Skip to content

Security & Compliance

Last updated May 2026

Your clients trust you with their conversations. You need to trust us with that data. No marketing language, no vague promises — exactly what we do, in plain terms.

🛡️ Posture at a glance: Hosted in India · Encrypted in transit and at rest · DPDP Act compliant by design · No customer data used for AI training · Daily encrypted backups · Audit-logged access.

On this page: Data residency · Encryption · DPDP compliance · Access controls · Subprocessors · Incident response · Certifications · Data processing.

🇮🇳 Data Residency

  • Hosted in India: Your application data and database live on infrastructure inside India and do not leave Indian territory. No replication to foreign servers.
  • Daily encrypted backups: Data is backed up daily to encrypted off-site storage with a defined retention window, and our restore procedure is tested.
  • EU / US residency: Available for Enterprise engagements on request — the chosen region is set out in the Data Processing Agreement.

AI inference (via Anthropic Claude) is processed in the US — unavoidable for current LLM providers. Only the conversation context needed to generate a reply is sent, and Anthropic's enterprise agreement explicitly prohibits using that data for model training.

🔐 Encryption

  • In transit: Every connection — API calls, dashboard sessions, and webhooks — is encrypted with current industry-standard TLS. Legacy protocols are disabled.
  • At rest: Stored data is encrypted on disk. Credentials, API keys, and tokens are stored hashed, never in plain text.

HTTPS is enforced site-wide and certificates are auto-renewed. Specific cipher and configuration detail is included in the security packet shared under NDA on request.

📋 DPDP Act 2023 Compliance

India's Digital Personal Data Protection Act 2023 governs how we collect, use, and delete personal data. Here's our posture on each relevant obligation:

  • Lawful purpose & consent (Compliant): Data is collected only to deliver the contracted WhatsApp first-responder service. Clients explicitly consent via our Terms of Service at signup.
  • Data minimisation (Compliant): We collect: phone number, business name, conversation history, and usage events. No location tracking, no device fingerprinting, no third-party ad pixels.
  • Retention limit (Compliant): Conversation data and leads are retained for 24 months from last activity. Clients can request earlier deletion (see below).
  • Deletion on request (Compliant): Clients and their end-customers can request full deletion via /data-deletion. We process all requests within 14 days and confirm via email.
  • Data fiduciary registration (In progress): Registration with the Data Protection Board is in progress post-incorporation (INC-20A expected Q2 2026).
  • Grievance officer (Designated): Ashish Dubey, Grievance Officer (Niyog AI). Email grievance@niyogai.com or write to 103 Diamond Harbour Road, Kolkata 700038, India. Acknowledged within 48 hours; resolved within 30 days, in line with IT Rules 2021 and DPDP Act 2023.

🔒 Who Can Read Your Data

By default, no Niyog staff can read your conversations. Access to production data requires explicit administrator credentials, and every administrative action is logged with a timestamp and retained in an immutable audit trail.

  • Workspace isolation: Each client workspace is logically isolated; access to a workspace requires a scoped, expiring access token.
  • Authenticated integrations: App and API integrations authenticate with a per-workspace secret that is hashed before storage.
  • Support access: We access your workspace only when you explicitly request investigation, only for that case, and only for as long as needed.
  • Audit log: Every agent action, message, and data change is recorded. You can request a full export at any time.

🤝 Subprocessors

We use a minimal set of third-party services. Each one is listed below with what data they touch and a link to their own privacy policy.

SubprocessorPurposeData touched
AnthropicAI inference (Claude models)Conversation context only — never used for model training
Meta (WhatsApp Business API)WhatsApp message deliveryMessage content in transit
RazorpayPayment processing & subscriptionsBilling details — no raw card data
India-based cloud hostingApplication & database infrastructureApplication data, hosted inside India

The full named list, with regions, is included in the security packet shared under NDA on request. We notify clients of any new subprocessor at least 30 days before it processes data.

🚨 Incident Response

  • 0–1 hr: Contain the incident. Revoke compromised credentials. Isolate affected systems.
  • 1–24 hrs: Notify all affected clients directly via WhatsApp + email. Provide initial impact assessment.
  • 24–72 hrs: Notify CERT-In (per DPDP Act obligation). File report with Data Protection Board once operational.
  • Post-incident: Full post-mortem published to affected clients. Corrective measures documented and implemented.

To report a suspected vulnerability: security@niyogai.com. We aim to acknowledge all reports within 24 hours.

🏅 Certifications & Compliance Roadmap

  • GST Registration (Active): Registered under Dubey Electronics (bridge entity). Niyog AI Pvt Ltd registration in progress.
  • Udyam (MSME) (Active): UDYAM-WB-10-0103548. Recognised small enterprise under the Ministry of MSME.
  • INC-20A (Company) (In progress): Niyog AI Pvt Ltd incorporation underway. Target: Q2 2026.
  • DPDP Registration (Post-incorporation): Data fiduciary registration with Data Protection Board once INC-20A clears.
  • SOC 2 Type I (Target Q1 2027): Scoped and planned. Audit firm evaluation begins Q3 2026.
  • ISO 27001 (Evaluating): Under evaluation. Intent confirmed; implementation timeline post-Series A.

📄 Data Processing Agreement

Need a Data Processing Agreement?

Enterprise and mid-market clients requiring a signed DPA (Data Processing Agreement) or MSA (Master Service Agreement) can request one directly. We typically turn these around within 5 business days.

Request DPA → · Privacy Policy · Terms of Service

Security questions?

We'll answer any security question before you sign. No pressure, no sales pitch. hello@niyogai.com →

WhatsApp