SOC 2-aligned controls
Internal assessment complete; formal audit planned
ISO 27001 aligned
Security practices
GDPR & DPDPA
Privacy by design
Healthcare-ready
BAA on request
Every control, explained
Expand each category for technical detail and a ready-to-read client talking point. All controls below are live in production.
Server-enforced TOTP 2FA
All plansPrivileged roles (Owner, Super Admin, Admin) must complete TOTP verification before receiving a session. JWT is withheld until 2FA passes.
TELL YOUR CLIENT“Your admins cannot skip two-factor authentication — it is enforced by the server, not optional in settings.”
JWT httpOnly cookies
All plansSession tokens stored in httpOnly, Secure cookies — not accessible to JavaScript, reducing XSS token theft risk.
TELL YOUR CLIENT“Login sessions use industry-standard httpOnly cookies instead of browser storage that malware can read.”
CSRF protection
All plansDedicated CSRF token endpoint; state-changing API requests require a valid token. Verified in automated smoke tests.
TELL YOUR CLIENT“Cross-site request forgery is blocked — every write action needs a fresh anti-CSRF token.”
Login CAPTCHA (Cloudflare Turnstile)
All plansCAPTCHA gate on login when enabled. Automated tests confirm login without token returns captcha_required.
TELL YOUR CLIENT“Bot and credential-stuffing attacks hit a CAPTCHA wall before they can attempt passwords.”
Account lockout (django-axes)
All plansRepeated failed login attempts trigger temporary account lockout with configurable thresholds.
TELL YOUR CLIENT“Brute-force password attacks automatically lock the account after too many failures.”
API rate limiting
All plansRate limits on authentication and sensitive API endpoints to throttle abuse and enumeration.
TELL YOUR CLIENT“Automated abuse is throttled at the API layer — not just the login form.”
Active session management
All plansUsers can view active sessions and revoke individual sessions or all sessions from settings.
TELL YOUR CLIENT“If a laptop is lost, your team can kill that session instantly without resetting everyone's password.”
Automated verification
These checks run in production and CI — not marketing claims.
run_diy_security_checks — PASS (May 2026)
run_security_smoke_tests — CSRF + CAPTCHA gate verified
check_tenant_isolation — null-org audit + RLS cross-tenant probe
audit_security_headers — HSTS, CSP, X-Content-Type-Options
Login without CAPTCHA token — returns captcha_required
Backup restore drill — PASS with RTO/RPO logged
Dependency SCA — pip-audit + npm audit in CI
Internal assessment — no Critical/High in automated checks
SOC 2 evidence — 18/18 items collected internally
Access review Q2 2026 — Platform Owner sign-off
Verified via automated smoke tests, tenant isolation checks, and internal security assessment — not a third-party audit.
Your data, your control
Clear answers to the questions every IT lead asks before signing.
Where is data stored?
AWS Mumbai (ap-south-1) primary. Backup replication to Singapore. Data residency options available on Enterprise.
Can I export everything?
Yes. One-click export for every module — CSV, JSON, PDF. No vendor lock-in. We make it easy to leave (we just hope you don't).
What happens when I cancel?
90-day data retention. After that, hard delete with cryptographic erasure. Final export available anytime in those 90 days.
Do you train AI on my data?
Never. Your tenant data never leaves your tenant. No AI training, no analytics sharing, no third-party data sales — period.
What is the uptime SLA?
99.9% on Growth, 99.99% on Enterprise when contracted. Live operational status is published on our public status page when configured.
How do you handle incidents?
Public status page, email + Slack alerts, post-mortem within 5 business days. Breach notification within 72 hours per GDPR/DPDPA.
Sales FAQ — client questions
Copy-ready answers for security questionnaires and procurement calls.
Not yet certified. We are SOC 2-aligned with 18/18 internal evidence items collected and controls mapped to the Trust Services Criteria. A formal Type II audit can be engaged on Enterprise RFP timeline.
We completed an internal security assessment in May 2026 (automated checks, configuration review, tenant isolation probes). No Critical or High findings. A third-party penetration test is available for Enterprise RFP — we do not claim an independent pen test today.
Three layers: subdomain routing, application-layer org scoping on every query, and PostgreSQL Row Level Security on 10 core tables. Automated cross-tenant isolation tests run on every release in CI.
Primary: AWS Mumbai (ap-south-1). Backups replicate to Singapore. Enterprise customers can discuss data residency requirements and on-prem deployment.
Yes. One-click export per module (CSV, JSON, PDF). Full tenant export on request. After cancellation, data is retained 90 days then cryptographically erased. We make it easy to leave.
Never. Tenant data stays within your tenant boundary. No AI training, no analytics sharing, no third-party data sales.
We follow our documented incident response plan: public status updates, email/Slack alerts, post-mortem within 5 business days, and breach notification within 72 hours per GDPR/DPDPA.
Request our Security Pack: architecture overview, control matrix, internal assessment summary, subprocessor list, DPA, and evidence exports. Email security@infronest.com or book a call with our team.
Yes — server-enforced. Owner, Super Admin, and Admin roles must complete TOTP verification before receiving a session token. This is not a toggle users can disable.
Our internal DIY assurance score is approximately 9.3–9.4 out of 10 based on automated verification, RLS, encryption, audit logging, and compliance controls. Formal 10/10 requires external SOC 2 Type II audit and third-party penetration test.
Honest boundaries — what we do not claim
Not SOC 2 Type II certified — controls are aligned and evidence is collected internally
No third-party penetration test completed — internal assessment only (May 2026)
CAPTCHA uses Cloudflare Turnstile — production keys should replace test keys before customer-facing claim
Manual cross-tenant browser tests recommended for final Enterprise sign-off
Formal 10/10 score requires external auditor engagement (months + budget)
Claims reflect controls verified in our internal security assessment (May 2026). Formal SOC 2 Type II audit and third-party penetration test available on Enterprise RFP timeline.
Need a security review?
Request our security overview, DPA, and audit readiness summary.