How we protect your data.
Security is a discipline, not a marketing slogan. This page lists what we have in place today, what we’re still building, and the honest gaps we think you should know about before you trust us with your data. Enterprise customers can request our security questionnaire, architecture diagrams, and current sub-processor attestations at security@skode.ai.
- TLS 1.2+: In transit
- AWS S3: Managed encryption at rest
- GDPR + DPDPA: Processor terms available
- SOC 2: Readiness in progress
Infrastructure Security
- Hosted on Amazon Web Services in the Mumbai region (ap-south-1). AWS operates this infrastructure within a SOC 2 Type II-attested environment. EU-based hosting is on our roadmap and not available today.
- TLS 1.2 or higher on all external endpoints; HSTS applied on production hostnames
- AWS-managed server-side encryption for files and backups stored in S3
- Payment-gateway credentials stored inside our database with Fernet encryption
- User passwords stored as PBKDF2-SHA256 hashes (Django default)
- Private networking, security groups, and managed DDoS protection provided by AWS
- Daily automated backups. End-to-end encryption of database backups is on the remediation roadmap — see Transparency section below.
- Uptime targets described in our Service Level Agreement, published at /sla
Application Security
- Email + password authentication (minimum 8 characters, PBKDF2-SHA256 hashing)
- Optional social login with Google and Microsoft (OAuth 2.0)
- Enterprise single sign-on: SAML 2.0 and OIDC (Okta, Azure AD / Microsoft Entra, Google Workspace, and other standards-compliant IdPs)
- Role-based access control per workspace, with org_id-scoped queries and fail-closed filters
- Session cookies are HTTP-only, Secure (in production), SameSite=Lax, with a 7-day maximum lifetime
- CSRF protection, parameterised ORM queries, template auto-escaping, and input sanitisation on user- and AI-submitted content
- Rate limiting on public API endpoints and login flows; brute-force protection on authentication
- Two-factor authentication for end-user accounts is on our roadmap and not available today. We recommend a strong, unique password until it ships.
Data Security
- Primary data residency: AWS Mumbai (ap-south-1). EU-based hosting is on our roadmap.
- Daily automated backups retained per our disaster-recovery plan
- Workspace isolation enforced at the database layer: every query is scoped to the requesting workspace with fail-closed behaviour
- Audit logs for AI Connector actions retained for 30 days (failed events retained longer for investigation)
- Lead-assignment logs automatically purged after 90 days
- Export of workspace data on request by emailing privacy@skode.ai; self-serve export is on the roadmap
- Deletion workflow on account closure: 30-day restore window, then data deleted within a further 90 days, subject to statutory retention of invoices (7 years under Indian Income-tax Act and CGST Act, Section 36)
AI Data Handling
- External AI integrations (ChatGPT, Claude) are off by default and require workspace-admin activation
- Personal fields (names, emails, phones, addresses, tax IDs) are pseudonymised before leaving Skode when returned to an AI provider — full algorithm documented in our AI Transparency Policy
- Voice-to-text processed via OpenAI Whisper; transcripts are stored as CRM data, raw audio is not retained beyond the transcription call
- Every AI Connector response carries X-OpenAI-Training: disallow and X-AI-Data-Classification: pseudonymized headers
- No customer data is used to train Skode models or any third-party AI model
- Honest limitation: free-text note bodies are not scanned for embedded personal data before being returned to the AI; we recommend treating notes as shareable with the connected AI
- Full audit log of AI actions available via our GDPR Article 15 endpoint
Compliance
- GDPR / UK GDPR — we operate as a processor under our Data Processing Agreement. Standard Contractual Clauses (EU) 2021/914 and the UK IDTA are used for onward transfers
- CCPA / CPRA — see our California Privacy Notice
- Indian Digital Personal Data Protection Act 2023 — Grievance Officer appointed; see /legal/grievance-officer
- SOC 2 Type II — readiness assessment in progress. Skode Technologies Private Limited does not itself hold a SOC 2 attestation today; the AWS infrastructure we run on is SOC 2 Type II-attested by AWS.
- ISO 27001 — not currently pursued
- HIPAA — Skode does not sign Business Associate Agreements. Do not put Protected Health Information into Skode.
- PCI DSS — card data is handled by Stripe and Razorpay; Skode falls within SAQ-A scope
AI Connector Security
- Connectors disabled by default; require explicit workspace-admin activation
- OAuth 2.1 with PKCE S256 and Dynamic Client Registration (or Client ID Metadata Documents) for ChatGPT and Claude integrations
- API keys generated with 256-bit entropy, stored as SHA-256 hashes at rest, and automatically revoked after 90 days. Plain-text keys are shown once at creation only.
- Mutual TLS (mTLS) validation on inbound requests from OpenAI Connectors (validates mtls.connectors.openai.com SAN)
- Per-workspace and per-endpoint rate limits: 300 req/min sustained, 15/sec burst, 30 writes/min, 500 bulk lead operations per workspace per day
- Every AI Connector request and response logged to an Integration Event audit trail (30-day retention for success; longer for failures)
- Instant connector deactivation revokes all active keys immediately
- Known gap: OAuth tokens for upstream integrations are a current remediation item; we are migrating them to application-layer encryption — see Transparency section below
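The API-key lifecycle listed above (256-bit keys, SHA-256 at rest, shown once, 90-day expiry, instant revocation on connector deactivation) can be sketched as follows. This is an added illustration, not Skode's code: the `sk_` prefix, the in-memory `KEY_STORE` and all function names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=90)  # keys stop working 90 days after issue
KEY_STORE = {}                     # hypothetical store: SHA-256 hex -> record


def issue_key(workspace_id, now=None):
    """Create a key. The plain text is returned once and never stored."""
    now = now or datetime.now(timezone.utc)
    plaintext = "sk_" + secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    KEY_STORE[digest] = {
        "workspace": workspace_id,
        "expires": now + KEY_LIFETIME,
        "revoked": False,
    }
    return plaintext


def verify_key(presented, now=None):
    """Return the workspace id for a valid key, else None (fail closed)."""
    now = now or datetime.now(timezone.utc)
    digest = hashlib.sha256(presented.encode()).hexdigest()
    record = KEY_STORE.get(digest)
    if record is None or record["revoked"] or now >= record["expires"]:
        return None
    return record["workspace"]


def deactivate_connector(workspace_id):
    """Revoke every active key of a workspace; return how many were revoked."""
    revoked = 0
    for record in KEY_STORE.values():
        if record["workspace"] == workspace_id and not record["revoked"]:
            record["revoked"] = True
            revoked += 1
    return revoked
```

A single unsalted SHA-256 is adequate here only because the input is a uniformly random 256-bit value that cannot be guessed offline; low-entropy secrets such as user passwords need a slow, salted KDF like the PBKDF2-SHA256 listed for account passwords.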
Incident Response
- Dedicated security incident response team
- Customer notification within 72 hours of confirmed breach
- Post-incident review with root cause analysis
- Continuous monitoring and alerting
- Status page at status.skode.ai for real-time updates
Transparency — what we’re still building
Over-promising on security is worse than under-promising. These are the items we know about and are actively working on. If any of them blocks your deployment, talk to us at security@skode.ai — some can be addressed contractually today.
- Two-factor authentication for end-user accounts is not yet shipped. On our roadmap.
- Email verification is not currently enforced at signup. On our roadmap.
- Skode Technologies Private Limited does not yet hold its own SOC 2 attestation. Readiness assessment is in progress; the AWS infrastructure we run on is SOC 2 Type II-attested by AWS today.
- ISO 27001 is not currently pursued.
- OAuth tokens for upstream integrations are being migrated to application-layer encryption; today they rely on database-layer access controls. Remediation is in active development.
- Database backups are being moved to encrypted, off-site storage with key rotation. Today we run daily backups with AWS-managed encryption at the disk layer.
- Anomaly detection and SIEM-grade security monitoring are not yet deployed. Today we rely on standard application logging, rate limiting, and audit trails.
- Continuous SAST/DAST scanning in CI is on our roadmap. Today we run manual dependency review and standard Django framework protections.
- EU data residency is not available today. Primary region is AWS Mumbai. Contact us if this is a commitment blocker.
- No formal bug-bounty programme today. We welcome coordinated disclosure under our Responsible Disclosure policy below.
Responsible Disclosure
If you discover a security issue, please report it to us first. We commit to a safe-harbour for good-faith research, acknowledgement of reports within two business days, and a no-legal-action policy for researchers who follow this process. Our machine-readable contact details are published at /.well-known/security.txt per RFC 9116. A formal bug-bounty programme is on our roadmap and not yet in place.
security@skode.ai
Request a Security Review
Enterprise customers can request detailed security documentation, penetration test reports, and complete a security questionnaire.
Contact Sales