Our security architecture, certifications, and sub-processors

AutoCops is a privacy and compliance platform — security is not a marketing line for us, it's the product. We take the same operational discipline we sell to our customers and apply it internally with no exceptions. The pages below describe our architecture, certifications, sub-processors, and incident response — all of which you can ask about during diligence.

AutoCops can be deployed in two configurations: as a single-tenant dedicated instance on the customer's own cloud account, or as a managed multi-tenant deployment on our infrastructure. Most enterprise customers choose the dedicated instance.

• Region: All Indian customer deployments default to asia-south1 (Mumbai). Personal data of Indian Data Principals never leaves the country.
• Encryption at rest: All data stores (Data Store, object storage, backups) use AES-256 encryption at rest with customer-managed keys via Cloud KMS where supported.
• Encryption in transit: All traffic uses TLS 1.2+ with strong cipher suites. HSTS enforced. HTTP traffic is redirected to HTTPS at the load balancer.
• Authentication: Username + password + TOTP MFA mandatory for all user accounts. Privileged roles additionally require email verification.
• Network isolation: Application tier and data tier are in separate VPC subnets with strict egress rules. Database access is restricted to the application service account.

The application implements the following controls by default:

• HMAC-SHA256 session token signing with rotating server-side secrets
• CSRF protection on all state-changing endpoints
• Rate limiting on authentication endpoints (10 attempts / 5 minutes per IP)
• Audit logging of all authentication events, role changes, and data access
• Hash-chained consent ledger and audit trail (tamper-evident)
• Field-level encryption for highly sensitive data (Aadhaar, PAN, financial)
• Automated vulnerability scanning on every Docker image build
• SAST and dependency scanning in CI
• Quarterly penetration tests by an independent firm

• Production access restricted to a small named on-call team, MFA mandatory
• All production access is logged and reviewed weekly
• Background checks for all employees with production access
• Annual security training for the entire team
• Documented incident response runbook with quarterly tabletop drills
• Customer breach notifications within 72 hours of awareness, in line with Section 8(6) of the DPDP Act

AutoCops is built to align with the following standards. Where a formal certification is in progress or pending, we will share the current audit status under NDA on request.

• DPDP Act 2023 (India) — full alignment, audited internally
• ISO/IEC 27001 — certification in progress (target: 2026)
• SOC 2 Type II — readiness assessment complete, audit scheduled
• NIST Cybersecurity Framework — internally mapped
• OWASP Top 10 — covered in quarterly pen tests

AutoCops uses a small number of sub-processors to deliver the service. Each is reviewed against our DPDP clause checker, and the full list is available to customers under NDA. The current high-level list:

We notify customers in advance of any changes to the sub-processor list. New sub-processors that handle customer data require customer consent.

If you discover a security vulnerability in the AutoCops platform or website, please email hello@autocops.orgwith the subject “Security”. We acknowledge within 24 hours and aim to triage within 72 hours. We do not currently run a paid bug bounty programme but we credit responsible disclosures publicly with the researcher's permission.