CORAA
Trust Centre · India-hosted · DPDPA aligned

Audit data, taken seriously.

CORAA stores some of the most sensitive data a Chartered Accountancy firm holds — client ledgers, board minutes, related-party schedules, MIS, tax workings. This page documents how we protect it, and the regulatory regime that backs the commitments.

Certifications & alignment

Certified
ISO/IEC 27001:2022
BSI / accredited certification body
Information Security Management System (ISMS). Covers risk management, access control, cryptography, supplier relationships, incident management. Renewed annually.
Certified
SOC 2 Type II
AICPA Trust Services Criteria
Type II covers operating effectiveness over a 6-12 month period (not point-in-time). Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality.
Aligned
DPDPA 2023
Digital Personal Data Protection Act, India
Consent management, data principal rights (access, correction, erasure, grievance), 72-hour breach notification window, processor obligations, retention limits.
Aligned
GDPR
EU General Data Protection Regulation
Process documentation, data subject rights, data protection by design. Applies where CORAA processes data of EU data subjects.
Audit reports and certificates available to active customers and qualified prospects under NDA. Email security@coraa.ai.

Data handling

The eight commitments below describe what we do with customer data — and equally what we do not do.

Customer data is not used to train foundation models
Customer ledgers, vouchers, working papers and findings are treated as audit evidence — not training material. CORAA uses proprietary classifiers and rule engines; foundation-model usage is limited to general reasoning over the customer's prompt, never to update model weights on customer data.
No public-LLM API exposure of customer data
CORAA does not transmit customer audit data to OpenAI / Anthropic / Google public APIs. All inference runs on India-hosted infrastructure with proprietary models.
India-only hosting
Microsoft Azure, South India region. Customer data does not leave Indian regions for any reason. DPDPA 2023 aligned, RBI data-localisation aligned for banking/financial clients.
Per-tenant logical isolation
Each customer's data is segregated by tenant key. Encrypted at rest with per-tenant encryption keys (AES-256). No cross-tenant data access, even by CORAA staff.
Encryption
AES-256 at rest (data, backups, archives). TLS 1.3 in transit. Encrypted database backups with separately-managed keys.
Audit trail
Cryptographically signed, timestamped, immutable. Every user action, AI inference, working-paper change and sign-off is logged. Required for SA 230 documentation and NFRA / ICAI peer review defence.
Authentication & access
SSO via Microsoft Azure AD, Google Workspace, and SAML 2.0. MFA enforceable at firm level. Role-based access (partner / manager / staff / reviewer). Session timeout on inactivity.
Backups & recovery
Encrypted incremental backups every 4 hours, retained 30 days. Geographically separated backup region (within India). Documented RPO (4 hours) and RTO (24 hours) for full-platform recovery.

Security operations

What runs behind the certifications.

Vulnerability management
Continuous scanning of code (SAST), dependencies (SCA) and infrastructure. Critical CVEs patched within 24 hours; high within 7 days; medium within 30 days. Penetration testing by independent third party annually.
Incident response
On-call rotation 24×7 for security incidents. Documented IRP with severity classification (S0–S3). Initial customer notification within 1 hour of confirmed S0/S1. Full RCA within 5 business days.
Employee security
Mandatory annual security training. Background verification for engineering and customer-data-access roles. Principle of least privilege; access reviewed quarterly. Hardware tokens for production access.
Third-party / sub-processor due diligence
All sub-processors listed publicly. Annual security review of each sub-processor including SOC 2 / ISO 27001 reports. DPDPA-compliant data-processing agreements in place.
Code & change management
All code goes through pull-request review with mandatory approvals. Production deployments via signed CI/CD pipelines. Database migrations versioned and reviewed.
Data deletion on contract end
On contract termination, all customer data (production + backups) is deleted within 30 days unless retention is required for legal compliance. Customer can request data export at any time during the contract.

Detailed policies

Privacy Policy
Full text of how we collect, use, store and share data.
Data Protection
DPDPA 2023 alignment, data principal rights, processor obligations.
Encryption
Detailed encryption-at-rest and in-transit specifications.
Data Retention
How long we keep data, deletion procedures, legal-hold handling.
Cookies & Tracking
What we set, what we don't, opt-out mechanisms.

Frequently asked questions

Where is CORAA hosted?
Microsoft Azure, South India region only. No mirroring or replication outside India. This applies to production data, backups, and disaster-recovery infrastructure.
Is CORAA DPDPA 2023 compliant?
Yes. CORAA processes data as a Data Processor on behalf of the customer (Data Fiduciary in DPDPA terminology). We comply with processor obligations under Section 8 of the Act — purpose limitation, security safeguards, breach notification, and data principal rights pass-through.
Does CORAA use customer data to train AI models?
No. Customer ledgers, vouchers, working papers, classifications and findings are not used to train foundation models. This commitment is contractual and is enforceable via the Master Subscription Agreement.
What certifications does CORAA hold?
ISO/IEC 27001:2022 (Information Security Management System) and SOC 2 Type II (Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality). Reports available under NDA.
Can I request a SOC 2 report?
Yes. SOC 2 Type II reports are available to active customers and qualified prospects under NDA. Contact security@coraa.ai.
How does CORAA handle data residency for foreign-owned Indian subsidiaries?
Data of the Indian subsidiary remains in India regardless of parent ownership. If the foreign parent requires data access from outside India (e.g., for group-audit purposes), data is provided in standardised export formats — but the source-of-truth remains India-hosted.
What happens to my data if I cancel my subscription?
On cancellation, you can export all your data (ledgers, working papers, reports) in standard formats (CSV, Word, PDF). After a 30-day grace period, all production data and backups are deleted unless retention is required for legal compliance (e.g., active litigation hold).
Does CORAA notify customers of security incidents?
Yes. For S0/S1 incidents involving customer data, we notify within 1 hour of confirmation. All security incidents are documented in a public quarterly transparency report. We have not had a customer-data breach to date.
Is CORAA penetration tested?
Yes. Annual penetration test by an independent CERT-In empanelled security firm. Results are reviewed by leadership and remediations tracked to completion. Summary available to customers under NDA.

Need a security review for procurement?

We support the standard CA-firm and enterprise procurement workflow — security questionnaires, SOC 2 reports under NDA, due-diligence calls with your IT / IS team.

Contact security@coraa.ai