3.1 Security Commitment
Scrini is engineered for enterprise hiring, with controls mapped to SOC 2 Type II and aligned with ISO/IEC 27001. We apply defense-in-depth across people, process, application, and infrastructure.
3.2 Technical Safeguards
Encryption: TLS 1.3 in transit; AES-256 at rest with cloud KMS; encrypted disks/snapshots.
Identity & Access: SSO/SAML 2.0, SCIM provisioning, RBAC/ABAC, MFA, least-privilege IAM, just-in-time elevation, session timeouts, IP allow-listing.
Network Security: Private VPCs, subnet isolation, security groups, WAF, DDoS protections, secrets vault (HSM-backed), egress controls.
Application Security: secure SDLC, code review, dependency scanning, SAST/DAST, signed builds, environment separation, feature flags.
Data Controls: field-level permissions, tenant isolation, event-sourced audit logs, immutable log storage, webhook signing & verification.
Resilience: automated backups (geo-redundant), multi-AZ architecture, checkpointing, documented RPO/RTO, disaster-recovery runbooks and tests.
3.3 Organizational Controls
Mandatory security & privacy training; background checks for personnel with production access; NDAs; timely access revocation on off-boarding.
Change management, vendor risk management, and secure third-party onboarding with DPAs and SCCs/UK Addendum where required.
Least-data principle: collect the minimum necessary; prefer in-tenant processing where feasible.
3.4 Monitoring & Testing
Centralized logging and SIEM for anomaly detection; 24×7 on-call alerting.
Vulnerability scanning on every build; weekly dependency checks; infrastructure configuration scanning.
Independent penetration tests at least annually; remediation tracked to closure (executive summaries available under NDA).
3.5 Incident Response & Breach Notification
We follow a documented IR plan: Detect → Contain → Eradicate → Recover → Post-mortem.
If a confirmed data breach affects personal data, we notify impacted Clients without undue delay and within 72 hours where required, including scope, impact, and mitigation steps.
3.6 Sub-Processors (Illustrative)
Cloud hosting & storage: Amazon Web Services; (optional) Google Cloud for analytics.
Communications: email/SMS/voice providers (e.g., Twilio); voice/video synthesis providers (e.g., ElevenLabs) where enabled.
Support & productivity: ticketing, logging, monitoring, and incident-management tools.
A current list is available on request; we provide advance notice of material changes as required by the DPA.
3.7 Customer-Configurable Controls
Custom roles & granular permissions; PII field restrictions.
SSO/MFA enforcement and session policies; IP allow-lists.
Data-retention windows; export & deletion tools; audit-log exports; webhook signing secrets rotation.
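The webhook signing and verification named under Data Controls (3.2) and the signing-secret rotation named here are not described further on this page. The following is an added illustration written for this edit, not Scrini's own code or documented scheme: it shows one common pattern, an HMAC-SHA256 signature over a timestamp plus the request body, carried in a header together with a key ID so that a receiver can hold the old and new secrets during a rotation overlap, reject unknown or retired keys, reject stale deliveries, and compare digests in constant time. The header name, header format, tolerance window and sample payload are assumptions for the example only.

```python
import hashlib
import hmac

# Assumed names for this illustration (not Scrini's documented scheme).
SIGNATURE_HEADER = "X-Webhook-Signature"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is older/newer than this


def sign_payload(secret: bytes, key_id: str, body: bytes, timestamp: int) -> str:
    """Sender side: sign '<timestamp>.<body>' and label the signature with its key ID.

    Binding the timestamp into the MAC lets the receiver bound replay, and the
    key ID lets it pick the right secret while a rotation is in progress.
    """
    message = f"{timestamp}.".encode() + body
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"t={timestamp},kid={key_id},v1={digest}"


def parse_signature_header(header: str) -> dict:
    """Split 't=...,kid=...,v1=...' into a dict; malformed items become empty values."""
    parts = {}
    for item in header.split(","):
        key, _, value = item.partition("=")
        parts[key.strip()] = value.strip()
    return parts


def verify_signature(active_secrets: dict, header: str, body: bytes, now: int) -> bool:
    """Receiver side. `active_secrets` maps key ID -> secret bytes.

    During rotation it holds both the outgoing and incoming key; once the
    sender has fully cut over, the old key ID is simply removed, after which
    anything still signed with it is rejected.
    """
    try:
        parts = parse_signature_header(header)
        timestamp = int(parts["t"])
        key_id = parts["kid"]
        provided = parts["v1"]
    except (KeyError, ValueError):
        return False  # missing or malformed header

    secret = active_secrets.get(key_id)
    if secret is None:
        return False  # unknown or retired signing key

    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # outside the replay window

    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about where it differed.
    return hmac.compare_digest(expected, provided)


def rotation_walkthrough() -> dict:
    """Constructed scenario: the sender moves from key k1 to k2 while the receiver
    keeps both active, then retires k1. Returns the verification outcomes."""
    body = b'{"event":"candidate.updated","id":"cand_123"}'  # constructed sample payload
    sent_at = 1_700_000_000

    old_secret, new_secret = b"constructed-old-secret", b"constructed-new-secret"
    overlap = {"k1": old_secret, "k2": new_secret}   # receiver during rotation
    after_retire = {"k2": new_secret}                # receiver after k1 is retired

    sig_old = sign_payload(old_secret, "k1", body, sent_at)
    sig_new = sign_payload(new_secret, "k2", body, sent_at)

    return {
        "old_key_during_overlap": verify_signature(overlap, sig_old, body, sent_at),
        "new_key_during_overlap": verify_signature(overlap, sig_new, body, sent_at),
        "old_key_after_retire": verify_signature(after_retire, sig_old, body, sent_at),
        "tampered_body": verify_signature(overlap, sig_new, body + b" ", sent_at),
        "stale_delivery": verify_signature(overlap, sig_new, body, sent_at + TOLERANCE_SECONDS + 1),
        "malformed_header": verify_signature(overlap, "not-a-signature", body, sent_at),
    }


if __name__ == "__main__":
    for case, ok in rotation_walkthrough().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The receiver should also treat the timestamp and key ID as untrusted input, as above, and should log rejected deliveries with the key ID and reason so that a stuck rotation (sender still using a retired key) is visible in monitoring rather than appearing as silent data loss.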
3.8 Responsible Disclosure
If you believe you’ve found a vulnerability, email support@scrini.ai with details and a proof of concept. Please avoid accessing, modifying, or deleting data. We acknowledge and triage reports promptly.
3.9 Contact (Security)
support@scrini.ai | +91-9457234349
Scrini AI Tech LLP, Gali No. 12/3, Burari, City Delhi, North Delhi, Delhi 110084, India