Security & compliance

Trust engineered into the platform.

Security, audit, and compliance are not add-ons. They are the foundation HEMA is built on — by default, for every tenant.


RBAC & SSO

Granular role-based access control. Optional SAML/OIDC SSO. Policies enforced at API and UI layers.

Immutable audit log

Every action — approval, edit, transfer, payout — written to an append-only audit stream with full context.

Tenant isolation

Multi-tenant by design. Logical and policy-level isolation across organizations, branches, and workspaces.

Hardened infrastructure

PostgreSQL with backup and PITR, Redis-backed queues, Docker deployments, and zero-trust network defaults.

Observability

Sentry for error capture and Prometheus for metrics. Real signals when something drifts.

Compliance-ready

Data export, retention controls, audit packs, and policy templates aligned to enterprise compliance reviews.

Compliance posture

Audit-ready by default. Certifications in progress.

SOC 2 Type II (In progress)

Currently in the observation window. Letter of engagement available on request.

ISO 27001 (Roadmap)

ISMS scoped. Targeting Stage 1 audit in the next 12 months.

GDPR-aligned (Operational)

Data subject request workflow, retention policies and DPA template ready to sign.

Nepal Data Protection (Operational)

In-region hosting available. Statutory codes (PF, SSF, TDS, VAT) built in.

Data residency

Hosting where you operate.

  • Primary regions: India (Mumbai) and Singapore.
  • Nepal in-country deployment available for Enterprise.
  • Encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Daily backups with 30-day PITR retention.

Access control

Least-privilege, end to end.

  • Granular RBAC with module, branch and field-level policies.
  • SAML 2.0 / OIDC SSO and SCIM 2.0 provisioning.
  • Mandatory 2FA for admin roles, optional TOTP/WebAuthn for users.
  • Session controls: device binding, IP allow-listing, idle timeout.

Sub-processors

The vendors with access to your data.

Each sub-processor is bound by DPA, audited annually and scoped to a specific function. Customers are notified before any change.

Vendor                       Purpose                          Region
Amazon Web Services          Compute, storage, networking     ap-south-1 / ap-southeast-1
Cloudflare                   Edge CDN, DDoS protection, WAF   Global
Twilio / Meta WhatsApp BSP   WhatsApp Business messaging      Global
Sentry                       Error monitoring                 EU
Resend                       Transactional email              EU
Stripe                       Payment processing (optional)    Global

Responsible disclosure

Found something? Tell us first.

We acknowledge vulnerability reports within 48 hours and ship critical fixes within 7 days. Researchers acting in good faith are protected under our safe-harbor policy.

Response targets

  • Acknowledgement: within 48 hours.
  • Triage & severity: within 5 business days.
  • Critical patch: within 7 days.
  • High patch: within 30 days.
  • Public disclosure: coordinated with reporter.