Security & Compliance

Honest security posture, in plain language.

Security teams ask for the same artefacts from every vendor: where the data lives, how it's encrypted, who can access it, what happens during an incident. Here are the answers without marketing language. Vihaya is pre-SOC-2-Type-II and pre-pen-test — the architecture is production-shaped, the certifications are on the roadmap, and we work transparently with your security team through the pilot.

Posture today

| Area | Status | Notes |
| --- | --- | --- |
| Audit trail (append-only) | Shipped | SOC 2 CC4.1 / CC7.2 mapping |
| At-rest encryption | Shipped | Customer KMS in customer's environment |
| In-transit encryption | Shipped | TLS 1.2+ required |
| Bearer-token API auth | Shipped | timingSafeEqual comparison |
| Multi-tenant logical isolation | Shipped | tenant_id on every row |
| Multi-tenant physical isolation | Shipped | Single-tenant deployment available on request |
| SSO (SAML / OIDC) | Pilot-dependent | Wired to your IdP during engagement |
| PHI / PII redaction in logs | Roadmap | First pilot deliverable |
| SOC 2 Type II | Roadmap | Auditor + timeline to be confirmed with first paid pilots |
| External penetration test | Roadmap | Report available on request under NDA once completed |
| ISO 27001 | Future | Pursued after SOC 2 if customer demand |

Security & compliance FAQ

Where does customer data live?

In the customer's own cloud environment — typically AWS Mumbai (ap-south-1), GCP Mumbai (asia-south1), or Azure South India / Central India. Vihaya does not store customer data in our environment. Foundation-model calls route to the customer-approved provider; Azure OpenAI India and Vertex Mumbai support in-region processing for customers who require it.

Is Vihaya SOC 2 certified?

No. SOC 2 Type II is on the roadmap; the auditor and timeline will be confirmed alongside the first paid pilots. Today the architecture is production-shaped (append-only audit, control mapping, encryption, access controls), but no audit firm has yet certified it. Customers engaging today are functionally design partners, and we work transparently with their security teams.

Does Vihaya support ISO 27001?

ISO 27001 certification is a future possibility, intended to follow SOC 2 if customer demand warrants. Many Indian enterprise security teams accept SOC 2 evidence in lieu of ISO 27001 for early-stage vendors.

What about pen-testing?

The first external penetration test is on the roadmap; the report will be available on request under NDA once completed. The pilot engagement includes a window for the customer's own pen-test firm as standard: many regulated customers run their own pen test as part of vendor onboarding, and the pilot SOW supports that path.

How is data encrypted?

TLS 1.2+ in transit (required in the production config). At rest via the customer's own KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault). Database-level encryption uses Postgres-native encryption or the cloud provider's transparent data encryption, depending on the cloud.

What about BAAs?

BAA-ready posture for healthcare engagements. The customer signs a BAA with Vihaya and chains BAAs with the foundation-model provider (OpenAI Enterprise, Anthropic, Azure OpenAI, Vertex). Standard execution at pilot kickoff.

Want to see this in your environment?

30-minute discovery call. Draft SOW within 5 business days.

Talk to us about a pilot