Security & Compliance
VipraGo processes some of the most sensitive data a company holds — salaries, attendance, identity documents. Security is therefore architectural, not bolted on: multi-tenant isolation, five-tier RBAC, AES-256 encryption for PII, immutable HMAC-hashed audit logs, and GDPR + India DPDP compliance, hosted on Google Cloud Platform with a 99.9% uptime SLA.
Multi-tenant isolation
Every record carries an organization identifier. Tenancy middleware scopes every authenticated request — and every database query — to the caller's organization, so one customer's data can never appear in another's results. Enterprise plans add dedicated cloud instances and India/EU data residency.
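The fail-closed shape of such tenancy scoping, as an added illustration rather than VipraGo's own code: the organization identifier is taken only from the authenticated principal, every query must leave a slot for the tenant predicate, and a query without one is refused rather than run unscoped. The SQLite schema, the `{tenant}` slot convention and the sample rows are constructed for this example and assumed, not taken from the product.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity established by the auth layer (e.g. from verified token claims).
    Its org_id is the only tenant identifier the request handlers ever see."""
    user_id: int
    org_id: int
    role: str


def build_sample_db():
    """Constructed sample data: two employees in org 100, one in org 200."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, "
                 "org_id INTEGER NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(1, 100, "Asha"), (2, 100, "Ravi"), (3, 200, "Meera")])
    conn.commit()
    return conn


class TenantScopedDB:
    """Database handle bound to one organisation (the middleware hands one of
    these to every handler). Each query must contain the {tenant} slot, which
    is replaced by an org_id predicate bound to the principal's org. A query
    without the slot, or one that tries to bind its own org_id, is refused."""
    TENANT_SLOT = "{tenant}"

    def __init__(self, conn, principal):
        self._conn = conn
        self._org_id = principal.org_id

    def query(self, sql, params=None):
        if self.TENANT_SLOT not in sql:
            raise ValueError("refusing query without a tenant predicate")
        bound = dict(params or {})
        if "org_id" in bound:
            raise ValueError("org_id is bound from the principal, never by the caller")
        bound["org_id"] = self._org_id
        scoped_sql = sql.replace(self.TENANT_SLOT, "org_id = :org_id")
        return self._conn.execute(scoped_sql, bound).fetchall()


def get_employee(db, request):
    """Handler: only the employee id is read from the request. Any org_id the
    client sends is ignored, and the row must also belong to the caller's org."""
    rows = db.query("SELECT id, org_id, name FROM employee WHERE {tenant} AND id = :id",
                    {"id": request["employee_id"]})
    return rows[0] if rows else None  # None maps to 404, never another tenant's row


def list_employees(db):
    return db.query("SELECT id, name FROM employee WHERE {tenant} ORDER BY id")


if __name__ == "__main__":
    conn = build_sample_db()
    db = TenantScopedDB(conn, Principal(user_id=1, org_id=100, role="admin"))
    print(get_employee(db, {"employee_id": 1}))                # (1, 100, 'Asha')
    print(get_employee(db, {"employee_id": 3, "org_id": 200}))  # None
    print(list_employees(db))                                  # [(1, 'Asha'), (2, 'Ravi')]
```

The design choice worth copying is the refusal path: an unscoped query raises instead of silently returning every tenant's rows, so a missing filter surfaces in testing rather than in an incident.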
Role-based access control (RBAC)
- Five role tiers: super admin, admin, manager, member, viewer — plus granular per-user permission overrides.
- Scoped permissions (self, team, assigned) enforced in the backend, not just hidden in the UI.
- Salary data is strictly scoped: employees see their own; managers see only what org policy allows for direct reports; org-wide payroll views require admin permissions.
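How a backend check for the salary rules above can be expressed, as an added example that is not VipraGo's code: the five tiers are ordered, per-user overrides are modelled as strings of the form `permission:scope`, and the manager rule is gated on an org policy flag. The tier ordering, the override string format, the `OrgPolicy` field name and the sample salary table are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set


class Role(IntEnum):
    """The five tiers, ordered so that a higher tier includes the lower ones."""
    VIEWER = 0
    MEMBER = 1
    MANAGER = 2
    ADMIN = 3
    SUPER_ADMIN = 4


@dataclass
class User:
    id: int
    org_id: int
    role: Role
    manager_id: Optional[int] = None
    # Assumed override format: "<permission>:<scope>", e.g. "salary.read:team".
    overrides: Set[str] = field(default_factory=set)


@dataclass
class OrgPolicy:
    # Assumed policy flag: whether managers may read direct reports' salaries.
    managers_see_report_salaries: bool = False


# Constructed sample data keyed by user id.
SALARIES = {1: 90000, 2: 70000, 3: 85000}


def salary_scope(actor, target, policy):
    """Return the scope ('self', 'team' or 'org') under which actor may read
    target's salary, or None if the read must be refused."""
    if actor.org_id != target.org_id:
        return None  # tenancy first: roles are never evaluated across orgs
    if actor.id == target.id and actor.role >= Role.MEMBER:
        return "self"
    if actor.role >= Role.ADMIN or "salary.read:org" in actor.overrides:
        return "org"
    if target.manager_id == actor.id:
        by_role = actor.role >= Role.MANAGER and policy.managers_see_report_salaries
        if by_role or "salary.read:team" in actor.overrides:
            return "team"
    return None


def get_salary(actor, target, policy):
    """API-layer check: the decision is made here, not in the UI. Returns
    (salary, scope) or raises PermissionError."""
    scope = salary_scope(actor, target, policy)
    if scope is None:
        raise PermissionError(f"user {actor.id} may not read salary of user {target.id}")
    return SALARIES[target.id], scope


if __name__ == "__main__":
    mgr = User(1, 100, Role.MANAGER)
    emp = User(2, 100, Role.MEMBER, manager_id=1)
    print(salary_scope(mgr, emp, OrgPolicy(False)))  # None
    print(get_salary(mgr, emp, OrgPolicy(True)))     # (70000, 'team')
```

The order of the checks matters: the cross-organisation test runs before any role logic, so even a super admin of one tenant gets a refusal rather than a role evaluation against another tenant's user.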
Encryption
| Layer | Control |
|---|---|
| In transit | TLS 1.3 on all connections |
| At rest | AES-256 for personally identifiable fields (PAN, Aadhaar, bank details) plus encrypted cloud storage |
| Authentication | JWT-based sessions with role claims; bcrypt password hashing; rate-limited login endpoints |
Immutable audit logs
Logins, approvals, payroll actions, asset events, GDPR actions, and admin overrides are written to append-only audit tables with a per-row HMAC, so any alteration of a record is detectable. Audit records are never updated or deleted, and are queryable by administrators with date-range and actor filters.
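An added example of an append-only, HMAC-protected audit table, written for this page rather than taken from VipraGo. It goes one step beyond the row-level hash described above by chaining each row's HMAC to the previous row's, so a deleted or reordered row is detected as well as an edited one. The schema, the `"genesis"` anchor, the demo key and the sample events are constructed for the example; SQLite triggers stand in for the INSERT/SELECT-only database role a real deployment would grant to the application.

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key. In production the key comes from a secret store and is
# never readable by the database role that can write audit rows.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"


def open_audit_store():
    """Create an append-only audit table. SQLite has no GRANT, so the triggers
    emulate a role that may INSERT and SELECT but never UPDATE or DELETE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE audit (
            seq      INTEGER PRIMARY KEY,
            ts       TEXT    NOT NULL,
            actor    INTEGER NOT NULL,
            action   TEXT    NOT NULL,
            detail   TEXT    NOT NULL,   -- canonical JSON
            prev_mac TEXT    NOT NULL,   -- MAC of the previous row, 'genesis' for row 1
            mac      TEXT    NOT NULL)""")
    conn.execute("CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit "
                 "BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END")
    conn.execute("CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit "
                 "BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END")
    return conn


def _row_mac(seq, ts, actor, action, detail, prev_mac):
    # A fixed-shape JSON array avoids the ambiguity of joining fields with a separator.
    msg = json.dumps([seq, ts, actor, action, detail, prev_mac],
                     separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


def append_event(conn, ts, actor, action, detail):
    """Append one event chained to the current tail; returns its seq. The
    read-then-insert must run inside a serialised transaction under concurrency."""
    tail = conn.execute("SELECT seq, mac FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev_mac = (tail[0] + 1, tail[1]) if tail else (1, "genesis")
    detail_json = json.dumps(detail, sort_keys=True, separators=(",", ":"))
    mac = _row_mac(seq, ts, actor, action, detail_json, prev_mac)
    conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (seq, ts, actor, action, detail_json, prev_mac, mac))
    conn.commit()
    return seq


def verify_chain(conn):
    """Recompute every MAC from row 1. Returns (True, None) if the log is intact,
    otherwise (False, seq) for the first row that is edited, missing or reordered."""
    expected_seq, prev_mac = 1, "genesis"
    for seq, ts, actor, action, detail, stored_prev, stored_mac in conn.execute(
            "SELECT seq, ts, actor, action, detail, prev_mac, mac FROM audit ORDER BY seq"):
        if seq != expected_seq or stored_prev != prev_mac:
            return False, seq  # gap or reordering: a row was removed or moved
        if not hmac.compare_digest(stored_mac, _row_mac(seq, ts, actor, action, detail, stored_prev)):
            return False, seq  # contents edited in place
        expected_seq, prev_mac = seq + 1, stored_mac
    return True, None


def statement_blocked(conn, sql):
    """True if the store rejects sql, which is what an application account sees."""
    try:
        conn.execute(sql)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = open_audit_store()
    append_event(conn, "2024-03-01T09:00:00Z", 7, "login", {"ip": "10.0.0.5"})
    append_event(conn, "2024-03-01T09:05:00Z", 7, "payroll.approve", {"run": 42, "amount": 1000})
    print(verify_chain(conn))                                                   # (True, None)
    print(statement_blocked(conn, "UPDATE audit SET action='x' WHERE seq=2"))  # True
    conn.execute("DROP TRIGGER audit_no_update")  # someone with direct DBA access
    conn.execute("UPDATE audit SET detail='{\"amount\":9000,\"run\":42}' WHERE seq=2")
    print(verify_chain(conn))                                                   # (False, 2)
```

One limit of a chain like this: truncating the log by removing the newest rows leaves a valid chain, so the tail MAC should be anchored somewhere the database writer cannot reach (a periodic export or a separate store) and compared against it during verification.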
GDPR & DPDP
- Right to erasure: anonymisation API that removes personal data while preserving statutory accounting records.
- Data portability: machine-readable export of an individual's data.
- Retention: automated purge jobs honour configured retention windows.
- India DPDP Act: consent-aware processing and India data-residency options for enterprise plans.
Infrastructure
Google Cloud Platform — serverless Cloud Run, managed Cloud SQL, secrets in GCP Secret Manager, automated backups with point-in-time recovery, and a 99.9% uptime SLA. ISO 27001 certification is in progress.
Frequently asked questions
- Can VipraBot (the AI) act outside a user's permissions?
- No. Every VipraBot action executes through the same permission-checked APIs as the UI; the agent inherits the requesting user's role and is audit-logged like any human action.
- Is customer data used to train AI models?
- Customer data is used to serve that customer's organization. It is not sold or used to train shared foundation models.
- How do I report a vulnerability?
- Email support@viprasoftware.com with subject "Security". We acknowledge within 24 hours.
This page summarises VipraGo's security architecture for evaluation purposes. For questionnaires (SIG, CAIQ) and DPAs, contact sales@viprasoftware.com.