Security & trust

Built for regulated industries.

The page you forward to your compliance team — what we do, what we don't, and the receipts. No vague promises, no "enterprise-grade" buzzwords.

DPDP Act (India) alignedGDPR postureISO-27001 roadmapEncryption in transit + at rest

Data handling

  • Tenant isolation. Every document, chat, lead, and KB entry is tagged with a tenant ID at insert time and filtered at every query. No cross-tenant reads are possible at the API layer.
  • PII masking. Phone numbers, email addresses, and free-form "I live at..." strings are redacted from LLM logs and from the confirmation bubble shown to visitors. Masking rules live in a single compliance service you can audit.
  • Retention. Chat transcripts and leads are retained for the lifetime of your workspace. Tenants can request deletion of any conversation or lead via the admin UI; deletes propagate to the vector index within minutes.
  • No training on your data. We do not fine-tune foundation models on tenant content. Retrieval augments the model at inference time — your documents are looked up, not memorised.

Compliance posture

We operate under India's DPDP Act framework (with GDPR-aligned controls for EU data subjects). Our public-facing legal documents — , , — are updated in lockstep with platform changes.

We are not yet SOC-2 or ISO-27001 certified. That's a deliberate honest statement, not a gap we hide. Our roadmap targets ISO-27001 Stage-1 audit by late 2026 once the platform stabilises past 50 paid tenants. We'll publish the auditor's letter here the day we pass.

Infrastructure

  • Data stores. MongoDB (primary), Qdrant (vector index), Upstash Redis (rate limiting + cache). All are encrypted at rest and accessed only over TLS.
  • LLM providers. Requests route through our provider layer to OpenAI, Anthropic, or Google depending on the tenant's configured model. Your prompts never leave that trusted triad.
  • Email. Transactional email (overage alerts, password resets, receipts) via Zoho SMTP. No marketing mailers are sent without explicit opt-in.
  • Data residency. Primary infrastructure in Asia-Pacific (AWS ap-south-1 by default). EU tenant residency on request.

Incident response & SLA

  • Uptime target. 99.5% for the chat API on paid plans. Live status: .
  • Audit trail. Every admin action (KB edits, tenant config changes, key rotations) is logged to an immutable audit collection and exposed in Observability → Events.
  • Disclosure. Verified security issues are acknowledged within 48 hours at hello@hanvitt.com. Customer-impacting incidents trigger a written post-mortem published on the status page within 5 business days.
  • Paper trail. DPA (Data Processing Agreement), SCC (Standard Contractual Clauses), and sub-processor list are available on request for any paid tenant.

Got a compliance questionnaire?

Send it over. We turn around most standard questionnaires within 3 business days.

Email the team

Your partner in Growth — For Individuals & Businesses

Hanvitt Consulting & Solutions — four disciplines, one partner. AI consulting, lead generation, modern websites, and legacy modernization, shipped end to end. We also run two platforms on the side: Hanvitt.in for individuals and Hanvitt AI Platform for SMEs.

Services

Platforms

Company

Resources

Legal

Contact

© 2026 Hanvitt Consulting & Solutions. All rights reserved.

Made for businesses that never want to miss a customer.