Photo verification for regulated industries demands security that goes beyond checkboxes. Every layer of Veritas — from device hardware to cloud storage — is engineered for tamper resistance and auditability.
Every photo captured through the Veritas SDK is signed using a private key generated inside the device's Trusted Execution Environment (TEE). The key never leaves the hardware — it cannot be exported, copied, or accessed by any software, including the operating system. This provides cryptographic proof that a photo was captured on a specific physical device.
All data is encrypted in transit using TLS 1.3 with no fallback to older protocols. At rest, all personal data and photo assets are encrypted using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation. Even Veritas engineers cannot access plaintext customer data without audited, time-limited access grants.
Every Veritas capture embeds C2PA 2.1 content credentials — an open standard for content provenance. These credentials create a tamper-evident chain from capture to claim review. Any modification to the photo after capture invalidates the credential, providing an independent verification layer beyond Veritas trust scores.
Every API request is authenticated, authorised, and logged. There are no trusted internal networks. Service-to-service communication uses mutual TLS. API keys are scoped per environment and per permission. Role-based access control enforces the principle of least privilege across the dashboard and API.
100% India-only. Zero data replication outside Indian jurisdiction.
All connections enforce TLS 1.3. HSTS headers with 1-year max-age. No TLS 1.0/1.1/1.2 fallback.
All personal data, photos, and metadata encrypted using AES-256 with envelope encryption. Keys managed via Cloud KMS with automatic rotation.
Production workloads run in isolated VPCs. Web Application Firewall inspects all inbound traffic. Cloud Armor provides L3/L4/L7 DDoS mitigation.
Role-based access control on all systems. Production access requires MFA, justification, and manager approval. All access is time-limited and logged.
Every API call, dashboard action, and system event is logged with timestamp, IP, and authenticated user. Logs retained minimum 1 year per DPDP Rules 2025.
Automated daily backups with point-in-time recovery. Backups encrypted and stored within Mumbai region. 99.9% uptime SLA on Enterprise plans.
Automated vulnerability scanning on every deployment. Dependency audit for known CVEs. Critical vulnerabilities patched within 24 hours.
Full compliance with the Digital Personal Data Protection Act 2023 and DPDP Rules 2025. India-only data storage, consent management, erasure APIs, and breach notification tooling.
Audit in progress with a Big Four firm. Covers security, availability, and confidentiality trust service criteria. Expected completion: Q3 2026.
Information Security Management System certification planned. Gap assessment completed. Implementation underway with target certification by Q1 2027.
Content credentials conform to the Coalition for Content Provenance and Authenticity (C2PA) standard version 2.1 for digital content provenance.
Captures generate certificates compliant with Section 65B of the Information Technology Act 2000 for admissibility as electronic evidence in Indian courts.
We take security vulnerabilities seriously. If you believe you have found a security vulnerability in the Veritas platform, we encourage you to report it responsibly. We will work with you to understand and address the issue promptly.
The following systems are in scope for security research under our responsible disclosure policy:
Out of scope: Social engineering attacks on Veritas employees, physical attacks, denial of service attacks, and third-party services (e.g., Google Cloud, Razorpay) are not in scope. Please report vulnerabilities in those systems directly to their respective security teams.
For security-related inquiries, vulnerability reports, or to request our security documentation package (available to customers and prospects under NDA), contact our security team.
PGP key available on request for encrypted communication.