CORAA
Trust Centre · India-hosted · DPDPA aligned

Audit data, taken seriously.

CORAA stores some of the most sensitive data a Chartered Accountancy firm holds — client ledgers, board minutes, related-party schedules, MIS, tax workings. This page documents how we protect it, and the regulatory regime that backs the commitments.

Certifications & alignment

Certified
ISO/IEC 27001:2022
Accredited certification body
Information Security Management System (ISMS), maintained on an annual cadence.
In progress
SOC 2 Type II
AICPA Trust Services Criteria
On our security and compliance roadmap; programme in progress.
Aligned
DPDPA 2023
Digital Personal Data Protection Act, India
CORAA acts as Data Processor for client audit data; the client firm is the Data Fiduciary.
Audit reports and certificates available to active customers and qualified prospects under NDA. Email security@coraa.ai.

What we commit to

The six commitments below cover what we do with your data, and what we do not do. Detailed sub-processor list, technical and organisational measures, security questionnaires, and incident transparency log live at trust.coraa.ai.

No model training on your data
We do not use your audit data, ledgers, working papers, or findings to train, fine-tune, or improve any model or analytics product made available to other customers or the public. This commitment is contractual and enforced through the MSA.
India-only hosting
Customer data is hosted on Amazon Web Services, Mumbai region (ap-south-1). It does not leave Indian regions. DPDPA 2023 aligned.
Tenant isolation
Each client firm operates inside its own logically isolated tenant. One firm's data is not accessible from another firm's tenant.
Encryption
In transit (TLS 1.2 or higher) and at rest (AES-256).
Access control
Role-based access and multi-factor authentication for any CORAA personnel with administrative access. Audit logs of administrative actions are retained.
30-day export window on termination
When your subscription ends, your data is available for export in CSV, Excel, or PDF for thirty days. After that, it is securely deleted, subject to any legal retention requirement.

Detailed policies

Trust Centre
Live sub-processor list, technical and organisational measures, security questionnaires, audit reports under NDA, and incident transparency log.
Privacy Policy
Full text of how we collect, use, store and share data.
Data Protection
DPDPA 2023 alignment, data principal rights, processor obligations.
Encryption
Detailed encryption-at-rest and in-transit specifications.
Data Retention
How long we keep data, deletion procedures, legal-hold handling.
Cookies & Tracking
What we set, what we don't, opt-out mechanisms.

Frequently asked questions

Where is CORAA hosted?+
Amazon Web Services, Mumbai region (ap-south-1). No replication outside India.
Does CORAA use customer data to train AI models?+
No. Client audit data, ledgers, working papers, classifications and findings are not used to train, fine-tune, or improve any model. This is a contractual commitment in the MSA.
Is CORAA DPDPA 2023 compliant?+
For client audit data, your firm is the Data Fiduciary and CORAA is the Data Processor. We follow the processor obligations under the Act.
What certifications does CORAA hold?+
ISO/IEC 27001:2022 is certified and renewed annually. SOC 2 Type II is in progress — the audit programme is on our roadmap. ISO 27001 reports are available under NDA.
What happens to my data if I cancel?+
You can export all your data (ledgers, working papers, reports) in CSV / Excel / PDF for 30 days after the subscription ends. After that, we securely delete it.

Need a security review for procurement?

We support the standard CA-firm and enterprise procurement workflow — security questionnaires, ISO 27001 report under NDA, and due-diligence calls with your IT / IS team. SOC 2 Type II will be added when the audit closes.

Contact security@coraa.aiAll contact options