Trust & Security

How Aagman handles visitor data.

Procurement and IT teams ask these questions. Here are the honest answers, before the contract.

Visitor data handling

We collect visitor name, photo, ID image, host, purpose, and in/out timestamps. Data is stored in the AWS Mumbai region. The default retention is 12 months and is configurable per site (we can shorten or extend it under contract).

Access control

Site admins use role-based access control (RBAC). Every viewer interaction with a visitor record is itself audit-logged. Bulk export is gated behind the admin role. SAML SSO is on the roadmap for the Enterprise tier.

Audit logs

Visitor entry, exit, host notification, and admin actions are logged immutably and are exportable in CSV format. Logs are retained per the site's data-retention policy and are available to your compliance team on demand.

Data residency

Production data — visitor records, photos, ID images — stays in AWS ap-south-1 (Mumbai). Backups are region-locked. We do not move visitor data outside India.

Sub-processors

We use a small set of vendors. Each is listed below with region and purpose. We do not share visitor data with third parties for marketing.

Certifications

Aagman follows industry-standard practices for data handling. Formal certifications such as SOC 2 Type II and ISO 27001 are on our roadmap. We do not currently claim them.

Incident response

Security issues should be reported to security@kaizenlabs.co.in. We acknowledge within 1 business day and target a fix or written status within 5 business days, depending on severity.

DPA

Our Data Processing Addendum is available on request — security@kaizenlabs.co.in. We're happy to walk through clauses with your legal/IT team before signature.

Sub-processors

Vendors that touch visitor data.

We keep this list short and current. If we add or remove one, customers under AMC are notified at least 30 days in advance.

| Vendor | Region | Purpose |
|---|---|---|
| Amazon Web Services | Mumbai (ap-south-1) | Application hosting, primary database, object storage (visitor photos and IDs) |
| Resend | Global (transactional email) | Transactional email — host notifications, admin alerts, contact form replies |
| WhatsApp Business API | Meta | WhatsApp host notifications when a visitor checks in |
| Cloudflare | Global CDN | DNS, edge caching, DDoS protection (no visitor data flows through CDN) |
| Vercel | Frankfurt (fra1) for marketing site only | Marketing-site hosting (kaizenlabs.co.in). Not used for the Aagman runtime. |

Security roadmap

What we're working on.

  • SOC 2 Type II readiness

    Targeting initial audit window in late 2026, subject to deployment growth. We'll publish the audit window once committed.

  • SAML SSO + SCIM

    On the Enterprise tier roadmap. Required for multi-site rollouts that integrate with your IdP.

  • Customer-trust portal

    A self-serve portal for sub-processor change notifications, audit reports, and DPA history. Planned alongside SOC 2.

Need a deeper review for procurement?

Walk through the DPA, data-flow diagrams, and reference checks with your IT and security teams.
