Your compliance evidence, handled carefully.
ComplianceStack becomes your system of record for sensitive statutory documents — so investors and their lawyers will ask how the tool itself handles data. This page describes our current practices and what's on our roadmap. It reflects how the product is built today; it is not a contractual commitment.
Where your data lives
Your data is stored in a managed Postgres database and file store hosted in India (ap-south-1, Mumbai), with the application running on Vercel. Data residency in-region matters for Indian companies and their counsel.
Encryption
All traffic is encrypted in transit over HTTPS/TLS. Data and uploaded documents are encrypted at rest by our managed database and storage providers.
The evidence vault
Uploaded documents live in a private storage bucket with no public access. The app serves them only through short-lived signed URLs to authorised users — there are no public file links. Diligence-pack exports are generated on demand for an admin; the read-only investor link you can share shows status only, never the underlying files.
Access control & tenancy
Every company's data is isolated. Access is enforced by role-based permissions scoped per company — your CA, CS, lawyer or payroll vendor sees only the company data they have been granted access to. Database row-level security denies the public API key, so no browser key can read another company's data. Read-only diligence links are time-boxed and revocable.
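As an illustration of the row-level security model described above (an added example, not ComplianceStack's own schema): a hypothetical `documents` table keyed by `company_id`, a hypothetical `company_members` table mapping signed-in users to companies, RLS enabled, the browser-facing `anon` role revoked, and policies that let the `authenticated` role read or insert only rows for companies it belongs to. It assumes Supabase's built-in `auth.users` table and `auth.uid()` function.

```sql
-- Illustrative Supabase/Postgres tenancy model (hypothetical tables, not the product's schema).
create table company_members (
  company_id uuid not null,
  user_id    uuid not null references auth.users (id),
  role       text not null check (role in ('admin', 'ca', 'cs', 'lawyer', 'payroll')),
  primary key (company_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  company_id   uuid not null,
  storage_path text not null,   -- object path in the private bucket, never a public URL
  uploaded_by  uuid not null references auth.users (id)
);

-- Deny by default: RLS on, and the public (anon) role gets no grants at all,
-- so the key shipped to the browser cannot read either table.
alter table company_members enable row level security;
alter table documents enable row level security;
revoke all on company_members, documents from anon;
grant select on company_members to authenticated;
grant select, insert on documents to authenticated;

-- A signed-in user may see membership rows only for themselves...
create policy members_self on company_members
  for select to authenticated
  using (user_id = auth.uid());

-- ...and document rows only for companies they are a member of.
create policy documents_by_membership on documents
  for select to authenticated
  using (
    exists (
      select 1 from company_members m
      where m.company_id = documents.company_id
        and m.user_id = auth.uid()
    )
  );

-- Inserts are scoped the same way, otherwise a user could file a document under another tenant.
create policy documents_insert_own_company on documents
  for insert to authenticated
  with check (
    exists (
      select 1 from company_members m
      where m.company_id = documents.company_id
        and m.user_id = auth.uid()
    )
  );
```

A quick check after applying this: query `documents` as a signed-in user who has no `company_members` row and confirm zero rows come back, then query with the anon key alone and confirm a permission error rather than an empty result.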
Authentication
Sign-in is handled by a managed auth provider (Supabase). Sign-in, sign-up and password-reset forms are protected by Cloudflare Turnstile bot mitigation. Application secrets are stored encrypted and are never exposed to the browser.
How we use AI
AI never decides what compliance applies to you — that's a deterministic, versioned rules engine. The AI only classifies documents, extracts fields, summarises notices and drafts reports, and every interpretive answer carries a “confirm with your CA, CS, or lawyer” disclaimer. We do not use your data to train AI models.
Your control over your data
Export an organised diligence pack of your records at any time. Deleting a company removes its tasks, documents and evidence. You can revoke any read-only share link instantly.
Subprocessors
We rely on a small set of vetted providers to run the service:
- Supabase — Managed Postgres database, authentication, and the evidence file store (ap-south-1, Mumbai).
- Vercel — Application hosting and serverless compute.
- Cloudflare — DNS and bot protection (Turnstile) on sign-in / sign-up.
- Resend — Transactional email (sign-in, reminders, advisor invites).
- Razorpay — Subscription billing (used only if you subscribe).
- Anthropic & OpenAI — AI that classifies documents, extracts fields, summarises notices and drafts reports.
- Meta (WhatsApp) — Reminder messages — only if you opt in and add a number.
Compliance roadmap
We are building toward SOC 2 and ISO 27001, and aligning with India's Digital Personal Data Protection (DPDP) Act. To be clear: we are not yet certified — this is our direction, and we'll update this page as we reach each milestone.
Questions, or a security concern to report? Email security@compliancestack.in.