Security Policy
Last updated: May 2025
1. Our Commitment
At Gyansetu Digitalisation Solutions, security is not an afterthought — it is a foundational principle embedded in every layer of our platform. We operate Smart City operating systems, Digital Twin environments, IoT data pipelines, and advanced analytics platforms that process mission-critical urban infrastructure data. The integrity, confidentiality, and availability of that data are non-negotiable.
This Security Policy describes the technical and organisational measures we employ to protect our platform and your data. We continuously review and improve our controls in response to emerging threats, industry best practices, and applicable regulatory requirements.
2. Infrastructure Security
Our production environment is built on hardened Kubernetes (K3s) clusters deployed within private, network-isolated environments. The following controls are applied at the infrastructure level:
- Hardened K3s clusters — nodes are provisioned with minimal surface area, CIS Kubernetes Benchmark controls applied, and default service accounts disabled. Container images are scanned for CVEs prior to deployment.
- TLS 1.2 / TLS 1.3 — all inbound and inter-service traffic is encrypted using TLS. Older protocol versions (TLS 1.0, 1.1, SSL) are disabled at the load-balancer level.
- DDoS protection — rate limiting, connection throttling, and upstream DDoS mitigation layers are configured on all public-facing ingress points to absorb volumetric attacks.
- Network segmentation — workloads are separated by namespace-level network policies; database and internal services are not reachable from the public internet.
- Automated patching — OS and container base images are patched on a regular cadence; critical security patches are applied within 72 hours of disclosure.
3. Data Encryption
We apply encryption at every stage of the data lifecycle:
At Rest
All customer data stored on persistent volumes, databases, and object storage is encrypted using AES-256. Encryption keys are managed using a dedicated key management service and rotated annually or upon any suspected compromise.
In Transit
All data transmitted between clients and our platform, between microservices, and to third-party integrations is encrypted using TLS 1.2 or TLS 1.3 with strong cipher suites. Plain-text HTTP connections are rejected and redirected to HTTPS.
4. Access Control
Access to the Gyansetu platform and internal systems is governed by a strict access control framework:
- Multi-Factor Authentication (MFA) — MFA is mandatory for all internal Gyansetu engineering and operations staff accessing production systems. Platform customers are strongly encouraged to enable MFA for their accounts, and it is enforced for Enterprise plans.
- Least-privilege principle — every internal role and service account is granted only the minimum permissions required to perform its function. Access reviews are conducted quarterly.
- Audit logs — all authentication events, administrative actions, and data access operations are logged with timestamp, user identity, and source IP. Logs are retained for a minimum of 12 months and are tamper-evident.
- Role-Based Access Control (RBAC) — the customer-facing platform implements granular RBAC, enabling organisation administrators to assign and revoke roles without Gyansetu intervention.
5. Incident Response
Despite best-in-class controls, no system is immune to incidents. We maintain a formal Incident Response Plan (IRP) that is tested at least annually via tabletop exercises.
Detection & Triage
Automated monitoring and alerting systems detect anomalies. On-call engineers perform initial triage to confirm and classify the incident.
Containment & Mitigation
Affected systems are isolated to limit the blast radius. Patches or configuration changes are deployed to mitigate the vulnerability.
Customer Notification
In the event of a confirmed data breach affecting customer data, we will notify impacted customers within 48 hours of confirming the breach, in accordance with applicable law.
Post-Incident Review & Log
Every significant incident is documented in our internal incident log, covering root cause, timeline, impact, and remediation steps. Lessons learned are incorporated into our security roadmap.
6. Vulnerability Disclosure
We welcome responsible disclosure from security researchers and the broader community. If you believe you have discovered a vulnerability in any Gyansetu product or service, please report it promptly and responsibly:
- Email a detailed report to security@gyansetu-digital.in, including: affected component, steps to reproduce, potential impact, and any supporting evidence.
- We will acknowledge your report within 3 business days and provide an initial assessment within 10 business days.
- We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate (typically 90 days).
- Please do not attempt to exploit the vulnerability, access customer data, or disrupt our services during your research.
Researchers who responsibly disclose valid vulnerabilities will be credited in our security acknowledgements page (unless they prefer anonymity).
7. Compliance
Gyansetu operates in alignment with the following frameworks and regulations, and continually works toward formal certification where applicable:
Customers with specific compliance requirements (e.g., government or critical infrastructure mandates) are encouraged to contact us to discuss how our controls map to their regulatory obligations.
8. Customer Responsibilities
Security is a shared responsibility. While Gyansetu secures the platform and underlying infrastructure, customers are responsible for:
- Managing user accounts, access rights, and credentials within their organisation, and promptly revoking access for departed employees or contractors.
- Keeping API keys, tokens, and credentials secure, and not embedding credentials in publicly visible code repositories.
- Reporting suspected security incidents or anomalies to security@gyansetu-digital.in without delay.
- Ensuring that endpoint devices used to access the platform are maintained with up-to-date operating systems and security software.
- Complying with Gyansetu's Terms of Service and Acceptable Use Policy, and not attempting to probe, scan, or test the platform without prior written authorisation.