Your Data is Protected

Security is embedded in everything we build — from encryption to compliance. Here's exactly how we protect your business data.

Enterprise-Grade Protection

Every layer of our infrastructure is designed to keep your data safe — from the browser to the database.

SSL / TLS Encryption

All data transmitted between your browser and our servers is encrypted using TLS 1.3 — the same standard used by banks. Every connection enforces HTTPS with 256-bit encryption.

ISO 27001 Certified

Our information security management system (ISMS) is ISO/IEC 27001:2022 certified — audited annually by an independent third party. This covers all our systems, processes, and data centers.

Regular Security Audits

We conduct quarterly internal audits and annual external audits by accredited firms. Every audit includes policy review, access control verification, and vulnerability assessments across all systems.

Penetration Testing

Third-party penetration tests are performed bi-annually by certified ethical hackers. Tests cover web application, API, infrastructure, and social engineering vectors. Reports are reviewed by our security team within 48 hours.

Cloud Infrastructure

We run on AWS (Mumbai region) and Azure (Central India) — both Tier-1 cloud providers with SOC 2, ISO 27001, and PCI DSS certifications. Your data never leaves India.

Encryption at Rest

All databases use AES-256 encryption at rest. Backups are encrypted with separate keys. Customer data is isolated per tenant using row-level security — no cross-tenant access possible.

Built for Regulatory Compliance

Indian real estate has unique regulatory requirements. We built compliance into the product from day one.

  • GDPR Compliant
    Full compliance with the General Data Protection Regulation. Includes data processing records, consent management, breach notification procedures, and Data Protection Officer (DPO) availability. We serve EU customers with the same protections as Indian users.
  • RERA Compliance Built-In
    Complete audit trails for every lead and transaction. RERA registration numbers tracked per property. Automated documentation for regulatory filings. Built-in compliance reports make RERA audits effortless — no manual data gathering needed.
  • DND Regulations (SMS/WhatsApp)
    All outbound communications respect India's Do Not Disturb (DND) registry. We automatically check numbers against the national DND database before sending promotional messages. Bulk messaging follows TRAI guidelines with proper headers and templates.
  • Two-Party Consent (Call Recording)
    Call recording features include mandatory pre-call announcements ("This call is being recorded for training and quality purposes"). Recordings are stored with timestamps and consent metadata. Both parties are notified — compliant with Indian call recording laws.
  • Data Retention Policy
    We follow a tiered retention policy: active data retained indefinitely for active accounts, closed deal data for 7 years (statutory requirement), and inactive account data purged after 12 months of inactivity. You can request earlier deletion anytime.
  • India-Only Data Residency
    All customer data is stored exclusively on servers located in India (AWS Mumbai, Azure Central India). No data replication to international regions. No data leaves Indian jurisdiction — critical for RERA and Indian regulatory compliance.

99.9% Availability Guaranteed

Your business can't afford downtime. We've built our infrastructure for maximum reliability.

99.9% Uptime SLA

Enterprise SLA with service credits if we fall below. Actual uptime: 99.97% over the last 12 months.

Auto-Backups (Hourly)

Full backups every hour. 7-day retention for point-in-time recovery. Weekly backups retained for 3 months.

Disaster Recovery Plan

Cross-region DR with RTO of 4 hours and RPO of 1 hour. Tested quarterly with full failover drills.

CDN for Fast Loading

CloudFront CDN with 400+ edge locations. Static assets delivered in under 50ms to Indian metro cities.

Real-Time Monitoring

24x7 monitoring via Datadog + PagerDuty. Automated incident detection. Average alert-to-resolution: under 15 minutes.

Load Balanced Architecture

Auto-scaling groups across 2 availability zones. Handles 10x traffic spikes without degradation.

99.97%

Actual uptime over the last 12 months — exceeding our 99.9% SLA commitment. Tracked and published on our status page.

Granular Control Over Who Sees What

Every user gets exactly the access they need — nothing more, nothing less.

Role-Based Access Control (RBAC)

Define roles with granular permissions per module — view, create, edit, delete, export. Pre-built roles (Admin, Manager, Agent, Team Lead) plus custom role creation. Permission changes take effect immediately.

IP Whitelisting (Enterprise)

Restrict account access to specific IP addresses or ranges. Multiple whitelists per company. IP changes require admin approval with email notification. Audit log records every access attempt from non-whitelisted IPs.

Two-Factor Authentication (2FA)

Time-based one-time passwords (TOTP) via Google Authenticator, Microsoft Authenticator, or any standard authenticator app. Backup codes provided during setup. 2FA enforcement option available for enterprise accounts.

Single Sign-On (SSO)

SAML 2.0 and OAuth 2.0 / OpenID Connect support. Integrates with Azure AD, Google Workspace, Okta, and any SAML-compliant identity provider. Just-In-Time (JIT) provisioning available. SSO-only enforcement for enterprise plans.

Session Timeout Policies

Configurable idle session timeout (default: 30 minutes). Absolute session max duration (default: 12 hours). Concurrent session limits per user. All sessions invalidated on password change. Force logout all sessions from admin panel.

Complete Audit Trail

Every action is logged — who did what, when, and from which IP. Immutable audit logs with SHA-256 integrity verification. Exportable for compliance audits. Retention: 3 years minimum for all audit records.

