Skip to main content
Legal & Compliance

Compliance & Security

B2B platforms built for India's digital economy — under a full-stack compliance program covering privacy law, information security, AI governance, and payment standards from day one.

Last Updated: July 2026

CloudServe Digital is the enterprise and marketplace division of CloudServe Infotech, building B2B platforms for India's digital economy. We handle business data, professional user PII, payment transactions, and AI-powered document workflows — all under the group-wide compliance program that applies uniformly across every CloudServe division.

Frameworks & Certifications

The cards below cover every framework and certification in our program. Architecture-Ready means controls are actively operating and evidence is accumulating. Planned means it is on the certification roadmap with a defined target date.

India DPDP Act 2023

Digital Personal Data Protection Act

Architecture-Ready
  • Consent-first data collection architecture across all platforms
  • Data principal rights — access, correction, and erasure — built in from day one
  • Data localisation design for Indian user data
  • Grievance officer designated — [email protected]
  • DPDP Consent Manager Framework integration targeted before November 2026

GDPR

General Data Protection Regulation (EU)

Architecture-Ready
  • Privacy by design embedded in architecture from the start
  • Data minimisation and purpose limitation applied throughout
  • Lawful basis for all data processing defined and documented
  • User data access, correction, and deletion workflows built into every platform
  • Data processor agreements planned with all third-party sub-processors

EU AI Act

European Union Artificial Intelligence Act

Architecture-Ready
  • Article 50 transparency obligations are a division-wide standard, not a feature-by-feature retrofit
  • Machine-readable labeling on AI-generated content built into every AI feature
  • Synthetic-content watermarking for generated images, video, and audio
  • Every AI feature classified against the Act's risk tiers before deployment
  • Hard legal deadline August 2, 2026 — we are building ahead of it

ISO 27001

Information Security Management System (ISMS)

Planned
  • Unified control catalog across access, change management, logging, and resilience
  • Risk assessment and risk treatment documented per platform and infrastructure component
  • Business continuity and DR plans in place across all production systems
  • Third-party audit engagement planned alongside SOC 2
  • Formal certification targeted 2027 — controls operating now

ISO 42001

AI Management System (AIMS)

Planned
  • Plan-Do-Check-Act framework for AI lifecycle governance across all AI features
  • AI accountability, transparency, and impact assessment designed in from day one
  • AI risk inventory maintained for every AI feature
  • Human oversight requirements built into all AI-driven workflows
  • Formal certification planned post-ISO 27001 (2027)

NIST AI RMF

AI Risk Management Framework (US NIST)

Architecture-Ready
  • Govern, Map, Measure, Manage model applied across all AI systems
  • AI risk classification and impact assessment before every AI feature ships
  • Continuous measurement and monitoring of AI risk in production
  • Voluntary framework that directly underpins our ISO 42001 program

SOC 2 Type II

Service Organization Control Report

Planned
  • Security, availability, and confidentiality trust principles guide all infrastructure design
  • Evidence collection begins at product launch — the 12-month Type II observation window starts then
  • Tamper-evident audit trails, least-privilege IAM, and change management controls already operating
  • Independent third-party audit engagement planned as we scale

PCI DSS

Payment Card Industry Data Security Standard

Planned
  • All payment handling via PCI DSS Level 1 certified processors — no card data on our systems
  • No card data ever transits or is stored on our infrastructure — tokenization by design
  • Scope minimized to SAQ-A by architecture — the lightest compliance footprint
  • Formal SAQ-A attestation planned before payment features go live

Security by Design

Security principles that guide how we build every platform — from infrastructure to application layer.

Encryption

AES-256 field-level encryption for sensitive data at rest. TLS 1.2+ enforced everywhere in transit. No plaintext secrets in code or configuration.

Access Control

Least-privilege IAM on all infrastructure. No standing network access — deny-all default, scoped ingress only. MFA enforced for all admin access.

Audit Logging

Tamper-evident, hash-chained audit trails across all platforms. All infrastructure changes tracked via Git with mandatory PR review. Evidence available for SOC 2 and ISO 27001.

Vulnerability Management

Automated SAST, secret scanning, and dependency vulnerability scanning in every CI pipeline. No code reaches production without passing all security gates.

Network Security

No public IPs on databases or internal services. Edge CDN and DDoS protection at the network perimeter. VPC-isolated cloud infrastructure.

Resilience

Automated nightly backups with tested restore drills. Documented incident response runbooks. RTO and RPO targets defined per system before production launch.

Certification Timeline

No certifications issued yet — we are building the evidence base. Here is the honest sequence.

Now — Active
Operating
  • India DPDP Act 2023 — consent, retention, DSAR, and breach-notification controls
  • GDPR — privacy-by-design architecture, data-principal rights workflows
  • EU AI Act Art. 50 — AI-output labeling and synthetic-content watermarking
  • NIST AI RMF — Govern / Map / Measure / Manage program across all AI features
  • SOC 2 / ISO 27001 controls operating — audit-trail evidence accumulating
H2 2026
In Progress
  • SOC 2 Type II — 12-month observation window begins at product launch
  • India DPDP Consent Manager Framework — hard deadline November 13, 2026
  • PCI DSS SAQ-A attestation — before first payment processed
2027
Certification
  • ISO 27001 — formal certification (ISMS)
  • SOC 2 Type II — report issued
  • ISO 42001 — AI Management System certification

Data Processing Commitments

How we handle data across every platform we build.

Data Protection by Design

Data protection is designed into every platform from the earliest architecture decisions — not added after launch. Privacy and security are built-in constraints, not optional features.

Transparency in Processing

We document all data processing activities. Users receive clear information about how their data is processed, stored, and protected — in the product flows, not buried in settings.

Data Minimisation

We collect and process only what is necessary for the stated purpose. Data minimisation is a design constraint, not a policy statement.

Sub-processor Management

Every third-party service is evaluated against our security and privacy requirements before adoption. Data processing agreements are established with all sub-processors before any personal data is shared.

Questions About Our Compliance Posture?

Enterprise buyers, security teams, and compliance officers — contact us directly. Your message goes straight to the founders.

Contact Us