Security Policy
Last updated: January 2025
1. Data Encryption
All data transmitted between clients and Optivra systems is encrypted using TLS 1.3 or higher. Data at rest is encrypted using AES-256. We use industry-standard cryptographic protocols to ensure the confidentiality and integrity of all client data at every stage of processing and storage.
2. Access Control
Optivra enforces strict role-based access control (RBAC) across all internal systems. Access to client data is granted on a need-to-know basis and is regularly audited. Multi-factor authentication (MFA) is mandatory for all team members with access to production environments. We conduct quarterly access reviews to revoke unnecessary permissions.
3. Data Isolation
Client data is logically isolated within our infrastructure. We maintain strict data separation policies to ensure that data belonging to one client is never accessible to another. All production environments use dedicated, isolated compute resources where required by contract.
4. Incident Response
Optivra maintains a documented Incident Response Plan (IRP). In the event of a security incident, we commit to notifying affected clients within 72 hours of discovery. Our incident response team conducts root cause analysis and provides detailed post-incident reports to affected parties. All incidents are logged and reviewed to improve our defenses.
5. Data Retention & Deletion
Client data is retained only for the duration required to deliver contracted services, or as specified in the Master Service Agreement (MSA). Upon contract termination or client request, all client data is securely purged from our systems within 30 days. We provide written confirmation of data deletion upon request.
6. Third-Party Security
All third-party vendors and sub-processors used by Optivra are vetted for security compliance. We require vendors handling client data to maintain at minimum SOC 2 Type II certification. We maintain an up-to-date register of all sub-processors and can provide this upon request.
7. Vulnerability Management
Optivra conducts regular internal security assessments and participates in periodic third-party penetration testing. Critical vulnerabilities are patched within 48 hours of discovery. High and medium severity issues are remediated within 14 and 30 days respectively. We maintain a responsible disclosure policy for external security researchers.
8. Physical Security
Our engineering operations run primarily on Tier-1 cloud infrastructure providers (AWS, GCP, Azure) that maintain SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. All physical access to data centers is controlled by our cloud providers' security protocols.
9. Contact Our Security Team
To report a security vulnerability or for any security-related inquiries, please contact us at:
hello@optivra.in