Trust & Compliance

Compliance & Certifications

How Canny Technologies handles regulatory requirements (HIPAA, GDPR, SOC 2, PCI-DSS, RBI, and India's DPDP Act) across industries and geographies.

Compliance Commitments at a Glance

  • NDA before project discussion: Always
  • IP assignment to client: Always
  • BAA for HIPAA projects: Always
  • DPA for GDPR projects: Always
  • Data residency documentation: Always
  • Annual pen test (Canny infrastructure): Annual
  • Project pen test for regulated industries: Per project
  • Dependency vulnerability scanning: Every build
  • Compliance checklist sign-off before launch: Every project
  • Post-launch security monitoring: Continuous

Regulatory Framework Coverage

HIPAA
United States · Healthcare
20+ HIPAA-compliant platforms delivered

Health Insurance Portability and Accountability Act: US federal law governing Protected Health Information (PHI) security and privacy.

  • Business Associate Agreements (BAA) signed before any PHI exposure
  • Technical safeguards: AES-256 encryption at rest and in transit
  • Access controls with unique user IDs, auto logoff, MFA
  • Immutable audit logs for all PHI access and modifications
  • HIPAA-eligible AWS services only (BAA in scope)
  • Third-party pen test before launch for all healthcare platforms
GDPR
European Union / UK · All industries
15+ GDPR-compliant platforms for EU/UK clients

General Data Protection Regulation: EU law governing the collection, storage, and processing of personal data of EU/UK residents.

  • Data Processing Agreements (DPA) for EU/UK clients
  • Lawful basis assessment for each data processing activity
  • Privacy by design: minimal data collection, purpose limitation
  • Right-to-erasure implementation (soft delete + hard purge workflow)
  • Data residency in EU regions (AWS eu-west-1, eu-central-1)
  • Cookie consent management integration (OneTrust or custom)
SOC 2 Type II
Global (SaaS standard) · SaaS / B2B Tech
10+ SOC 2-readiness engagements completed

AICPA Service Organisation Control 2: audit standard covering security, availability, processing integrity, confidentiality, and privacy.

  • Controls mapped to SOC 2 Trust Service Criteria at project outset
  • Logging and monitoring aligned to CC7 (System Operations) requirements
  • Change management process aligned to CC8 (Change Management)
  • Risk assessment documentation for each client system
  • Third-party audit readiness support for clients undergoing SOC 2
  • Formal Canny Technologies SOC 2 Type II audit in progress (2025)
PCI-DSS
Global · Payments / E-Commerce
25+ PCI-compliant payment integrations

Payment Card Industry Data Security Standard: mandatory security standard for any system that stores, processes, or transmits cardholder data.

  • Never store raw card data; tokenisation via Stripe or Razorpay only
  • PCI-DSS scope minimisation: cardholder data environment isolated
  • HTTPS/TLS 1.3 enforced on all payment-adjacent endpoints
  • Network segmentation: payment services in dedicated VPC subnets
  • Third-party PCI ASV scan before production payment launches
  • Quarterly vulnerability scans on payment system infrastructure
RBI / NBFC Guidelines
India · Banking / Lending
12+ RBI-compliant FinTech platforms

Reserve Bank of India digital lending, data localisation, and IT security guidelines for banks, NBFCs, and payment aggregators.

  • Data localisation: all Indian customer financial data stored in India (AWS ap-south-1)
  • RBI digital lending guidelines: disbursement/collection only to/from verified bank accounts
  • Account Aggregator framework integration (NBFC clients)
  • Aadhaar OTP and video-based KYC implementation
  • NACH mandate management via approved payment gateways
  • Regulatory reporting capability (CRILC, SMA classification)
DPDP Act
India · All industries (India)
All new India projects DPDP-compliant by design

Digital Personal Data Protection Act 2023: India's first comprehensive data protection law governing personal data processing for Indian residents.

  • Consent management system for all personal data collection
  • Data fiduciary obligations: purpose limitation, data minimisation
  • Data Principal rights: access, correction, erasure, grievance redressal
  • Data localisation for sensitive personal data categories
  • Significant Data Fiduciary (SDF) compliance assessment for large-scale platforms
  • Breach notification workflow: 72-hour notification to DPBI as required

Compliance Transparency Note

Canny Technologies is not itself a HIPAA-covered entity, PCI-DSS merchant, or SOC 2 certified organisation. We act as a technical implementation partner that builds compliance into client systems. For systems requiring formal certification, we build the controls that enable your organisation to achieve and maintain certification. Our own SOC 2 Type II audit is currently in progress. Contact us for our most current compliance documentation.

Have a Specific Compliance Requirement?

Tell us your regulatory context and we'll outline exactly how we'd address it in your project architecture.
