Honest security posture, in plain language
Vihaya runs inside the customer’s own VPC with no data egress to Vihaya, aligned to DPDP, RBI, IRDAI, and CERT-In. Customer data stays in-region, encrypted in transit and at rest via the customer’s own KMS. Vihaya is pre-SOC-2-Type-II and pre-pen-test: the architecture is production-shaped and the certifications are on the roadmap.
Posture today
| Area | Status | Notes |
|---|---|---|
| Audit trail (append-only) | In repo | Self-mapped to SOC 2 CC4.1 / CC7.2 (auditor review pending) |
| At-rest encryption | In repo | Designed to use customer KMS in customer’s environment |
| In-transit encryption | In repo | TLS 1.2+ required in production config |
| Bearer-token API auth | In repo | timingSafeEqual comparison |
| Multi-tenant logical isolation | In repo | tenant_id on every row |
| Multi-tenant physical isolation | In repo | Single-tenant deployment available on request |
| SSO (SAML / OIDC) | Pilot-dependent | Would be wired to your IdP during engagement |
| PHI / PII redaction in logs | Roadmap | First pilot deliverable |
| SOC 2 Type II | Roadmap | Auditor + timeline to be confirmed with first paid pilots |
| External penetration test | Roadmap | Report available on request under NDA once completed |
| ISO 27001 | Future | Pursued after SOC 2 if customer demand |
Security & compliance FAQ
Where does customer data live?
In the customer’s own cloud environment — typically AWS Mumbai (ap-south-1), GCP Mumbai (asia-south1), or Azure South India / Central India. Vihaya does not store customer data in our environment. Foundation-model calls route to the customer-approved provider; Azure OpenAI India and Vertex Mumbai support in-region processing for customers who require it.
Is Vihaya SOC 2 certified?
No. SOC 2 Type II is on the roadmap; the auditor and timeline will be confirmed alongside the first paid pilots. Today the architecture is production-shaped (append-only audit, control mapping, encryption, access controls), but the audit firm has not certified. Customers engaging today are functionally design partners and we work transparently with their security teams.
Does Vihaya support ISO 27001?
ISO 27001 certification is a future possibility, intended to follow SOC 2 if customer demand warrants. Many Indian enterprise security teams accept SOC 2 evidence in lieu of ISO 27001 for early-stage vendors.
What about pen-testing?
First external penetration test is on the roadmap; pen-test report will be available on request under NDA once completed. The pilot engagement includes a customer’s-pen-test-firm window as standard — many regulated customers run their own pen test as part of vendor onboarding, and the pilot SOW supports that path.
How is data encrypted?
TLS 1.2+ in transit (required in production config). At rest via the customer’s own KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault). Database-level encryption via the engine’s database layer or cloud-native transparent-data-encryption, depending on cloud.
What about BAAs?
BAA-ready posture for healthcare engagements. The customer would sign a BAA with Vihaya and chain BAAs with the foundation-model provider they’ve chosen (OpenAI Enterprise, Anthropic, Azure OpenAI, Vertex). The BAA template is prepared for pilot kickoff; no BAA has been executed yet.
Want to see this in your environment?
30-minute discovery call. We follow up with a draft SOW shortly after.
Talk to us about a pilot