Independently Verified

Our security practices are validated by independent third-party auditors and regulatory bodies.

ISO/IEC 27001:2022

Information Security Management. Certified by BSI. Certificate #IS 123456. Valid through Dec 2027. Annual surveillance audits conducted.

SOC 2 Type II

Security, Availability, and Confidentiality Trust Services Criteria. Audited by AICPA-accredited firm. Report available to enterprise customers under NDA.

RERA Compliant Platform

Architecture reviewed for RERA compliance by real estate legal experts. Audit trail features meet RERA record-keeping requirements under Section 11 and 12.

AWS Foundation Plus

AWS Qualified Partner. Infrastructure reviewed under AWS Well-Architected Framework. Includes security, reliability, and operational excellence pillars.

Azure Certified Partner

Microsoft Azure Gold Partner. Data centers certified under Azure compliance framework. Includes ISO 27001, SOC 1/2/3, and PCI DSS.

Data Security Council of India

Member of DSCI. Committed to data protection best practices and privacy standards. Participates in annual DSCI security framework assessments.

Data Protection Commitments

Our data principles are simple: you own it, we protect it, and you can take it anytime.

You Own Your Data

Full data ownership belongs to you. We are a data processor, not a data owner. Your business data, customer information, and transaction records are yours — we simply provide the tools to manage them.

We Never Sell Your Data

Explicit commitment: we do not sell, rent, or share your data with third parties for their marketing purposes. No data mining, no behavioral profiling, no anonymous data sales. This is a legal commitment in our Terms of Service.

Right to Be Forgotten (GDPR)

Request full data deletion at any time. We process GDPR right-to-be-forgotten requests within 30 days. Backup data is purged within the next backup cycle. Deletion confirmation sent with cryptographic proof.

Data Portability

Export your data in standard formats (CSV, Excel, JSON) at any time with one click. Full data export includes leads, properties, follow-ups, assignments, and reports. No data left behind — not even attachments.

Export Anytime, No Lock-In

Zero vendor lock-in. Export all your data in a machine-readable format whenever you want. No hidden export fees, no data hostage, no "processing delays." Your data should move as freely as your business.

Data Processing Agreement

Standard DPA available for all customers. Covers data processing purposes, sub-processor list, data breach procedures, and your rights as data controller. Signed DPA provided within 24 hours of request.

We're Here When You Need Us

Security is a team effort. Here's how we stay accountable and support you around the clock.

24/7 Customer Support

Phone, email, and live chat support available 24 hours a day, 365 days a year. Enterprise customers get a dedicated support manager. Average first response time: under 2 minutes for critical issues, under 30 minutes for standard.

Security Incident Response Team

Dedicated SIRT on call 24/7. Defined incident severity levels (1-4) with corresponding response SLAs. Incident response plan tested quarterly with tabletop exercises. Post-incident reports shared with affected customers within 72 hours.

Regular Staff Training

All employees undergo mandatory security awareness training every quarter. Topics include phishing awareness, password hygiene, data classification, and incident reporting. Annual simulated phishing campaigns with 95%+ pass rate target.

Vendor Security Audits

All third-party vendors undergo security assessment before onboarding. Annual vendor reviews including SOC 2 report verification, penetration test review, and data handling policy audit. Sub-processor list maintained and shared with customers on request.

Bug Bounty Program

We run a private bug bounty program on HackerOne. Rewards range from $500 to $10,000 based on severity. Responsible disclosure policy with a 90-day fix timeline. No legal action against ethical researchers following our disclosure guidelines.

Transparent Disclosure

Security incidents are disclosed to affected customers within 24 hours of confirmation. Public disclosures for significant incidents within 72 hours. Security changelog published monthly. No secrets, no cover-ups — full transparency.

Security Milestones

Key achievements in our ongoing commitment to security and compliance.

  • 2024 Q2: SOC 2 Type II Audit Initiated
    Engaged leading audit firm for SOC 2 Type II readiness assessment. Implemented required controls across engineering, operations, and people processes.
  • 2024 Q3: First Penetration Test Completed
    Engaged independent security firm for full-scope penetration test. All critical and high findings remediated within 14 days. Second test scheduled for Q1 2025.
  • 2025 Q1: ISO 27001 Certification Obtained
    Successfully achieved ISO/IEC 27001:2022 certification for our ISMS. Certification covers all SaaS operations, data centers, and support processes.
  • 2025 Q2: Bug Bounty Program Launched
    Private bug bounty program went live on HackerOne. 50+ researchers invited. 12 valid vulnerabilities reported and fixed in the first year. Average payout: $2,500.
  • 2026 Q1: SOC 2 Type II Report Issued
    Successfully completed SOC 2 Type II audit with zero exceptions. Report covers Security, Availability, and Confidentiality categories for a 12-month period.
  • 2026 Q2: Bug Bounty Program Expanded
    Bug bounty program expanded from private to public. Rewards increased up to $10,000. API and mobile app testing scopes added. 100+ researchers now active.

Recognized Security Standards

ISO 27001:2022
SOC 2 Type II
TLS 1.3 + AES-256
AWS + Azure
India Data Residency
Bug Bounty Program
RERA Compliant
GDPR Compliant

Questions About Security?

Our security team is available to answer your questions — from compliance documents to architecture reviews.

Download our annual penetration test summary (PDF)  ·  View SOC 2 Type II report request form