Trust & Security

How Aagman handles visitor data.

How Aagman handles visitor data, who can see it, and what happens when things go wrong. Honest answers to procurement and IT questions, before the contract.

Data stays in India

AWS ap-south-1, Mumbai

12-month default retention

Configurable per site under contract

RBAC + audit-logged viewing

Every record access is logged

No SOC 2 or ISO 27001 today

Honest: certifications are on our roadmap

Visitor data handling

We collect visitor name, photo, host, purpose, and in/out timestamps. Visitor records and photos are stored in AWS ap-south-1 (Mumbai). Published media assets (avatar clips, audio) are hosted on Cloudflare R2. The default retention is 12 months and is configurable per site (we can shorten or extend it under contract).

Access control

Site admins use role-based access control (RBAC). Every viewer interaction with a visitor record is itself audit-logged. Bulk export is gated behind admin role. SAML SSO is on the roadmap for Enterprise tier.

Audit logs

Visitor entry, exit, host notification, and admin actions are logged immutably and exportable in CSV format. Logs are retained per the site's data-retention policy and are available to your compliance team on demand.

Data residency

Application database and visitor records stay in AWS ap-south-1 (Mumbai). Published media assets are on Cloudflare R2. Backups are region-locked. We do not move visitor data outside India.

Sub-processors

We use a small set of vendors. Each is listed below with region and purpose. We do not share visitor data with third parties for marketing.

Certifications

Aagman follows industry-standard practices for data handling. Formal certifications such as SOC 2 Type II and ISO 27001 are on our roadmap. We do not currently claim them.

Incident response

Security issues should be reported to security@kaizenlabs.co.in. We acknowledge within 1 business day and target a fix or written status within 5 business days, depending on severity.

DPA

Our Data Processing Addendum is available on request. Email security@kaizenlabs.co.in and we'll walk through clauses with your legal/IT team before signature.

Sub-processors

Vendors that touch visitor data.

We keep this list short and current. If we add or remove one, customers under AMC are notified at least 30 days in advance.

Amazon Web Services

Mumbai (ap-south-1)

Application hosting, primary database, visitor records and photos

Cloudflare R2

Global CDN with India edge

Published media assets: avatar clips and audio files. No visitor records flow through R2.

MSG91 (Routemobile)

India

WhatsApp Business API and SMS host notifications when a visitor checks in

Resend

Global (transactional email)

Transactional email for admin alerts and contact-form replies [FLAG FOR OWNER: verify still active]

Vercel

Frankfurt (fra1) for marketing site only

Marketing-site hosting (kaizenlabs.co.in). Not used for the Aagman runtime.

Security roadmap

What we're working on.

  • SOC 2 Type II readiness

    Targeting initial audit window in late 2026, subject to deployment growth. We'll publish the audit window once committed.

  • SAML SSO + SCIM

    On the Enterprise tier roadmap. Required for multi-site rollouts that integrate with your IdP.

  • Customer-trust portal

    A self-serve portal for sub-processor change notifications, audit reports, and DPA history. Planned alongside SOC 2.

FAQ

Where is Aagman visitor data stored?

Visitor records and photos are stored in the AWS ap-south-1 region (Mumbai). Published media assets such as avatar clips are on Cloudflare R2. Backups stay region-locked. Visitor data does not leave India in normal operation.

Is Aagman SOC 2 or ISO 27001 certified?

Not today. Aagman follows industry-standard practices for data handling. Formal SOC 2 Type II and ISO 27001 certifications are on our roadmap and we do not claim them currently.

Can we get Aagman's DPA?

Yes. Email security@kaizenlabs.co.in to request the Data Processing Addendum. We can walk through clauses with your legal team before signature.

How does Aagman handle a security incident?

Report security issues to security@kaizenlabs.co.in. We acknowledge within 1 business day and target a fix or written status within 5 business days, depending on severity. Customers are notified directly for incidents that affect their data.

Who can see visitor records?

Only the site admins your organisation explicitly authorises. Access is RBAC-controlled and every view is audit-logged. We do not access visitor records ourselves except for support cases you raise.

Need a deeper review for procurement?

Walk through the DPA, data-flow diagrams, and reference checks with your IT and security teams.