The boring questions your security team is about to ask.
Already answered. PCI DSS, HIPAA, GDPR, DPDP, SOC 2 status. NDA terms, IP transfer, data handling, engineer access, code escrow. One page so procurement doesn’t have to chase a six-email thread.
Six regimes. Each one named with the actual status.
No badge soup. No certifications we don’t hold. What follows is the honest posture per regulation — what we’ve shipped against, what’s in progress, and what’s aligned but not formally certified.
PCI DSS v4.0
Architected card-data flows for Series A and Series B FinTechs under PCI DSS scope. Standard pattern: tokenisation vault in an isolated VPC, scope reduction down to two services, audit-log immutability on every privileged action. Most recent engagement: 80% scope reduction, Type 1 sign-off in 6 weeks.
HIPAA (US)
PHI handling, encryption at rest and in transit, audit logging, minimum-necessary access, and BAA execution for healthcare engagements. We treat HIPAA as architecture input from sprint one, not paperwork at launch. FHIR-first for new EHR integrations; HL7 v2 bridges where the existing system requires it.
GDPR (EU)
Consent capture, data-residency posture, right-to-erasure pipelines, 72-hour breach notification flow, and Data Processing Agreements available for EU-data clients. Processor-controller structure documented in the standard MSA; DPIA support available for high-risk processing.
DPDP Act, 2023 (India)
DPDP compliance built into Indian-data products by default — consent-based processing, Data Fiduciary obligations, breach notification to the Data Protection Board, and cross-border transfer controls. Our Indian client engagements ship DPDP-aligned data flows from week one, not retrofitted at audit time.
SOC 2
Type 1 audit under preparation with sub-processor inventory, access reviews, and the AICPA Trust Service Criteria controls in place. The interim posture documentation (security overview, sub-processor list, access-control narrative) is shareable under NDA today for procurement teams that need evidence before Type 1 lands.
ISO/IEC 27001
Annex A control selection mapped to TantraDev's operational practices. We are not currently ISO 27001 certified — but for enterprise procurement that requires it, we can describe the control coverage in detail and the path to formal certification. Most international enterprise engagements have accepted this posture in lieu of certification.
The standard MSA is short.
No retained-rights carve-outs, no warranty exclusions that surprise you at exit, no auto-renewal traps. Four clauses that show up in every contract we sign.
Mutual NDA before the first deep-dive call.
Standard, not negotiated. Signed before architecture diagrams or any sensitive context is exchanged. Sample template on request.
100% IP transfer at project end.
All code, designs, infrastructure-as-code, and supporting documentation transferred to the client at handoff. No retained-rights carve-outs. No background-IP claims on the work we ship.
30-day exit clause on every engagement.
Either side can give 30 days' notice — for any reason or none. The handover at exit is the same handover at scheduled completion: code, IaC, runbooks, on-call playbook, KT sessions with the receiving team. The runbook works without us.
Code escrow available on request.
Standard third-party escrow with a major escrow agent (Iron Mountain, NCC Group). Triggers and release conditions written into the MSA. We have set this up twice for enterprise clients with continuity-of-service requirements.
Your data, in your accounts.
We are stewards of access, not custodians of data. Every architectural decision favours the client retaining custody — your cloud, your VPC, your repositories, your secret stores.
Region-pinned by default.
Client data stays in the region the SOW specifies — AWS regions for US, Frankfurt for EU, ap-south-1 (Mumbai) for India. Cross-region replication only where the SOW says it should happen, and never to TantraDev-administered accounts.
Engineer access is least-privilege.
Engineers receive production access on a per-engagement basis with the minimum scope needed to ship and operate. Access is reviewed at sprint boundaries and revoked at engagement end. We do not maintain standing access to client production systems.
Every privileged action is logged.
Audit-log requirements are an architecture input from week one. Production accesses, deployments, configuration changes, and any read of sensitive data emit immutable audit events that the client's own SIEM can ingest.
Encryption posture is non-negotiable.
TLS 1.3 in transit, AES-256 at rest, customer-managed keys (BYOK) on request. Secrets in HashiCorp Vault, AWS Secrets Manager, or the client's existing secrets stack — never in repositories, never in deployment configuration, never in chat.
The six signals procurement screens for.
What procurement asks. In the order they ask it.
Need the evidence pack under NDA?
Sub-processor inventory, access-control narrative, sample MSA and DPA, SOC 2 interim posture documentation. Shared under mutual NDA, signed within 24 hours.