Security

Data Security

Effective Date: 25 May 2026
INTOTEN INNOVATIONS PRIVATE LIMITED

INTO 10 is a software-as-a-service capability platform that processes enterprise learning, performance, and AI-interaction data on behalf of our customers. Security is foundational to that role. This page describes the technical, organizational, and operational controls we use to protect customer data, AI workloads, and the underlying infrastructure.

This document supplements our Privacy Policy and Terms and Conditions. Specific commitments for an enterprise customer are governed by the applicable Order Form, Data Processing Addendum, and any negotiated security exhibits.

1. Security Governance

Security at INTO 10 is owned at the executive level and operationalized through a dedicated security and platform engineering function.

  • A designated CTO / Privacy Contact owns information security, privacy, and incident response.
  • Documented internal security policies cover access management, change management, vendor risk, data classification, secure development, and incident response.
  • Security policies are reviewed at least annually and updated to reflect platform, regulatory, and threat-landscape changes.
  • Security responsibilities are written into role descriptions for engineering, operations, and customer-facing teams.

2. Infrastructure & Hosting

The Platform is hosted on trusted, enterprise-grade cloud infrastructure providers that maintain industry-recognized certifications such as ISO/IEC 27001, SOC 2, and equivalent regional standards.

  • Physical security, environmental controls, and hardware lifecycle are managed by the underlying cloud provider.
  • Production infrastructure is logically segregated from staging and development environments.
  • Customer data is processed in approved cloud regions, with regional pinning available for enterprise customers where contractually agreed.
  • Infrastructure is provisioned through codified configuration to ensure consistency, auditability, and rapid recovery.

3. Network & Perimeter Security

  • All inbound traffic to the Platform is served over HTTPS using modern TLS (1.2 or higher) with strong cipher suites.
  • HTTP Strict Transport Security (HSTS) is enforced on production domains.
  • Internal services are protected by virtual private networks, security groups, and least-privilege firewall rules.
  • Distributed denial-of-service mitigation, rate limiting, and a web application firewall protect against common abuse and exploitation patterns.
  • Administrative interfaces are not exposed to the public internet without authenticated, controlled access paths.
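The first two bullets (HTTPS only, HSTS enforced on production domains) are the kind of claim a customer's security team will verify from the outside. The check below is an added example written for this page, not INTO 10's own tooling; the response shape, the one-year max-age floor (the value commonly required for HSTS preload) and the requirement that plain HTTP answer with a 301 or 308 to an https:// location are assumptions of the example, not commitments on this page.

```python
"""Evaluate a web response's transport-security posture: plain HTTP must
redirect to HTTPS, and HTTPS responses must carry a usable HSTS policy.
Added example, not INTO 10 code; thresholds and response shape are assumptions."""
from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds; assumed floor for max-age (preload lists require a year)


@dataclass
class Response:
    scheme: str                                   # "http" or "https"
    status: int
    headers: dict = field(default_factory=dict)   # header names compared case-insensitively


def header(resp, name):
    """Case-insensitive header lookup; returns None when absent."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive per RFC 6797; unknown ones are kept."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age: {val!r}")
            out[name] = int(val)
        else:
            out[name] = True if val == "" else val
    return out


def check(resp):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    if resp.scheme == "http":
        loc = header(resp, "Location") or ""
        if resp.status not in (301, 308) or not loc.lower().startswith("https://"):
            findings.append("plain HTTP must redirect (301/308) to an https:// location")
        if header(resp, "Strict-Transport-Security"):
            # RFC 6797: user agents ignore HSTS received over an insecure transport
            findings.append("HSTS on plain HTTP is ignored by browsers; send it on the HTTPS response")
        return findings

    hsts = header(resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security on HTTPS response")
        return findings
    try:
        d = parse_hsts(hsts)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    if "max-age" not in d:
        findings.append("HSTS without max-age is invalid and ignored")
    elif d["max-age"] == 0:
        findings.append("max-age=0 clears the HSTS policy")
    elif d["max-age"] < ONE_YEAR:
        findings.append(f"max-age {d['max-age']} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains remain downgradable")
    return findings
```

Feed it the response captured from each production hostname over both schemes; a finding on the plain-HTTP leg is as serious as a missing header, because a first visit over HTTP is exactly the request HSTS cannot yet protect.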

4. Encryption

Customer data is encrypted both in transit and at rest using industry-standard algorithms.

  • In transit: TLS 1.2+ for all client-server and service-to-service communication; certificate management is automated and monitored.
  • At rest: AES-256 (or stronger equivalent) encryption for primary data stores, object storage, backups, and audio assets.
  • Key management: Cryptographic keys are stored in managed key-management services with rotation, access logging, and separation of duties between key custodians and data operators.
  • Secrets, API keys, and credentials are stored in dedicated secret stores — never in source code or configuration files.

5. Identity, Authentication & Access Control

Access to the Platform — and to systems that process customer data — is governed by strong identity, authentication, and authorization controls.

  • Authorized Users authenticate using company email or phone number with OTP, or via enterprise-authorized access controls configured by the customer.
  • Single Sign-On (SSO) via SAML or OIDC is available for enterprise customers on supported plans.
  • Internal access to production systems requires multi-factor authentication and individual, named accounts — never shared credentials.
  • Role-based access control (RBAC) enforces least-privilege; access is granted only to the minimum data and capabilities required for the role.
  • Access is reviewed periodically and revoked immediately upon role change or separation.

6. Tenant Isolation (Multi-Tenant SaaS)

INTO 10 is a multi-tenant SaaS platform. Each Enterprise Client’s data is logically isolated through enforced tenant identifiers at the application, query, and storage layers.

  • Every request is bound to an authenticated tenant context; cross-tenant data access is blocked by design at multiple layers.
  • AI sessions, transcripts, audio, scores, and analytics are partitioned per tenant.
  • Tenant-scoped encryption envelopes and access policies prevent accidental commingling of data.
  • For enterprise customers requiring dedicated environments, isolated single-tenant deployments may be available under separate commercial terms.
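What "enforced tenant identifiers at the application, query, and storage layers" looks like in code, as an added example for this page and not INTO 10's implementation: the schema, the TenantContext shape, the object-key layout and the sample rows are all assumptions of the example. The unsafe lookup is included only to show the pattern the layered version replaces.

```python
"""Tenant isolation at three layers: a tenant context bound per request
(application), a repository whose every statement carries the tenant id
(query), and tenant-prefixed object keys with validated names (storage).
Added example, not INTO 10 code; schema and key layout are assumptions."""
import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantContext:
    """Built once per request from the verified session or token,
    never from a client-supplied parameter."""
    tenant_id: str
    user_id: str


class CrossTenantAccess(Exception):
    """Raised when a row reaches the application layer with the wrong tenant."""


def make_db():
    """In-memory SQLite with constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transcripts ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO transcripts (tenant_id, owner, body) VALUES (?, ?, ?)",
        [("acme", "alice", "transcript A"),
         ("acme", "bob", "transcript B"),
         ("globex", "carol", "transcript C")])
    return conn


def lookup_by_id_only(conn, transcript_id):
    """Query layer WITHOUT a tenant predicate: the insecure direct object
    reference the repository below is designed to make impossible."""
    row = conn.execute(
        "SELECT tenant_id, owner, body FROM transcripts WHERE id = ?",
        (transcript_id,)).fetchone()
    return None if row is None else dict(zip(("tenant_id", "owner", "body"), row))


class TranscriptRepo:
    """Query layer: every statement carries ctx.tenant_id, and there is no
    method that reads without it."""

    def __init__(self, conn, ctx):
        self._conn, self._ctx = conn, ctx

    def get(self, transcript_id):
        row = self._conn.execute(
            "SELECT id, tenant_id, owner, body FROM transcripts "
            "WHERE id = ? AND tenant_id = ?",
            (transcript_id, self._ctx.tenant_id)).fetchone()
        if row is None:
            return None  # another tenant's id looks exactly like a missing one
        # Application layer: re-check on the way out so that a future query
        # that forgets the predicate fails closed instead of leaking.
        if row[1] != self._ctx.tenant_id:
            raise CrossTenantAccess(f"row {row[0]} belongs to tenant {row[1]}")
        return {"id": row[0], "owner": row[2], "body": row[3]}

    def list_ids(self):
        cur = self._conn.execute(
            "SELECT id FROM transcripts WHERE tenant_id = ? ORDER BY id",
            (self._ctx.tenant_id,))
        return [r[0] for r in cur]


_ASSET_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def audio_object_key(ctx, asset_name):
    """Storage layer: keys are prefixed with the tenant, and the asset name
    is validated so neither '/' nor '..' can escape that prefix."""
    if not _ASSET_NAME.match(asset_name) or ".." in asset_name:
        raise ValueError(f"invalid asset name: {asset_name!r}")
    return f"tenants/{ctx.tenant_id}/audio/{asset_name}"
```

The point of the redundant check in `get` is that the query predicate and the application check are written by different code paths, so a regression in one does not silently become a cross-tenant read; the same reasoning applies to storage policies scoped to the `tenants/<tenant_id>/` prefix.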

7. AI Model & Workload Security

Because the Platform delivers AI-led learning, simulations, and roleplays, we apply additional controls to the AI layer.

  • No customer training on public models: Customer Content is not used to train public AI models or shared with third parties for AI model improvement.
  • Prompt & output handling: Prompts, transcripts, and AI Outputs are stored within the customer’s tenant scope and encrypted at rest.
  • Model access: Calls to underlying AI providers are authenticated, audited, and routed through allowlisted endpoints over encrypted channels.
  • Guardrails: The Platform applies input validation, output filtering, and abuse detection to reduce the risk of prompt injection, harmful content, and policy violations.
  • De-identification for improvement: Any internal use of data to improve INTO 10’s own systems uses anonymized, aggregated, or de-identified data, consistent with our Privacy Policy.

8. Secure Development Lifecycle

  • Code changes follow a peer-reviewed pull-request workflow with required approvals before merge.
  • Automated static analysis, dependency scanning, and secret scanning run on every change.
  • Critical dependencies are tracked, and high-severity vulnerabilities are remediated within risk-based service-level targets.
  • Container and infrastructure images are built from trusted bases and scanned for known vulnerabilities before deployment.
  • Production deployments require change-management approvals; rollback procedures are documented and tested.
  • Engineers receive periodic secure-coding and privacy training.

9. Monitoring, Logging & Auditing

  • Application, infrastructure, and security events are centrally logged in a tamper-resistant store.
  • Authentication events, administrative actions, and access to sensitive resources generate audit trails retained for compliance and forensic purposes.
  • Anomaly detection and alerting cover authentication failures, unusual access patterns, and indicators of compromise.
  • Logs are protected by access controls and encryption equivalent to other production data.
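A concrete instance of "alerting on authentication failures and unusual access patterns", added here as an example and not taken from INTO 10's monitoring stack: three sliding-window rules (brute force against one account, a password spray from one source across many accounts, and a success that follows a burst of failures) run over constructed sample log lines. The line format, the five-minute window, the thresholds and the rule names are all assumptions of the example.

```python
"""Sliding-window authentication detections over sample log lines.
Added example, not INTO 10 code; log format, thresholds and rule names are
assumptions, and SAMPLE_LOG is constructed (RFC 5737 documentation addresses)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<event>auth_success|auth_failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

WINDOW = timedelta(minutes=5)
FAILS_PER_USER = 5   # brute force: one account, many failures
USERS_PER_IP = 5     # password spray: one source, many accounts

SAMPLE_LOG = """\
2026-05-25T09:00:01Z auth_failure user=alice ip=203.0.113.7
2026-05-25T09:00:09Z auth_failure user=alice ip=203.0.113.7
2026-05-25T09:00:15Z auth_failure user=alice ip=203.0.113.7
2026-05-25T09:00:22Z auth_failure user=alice ip=203.0.113.7
2026-05-25T09:00:30Z auth_failure user=alice ip=203.0.113.7
2026-05-25T09:00:41Z auth_success user=alice ip=203.0.113.7
2026-05-25T09:10:00Z auth_failure user=bob ip=198.51.100.4
2026-05-25T09:10:02Z auth_failure user=carol ip=198.51.100.4
2026-05-25T09:10:04Z auth_failure user=dave ip=198.51.100.4
2026-05-25T09:10:06Z auth_failure user=erin ip=198.51.100.4
2026-05-25T09:10:08Z auth_failure user=frank ip=198.51.100.4
2026-05-25T09:30:00Z auth_success user=grace ip=192.0.2.10
"""


def parse_line(line):
    """Return (ts, event, user, ip) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed input is skipped, never partially trusted
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["event"], m["user"], m["ip"]


def _prune(q, now):
    """Drop timestamps older than WINDOW from the left of a deque."""
    while q and now - q[0] > WINDOW:
        q.popleft()


def detect(lines):
    """Run the three rules over an iterable of log lines; one alert per (rule, subject)."""
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> failure timestamps inside the window
    last_fail_by_ip = defaultdict(dict)  # ip -> {user: last failure timestamp}
    fired = set()

    def raise_alert(rule, subject, ip, ts):
        if (rule, subject) in fired:
            return
        fired.add((rule, subject))
        alerts.append({"rule": rule, "subject": subject, "ip": ip, "at": ts.isoformat()})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, ip = rec
        q = fails_by_user[user]
        _prune(q, ts)
        if event == "auth_failure":
            q.append(ts)
            if len(q) >= FAILS_PER_USER:
                raise_alert("bruteforce", user, ip, ts)
            seen = last_fail_by_ip[ip]
            seen[user] = ts
            for stale in [u for u, t in seen.items() if ts - t > WINDOW]:
                del seen[stale]
            if len(seen) >= USERS_PER_IP:
                raise_alert("password_spray", ip, ip, ts)
        else:
            # A success right after a burst of failures is the case worth
            # paging on: the guessing may have worked.
            if len(q) >= FAILS_PER_USER:
                raise_alert("success_after_failures", user, ip, ts)
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())
```

Against the sample, the rules fire in order for alice (brute force, then a success after failures) and for the spraying source 198.51.100.4; grace's lone success raises nothing. In production the same logic would read from the central log store and the (rule, subject) de-duplication would be keyed per window rather than for the life of the process.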

10. Backup & Business Continuity

  • Production data stores are backed up on a regular schedule appropriate to data criticality.
  • Backups are encrypted, integrity-checked, and stored in resilient storage with appropriate redundancy.
  • Restore procedures are documented and exercised periodically to validate recoverability.
  • Disaster recovery plans address infrastructure failure, regional outages, and data corruption scenarios with defined recovery objectives.

11. Vulnerability Management & Testing

  • Internal vulnerability scans run on a continuous basis against application and infrastructure surfaces.
  • Third-party penetration testing is conducted periodically against the Platform; remediation is tracked through closure.
  • Critical vulnerabilities are triaged immediately and remediated according to defined severity-based service levels.
  • Patches and security updates to the operating system, runtime, and libraries are applied on a managed cadence.

12. Incident Response

INTO 10 maintains a documented incident-response process covering detection, triage, containment, eradication, recovery, and post-incident review.

  • Incidents are classified by severity and routed to an on-call team with predefined responsibilities.
  • Affected Enterprise Clients will be notified of confirmed security incidents that materially affect their data, consistent with contractual and legal obligations and without undue delay.
  • Post-incident reviews are conducted to identify root causes and implement corrective actions.
  • Communication channels for security incidents are documented in the Order Form or DPA where applicable.

13. Personnel Security

  • Employees and contractors with access to customer data are subject to background verification where permitted by law.
  • All personnel sign confidentiality agreements as a condition of employment or engagement.
  • Mandatory training covers security awareness, privacy, acceptable use, and incident reporting.
  • Devices used to access production systems are subject to endpoint controls including disk encryption, screen-lock, and managed configuration.
  • Access is revoked promptly upon role change or separation.

14. Vendor & Sub-Processor Management

  • Sub-processors and critical vendors are evaluated for security, privacy, and operational maturity prior to onboarding.
  • Vendor relationships are governed by written agreements that include confidentiality, security, and data protection commitments.
  • A list of sub-processors handling personal data may be made available to Enterprise Clients on request and is referenced in our Privacy Policy.
  • Material changes to the sub-processor list affecting customer data are communicated in accordance with contractual obligations.

15. Data Retention & Deletion

Data retention is configurable per Enterprise Client and governed by the Order Form, applicable Data Processing Addendum, and legal requirements.

  • Customer Content is retained for the duration of the subscription unless otherwise agreed.
  • On termination, Customer Content is deleted or anonymized in accordance with the applicable retention schedule, subject to legal hold requirements.
  • Backups containing deleted Customer Content age out according to the backup retention schedule.
  • Audit logs and security records may be retained for longer periods where required for legal, regulatory, or operational purposes.

16. Compliance & Regulatory Alignment

  • INTO 10’s control framework is designed with reference to recognized standards including ISO/IEC 27001 and SOC 2 Type II principles.
  • The Platform supports customer obligations under applicable data protection laws, including India’s Digital Personal Data Protection Act (DPDP) and other regional frameworks as relevant.
  • Specific certifications, audit reports, and compliance artifacts — where available — may be shared with Enterprise Clients under appropriate confidentiality terms.
  • Data Processing Addenda are available to support customer compliance obligations.

17. Shared Responsibility

Security is a shared responsibility between INTO 10 and our Enterprise Clients. INTO 10 secures the Platform; customers are responsible for how they configure and use it, including:

  • Managing Authorized User accounts, roles, and removal upon separation.
  • Configuring SSO, password policies, and session settings appropriate to the organization’s risk profile.
  • Communicating to Authorized Users how INTO 10 will be used, what data is collected, and what managers may see.
  • Reviewing and approving the content uploaded to the Platform.
  • Reporting suspected security events through the channels defined below.

18. Reporting Security Issues

We welcome responsible disclosure from researchers, customers, and Authorized Users. To report a suspected vulnerability or security incident, please contact us using the details below. Please include a description of the issue, steps to reproduce, and any supporting evidence; avoid testing that could degrade the Service or expose user data.

Security Contact: CTO / Privacy Contact
INTOTEN INNOVATIONS PRIVATE LIMITED
3103, Tower 3, Godrej Meridien, Sector 106, Gurugram, Haryana – 122006, India
Email: hello@into10.com

19. Changes to this Page

We will update this page as our security program evolves. Material changes that affect contractual commitments will be communicated to Enterprise Clients in accordance with the applicable Order Form or DPA.

This page describes our general security posture. Specific commitments for your organization are governed by your Order Form, Data Processing Addendum, and any negotiated security exhibits.
