Security at Depra.

01Encryption

All data is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred). HSTS is enabled site-wide and we are submitting depra.ai to the browser preload list.

All data at rest is encrypted using AES-256. This includes the application database, object storage (call recordings, file uploads), and backups. Encryption keys are managed by AWS KMS, rotated annually, and never leave the region.

Database connections inside our VPC use TLS. Internal service-to-service traffic uses mTLS where supported by the runtime.

02Infrastructure

Production runs on AWS in the ap-south-1 (Mumbai) region. Customer data does not leave India for primary processing.

Some sub-processors (LLM providers, voice STT/TTS) operate outside India. Cross-border processing is governed by the agreements listed at https://depra.ai/subprocessors and the Standard Contractual Clauses in our DPA.

Compute is isolated per environment (production, staging, development). Production has no shared credentials with non-production.

We use AWS-managed services for the database (RDS), object storage (S3), and queues (SQS) so we benefit from AWS's underlying SOC 2 / ISO 27001 / PCI-DSS certifications for the infrastructure layer.

03Tenant isolation

Customer workspaces are logically isolated: every database row carries a workspace_id, every API request is scoped to the caller's workspace at the auth layer, and queries that span workspaces are not possible from the application boundary.

Object storage uses per-workspace prefixes with bucket policies that enforce isolation at the AWS layer as a defense-in-depth.

We do not currently offer single-tenant deployments. Enterprise customers needing dedicated infrastructure should contact team@depra.ai.

04Access controls

All employee access to production systems requires SSO (Google Workspace) with mandatory hardware-key MFA.

Role-based access: engineers have read-only access to production by default; write access requires a documented break-glass procedure that's logged and reviewed weekly.

Customer admin actions inside the dashboard are audit-logged. Audit logs are exportable to Enterprise customers via the API.

Offboarding revokes all production and SaaS access within 24 hours of departure. Quarterly access reviews are part of our security program.

05Application security

Code is reviewed by at least one engineer before merging. Secrets are never committed to source - we use AWS Secrets Manager and a pre-commit hook that scans for credentials.

Dependencies are scanned daily for known vulnerabilities (Dependabot + npm audit in CI). High and critical CVEs are patched within 7 and 30 days respectively.

We run an annual third-party penetration test and remediate findings on a fixed schedule. Customers under NDA can request the most recent summary.

OWASP Top-10 controls are baseline: parameterised queries, output encoding, CSP (currently rolling out in report-only mode), strict CORS, signed JWTs with short lifetimes for API tokens.

06Backup and recovery

Database: encrypted automated backups every 6 hours, retained 35 days. Point-in-time recovery to any second within the retention window.

Object storage: cross-region replication (ap-south-1 → ap-southeast-1) with versioning enabled; deletes are soft for 30 days.

We test restore from backup quarterly and document the restore time. Current Recovery Time Objective (RTO) is 4 hours, Recovery Point Objective (RPO) is 1 hour for the database tier.

07Monitoring and incident response

24×7 alerting via PagerDuty. Sev-1 incidents are acknowledged within 15 minutes, with status updates every 30 minutes until resolution. Severity definitions and credit policy are in our SLA at https://depra.ai/sla.

Logs and metrics are centralised. Authentication events, admin actions, and data export operations are retained 12 months.

We follow an industry-standard incident response playbook covering identification, containment, eradication, recovery, and post-mortem. Sev-1 / Sev-2 post-mortems are published within 5 business days at status.depra.ai.

08Breach notification

If we identify a confirmed Personal Data breach, we notify affected customers within 48 hours of discovery, with the facts known at the time. Updates follow as the investigation progresses. This is also written into our DPA. Notice goes to the customer's primary contact email; major incidents are also published at status.depra.ai. Where applicable law requires, we report to the Data Protection Board of India or the relevant supervisory authority within 72 hours.

09Vendor and sub-processor management

Every sub-processor that handles customer Personal Data is listed publicly at https://depra.ai/subprocessors. The list is the source of truth - we update it before adding a new sub-processor.

We give at least 14 days' notice before engaging a new sub-processor. Customers can object on reasonable grounds; if we can't accommodate the objection we will help with migration or provide a pro-rated refund.

Each sub-processor is reviewed for SOC 2 / ISO 27001 status, data residency, and a signed DPA before onboarding.

10Compliance and certifications

DPDP Act (India, 2023): we operate as a Data Processor for our customers (the Data Fiduciaries) and provide tools for Data Principal access, correction, and deletion requests.

GDPR: where applicable, our DPA includes Standard Contractual Clauses for cross-border transfers from the EU/UK.

SOC 2 Type 1: in progress with Vanta. Target audit report Q3 2026. Type 2 follows once we have a qualifying observation window.

ISO 27001: roadmap target is 2027 once SOC 2 Type 2 is in place. Customers needing ISO 27001 evidence today should ask about the underlying AWS certifications.

PCI-DSS: Depra is not in scope for PCI-DSS - we do not store, process, or transmit cardholder data. Payment links route to the customer's own PCI-compliant payment gateway (e.g., Razorpay).

11Responsible disclosure

If you believe you've found a security vulnerability, please email team@depra.ai. Our contact details, scope, and acknowledgement timeline are also in our security.txt at https://depra.ai/.well-known/security.txt.

Please do not publicly disclose vulnerabilities until we've had a chance to investigate and ship a fix. We aim to acknowledge reports within one business day and triage within five.

We do not currently run a paid bug bounty programme but we credit researchers in release notes (with consent) for valid reports.

12Data Subject / Data Principal Rights

If you are a data principal under DPDP (or data subject under GDPR) with data we process on behalf of one of our customers, you should contact that customer directly - they are the Data Fiduciary. If you can't reach them, email team@depra.ai and we will route the request appropriately. Targets: 10 business days for assistance, 30 days for full resolution per DPDP.