Security is the product
You're trusting us with your candidates' most sensitive personal data. Here is exactly how we protect it — the encryption standards, the infrastructure controls, the compliance frameworks, and the processes that keep your data safe.
DPDP Act 2023: Compliant
Full compliance with India's Digital Personal Data Protection Act 2023 — consent flows, minimisation, and erasure built in.
ISO 27001: Aligned
Our security management practices are aligned to the ISO/IEC 27001:2022 information security standard.
AES-256 Encryption: Active
All candidate data and verification reports are encrypted at rest using AES-256, the same standard used by banks.
TLS 1.3: Enforced
All data in transit between your systems and ours is encrypted with TLS 1.3. Older protocols are rejected.
Infrastructure security
Our infrastructure is designed for isolation, redundancy, and zero tolerance for data leakage.
Data residency
All candidate data is stored exclusively on servers located in India (Mumbai region). No personal data is replicated to international infrastructure without explicit consent and a documented transfer mechanism.
99.9% uptime SLA
Our infrastructure is distributed across availability zones with automatic failover. We publish real-time status at status.truvixx.com. Enterprise plans include a contractual uptime SLA.
Automated backups
Encrypted backups are taken every 6 hours and retained for 30 days. Disaster recovery is tested quarterly with a documented RTO of under 4 hours.
Network isolation
Production systems run in isolated VPCs with no public ingress outside of documented API endpoints. Database servers have no external internet access.
Application security
Security controls built into the platform itself — not bolted on afterward.
Role-based access control
Every platform user has granular, role-based permissions. HR admins, hiring managers, and API clients each have access only to what they need. Audit logs capture every access event.
Full audit logging
Every action on candidate data — access, modification, download, deletion — is logged with timestamp, user identity, and IP address. Logs are tamper-proof and retained for 12 months.
Annual penetration testing
We engage an independent security firm to conduct a full external penetration test annually, with findings addressed before the next report cycle. Summaries available to Enterprise clients on request.
MFA enforcement
Multi-factor authentication is enforced for all platform users. API access requires signed JWTs with short-lived tokens. OAuth 2.0 and SAML 2.0 SSO are supported on Enterprise plans.
Vulnerability disclosure
We operate a responsible disclosure policy. Security researchers can report vulnerabilities at security@truvixx.com. We acknowledge within 48 hours and aim to patch within 14 days.
OWASP-aligned development
All code changes undergo automated SAST scanning and manual review before deployment. Our development practices are aligned to OWASP Top 10 guidelines.
Data protection by design
India's Digital Personal Data Protection Act 2023 is the framework we built Truvixx around — not a compliance box we checked after launch.
DPDP Act consent management
Built-in digital consent flows ensure every background check is initiated with the candidate's documented, purpose-specific consent — as required under DPDP Act 2023.
Data minimisation
We collect only what is necessary for the verification purpose. Each check type has a documented data taxonomy. Surplus data is never retained.
Defined retention schedules
Verification data is retained for the minimum period required by law and your contractual obligations, then deleted or anonymised automatically on schedule.
Right to erasure
Candidates and clients can request deletion of personal data at any time. Erasure requests are fulfilled within 72 hours and logged for compliance demonstration.
Responsible disclosure
If you discover a security vulnerability in Truvixx, please report it to us privately before public disclosure. We take all reports seriously and respond within 48 hours.
We operate a good-faith policy: researchers who report vulnerabilities responsibly will not face legal action. We aim to patch critical issues within 14 days and will credit researchers who wish to be named.
Report a vulnerability
security@truvixx.com
Response within 48 hours · Patch target 14 days · Researcher credit available
Common security questions
Where is candidate data stored?
Exclusively in AWS data centres in the Mumbai (ap-south-1) region. No candidate personal data leaves India.
Do you share data with third parties?
We query authoritative government databases (UIDAI, MCA, Sarathi, etc.) only as necessary to perform the requested check. We do not sell, rent, or transfer data to any third party for commercial purposes.
How long do you retain verification reports?
For clients, reports are retained for the duration of their subscription plus a 90-day grace period. For candidates who did not join the hiring company, we delete data within 6 months of the final hiring decision, or earlier on request.
Can we get a security questionnaire completed?
Yes. Enterprise clients can request a completed security questionnaire or access to our security documentation via their account manager. We complete standard security questionnaires within 5 business days.
Have security requirements to discuss?
Enterprise clients can request our full security documentation, completed questionnaires, and a technical call with our security team.