Compliance & Security
B2B platforms built for India's digital economy — under a full-stack compliance program covering privacy law, information security, AI governance, and payment standards from day one.
Last Updated: July 2026
CloudServe Digital is the enterprise and marketplace division of CloudServe Infotech, building B2B platforms for India's digital economy. We handle business data, professional user PII, payment transactions, and AI-powered document workflows — all under the group-wide compliance program that applies uniformly across every CloudServe division.
Frameworks & Certifications
The cards below cover every framework and certification in our program. Architecture-Ready means controls are actively operating and evidence is accumulating. Planned means it is on the certification roadmap with a defined target date.
India DPDP Act 2023
Digital Personal Data Protection Act
- Consent-first data collection architecture across all platforms
- Data principal rights — access, correction, and erasure — built in from day one
- Data localisation design for Indian user data
- Grievance officer designated — [email protected]
- DPDP Consent Manager Framework integration targeted before November 2026
GDPR
General Data Protection Regulation (EU)
- Privacy by design embedded in architecture from the start
- Data minimisation and purpose limitation applied throughout
- Lawful basis for all data processing defined and documented
- User data access, correction, and deletion workflows built into every platform
- Data processor agreements planned with all third-party sub-processors
EU AI Act
European Union Artificial Intelligence Act
- Article 50 transparency obligations are a division-wide standard, not a feature-by-feature retrofit
- Machine-readable labeling on AI-generated content built into every AI feature
- Synthetic-content watermarking for generated images, video, and audio
- Every AI feature classified against the Act's risk tiers before deployment
- Hard legal deadline August 2, 2026 — we are building ahead of it
ISO 27001
Information Security Management System (ISMS)
- Unified control catalog across access, change management, logging, and resilience
- Risk assessment and risk treatment documented per platform and infrastructure component
- Business continuity and DR plans in place across all production systems
- Third-party audit engagement planned alongside SOC 2
- Formal certification targeted 2027 — controls operating now
ISO 42001
AI Management System (AIMS)
- Plan-Do-Check-Act framework for AI lifecycle governance across all AI features
- AI accountability, transparency, and impact assessment designed in from day one
- AI risk inventory maintained for every AI feature
- Human oversight requirements built into all AI-driven workflows
- Formal certification planned post-ISO 27001 (2027)
NIST AI RMF
AI Risk Management Framework (US NIST)
- Govern, Map, Measure, Manage model applied across all AI systems
- AI risk classification and impact assessment before every AI feature ships
- Continuous measurement and monitoring of AI risk in production
- Voluntary framework that directly underpins our ISO 42001 program
SOC 2 Type II
Service Organization Control Report
- Security, availability, and confidentiality trust principles guide all infrastructure design
- Evidence collection begins at product launch — the 12-month Type II observation window starts then
- Tamper-evident audit trails, least-privilege IAM, and change management controls already operating
- Independent third-party audit engagement planned as we scale
PCI DSS
Payment Card Industry Data Security Standard
- All payment handling via PCI DSS Level 1 certified processors — no card data on our systems
- No card data ever transits or is stored on our infrastructure — tokenization by design
- Scope minimized to SAQ-A by architecture — the lightest compliance footprint
- Formal SAQ-A attestation planned before payment features go live
Security by Design
Security principles that guide how we build every platform — from infrastructure to application layer.
Encryption
AES-256 field-level encryption for sensitive data at rest. TLS 1.2+ enforced everywhere in transit. No plaintext secrets in code or configuration.
Access Control
Least-privilege IAM on all infrastructure. No standing network access — deny-all default, scoped ingress only. MFA enforced for all admin access.
Audit Logging
Tamper-evident, hash-chained audit trails across all platforms. All infrastructure changes tracked via Git with mandatory PR review. Evidence available for SOC 2 and ISO 27001.
Vulnerability Management
Automated SAST, secret scanning, and dependency vulnerability scanning in every CI pipeline. No code reaches production without passing all security gates.
Network Security
No public IPs on databases or internal services. Edge CDN and DDoS protection at the network perimeter. VPC-isolated cloud infrastructure.
Resilience
Automated nightly backups with tested restore drills. Documented incident response runbooks. RTO and RPO targets defined per system before production launch.
Certification Timeline
No certifications issued yet — we are building the evidence base. Here is the honest sequence.
- India DPDP Act 2023 — consent, retention, DSAR, and breach-notification controls
- GDPR — privacy-by-design architecture, data-principal rights workflows
- EU AI Act Art. 50 — AI-output labeling and synthetic-content watermarking
- NIST AI RMF — Govern / Map / Measure / Manage program across all AI features
- SOC 2 / ISO 27001 controls operating — audit-trail evidence accumulating
- SOC 2 Type II — 12-month observation window begins at product launch
- India DPDP Consent Manager Framework — hard deadline November 13, 2026
- PCI DSS SAQ-A attestation — before first payment processed
- ISO 27001 — formal certification (ISMS)
- SOC 2 Type II — report issued
- ISO 42001 — AI Management System certification
Data Processing Commitments
How we handle data across every platform we build.
Data Protection by Design
Data protection is designed into every platform from the earliest architecture decisions — not added after launch. Privacy and security are built-in constraints, not optional features.
Transparency in Processing
We document all data processing activities. Users receive clear information about how their data is processed, stored, and protected — in the product flows, not buried in settings.
Data Minimisation
We collect and process only what is necessary for the stated purpose. Data minimisation is a design constraint, not a policy statement.
Sub-processor Management
Every third-party service is evaluated against our security and privacy requirements before adoption. Data processing agreements are established with all sub-processors before any personal data is shared.
Questions About Our Compliance Posture?
Enterprise buyers, security teams, and compliance officers — contact us directly. Your message goes straight to the founders.
Contact Us