Information Security by Design & Default

We are committed to protect Confidentiality, Integrity and availability of the data of its interested parties by adopting security measures as appropriate in its production environment.

Full commitment from the leadership and management authority

Robust data security practices for engineering & service delivery

Compliance to industry-wide standards in information security

The following sections below detail the stringent security practices that are adopted when we develop and host App Studio OpenX for our clients.


VPC & Security groups

Every customer’s application is hosted in a dedicated VPC. Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

Access Controls

Access to applications is through IAM following the principle of least privilege. Role-based access through IAM is enforced for the segregation of duties. Access to the production is restricted to a very limited set of users based on job roles. Access to the production environment for developers and Quality Assurance team members are restricted based on their job responsibilities.


Data at rest is encrypted using AES 256 bit encryption and FIPS 140-2 compliant TLS encryption for data in transit. Unique Encryption per customer is followed and encryption keys are managed via AWS Key Management Service (AWS) and are rotated on a yearly basis.


Product Roadmapping

The product road-map is defined and reviewed periodically by the Technical Product Manager. Security fixes are prioritized and are bundled in the earliest possible sprint.

Quality Assurance

All changes are tested by the Quality Assurance team and criteria are established for performing code reviews, web vulnerability assessment, and advanced security tests.

Vulnerability Assessment & Penetration testing

Vulnerability assessment and penetration testing is done by a Third-party independent vendor annually as per industry standards.

Version Control

Source Code is managed centrally with version controls and access restricted based on various teams that are assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.

DevOps Squad

Our DevOps sprints are powered by a multi-disciplinary Squad of members including the Product Owner, Squad Lead, Tribe Lead and Members, and Quality Assurance.


Highly scalable DNS

Route users to the best endpoint based on geo-proximity, latency, health, and other considerations.

Platform Load Balancing

Automatically distribute application traffic across multiple availability zones that support high availability, auto-scaling, and robust security.

Business Continuity & Disaster Recovery

Near real-time backups taken across multiple availability zones in encrypted and access controlled containers. Mirrored multiple Availability Zones are set up and serve customers in real-time thereby providing seamless DR capability.

Cloud Agnostic

High Resilient and fault-tolerant architecture with the ability to be hosted in AWS & Azure Clouds.


Information Security Steering Committee (ISSC)

The executive leadership team comprising of principals and partners sets the tone and commitment toward information security objectives.

Information Security Team

Principal Information Security Officer (PISO) is responsible for information security initiatives. The information security team reports to the ISSC and takes care of newer initiatives and projects, ensuring compliance on steady-state and delivering continuous improvements to the security posture.

Risk Management

The information security team assesses security risks annually and on an ongoing basis when major changes occur. The various feeder channels that are factored for risk management include findings from audits, incidents, changing threat landscape, and changing contractual/regulatory.

Policies & procedures

Policies and procedures in line with ISO 27001:2013 standards are defined and regularly audited. The processes are reviewed annually and any changes are communicated to all relevant employees.

Employee Vetting

All employees undergo mandatory background verification checks before being on-boarded to their teams. Empaneled third-party service providers perform background verifications covering identity, whereabouts, education history, employment history, and criminal history.

Training & awareness

Requirements for the responsible handling of data including any types of personal information are communicated to all employees as part of their induction into the organization and an annual refresher training is conducted for all employees

Audit & Compliance

All processes and controls are audited by independent audit entities either from the internal organization or from independent external bodies. Audit Plans are formulated in such a way that all departments are audited at least once in a year. The audit’s findings are reported directly to the ISSC and the Information Security team tracks and report the remediation of the audit findings until its closure.

Incident & Breach Management

Procedures are established for reporting incidents and tracking it for timely communication, investigation, and resolution.

With great trust comes great responsibility.