Security
Last updated: 12 May 2026
This page summarises how we think about security for Captverse. It is descriptive, not a contractual commitment or certification statement, and does not replace your own security assessments, enterprise security questionnaires, or signed agreements. For data handling details, see the Privacy Policy; for legal terms, see the Terms of Use.
1. Security governance
Aarohii AI Solution Private Limited treats the confidentiality, integrity, and availability of customer data as a core responsibility. We apply risk-based controls across engineering, operations, and vendor management. Specific commitments (for example uptime targets, audit rights, or breach notification windows) may be set out in a customer’s enterprise agreement or order form where purchased.
2. Encryption and transport security
Client connections to Captverse are protected using industry-standard transport layer security (TLS). Sensitive configuration such as integration secrets should be stored using platform controls designed for secrets management; users should avoid sharing long-lived tokens in unsecured channels.
3. Authentication and access control
Access to the application is gated by email-and-password authentication with policies intended to reduce weak credentials. Workspace members may additionally enrol in time-based one-time password (TOTP) multi-factor authentication (MFA) through the Identity settings. Enterprise workspaces can connect a corporate identity provider using SAML 2.0 for single sign-on (SSO), and automate user provisioning and deprovisioning via SCIM 2.0 (RFC 7644). Within a workspace, role-based access control limits which users can view or modify CRM entities, settings, billing, or integrations. Administrators should apply least-privilege principles when inviting teammates, promptly revoke access for departing staff, and periodically review the immutable audit trail in the Identity dashboard (also exportable as CSV via the API).
4. Application security practices
Our engineering lifecycle aims to reduce common classes of defects, including:
- input validation and output encoding to mitigate injection and cross-site scripting risks;
- authorisation checks on server-side APIs so client UI alone cannot bypass permissions;
- dependency maintenance and monitoring for known vulnerabilities;
- logging and alerting suitable for operational debugging and security investigations, subject to privacy constraints.
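The server-side authorisation point above is easy to state and easy to get wrong. The following is an added illustration, not Captverse code: a deliberately weak handler that trusts a role claim sent by the client UI next to a hardened handler that derives the role from server-side membership state and intersects it with the API key's scopes (the least-privilege pattern for scoped keys). Role names, permission strings, the membership table and the API keys are all assumed and constructed for the example.

```python
# Added example (not Captverse's code): server-side authorization that the
# client UI cannot bypass, combining workspace role with API-key scopes.
# Role names, permission strings, the membership table and the API keys are
# assumed and constructed for this example.
from dataclasses import dataclass, field

# Assumed role model: permission strings granted by each workspace role.
ROLE_PERMISSIONS = {
    "viewer": {"crm:read"},
    "editor": {"crm:read", "crm:write"},
    "admin": {"crm:read", "crm:write", "settings:write", "billing:write",
              "integrations:write"},
}

# Constructed membership table, owned by the server and never by the client.
MEMBERSHIPS = {
    ("ws-1", "alice"): "admin",
    ("ws-1", "bob"): "viewer",
}

# Constructed API keys with the scopes fixed when each key was issued.
# key-bob deliberately carries a scope broader than bob's role allows.
API_KEYS = {
    "key-alice-ro": {"user": "alice", "workspace": "ws-1", "scopes": {"crm:read"}},
    "key-alice-rw": {"user": "alice", "workspace": "ws-1",
                     "scopes": {"crm:read", "crm:write", "settings:write"}},
    "key-bob": {"user": "bob", "workspace": "ws-1",
                "scopes": {"crm:read", "crm:write"}},
}


class Forbidden(Exception):
    """Raised when a request fails authorization."""


@dataclass
class Request:
    api_key: str
    workspace: str
    action: str                 # permission the endpoint requires, e.g. "crm:write"
    body: dict = field(default_factory=dict)


def vulnerable_handler(req: Request) -> str:
    """Authenticates the key, then trusts a role claim sent by the client.
    A modified client can add {"role": "admin"} to the body and escalate."""
    key = API_KEYS.get(req.api_key)
    if key is None:
        raise Forbidden("unknown API key")
    role = req.body.get("role") or MEMBERSHIPS.get((req.workspace, key["user"]))
    if role is None or req.action not in ROLE_PERMISSIONS[role]:
        raise Forbidden(f"{req.action} not permitted")
    return "ok"


def hardened_handler(req: Request) -> str:
    """Derives the role from server-side state only and intersects it with
    the key's scopes, so neither the UI nor an over-scoped key can widen it."""
    key = API_KEYS.get(req.api_key)
    if key is None:
        raise Forbidden("unknown API key")
    if key["workspace"] != req.workspace:
        raise Forbidden("API key is not bound to this workspace")
    role = MEMBERSHIPS.get((req.workspace, key["user"]))
    if role is None:
        raise Forbidden("caller is not a workspace member")
    # Effective permissions are the intersection of role and key scopes.
    effective = ROLE_PERMISSIONS[role] & key["scopes"]
    if req.action not in effective:
        raise Forbidden(f"{req.action} not permitted for role {role!r} with this key")
    return "ok"


def is_allowed(handler, req: Request) -> bool:
    """True if the handler authorizes the request, False if it raises Forbidden."""
    try:
        handler(req)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # bob is a viewer; the client body claims "admin" to attempt a write.
    escalation = Request("key-bob", "ws-1", "crm:write", body={"role": "admin"})
    print("vulnerable:", is_allowed(vulnerable_handler, escalation))  # True
    print("hardened:  ", is_allowed(hardened_handler, escalation))    # False
```

The hardened handler also refuses a key presented against a workspace it was not issued for, and denies an admin a billing write when the key in hand was never scoped for it: the role sets the ceiling, the key can only narrow it.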
We do not publicly document every control to avoid assisting attackers; customers with due-diligence requirements may request additional information under NDA where available.
5. Infrastructure and subprocessors
Captverse runs on managed cloud infrastructure and may use subprocessors for hosting, databases, email delivery, error reporting, and similar functions. We evaluate vendors for alignment with our security expectations and use contractual clauses that require appropriate confidentiality and security measures. A customer’s administrator controls most data ingress; review your integration list regularly.
6. Backups and resilience
We employ backup and redundancy patterns intended to recover from hardware failures or regional disruptions according to our internal recovery objectives. Customers should also export critical records periodically if their compliance programme requires local copies.
7. Incident response
If we become aware of a security incident affecting customer data in our control, we will investigate, contain, and remediate in line with our internal procedures and applicable law. Where contract or law requires customer notification, we will provide information without undue delay, consistent with the need to preserve forensic integrity and coordinate with authorities.
8. What you can do
Security is shared. We recommend enforcing strong passwords (or single sign-on where your plan includes it), enrolling members in TOTP MFA, phishing awareness training for revenue teams, treating webhook URLs as secrets, and limiting API keys to the minimum scopes required. Report suspected vulnerabilities or misuse to legal@captverse.com with enough detail for reproduction; please avoid disruptive testing against production without prior written agreement.
9. Certifications
Unless separately communicated in writing for your account, we do not claim ISO 27001, SOC 2 Type II, PCI DSS validation, or other formal certifications on this page. If certifications become applicable, we will update customer-facing materials and your account team as appropriate.
