Security

How we protect your data.

Last updated: April 2026

NiyamHR is built on enterprise-grade infrastructure with security as a foundational principle — not an afterthought. Here's how your data is protected today.

Encryption

  • At rest: All user data stored in Google Cloud Firestore is encrypted using AES-256 with Google-managed encryption keys.
  • In transit: All connections use TLS 1.3 HTTPS, including the application, data storage, authentication, and AI service integrations.
  • Secrets: API keys and sensitive credentials are stored in Google Cloud Secret Manager with strict IAM-based access controls.

Infrastructure

NiyamHR is hosted on Google Cloud (Firebase App Hosting), which maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and PCI-DSS certifications at the infrastructure layer. These certifications cover the physical data centres, network security, and platform services that NiyamHR runs on.

Authentication and access

  • User accounts are protected by Firebase Authentication with email verification
  • Role-based access control: Founders, HR admins, Managers, and Employees see only the data their role permits
  • Organisation-level data isolation: no cross-organisation data leakage
  • Session tokens are managed by Firebase with configurable expiry

AI service integration

NiyamHR uses Anthropic's Claude API for mentorship and DNA analysis. Per Anthropic's policy, your data is not used to train their models. API calls are encrypted in transit, and the data sent is not retained for model training.

Data residency

User data is stored in Google Cloud's global infrastructure. The primary region for Indian users is us-central1. We are evaluating India-region data residency options as part of our DPDPA compliance roadmap.

Our security roadmap

NiyamHR is a startup in Early Access. We are transparent about where we are on our security journey and where we're headed:

  • Today: Google Cloud infrastructure certifications inherited; encryption at rest and in transit; role-based access control; secret management
  • Next 3-6 months: Formal DPDPA 2023 compliance program; internal security policies and incident response documentation; vulnerability scanning
  • 6-12 months: Independent penetration testing; SOC 2 Type I gap assessment
  • 12-24 months: SOC 2 Type II certification aligned with enterprise requirements; ISO 27001 roadmap for global enterprise customers

Responsible disclosure

If you believe you've found a security vulnerability in NiyamHR AI Mentor, please report it responsibly to support@niyamhr.in. We take all reports seriously, respond within 48 hours, and work to address verified issues promptly.

Incident response

In the event of a security incident that affects your data, we will notify affected users within 72 hours of discovery, in line with DPDPA 2023 requirements.

Have specific security or compliance questions for your organisation? We're happy to discuss your requirements directly. Contact support@niyamhr.in.

Madraz Buzz Media · Chennai, Tamil Nadu, India