How Dheemai protects your data, what we comply with, and who we work with to deliver our AI image detection platform.
Trust is fundamental to what we do. Dheemai handles documents, images, and identity data that customers rely on us to keep safe. This page consolidates how we run our security programme, the standards we align to, the subprocessors we depend on, and how to report a vulnerability if you find one.
Encryption at rest and in transit, least-privilege access, segmented environments.
Aligned with GDPR and global enterprise security baselines.
Production data hosted in Indian regions by default. Air-gapped option for sensitive workloads.
Public list of subprocessors and a clear path to report security issues.
How we keep customer data safe across our infrastructure, applications, and people.
| Surface | What we do |
|---|---|
| Data in transit | FILL IN — e.g. TLS 1.3 across all public endpoints, HSTS enforced, modern cipher suites only. |
| Data at rest | FILL IN — e.g. AES-256 for databases and object storage, AWS KMS / GCP KMS for key management. |
| Secrets management | FILL IN — e.g. AWS Secrets Manager / HashiCorp Vault, rotated every N days. |
| Authentication | FILL IN — SSO via Google Workspace, MFA enforced site-wide. |
| Authorisation | FILL IN — RBAC for production access; least-privilege IAM policies. |
| Production access | FILL IN — gated through Bastion / break-glass workflow with audit logging. |
| Employee offboarding | FILL IN — automated revocation within N hours of HR trigger. |
| Code review | FILL IN — every PR requires N approvers; security-sensitive PRs require security team review. |
| Static analysis | FILL IN — GitHub Advanced Security / Snyk / Semgrep on every PR. |
| Dependency scanning | FILL IN — Dependabot / Renovate; critical vulnerabilities patched within N days. |
| Penetration testing | FILL IN — independent third-party pentest cadence; latest report on request under NDA. |
| Logging & monitoring | FILL IN — centralised logs in N tool; alerts routed to on-call. |
| Backups | FILL IN — frequency, retention, restore tested cadence. |
| RTO / RPO | FILL IN — recovery time / recovery point objectives. |
| Incident response | FILL IN — runbook, on-call rotation, post-mortem policy. |
Where we stand against globally recognised security and privacy standards. Status accurate as of the date at the top of this page.
| Standard | Status | Notes |
|---|---|---|
| GDPR (EU) | FILL IN | FILL IN — current alignment with EU General Data Protection Regulation. Note any SCC arrangements for EU customer data. |
| SOC 2 Type II | FILL IN | FILL IN — e.g. "Type I targeted Q3 2026, Type II Q1 2027" or current report availability under NDA. |
| ISO/IEC 27001 | FILL IN | FILL IN — ISMS scope and certification timeline. |
| HIPAA (US health data) | FILL IN | FILL IN — if applicable to insurance/health workflows. |
| RBI / SEBI / IRDAI (India financial KYC) | Compatible | FILL IN — confirm specific RBI / SEBI / IRDAI guidelines our KYC stack supports. |
Auditor reports available under NDA. Email trust@dheemai.com from your work address to request the latest report.
We use the following subprocessors to operate our services. Production customer data is hosted in FILL IN PRIMARY REGION by default; customers on regulated workloads can request a region-locked deployment.
| Subprocessor | Purpose | Region | Data category |
|---|---|---|---|
| Amazon Web Services | Compute, storage, networking | FILL IN — e.g. ap-south-1 (Mumbai) | FILL IN — uploaded images, metadata, logs |
| Google Cloud Platform | Compute (Cloud Run), Vertex AI | FILL IN — e.g. asia-south1 | FILL IN |
| Netlify | Marketing site hosting | Global CDN | None (static marketing pages only) |
| Google (AI Studio / Gemini) | Vision LLM inference | FILL IN | FILL IN — image content sent for analysis |
| OpenRouter | Backup VLM inference (Qwen) | FILL IN | FILL IN — image content sent for analysis |
| Google Analytics | Website analytics | Global | Anonymised page-view telemetry |
| FILL IN | FILL IN (e.g. email, payments, CRM) | FILL IN | FILL IN |
We notify customers of material changes to this list at least FILL IN — e.g. 30 days before they take effect. Subscribe to updates by emailing trust@dheemai.com.
If you believe you've found a security vulnerability in any Dheemai product or website, please report it to us. We commit to acknowledging reports within FILL IN — e.g. 2 business days and to keeping you informed throughout triage.
We will not pursue or support legal action against researchers who:
FILL IN — typically: physical attacks, social engineering of staff, denial-of-service, automated scanning that produces excessive traffic, vulnerabilities in third-party services we don't control.
Real-time availability and incident history: FILL IN — link to status.dheemai.com or your status page provider (Statuspage, Better Stack, Instatus, etc.). Subscribe on the status page to be notified of incidents and scheduled maintenance.
Different inboxes for different concerns. We respond from these addresses, so please verify the sender domain on any incoming mail.