Security at Deepsoch AI

Deepsoch AI designs, builds and operates infrastructure end to end. Because we run the metal ourselves instead of renting it, our security is the sum of the decisions we make every day at every layer: hardware, network, operating system, application and process.

This page describes the controls we have in place today and the areas we are actively investing in. It is a working description of a production environment, not a marketing claim of certification we do not yet hold.

Our primary cluster is self‑hosted in a climate‑controlled lab in Mumbai. We own the CPUs and GPUs, the network switches, the storage and the UPS / power infrastructure. This gives us direct control over physical access, patching and hardware lifecycle.

• Access to the lab is restricted to named staff only.
• Out‑of‑band management interfaces are segmented off the production network.
• Redundant power, cooling and network paths, with documented failover runbooks.

All traffic between your browser, our website, our APIs and our internal services is encrypted using TLS 1.2 or higher, with modern cipher suites and HSTS enabled on public endpoints.

• Data at rest in Postgres and object storage is encrypted on‑disk.
• Secrets (API keys, DB credentials, tokens) are stored in a secrets manager and injected at run time, never checked into source control.
• File uploads (briefs, CVs, portfolios) are written to object storage with restricted bucket policies and signed URLs where applicable.

Access to production systems is limited to Deepsoch AI personnel who need it. We use role‑based access control (RBAC) and aim to keep the principle of least privilege.

• Single sign‑on (SSO) for all internal tooling.
• Multi‑factor authentication (MFA) required for administrative access.
• SSH via short‑lived, audited credentials on jump hosts.
• Access reviews happen at least quarterly and whenever someone changes role or leaves.

We monitor cluster, network and application health 24/7 and keep audit logs for security‑relevant events. Logs are retained for up to 12 months to support incident investigation and compliance.

• Structured application logs and metrics.
• Network flow logs at the edge and between sensitive segments.
• Alerting on authentication failures, privilege changes and unusual data‑access patterns.

We maintain a written incident‑response plan covering detection, triage, containment, remediation, communication and post‑mortem review. On‑call engineers are paged for high‑severity incidents.

If an incident results in unauthorised access to personal data, we will notify affected parties and the relevant authorities in the timeframes required by the Indian Digital Personal Data Protection Act, 2023 and any other applicable law.

We review every vendor that processes personal data on our behalf for security, contractual and privacy controls. Vendors are granted the minimum data necessary, under contractual confidentiality and data‑protection obligations.

Security is built into our day‑to‑day engineering, not bolted on at the end:

• Every change goes through peer review before it ships.
• Automated static analysis and dependency scanning on pull requests.
• Input validation at the server boundary (we use Zod schemas for form actions).
• Principle of least privilege across services and databases.
• Regular dependency upgrades to pick up security fixes.

Production databases are backed up daily, with point‑in‑time recovery retained for a configurable window. Backups are encrypted and tested by routine restore drills. We maintain a documented business‑ continuity plan covering cluster, network and staff availability.

We welcome reports from security researchers. If you think you have found a vulnerability in any Deepsoch AI product, please tell us before publishing.

• Email security@deepsoch.com with a clear description, impact and steps to reproduce.
• Give us a reasonable window (typically 90 days) to investigate and fix before public disclosure.
• Do not access more data than is necessary to demonstrate the issue, and do not degrade service for other users.

We will acknowledge your report within 3 working days, keep you posted through triage and fix, and credit you (with your consent) when we disclose the issue.

Deepsoch AI is committed to complying with the Indian Digital Personal Data Protection Act, 2023 and all applicable data‑ protection laws where we operate or offer services.

We are building towards formal attestations (for example SOC 2 Type II and ISO/IEC 27001) and will publish updates on this page as those programs reach milestones.

For security and compliance questions:

• Security reports: security@deepsoch.com
• Privacy: privacy@deepsoch.com
• Legal: legal@deepsoch.com