Security

Built secure from the ground up.

Last updated: 1 June 2025. Security is not a feature we bolt on — it's a principle we build from. Here's exactly how we protect your data and systems.

End-to-end encryption

All data in transit is protected with TLS 1.2+ (TLS 1.3 preferred). Data at rest is encrypted using AES-256.

Hardened infrastructure

Cloud-hosted on isolated, privately-networked environments with DDoS mitigation, firewall rules and intrusion detection.

Access control

Role-based access with least-privilege enforcement. MFA mandatory for all internal systems. Full audit trails.

Customer data isolation

Each tenant's data is logically isolated. No cross-tenant data leakage by design — verified in CI/CD pipelines.

Continuous monitoring

24/7 anomaly detection, structured logging and real-time alerts on suspicious activity across all production systems.

DPDPA & GDPR aligned

Controls mapped to India's DPDPA 2023 and GDPR. Data minimisation, purpose limitation and retention policies enforced.

Penetration testing

Independent third-party penetration tests conducted at least annually. Critical findings remediated within 48 hours.

Responsible disclosure

We reward good-faith security researchers. Submit findings to security@astitva.ai — acknowledged within 24 hours.

1. Scope

This Security Overview describes the administrative, technical, and physical safeguards maintained by Astitva Technologies Private Limited ("Astitva") to protect the confidentiality, integrity, and availability of customer data processed through our platforms: PulseVoice.ai, LiveAnima.ai, and any APIs, SDKs, or dashboards we operate.

2. Data Encryption

In transit: All communications between your systems and Astitva are encrypted using TLS 1.2 or higher (TLS 1.3 enforced where supported). Cipher suites are limited to AEAD (AES-GCM, ChaCha20-Poly1305). Plain-text connections are rejected.

At rest: All customer data, model artefacts, and stored recordings are encrypted using AES-256. Encryption keys are managed via a dedicated key management service (KMS) with automatic rotation and hardware security module (HSM) backing.

3. Infrastructure Security

  • Production workloads run inside private VPC networks with no direct public ingress except through authenticated load balancers.
  • Network segmentation enforced between compute, data, and management planes.
  • DDoS mitigation and Web Application Firewall (WAF) active at the edge.
  • Immutable infrastructure: servers are never patched in place; they are replaced via blue-green or canary deployments.
  • Container images are scanned for CVEs in CI and blocked from production if high-severity findings exist.
  • Database backups encrypted and replicated cross-region with point-in-time recovery (PITR) enabled.

4. Access Control

  • Role-based access control (RBAC) with least-privilege assignment for all internal and customer-facing roles.
  • Multi-factor authentication (MFA) is mandatory for all employees accessing production systems.
  • Privileged access is time-limited, session-recorded, and requires just-in-time (JIT) approval.
  • Access is reviewed quarterly and revoked immediately upon offboarding.
  • All access events are written to tamper-evident audit logs retained for a minimum of 12 months.

5. Application Security

Our engineering teams follow a Secure Development Lifecycle (SDL) aligned with OWASP Top 10 mitigations:

  • Mandatory security code review for all pull requests touching authentication, data access, or external integrations.
  • Static analysis (SAST) and dependency vulnerability scanning run on every commit.
  • Dynamic analysis (DAST) run against staging environments before each production release.
  • Input sanitisation, output encoding, and parameterised queries enforced across all services.
  • CSP, HSTS, X-Frame-Options, and Permissions-Policy headers set on all public endpoints.
  • API rate limiting and IP-based abuse detection active on all public-facing APIs.

6. AI Model Safety

Because our products process voice, video, and unstructured text, we apply additional controls specific to AI systems:

  • Prompt injection defences: user inputs are sanitised and context-bounded before reaching model APIs.
  • Output filtering: model responses are scanned for PII leakage, hate speech, and policy violations before delivery.
  • Customer data (voice recordings, documents, conversation logs) is never used to train shared or third-party models without an explicit Data Processing Agreement (DPA).
  • RAG pipelines enforce per-tenant knowledge-base isolation — one customer's documents cannot influence another's queries.
  • AI outputs are logged with attribution metadata to support auditability and dispute resolution.

7. Physical Security

Astitva does not operate its own data centres. We rely exclusively on SOC 2 Type II and ISO/IEC 27001 certified cloud providers. Physical access to underlying hardware is governed by those providers' controls, which we review annually as part of our vendor assessment process.

8. Vendor & Supply Chain Security

  • All third-party sub-processors are assessed against our security requirements before engagement.
  • Sub-processors handling personal data must sign DPAs and maintain ISO 27001 or SOC 2 certifications.
  • Open-source dependencies are locked by hash and audited using automated tools. Unpinned dependencies are not permitted in production.
  • Our current sub-processor list is maintained and updated in our Privacy Policy.

9. Incident Response

Astitva maintains a written Incident Response Plan (IRP) with defined severity levels, escalation paths, and communication templates.

  • Detection: Automated alerts from SIEM and anomaly detection tools trigger on-call response within 15 minutes.
  • Containment: Affected systems isolated within 1 hour of confirmed incident.
  • Customer notification: Affected customers notified within 72 hours of a confirmed personal data breach, in compliance with DPDPA 2023 and GDPR Article 33.
  • Post-incident: Root cause analysis published internally within 5 business days. Repeat incidents trigger an architecture review.

10. Penetration Testing & Audits

  • Independent third-party penetration tests conducted at least once per year against all production-facing surfaces.
  • Critical (CVSS ≥ 9.0) and High (CVSS ≥ 7.0) findings are remediated within 48 hours and 7 days respectively.
  • Penetration test findings and remediation evidence are available to enterprise customers under NDA on request.

11. Compliance Posture

  • DPDPA 2023 (India): Controls aligned with India's Digital Personal Data Protection Act, including lawful basis, Data Fiduciary obligations, and Grievance Officer appointment.
  • GDPR: Data subject rights, DPAs with sub-processors, cross-border transfer mechanisms (SCCs) in place for EU data.
  • ISO/IEC 27001 alignment: Information security management controls implemented across the organisation. Formal certification is on our roadmap.
  • SOC 2 Type II: Readiness assessment completed. Report targeted for H2 2025.

12. Responsible Disclosure

We believe the security community plays a vital role in keeping the internet safe. If you discover a potential vulnerability in any Astitva product or infrastructure, please report it to us responsibly.

How to report: Email security@astitva.ai with a detailed description of the issue, steps to reproduce, and potential impact. Encrypt sensitive findings using our PGP key (available on request).

  • We acknowledge all valid reports within 24 hours.
  • We aim to provide a remediation timeline within 72 hours of triage.
  • We do not take legal action against researchers acting in good faith.
  • We publicly credit researchers (with their consent) after the vulnerability is fixed.

Out of scope: Social engineering attacks against Astitva employees or customers, denial-of-service testing, automated scanning without prior written authorisation, and findings already known to our team.

13. Questions & Security Contact

For security-related enquiries, vulnerability reports, or to request our penetration test summary, contact:

security@astitva.ai · Astitva Technologies Private Limited · Bengaluru, India

For general privacy concerns see our Privacy Policy. For terms governing use of our services see our Terms of Use.