, telemetry. Handling rules defined per class.
  • Retention: operational data retained for the active subscription plus admin-configured periods; backups 30–90 days.
  • Deletion: verified deletion by client/period on admin request; logs maintained for auditability.
  • Export: Excel/CSV/JSON; audit log exports available to tenant admins.

3. Access & Security

  • Role-based access with fine-grained permissions (upload, review, export, settings).
  • TLS for all endpoints; presigned, short-lived upload URLs; encryption at rest by cloud provider.
  • Session controls (short lifetimes, device sign-out); optional 2FA; IP anomaly notifications.

4. Operations & Monitoring

  • Secure SDLC with peer review and dependency scanning.
  • Environment separation; least-privileged service accounts.
  • Rate limiting, file-type checks, GSTIN/HSN validation at source.
  • Centralized logging, metrics and alerts with 24×7 on-call escalation for critical events.

5. Backups & Disaster Recovery

  • Daily backups with periodic restore tests.
  • DR runbooks, communications templates and contact trees.
  • RTO/RPO targets vary by tier; details available during vendor assessment.

6. Incident Response

  • Documented triage workflow (detect → contain → eradicate → recover → review).
  • Material incidents: customer notification after verification, with follow-up PIR documenting mitigations.
  • Responsible disclosure at security@ca-copilot.com.

7. Vendor & Subprocessor Risk

  • Assessment of critical vendors for security, availability and confidentiality controls.
  • Written agreements with security and confidentiality obligations; flow-down where applicable.
  • Inventory maintained; material changes notified to subscribed admins.

8. Data Residency

Primary processing occurs in cloud regions selected for performance and reliability. Region options can be discussed during vendor assessment. Export formats (Excel/CSV/JSON) ensure no vendor lock-in.

9. Customer Responsibilities

  • Appoint tenant admins; configure roles and review access regularly.
  • Enforce strong passwords/2FA; manage device hygiene.
  • Review audit logs and exports; request deletion where appropriate.

10. Audits & Evidence

  • We can share policy excerpts, control summaries and selected evidence under NDA as part of vendor diligence.
  • Pen-test summaries and restore-test attestations available upon request.

11. Contact

Security & compliance questions: security@ca-copilot.com

Last updated: 2025-11-10