Architecture

How customer data flows through Cyfriq.

Buyer-level view for CISOs and security architects evaluating Cyfriq. Six logical layers, one policy engine, zero cross-tenant exposure. A detailed deployment view (AWS components, VPC topology, KMS hierarchy) is available under NDA — request via security@cyfriq.com.

Architecture diagram (rendered as text):

Ingress sources
  • Windows / macOS / Linux: Cyfriq endpoint agent (DLP · MFA · device trust)
  • Browser extension (Chrome · Edge · Brave): upload & paste interception
  • M365 · Google · Zoho APIs (Graph · Gmail · Zoho APIs): email DLP scan layer
  • Mobile (iOS · Android): Cyfriq Secure Mail app, containerised mobile DLP
  • Admins: console UI, FIDO2 enforced

Layers
  • 01 · EDGE: Cyfriq Edge, TLS 1.3 termination · Anycast · DDoS protection · Geo & IP allowlist
  • 02 · IDENTITY: Cyfriq IdP (SAML 2.0 · OIDC), MFA · FIDO2 hardware tokens · device-trust enforcement, agent-health gating · geo-policy · risk-score step-up
  • 03 · POLICY ENGINE: unified policy evaluation, DLP rules · UEBA risk scoring · ML content classification, DPDP / GDPR / HIPAA pre-built templates
  • 04 · TENANT ISOLATION: per-tenant data & key hierarchy, AES-256 at rest · TLS 1.3 in transit · KMS root key per tenant, cross-tenant access cryptographically impossible
  • 05 · IMMUTABLE AUDIT: WORM-sealed event stream, tamper-proof · 5-year retention · regulator-replayable, streams to customer SIEM (Splunk, Sentinel, QRadar)
  • 06 · REGION: AWS ap-south-1 (Mumbai) by default · US & EU on request · Multi-AZ active-active · 99.99% SLA

Layer detail

What each layer enforces.

01 · EDGE

Cyfriq Edge

TLS 1.3 termination at the global Anycast edge. Geo / IP allowlist. DDoS protection. Customer-traffic mTLS for agent calls.

  • TLS 1.3, modern cipher suites only
  • Geo-policy (deny-by-default jurisdictions)
  • WAF / rate-limit
02 · IDENTITY

Cyfriq IdP

SAML 2.0 + OIDC identity provider. Every auth request is gated by MFA (FIDO2 / TOTP / push), live device trust, and configurable geo-policy.

  • FIDO2 hardware tokens preferred
  • Agent heartbeat = device trust signal
  • Geo + risk-score step-up
03 · POLICY ENGINE

Unified evaluation

One engine evaluates every action — login, email, web upload, file copy, USB write, paste. ML content classification + regex + fingerprinting.

  • DPDP / GDPR / HIPAA pre-built rules
  • Document fingerprinting
  • Custom rule DSL
04 · TENANT ISOLATION

Per-tenant encryption

Each tenant has its own root key in AWS KMS. All customer data is encrypted at rest with AES-256 using a per-record data key derived from the tenant's root key.

  • Per-tenant KMS root key
  • Cryptographic tenant separation
  • No shared decryption surface
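The key hierarchy described above, as an added example that is not Cyfriq's code: a tenant root key that never leaves a (here in-memory, stand-in for AWS KMS) key store, a per-record data key derived from it with HKDF (RFC 5869, implemented over the standard library) and bound to the tenant and record identifiers, and a decrypt path that fails authentication when a different tenant's root key is used. The record cipher is an HMAC-based stand-in for AES-256-GCM so the script runs offline with no third-party package; the salt label, tenant and record names, and sample plaintext are constructed.

```python
"""Per-tenant key hierarchy: tenant root key -> per-record data key.

Added illustration, not Cyfriq code. The KMS is a dict of root keys,
HKDF is implemented with hashlib/hmac, and the record cipher is an
HMAC keystream plus HMAC tag standing in for AES-256-GCM.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
NONCE_LEN, TAG_LEN = 12, 32


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Extract then HKDF-Expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Stand-in for AWS KMS: one 256-bit root key per tenant, never exported.
_KMS_ROOT_KEYS: dict[str, bytes] = {}


def kms_create_tenant_root_key(tenant_id: str) -> None:
    _KMS_ROOT_KEYS[tenant_id] = os.urandom(32)


def kms_derive_data_key(tenant_id: str, record_id: str) -> bytes:
    """Per-record data key, bound to (tenant, record) via the HKDF info field.

    Only the calling tenant's own root key is used, so there is no code path
    through which another tenant's key material can be reached.
    """
    root = _KMS_ROOT_KEYS[tenant_id]  # KeyError if the tenant does not exist
    info = f"{tenant_id}/{record_id}".encode()
    return hkdf(root, salt=b"example-record-key-salt", info=info)  # constructed label


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC (stand-in for the AES block cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:n]


def _record_keys(tenant_id: str, record_id: str) -> tuple[bytes, bytes]:
    dk = kms_derive_data_key(tenant_id, record_id)
    return hkdf(dk, b"", b"enc"), hkdf(dk, b"", b"mac")


def encrypt_record(tenant_id: str, record_id: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under the tenant's per-record key."""
    enc_key, mac_key = _record_keys(tenant_id, record_id)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, HASH).digest()
    return nonce + ct + tag


def decrypt_record(tenant_id: str, record_id: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise if the key or data is wrong."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _record_keys(tenant_id, record_id)
    expected = hmac.new(mac_key, nonce + ct, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong tenant key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def cross_tenant_demo() -> dict:
    """Encrypt as tenant-a, then show that tenant-b's key cannot open it."""
    kms_create_tenant_root_key("tenant-a")
    kms_create_tenant_root_key("tenant-b")
    sample = b"constructed sample record"
    blob = encrypt_record("tenant-a", "rec-1", sample)
    results = {"owner_can_read": decrypt_record("tenant-a", "rec-1", blob) == sample}
    try:
        decrypt_record("tenant-b", "rec-1", blob)
        results["other_tenant_can_read"] = True
    except ValueError:
        results["other_tenant_can_read"] = False
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    try:
        decrypt_record("tenant-a", "rec-1", tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(cross_tenant_demo())
```

The property worth checking in a real deployment is the one the demo exercises: the only way to reach a record's data key is through the owning tenant's root key, and a decrypt under any other key fails closed at the authentication step rather than returning garbage.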
05 · IMMUTABLE AUDIT

WORM-sealed events

Every control-plane action is sealed to a tamper-proof log. Retained 5 years. Streamed to customer SIEM in real time. Regulator-replayable.

  • Hash-chained log entries
  • SIEM integration: Splunk, Sentinel, QRadar
  • 5-year retention default
06 · REGION

Data residency

AWS ap-south-1 (Mumbai) by default. US-East and EU-West on request. Multi-AZ active-active. Data never crosses region without explicit customer action.

  • ap-south-1 default
  • US / EU on request
  • 99.99% SLA
Layer 04 · The database beneath

The sovereign foundation beneath your data

The per-tenant encrypted store and WORM audit log are built on ShaktiDB — India's indigenous, open-source, PostgreSQL-forked database, incubated at and backed by IIT Madras Pravartak. ACID-compliant, distributed with built-in replication and high availability, engineered for sovereignty and designed to align with RBI and CERT-In's SBOM directive.

Need the detailed deployment view?

The NDA-gated version includes AWS service breakdown (KMS, RDS, S3, Lambda, ECS, VPC layout, peering), failover topology, BCP/DR runbooks, and key-rotation procedure.

Request under NDA →