Our trust posture. Plain language.
Security-conscious enterprise buyers and their IT, legal, and compliance teams need more than a checkbox. This page covers our compliance posture, data handling, AI usage disclosures, and LinkedIn account protocols. The full procurement document — including sub-processors, incident response, and the customer onboarding checklist — is available as a DOCX below.
What we comply with. What's in progress. What's coming.
We disclose our compliance posture in full, including what's still in process — because telling you only what sounds good isn't how we run our business.
| Area | Our posture | Status |
|---|---|---|
| Legal entity | Banao Pvt Ltd, Bengaluru, India · Vikaas is the operating brand. CIN: U72900KA2015PTC082435. | READY |
| DPDP Act 2023 (India) | Vikaas acts as data processor on the customer's behalf. DPA included in standard MSA. Data fiduciary obligations remain with the customer. | READY |
| GCC data protection | UAE Federal Decree-Law No. 45 of 2021 · KSA PDPL. Region-specific data residency available on request. | READY |
| Data hosting (default) | AWS Mumbai region (ap-south-1). Customer data stays in-region; no replication outside except DR. | READY |
| Data hosting (GCC option) | AWS Bahrain (me-south-1) or UAE (me-central-1). Specified in Order Schedule. | READY |
| Encryption in transit | TLS 1.3 for all customer-facing endpoints. Minimum TLS 1.2 enforced. | READY |
| Encryption at rest | AES-256 for all customer data stores and backups. Keys managed in AWS KMS with rotation policy. | READY |
| Multi-factor authentication | Mandatory for all Vikaas operator accounts with access to customer data (TOTP-based). | READY |
| Annual penetration testing | Annual third-party pen test. Summaries available for enterprise customers under NDA. | READY |
| SOC 2 Type II | Audit engaged with Big-4 audit firm. Trust Services Criteria in scope: Security, Availability, Confidentiality, Privacy. Bridge letters available on request. | Q4 2026 |
| AI provider certification | Specific providers disclosed under NDA. All contracted with appropriate data handling certifications and training opt-out. | READY |
| Right to audit | Available for engagements >₹50L annual value, with reasonable notice. | READY |
| Sub-processor list | Current list shared on first engagement and on request. 30-day advance notice before any new sub-processor that processes customer-confidential data. | READY |
| ISO 27001 | Scoping for 2027 certification cycle, following SOC 2 Type II completion. | 2027 |
What we collect. How we hold it. When we delete it.
Four principles that govern every byte of customer-related data Vikaas handles.
Minimal collection
We collect only what's needed to run your pipeline — ICP definitions, brand voice samples, account or candidate lists, conversation transcripts, and performance metrics. We don't touch your end-customer transaction data, employee payroll, or any sensitive personal categories.
In-region hosting
Customer data stays in your chosen region by default — AWS Mumbai for India engagements, AWS Bahrain or UAE for GCC engagements. No replication outside the region except for in-region disaster recovery. Specify your region in the Order Schedule.
90-day post-engagement retention
Active customer data is retained for the engagement plus 90 days for clean handoff support. After that window, all customer-confidential data is deleted from production systems. Encrypted backups are overwritten within 90 days. Early deletion is available on written request.
Data subject rights
We assist with access, correction, and deletion requests from buyers or candidates engaged through your pipeline, per DPDP and applicable law. Standard response within 5 business days of customer notification. Emergency deletion (regulatory order) within 5 business days.
Where AI runs. Where humans don't leave the room.
AI procurement scrutiny is increasing in 2026. We disclose specifically where AI is used in service delivery and — critically — where it is not permitted to act without human oversight.
Signal scoring & message drafting
AI ranks buyer and candidate profiles for fit against the customer's ICP, drafts message variants in the customer's voice, classifies inbound replies by intent, and assists internal workflows (enrichment, deduplication, prioritisation). These are the AI's core contributions to the engine.
No autonomous external action
AI does not send messages, update your CRM, add candidates to your ATS, or route leads to your Slack without human operator review first. Every externally visible action requires human approval. This is not a constraint we're working to remove; it's by design.
Never used for model training
Customer-confidential data is contractually prohibited from being used to train any general-purpose AI model accessible outside our engagement with the specific customer. Enforced through contracts with all AI providers in our stack. AI provider details disclosed under NDA to enterprise procurement on request.
Every AI action is logged
Every AI-generated artifact — message draft, signal score, intent classification — is logged with timestamp, inputs, output, and human reviewer identity. Customer audit access to these logs is available on reasonable request, subject to confidentiality and data minimisation requirements.
Your account. Our discipline.
Because the service depends on operating your LinkedIn account, we treat this as a security-sensitive operation with specific commitments.
You stay the owner
Your LinkedIn account is always yours. We operate it on your behalf; we have no claim on the account, its connections, its history, or any data in LinkedIn. Access is returned within 5 business days of any pipeline termination.
Conservative pacing
We stay under 100 connection requests per week from any single account. No third-party automation tools that violate LinkedIn's terms. Messaging volumes ramp gradually over the first 4 weeks. Operating discipline keeps restriction rates below 1.5% — well below industry average.
Secure credential handling
Account access is held in enterprise-grade encrypted secret management systems, accessible only to the assigned senior operator. Credentials are revoked immediately upon any personnel change or engagement termination. No local copies retained beyond 90 days.
If something goes wrong
In the unlikely event of an account restriction attributable to our operation: we cease immediately, provide a written incident report within 5 business days, assist the appeal process at no charge, and issue a one-month service credit for the affected pipeline.
The complete brief. For your IT and security teams.
The Security & Onboarding Brief covers everything on this page in depth, plus: sub-processor list, incident response timeline, customer onboarding checklist, and data subject rights procedures. Available as a Word document your procurement team can annotate and circulate.
10-page procurement reference. Covers compliance posture, data handling, AI usage, sub-processors, incident response, and customer onboarding checklist. Email trust@vikaas.ai to receive a copy, or request it during the discovery call.
Questions our docs don't answer?
trust@vikaas.ai responds within one business day.
Enterprise procurement has specific needs. If you need custom data processing agreements, right-to-audit provisions, or information about specific sub-processors, contact our trust team directly.