Trust & Security
How Aagman handles visitor data.
How Aagman handles visitor data, who can see it, and what happens when things go wrong. Honest answers to procurement and IT questions, before the contract.
Data stays in India
AWS ap-south-1, Mumbai
12-month default retention
Configurable per site under contract
RBAC + audit-logged viewing
Every record access is logged
No SOC 2 or ISO 27001 today
Honest: certifications are on our roadmap
Visitor data handling
We collect visitor name, photo, host, purpose, and in/out timestamps. Visitor records and photos are stored in AWS ap-south-1 (Mumbai). Published media assets (avatar clips, audio) are hosted on Cloudflare R2. The default retention is 12 months and is configurable per site (we can shorten or extend it under contract).
Access control
Site admins use role-based access control (RBAC). Every viewer interaction with a visitor record is itself audit-logged. Bulk export is gated behind admin role. SAML SSO is on the roadmap for Enterprise tier.
Audit logs
Visitor entry, exit, host notification, and admin actions are logged immutably and exportable in CSV format. Logs are retained per the site's data-retention policy and are available to your compliance team on demand.
Data residency
Application database and visitor records stay in AWS ap-south-1 (Mumbai). Published media assets are on Cloudflare R2. Backups are region-locked. We do not move visitor data outside India.
Sub-processors
We use a small set of vendors. Each is listed below with region and purpose. We do not share visitor data with third parties for marketing.
Certifications
Aagman follows industry-standard practices for data handling. Formal certifications such as SOC 2 Type II and ISO 27001 are on our roadmap. We do not currently claim them.
Incident response
Security issues should be reported to security@kaizenlabs.co.in. We acknowledge within 1 business day and target a fix or written status within 5 business days, depending on severity.
DPA
Our Data Processing Addendum is available on request. Email security@kaizenlabs.co.in and we'll walk through clauses with your legal/IT team before signature.
Sub-processors
Vendors that touch visitor data.
We keep this list short and current. If we add or remove one, customers under AMC are notified at least 30 days in advance.
| Vendor | Region | Purpose |
|---|---|---|
Amazon Web Services | Mumbai (ap-south-1) | Application hosting, primary database, visitor records and photos |
Cloudflare R2 | Global CDN with India edge | Published media assets: avatar clips and audio files. No visitor records flow through R2. |
MSG91 (Routemobile) | India | WhatsApp Business API and SMS host notifications when a visitor checks in |
Resend | Global (transactional email) | Transactional email for admin alerts and contact-form replies [FLAG FOR OWNER: verify still active] |
Vercel | Frankfurt (fra1) for marketing site only | Marketing-site hosting (kaizenlabs.co.in). Not used for the Aagman runtime. |
Mumbai (ap-south-1)
Application hosting, primary database, visitor records and photos
Global CDN with India edge
Published media assets: avatar clips and audio files. No visitor records flow through R2.
India
WhatsApp Business API and SMS host notifications when a visitor checks in
Global (transactional email)
Transactional email for admin alerts and contact-form replies [FLAG FOR OWNER: verify still active]
Frankfurt (fra1) for marketing site only
Marketing-site hosting (kaizenlabs.co.in). Not used for the Aagman runtime.
Security roadmap
What we're working on.
SOC 2 Type II readiness
Targeting initial audit window in late 2026, subject to deployment growth. We'll publish the audit window once committed.
SAML SSO + SCIM
On the Enterprise tier roadmap. Required for multi-site rollouts that integrate with your IdP.
Customer-trust portal
A self-serve portal for sub-processor change notifications, audit reports, and DPA history. Planned alongside SOC 2.
FAQ
Where is Aagman visitor data stored?
Visitor records and photos are stored in the AWS ap-south-1 region (Mumbai). Published media assets such as avatar clips are on Cloudflare R2. Backups stay region-locked. Visitor data does not leave India in normal operation.
Is Aagman SOC 2 or ISO 27001 certified?
Not today. Aagman follows industry-standard practices for data handling. Formal SOC 2 Type II and ISO 27001 certifications are on our roadmap and we do not claim them currently.
Can we get Aagman's DPA?
Yes. Email security@kaizenlabs.co.in to request the Data Processing Addendum. We can walk through clauses with your legal team before signature.
How does Aagman handle a security incident?
Report security issues to security@kaizenlabs.co.in. We acknowledge within 1 business day and target a fix or written status within 5 business days, depending on severity. Customers are notified directly for incidents that affect their data.
Who can see visitor records?
Only the site admins your organisation explicitly authorises. Access is RBAC-controlled and every view is audit-logged. We do not access visitor records ourselves except for support cases you raise.
Need a deeper review for procurement?
Walk through the DPA, data-flow diagrams, and reference checks with your IT and security teams.