Home / Security

Security & compliance

Security pages on most collaboration tools speak in adjectives — "enterprise-grade," "bank-level," "industry-leading." Those words are useless during a real security review.What a CISO wants is the specific control, the specific implementation, and the ability to verify both during procurement.

Below are the operating security and compliance controls in place at Cesign today, organised by the categories that map to most enterprise security review templates. DPDP compliance is treated as architecture, not as a feature checklist. End-to-end encryption is a default, not a configuration. Zero data on edge devices is a structural property, not a setting..

Overview

Cesign runs against the following 18 controls. Each control is operating today on every customer deployment. Not aspirational, not roadmapped, not configurable down.

DPDP & data residency
4 controls
01
India data residency
All Cesign customer data is stored within India. No cross-border transfer of conversation content, files, or recordings. Hosted in Indian-operated data centres with documented physical and logical access controls.
02
Consent and purpose limitation
User data is collected only for stated purposes and processed only for those purposes. Consent is recorded at the platform level and exposed through the admin console for audit.
03
Right to access and deletion
User-level data access requests and deletion requests are handled within statutory timelines. Hard delete, not soft delete. Tenant administrators can initiate deletion for departing users.
04
DPDP-compliant by design
DPDP requirements are baked into the architecture and the data model, not retrofitted as a feature flag. Compliance is the default, not the checkbox.
Encryption & cryptography
3 controls
05
End-to-end encryption
Every message, every file, every ICAN recording is end-to-end encrypted. Only the intended recipients can read. The architecture does not allow Cesign-side decryption.
06
Encryption in transit
TLS 1.3 for all client connections. No HTTP fallback. HSTS enforced. Inter-service communication within Cesign also TLS-encrypted.
07
Per-tenant key isolation
Encryption keys are scoped to the tenant. No customer can access another customer’s keys, conversations, or recordings. Key rotation policies enforced.
Edge device security
3 controls
08
Zero data on edge devices
No conversation data persisted on phones, laptops, or tablets. Cloud-only persistence. A lost laptop, a stolen phone, or a compromised endpoint exposes no thread, no file, no recording.
09
Session-bound access
Access requires an active session. Session invalidation propagates immediately to all device clients on password change, admin revocation, or device sign-out.
10
No screenshot for private threads
Private threads display screenshot warnings on supported platforms. The platform makes confidential conversations harder to leak by accident.
Identity & access management
4 controls
11
SSO via SAML and OIDC
Enterprise SSO via SAML 2.0 and OIDC. Cesign integrates into your existing identity provider — Okta, Azure AD, Google Workspace, or any compliant IdP.
12
Two-factor authentication
2FA via authenticator apps available for non-SSO users. Required at first login from a new device. Tenant administrators can enforce 2FA across the workspace.
13
Role-based access control
Per-thread admin privileges. Per-workspace role assignments. Thread membership is the unit of access — not the workspace, not the channel.
14
Off-boarding workflows
Departing user access is revocable in seconds from the admin console. Their thread membership is removed; the threads themselves continue with the remaining members.
Audit & ongoing assurance
4 controls
15
Comprehensive audit trail
Every user action, every thread modification, every ICAN recording, every admin operation is logged with timestamp, user, and IP. Audit logs are immutable and exportable in standard formats for SIEM ingestion.
16
Tenant-scoped admin console
Tenant administrators have full visibility into their workspace activity. No visibility across tenant boundaries. Admin actions are themselves audited.
17
Independent security reviews
Security architecture reviewed periodically by independent specialists. Findings remediated with documented timelines. Reports available under NDA for customer security reviews.
18
Backup and recovery
Customer data backed up to separate, encrypted, geographically distributed storage. Disaster recovery procedures tested periodically with documented RTO and RPO commitments.

Need a deeper conversation with your security team?

We can walk through the controls in detail, share architecture diagrams under NDA, and answer specific questions for your environment.

Schedule a security review