Trust & Security

We hold ourselves to the standard we help you achieve

Packets is a compliance platform. Our own security posture has to be one we'd be comfortable auditing. Here's how we protect your data.

  • India: primary data residency
  • AES-256: encryption at rest
  • Zero: customer data used for AI training
  • 72 hrs: breach notification SLA

Infrastructure Security

All primary workloads (application compute, database, and AI processing) are hosted in Mumbai, India. Your data stays in India by default.

  • AES-256 encryption for all data at rest
  • TLS 1.2+ for all data in transit
  • Infrastructure hardened to CIS Benchmarks
  • Network-level DDoS protection and rate limiting
  • Daily automated backups, 30-day retention
  • Multi-availability zone deployment
  • Intrusion detection and alerting

Layer                 Region
Application compute   Mumbai, India
Database              Mumbai, India
AI processing         Mumbai, India
File storage          India
AI inference          USA (DPA, data sharing disabled)

Information Security

Controls protecting data confidentiality, integrity, and availability across the platform.

Data Encryption

  • AES-256 at rest
  • TLS 1.2+ in transit
  • Application-layer encryption for credentials and tokens
  • Passwords hashed with bcrypt

Tenant Isolation

  • Multi-tenant isolation at the application layer
  • Cross-organisation data access is architecturally prohibited
  • Row-level security in the database
  • Isolated storage namespaces per organisation

Audit & Monitoring

  • Immutable audit log of every data access and mutation
  • Logs retained for 3 years
  • Real-time alerting on anomalous access patterns
  • Centralised log aggregation

Access Management & Authentication

Least-privilege access from end users to internal engineering.

Customer Platform

  • RBAC with organisation-scoped permissions
  • Granular custom roles per organisation
  • MFA supported
  • SSO via Google and Microsoft OAuth
  • All authentication events audit-logged
  • Sessions expire on inactivity; revocable by admins

Internal Access

  • Least-privilege enforced for all internal systems
  • Production access restricted to authorised personnel
  • MFA required for all internal tooling
  • Access reviews conducted quarterly
  • Off-boarding revokes access same-day
  • SSH key-based auth; password access disabled

Responsible AI

AI is central to Packets. The same standards we help customers meet apply to how we handle your data in our AI layer.

Your data is never used to train AI models

Data sharing for model training and evaluation is contractually disabled with our AI provider. We can provide contractual evidence on request.

Consent before AI is enabled

AI features are off by default. Your organisation must actively enable them. Consent is recorded with a timestamp and can be withdrawn at any time.

Minimal data in, nothing extra

Only what is needed for a specific operation is sent to the AI layer: prompts, organisational context, compliance content. Credentials, payment details, and your end-users' personal data are never forwarded.

Drafts, not decisions

AI outputs are surfaced as drafts for human review. Packets does not take autonomous action on compliance or risk decisions. AI outputs are not legal or professional advice.

AI processing stays in India

Our proprietary agentic AI layer is operated by BreakNCo and hosted in Mumbai, India. LLM inference via our third-party AI provider is covered by a DPA with data-sharing contractually disabled.

AI Processing Addendum available

Enterprise and regulated-industry customers can request a standalone AI Processing Addendum covering what data reaches the AI layer, controller/processor roles, and opt-out mechanics.


Software Development Practices

Security is part of how we build, not a step we run at the end.

Secure SDLC

  • OWASP Top 10 reviewed in every code change
  • Mandatory peer review before merge
  • Separate development, staging, and production environments
  • GitHub Advanced Security: secret scanning, code scanning, and Dependabot alerts enabled across all repositories

AI-Assisted Code Review

  • All code changes reviewed by both human peers and AI analysis tools
  • AI review covers security anti-patterns, injection risks, and logic flaws
  • Multiple AI systems used to reduce single-model blind spots
  • AI review does not replace human sign-off; both are required

Testing & Assessment

  • Third-party penetration test at least once per year
  • Risk assessments conducted annually and after major architectural changes
  • Threat modelling for features handling sensitive data
  • Automated vulnerability scanning on infrastructure in CI/CD

Security Training & Awareness

Every person at BreakNCo goes through mandatory security training on joining and annually. We track completion, policy acknowledgements, and coverage through Packets itself.

If it's good enough to sell, it's good enough to use ourselves.

Access Control & Authentication

Least-privilege practices, password hygiene, MFA

Data Handling & Privacy

DPDP Act obligations, GDPR basics, handling customer data

Phishing & Social Engineering

Identifying and responding to phishing attempts

Secure Development

OWASP Top 10, secure coding, secrets management

Incident Response

Identifying and escalating a potential security incident

Business Continuity

Backup procedures, disaster recovery, availability obligations

Compliance & Certifications

We run our own compliance programme on Packets. We eat our own cooking.

SOC 2 Type I: In Progress

Actively working toward SOC 2 Type I, running our own compliance programme on Packets.

ISO 27001: In Progress

ISO 27001 certification programme running in parallel with SOC 2 Type I.

DPDP Act 2023: Compliant

Compliant with India's Digital Personal Data Protection Act 2023 as a Data Fiduciary.

GDPR: In Progress

GDPR compliance programme actively being implemented. DPA with EU SCCs available for enterprise customers.

Incident Response

What to expect if something goes wrong.

  • 24 hrs: contain and assess, from discovery of a confirmed security incident
  • 72 hrs: customer notification by email to the primary account address, with the nature of the breach, affected data categories, record count, and remediation steps
  • 72 hrs: regulatory notification to the Data Protection Board of India and, as applicable, the GDPR supervisory authority

Enterprise Security Package

Enterprise customers get a pre-signed DPA with EU Standard Contractual Clauses, UK IDTA addendum, and an AI Processing Addendum on request.

  • Pre-signed DPA with EU SCCs and UK IDTA
  • AI Processing Addendum on request
  • Audit rights (once per year, 30 days notice)
  • 30-day advance notice of subprocessor changes

Responsible Disclosure

Found a vulnerability? Report it to us before going public. We'll acknowledge within 48 hours, fix it promptly, and credit you if you'd like.

Include a description of the issue, steps to reproduce, and your read on the potential impact.
