Compliance and security
ManaSmurti is a small company. This page lists only the compliance claims we can prove today, and is honest about everything we do not yet have. We would rather look smaller than we are than claim something we cannot back up.
Digital Personal Data Protection Act, 2023
ManaSmurti operates as a Data Fiduciary under the DPDP Act, 2023. The controls we implement today, verifiable in our codebase and in our privacy policy:
Appointed Grievance Officer
A named Grievance Officer reachable at grievance@manasmurti.com, with published response and resolution timelines.
Encryption at rest
All conversation content, user emails, API keys, and sensitive personal data are encrypted using AES-256-GCM before being written to the database.
Encryption in transit
All traffic between users and the ManaSmurti platform is encrypted with TLS 1.2 or higher. No plain-text HTTP endpoints.
Consent flows
Clear, affirmative consent at registration, at first corporate login (bill of rights), and on significant policy changes. Every consent is timestamped and version-stamped.
Data subject rights
Users can access, correct, port, erase, and withdraw consent through in-product controls or by contacting the Grievance Officer. Corporate users additionally have a cohort audit frequency request.
Breach notification commitment
We commit to notifying affected users and the Data Protection Board of India in the event of any personal data breach, as required by the DPDP Act.
Anonymise-on-delete
When a user deletes their account, personal data is removed and feedback signals are anonymised so they cannot be traced back to any individual.
Data hosted in India
Primary storage is on AWS Mumbai (ap-south-1). Cross-border transfers are limited, disclosed in our privacy policy, and comply with DPDP Act provisions.
What we do not yet claim
ManaSmurti does not currently hold SOC 2 Type 2, ISO 27001, ISO 27701, HITRUST, HIPAA, or any other third-party audited certification. We are an early-stage company, and the cost of a full external audit is real.
We will pursue these when our stage and revenue justify the investment. Anchoring a public timeline to a date we have not earned would be dishonest, so we are not going to. If you are a procurement team evaluating us for a large contract and certification is a hard requirement, please talk to us before writing us off. We can likely give you a roadmap, a security architecture document, and answers to a full security questionnaire.
We think not making a false certification claim matters more than looking larger than we are. This page is how we keep ourselves honest.
Security contact
If you believe you have found a security vulnerability in ManaSmurti, please email security@manasmurti.com. Please give us a reasonable amount of time to respond and to fix the issue before publishing any details. We will acknowledge receipt within 48 hours and keep you updated on our progress. We currently do not run a formal bug bounty program, but we are genuinely grateful for responsible disclosure.
For general privacy or data-protection questions, use the Grievance Officer contact at grievance@manasmurti.com.