Compliance
Privacy law, security certifications, and AI governance frameworks — an honest status on every standard we're working toward.
Last Updated: July 2026
CloudServe Infotech is incorporated in India and operates as an AI-native software company serving Indian and global markets. We run a unified compliance program that covers privacy law, information security, and AI governance — not three separate checklists. We are honest about where we stand on each standard.
Frameworks & Certifications
The cards below cover every framework and certification in our program. Architecture-Ready means controls are actively operating and evidence is accumulating. Planned means it is on the certification roadmap with a defined target date.
India DPDP Act 2023
Digital Personal Data Protection Act
- Consent-first data collection architecture across all products
- Data principal rights: access, correction, and erasure built into every product
- Data localisation design for Indian user data
- Grievance officer designated — [email protected]
- DPDP Consent Manager Framework integration targeted before November 2026
GDPR
General Data Protection Regulation (EU)
- Privacy by design embedded in architecture from day one
- Data minimisation and purpose limitation applied throughout
- Lawful basis for all data processing defined and documented
- User data access, correction, and deletion workflows built into every platform
- Data processor agreements planned with all third-party sub-processors
EU AI Act
European Union Artificial Intelligence Act
- Article 50 transparency obligations are an org-wide standard, not a product-by-product retrofit
- Machine-readable labeling on AI-generated content built into every AI feature
- Synthetic-content watermarking for generated images, video, and audio
- Every AI feature classified against the Act's risk tiers before deployment
- Hard legal deadline August 2, 2026 — we are building ahead of it
ISO 27001
Information Security Management System (ISMS)
- Unified control catalog across access, change management, logging, and resilience
- Risk assessment and risk treatment documented per platform and infrastructure
- Business continuity and DR plans in place across all production systems
- Third-party audit engagement planned alongside SOC 2
- Formal certification targeted 2027 — controls operating now
ISO 42001
AI Management System (AIMS)
- Plan-Do-Check-Act over the AI lifecycle
- AI accountability, transparency, and impact assessment designed in from day one
- AI risk inventory maintained for every AI feature
- Human oversight requirements built into all AI-driven workflows
- Formal certification planned post-ISO 27001 (2027)
NIST AI RMF
AI Risk Management Framework (US NIST)
- Govern, Map, Measure, Manage model applied across all AI systems
- AI risk classification and impact assessment before every AI feature ships
- Continuous measurement and monitoring of AI risk in production
- Voluntary framework that directly underpins our ISO 42001 program
SOC 2 Type II
Service Organization Control Report
- Security, availability, and confidentiality trust principles guide all infrastructure design
- Evidence collection begins at product launch — the 12-month Type II observation window starts then
- Tamper-evident audit trails, least-privilege IAM, and change management controls already operating
- Independent third-party audit engagement planned as we scale
PCI DSS
Payment Card Industry Data Security Standard
- All payment handling via PCI DSS Level 1 certified processors — no card data on our systems
- No card data ever transits or is stored on our infrastructure — tokenization by design
- Scope minimized to SAQ-A by architecture — the lightest compliance footprint
- Formal SAQ-A attestation planned before payment features go live
Security by Design
Security principles that guide how we build every platform — from infrastructure to application layer.
Encryption
AES-256 field-level encryption for sensitive data at rest. TLS 1.2+ enforced everywhere in transit. No plaintext secrets in code or configuration.
Access Control
Least-privilege IAM on all infrastructure. No standing network access — deny-all default, scoped ingress only. MFA enforced for all admin access.
Audit Logging
Tamper-evident, hash-chained audit trails across all platforms. All infrastructure changes tracked via Git with mandatory PR review. Evidence available for SOC 2 and ISO 27001.
Vulnerability Management
Automated SAST, secret scanning, and dependency vulnerability scanning in every CI pipeline. No code reaches production without passing all security gates.
Network Security
No public IPs on databases or internal services. Edge CDN and DDoS protection at the network perimeter. VPC-isolated cloud infrastructure.
Resilience
Automated nightly backups with tested restore drills. Documented incident response runbooks. RTO and RPO targets defined per system before production launch.
Certification Timeline
No certifications issued yet — we are building the evidence base. Here is the honest sequence.
- India DPDP Act 2023 — consent, retention, DSAR, and breach-notification controls
- GDPR — privacy-by-design architecture, data-principal rights workflows
- EU AI Act Art. 50 — AI-output labeling and synthetic-content watermarking
- NIST AI RMF — Govern / Map / Measure / Manage program running across all AI features
- SOC 2 / ISO 27001 controls operating — audit-trail evidence accumulating
- SOC 2 Type II — 12-month observation window begins at product launch
- India DPDP Consent Manager Framework — hard deadline November 13, 2026
- PCI DSS SAQ-A attestation — before first payment processed
- ISO 27001 — formal certification (ISMS)
- SOC 2 Type II — report issued
- ISO 42001 — AI Management System certification
Data Processing Commitments
How we handle data across every platform we build.
Data Protection by Design
Data protection is designed into every product from the earliest architecture decisions — not added after launch. Privacy and security are built-in constraints, not optional features.
Transparency in Processing
We document all data processing activities. Users receive clear information about how their data is processed, stored, and protected — in the product flows, not buried in settings.
Data Minimisation
We collect and process only what is necessary for the stated purpose. Data minimisation is a design constraint, not a policy statement.
Sub-processor Management
Every third-party service is evaluated against our security and privacy requirements before adoption. Data processing agreements are established with all sub-processors before any personal data is shared.
Questions About Our Compliance Posture?
Enterprise buyers, security teams, and compliance officers — contact us directly. Your message goes straight to the founders.
Contact Us