Compliance and data residency
This page summarises how TrueSecurix handles data and where our compliance posture stands, so your compliance and legal teams can evaluate us quickly. We describe only what is true today and mark clearly anything we are still building toward.
Data residency
The Service runs on infrastructure hosted in India (Microsoft Azure, India region). Verification traffic is processed in India. Data is not transferred out of India for processing in the normal course of the Service.
Data minimisation: we do not keep your users' images
Selfies, ID images and statement PDFs submitted for a check are analysed in memory and are never written to disk as files. For each input we retain only a one-way SHA-256 hash plus the score and decision, so a customer can later prove which exact file produced a given verdict without us holding the file itself. Raw government ID numbers are not stored; document figures used in reconciliation are rounded so an exact private amount is not retained.
India DPDP Act, 2023
Our practices are aligned with the Digital Personal Data Protection Act, 2023. In an engagement we act as a data processor on behalf of the customer (the data fiduciary):
- Purpose limitation: data submitted to the API is used only to return a fraud-risk decision to that customer.
- Data minimisation: images are not retained; only hashes, scores and decisions are.
- Access and erasure: the dashboard provides self-serve data export and account deletion, and lead-data erasure, so a customer can exercise access and deletion rights.
- Security safeguards: encryption in transit, hashed credentials, tenant isolation, rate limiting and an immutable audit log (see Security).
- Processing agreement: a Data Processing Agreement (DPA) is available on request.
RBI KYC directions
TrueSecurix is a fraud-detection and forensics layer that supports a regulated entity's own KYC and Video-based Customer Identification Process (V-CIP). It is designed to strengthen a regulated entity's onboarding by catching deepfake selfies, tampered documents and injection attempts. It is not itself a substitute for the regulated entity's KYC obligations, government-source verification (for example UIDAI or NSDL), or record-keeping duties, which remain with the regulated entity. Processing in India supports data-localisation expectations for such data.
Your data rights, built in
| Right | How to exercise it |
|---|---|
| Access / export your data | Self-serve export from the dashboard, or on request. |
| Delete your account and data | Self-serve account deletion from the dashboard. |
| Data Processing Agreement | Available on request at contact@truesecurix.com. |
| Sub-processor list | Published on the Security page. |
What we do not claim
We do not currently hold SOC 2 or ISO/IEC 27001 certification, and we do not claim to. We are building toward independent certification and are glad to share our security controls and complete your questionnaire in the meantime. A third-party vulnerability assessment and penetration test (VAPT) can be arranged and shared under NDA.
Questions for your compliance team? Write to contact@truesecurix.com.