Cyfriq is an enterprise security platform. We hold ourselves to the same bar we ask of our customers, and a stricter one. This page documents how.
All customer data is encrypted at rest with AES-256 using a dedicated KMS key per tenant. In transit, everything uses TLS 1.3 with forward secrecy.
Cross-tenant access is cryptographically impossible. Each tenant's root key lives in AWS KMS, used only to decrypt that tenant's per-record data keys.
Customer data is stored in Mumbai by default. US-East and EU-West regions are available on request. Data never traverses regions without explicit customer action.
Every Cyfriq employee authenticates with phishing-resistant FIDO2 hardware tokens. Your workload API calls require rotating, least-privilege credentials.
Every control-plane action is sealed to a tamper-proof log. Retained up to 5 years. Replayable by your auditors on request.
Deployed across three availability zones. Agent enforcement continues offline via local policy cache for up to 14 days.
Every Cyfriq employee starts with zero access. Access to customer tenants is time-bounded, ticket-justified and logged. No customer data access outside an open support ticket.
No code reaches production without peer review, automated security tests (SAST, SCA, secrets detection) and a documented rollback plan. Infrastructure defined as code and reviewed the same way.
Every build runs dependency scanning, static analysis and container scanning. External penetration tests quarterly by independent firms. Public bug bounty with responsible-disclosure policy.
Every employee and contractor is background-verified before access. Annual security awareness training mandatory; phishing simulations run monthly.
RPO 15 minutes · RTO 1 hour. Full disaster-recovery exercise executed twice a year against a restored, isolated environment. Results published to customers on request.
24×7 on-call rotation. Severity-based response SLAs. Status page updates within 15 minutes of SEV1 detection. Root-cause analysis published within 5 business days.
Customers are notified at least 30 days before any sub-processor is added or changed.
| Sub-processor | Purpose | Location | Certifications |
|---|---|---|---|
| Amazon Web Services (India) | Primary infrastructure hosting & KMS | Mumbai (ap-south-1) | SOC 1/2/3, ISO 27001/17/18, PCI, STAR |
| Cloudflare | DNS, WAF, DDoS mitigation, edge TLS | Global edge · India PoPs | SOC 2, ISO 27001, PCI |
| Datadog | Observability & internal operational telemetry | US · with data residency controls | SOC 2, ISO 27001, HIPAA |
| Zendesk | Customer support ticketing & communication | Global · EU/US | SOC 2, ISO 27001 |
| Stripe | Billing & payment processing (card only) | Global | PCI-DSS Level 1, SOC 2 |
| HubSpot | Sales CRM (prospect metadata only) | US · EU | SOC 2, ISO 27001 |
The sub-processor list is current as of this page's last revision. Customers may subscribe to sub-processor change notifications in the Cyfriq admin portal.
Every enterprise customer signs a Data Processing Agreement aligned to the DPDP Act 2023, GDPR Article 28, and industry best practices. Available for redline review before signature.
Public status page with 90-day uptime history: status.cyfriq.com
We operate a public vulnerability disclosure programme with a safe-harbour policy. Bounties for qualifying reports. Encrypted reporting via email or HackerOne. First acknowledgement within 24 hours.