Security & Compliance
How your data is actually protected.
Your clients trust you with their conversations. You need to trust us with that data. No marketing language, no vague promises — exactly what we do, in plain terms.
Infrastructure
Data Residency
AI inference (via Anthropic Claude) is processed in the US — this is unavoidable for current LLM providers. Only the conversation context needed to generate a reply is sent; no PII is transmitted beyond what's in the message itself. Anthropic's enterprise agreement explicitly prohibits using API data for model training.
Data Protection
Encryption
All API calls, dashboard sessions, and WhatsApp webhooks use TLS 1.3. Older protocols (TLS 1.0, 1.1) are disabled at the nginx layer.
Hetzner VPS disk encryption via LUKS (AES-256-XTS). Database passwords, API keys, and tokens are stored hashed (bcrypt/HMAC-SHA256), never plaintext.
HTTPS is enforced site-wide via HSTS with a 2-year max-age. Certificates are auto-renewed via Let's Encrypt / Certbot.
Regulation
DPDP Act 2023 Compliance
India's Digital Personal Data Protection Act 2023 governs how we collect, use, and delete personal data. Here's our posture on each relevant obligation:
Data is collected only to deliver the contracted WhatsApp first-responder service. Clients explicitly consent via our Terms of Service at signup.
We collect: phone number, business name, conversation history, and usage events. No location tracking, no device fingerprinting, no third-party ad pixels.
Conversation data and leads are retained for 24 months from last activity. Clients can request earlier deletion (see below).
Clients and their end-customers can request full deletion via /data-deletion. We process all requests within 14 days and confirm via email.
Registration with the Data Protection Board is in progress post-incorporation (INC-20A expected Q2 2026).
Ashish Dubey, Grievance Officer (Niyog AI). Email grievance@niyogai.com or write to 103 Diamond Harbour Road, Kolkata 700038, India. Acknowledged within 48 hours; resolved within 30 days, in line with IT Rules 2021 and DPDP Act 2023.
Access Controls
Who Can Read Your Data
Access to production data requires explicit admin credentials held by a single designated administrator. Every admin action is logged with timestamp, IP, and action type. Logs are immutable and retained for 12 months.
Each client workspace is isolated by client_id at the database row level. A dashboard token (HMAC-SHA256) scoped to your workspace is required. Tokens expire after 7 days.
Your mobile app and API integrations authenticate via an app_secret (32-byte random string) + owner phone pair. Secrets are hashed before storage.
If you contact support and explicitly request investigation, we may access your workspace data only for that specific support case and only for the duration needed.
Every agent action, message sent, and data modification is logged in whatsapp_audit_log and agent_runs tables. You can request a full export at any time.
Third Parties
Subprocessors
We use a minimal set of third-party services. Each one is listed below with what data they touch and a link to their own privacy policy.
| Subprocessor | Purpose | Data touched | Location |
|---|---|---|---|
| Anthropic | AI inference (Claude models) | Conversation context — no customer data used for model training | USA |
| Meta (WhatsApp Business API) | WhatsApp message delivery | Phone numbers, message content in transit | USA / Global |
| Razorpay | Payment processing & subscriptions | Billing name, email, payment method tokens — no raw card data | India |
| Hetzner Online | Cloud hosting & VPS infrastructure | All application data including database | India (Bangalore) |
| Sentry | Error monitoring & performance | Stack traces, non-PII request metadata | USA |
We will notify clients of any new subprocessors at least 30 days before they process data. Last updated: May 2026.
Breach Response
Incident Response
Contain the incident. Revoke compromised credentials. Isolate affected systems.
Notify all affected clients directly via WhatsApp + email. Provide initial impact assessment.
Notify CERT-In (per DPDP Act obligation). File report with Data Protection Board once operational.
Full post-mortem published to affected clients. Corrective measures documented and implemented.
To report a suspected vulnerability: security@niyogai.com. We aim to acknowledge all reports within 24 hours.
Roadmap
Certifications & Compliance Roadmap
Registered under Dubey Electronics (bridge entity). Niyog AI Pvt Ltd registration in progress.
UDYAM-WB-10-0103548. Recognised small enterprise under the Ministry of MSME.
Niyog AI Pvt Ltd incorporation underway. Target: Q2 2026.
Data fiduciary registration with Data Protection Board once INC-20A clears.
Scoped and planned. Audit firm evaluation begins Q3 2026.
Under evaluation. Intent confirmed; implementation timeline post-Series A.
Legal
Data Processing Agreement
Need a Data Processing Agreement?
Enterprise and mid-market clients requiring a signed DPA (Data Processing Agreement) or MSA (Master Service Agreement) can request one directly. We typically turn these around within 5 business days.
We'll answer any security question before you sign. No pressure, no sales pitch.
hello@niyogai.com →