Platform

Five disciplines. One operating system for trust.

Every identity, every device, every file, every byte that leaves your organisation — governed by a single policy engine, a single audit log and a single pane of glass.

01 / Data Loss Prevention

Stop data leaving. Everywhere it might leave.

Endpoint, email, web and cloud DLP — all enforced by one policy engine. No proxy, no MDM, no premium email plan, no browser enterprise upgrade.

  • Endpoint DLP — USB whitelist, clipboard monitoring, print watermarking, screenshot restriction, offline policy cache. Windows, macOS, Linux.
  • Email DLP — Real-time scan via Microsoft Graph & Gmail APIs. PAN, Aadhaar, SWIFT, credit-card regex + ML content classification.
  • Web & cloud DLP — Chrome/Edge extension blocks uploads to Drive, Dropbox, WeTransfer. Paste detection into web forms & SaaS.
  • Document fingerprinting — register a sensitive file once, then detect every derivative copy on every channel.

POLICY RULE · dpdp.pii.v3
If document contains ≥ 5 PAN or Aadhaar → block egress

◉ email.external → block + quarantine
◉ upload.googleDrive → block + notify admin
◉ usb.write → block + audit
◉ print.office → watermark + audit
◉ paste.whatsappWeb → block

✓ SEALED · Audit event written to WORM log · replayable for 5 years

LIFECYCLE · JOINER → MOVER → LEAVER
One action. All systems.
01 · HRMS marks user as terminated
02 · Cyfriq receives webhook in <2s
03 · SSO session revoked across all apps
04 · SCIM deprovisions M365 · Google · Zoho · Slack · Salesforce
05 · Device certificate invalidated
06 · DLP last-hour egress report auto-generated
✓ Complete in 4.1s · audit-trail sealed

02 / Identity & Access Management

The whole lifecycle. End-to-end.

SCIM 2.0 provisioning, role-based access control, HRMS integration, access reviews, certification workflows. Without a second identity vendor.

  • SCIM auto-provisioning — create a user once in Cyfriq; they appear in every connected system.
  • Leaver automation — one deactivation revokes SSO, SCIM, certificates and active sessions in seconds.
  • RBAC with inheritance — department and role policies cascade cleanly; no flat permission sprawl.
  • Access review workflows — quarterly certification loops built for SOC 2 and ISO 27001 auditors.

03 / Identity Provider

Cyfriq is your SAML 2.0 IdP.

Replace Azure AD Premium and Okta IdP at the authentication layer. Enforce device trust, agent health, country and time-of-day gates on every login — no upgrade to M365 E5, no Entra P1/P2, no Intune add-on.

  • Device trust: Certificate-validated devices only
  • Agent health: Blocks login if agent offline or unhealthy
  • Geo-policy: Country allow/deny lists at auth layer
  • Risk scoring: UEBA feeds real-time risk into auth

AUTH ATTEMPT · ANATOMY
7 checks in <200ms.

credential — valid & not compromised
MFA — FIDO2 · TOTP · push
device.certificate — valid & registered
agent.health — online & policies current
geo — country on allowlist
risk.score — UEBA below threshold
time-of-day — within approved window
✓ ALLOW · session = 8h · sealed to audit log

M365 · Google · Zoho · Slack · Salesforce · GitHub · AWS · Azure · Notion · Atlassian · Zendesk · + SAML/OIDC

One secure login. Unlimited apps. No per-app fee.

04 / Single Sign-On

One login. Every application.

SAML 2.0 and OIDC for every corporate application. Unlimited apps. No per-application licence fee. Branded login domain (login.yourorg.com). Passkeys and FIDO2 hardware tokens supported out of the box.

05 / UEBA & Insider Threat

The quiet signals before the incident.

Machine learning baselines every user, every device and every data channel, and surfaces the deviations: off-hours access, bulk downloads, pre-resignation hoarding, account takeover, impossible travel.

  • Behavioural baseline — 30-day rolling window per user, tuned continuously.
  • Risk scoring — 0–100 score feeds the IdP; high-risk users are forced to re-auth or blocked.
  • Pre-resignation mode — HRMS webhook triggers elevated monitoring the moment notice is tendered.
  • Investigator console — replay a user's last 30 days in chronological order with one click.

RISK TIMELINE · user:k.menon

Day -10 · score 12 · baseline
Day -6 · score 24 · mild off-hours spike
Day -3 · score 41 · HRMS: notice served
Day -1 · score 63 · 4.2 GB Drive download
Today · score 87 · printed 312 client records
⚠ Reviewer notified · investigator console one-click replay

Architecture

Cloud-native by design. Regional data residency.

Per-tenant encryption keys. Strict data residency on AWS ap-south-1. API-first everywhere.

ISOLATION
Per-tenant keys

AES-256 at rest with a dedicated KMS key per tenant. Cross-tenant access is cryptographically impossible.

RESIDENCY
AWS ap-south-1

Customer data remains in India by default. US/EU regions available on request for global deployments.

API-FIRST
Every capability exposed

Policy, audit, enrollment, reporting — all addressable over REST + webhooks. Your SIEM, your HRMS, your ITSM.

AGENT
Windows · macOS · Linux

Single signed binary. Silent GPO / config-profile deployment. Offline enforcement cache. Under 40MB RAM.

SIEM
Splunk · Sentinel · QRadar

Event streams in CEF, JSON or Syslog. WORM audit log can be replayed for any date range, 5-year retention.

UPTIME
99.99% SLA

Multi-AZ active/active. Agent continues enforcing offline. Public status page with 90-day incident history.

Ready to see it in action?

30 minutes. Your own data. Live policy enforcement — not a scripted demo.