Security & Compliance
Built with security at every layer
At Selfeey, security and compliance are not afterthoughts — they are foundational to how we design, build, and operate our products. Whether you are managing customer relationships, patient health records, hotel guests, or recruitment pipelines, you are handling sensitive data that deserves rigorous protection. Our compliance program is built around that responsibility.
This page provides a transparent view of the controls we have implemented, the frameworks we are working toward, and our ongoing commitments to the organizations and individuals who rely on Selfeey every day.
Our Products
Selfeey's compliance framework spans four core products, each serving distinct industries with their own regulatory landscapes:
- CRM — Customer Relationship Management platform for sales and service teams managing customer data and interactions at scale.
- HMIS — Health Management Information System designed for healthcare providers, handling protected health information (PHI) with strict privacy and security requirements.
- Hotel CRM — Hospitality-focused customer management for hotels and property groups, managing guest profiles, preferences, and booking histories.
- RPS — Recruiter Productivity System built for staffing and talent acquisition teams, handling candidate data and communications.
Our Compliance Roadmap
Selfeey is on a deliberate, focused path to full compliance across every regulatory framework that governs the industries we serve. This is not a background effort — it is a company-wide priority with dedicated engineering and security resources, a structured roadmap, and executive accountability at every stage.
We have already laid a strong technical foundation: AES-256 encryption, RBAC, MFA, Secure API Integration, Keycloak-powered SSO, Consent Manager Integration, encrypted backups, and a 6-year log retention policy are all live across our products. These are not incremental steps — they represent the core of what regulators and customers expect from a trusted software platform.
What lies ahead is equally intentional. Logging and monitoring rollout, SOC 1 and SOC 2 audit engagements, full HIPAA certification, and DPDP Act compliance are all on an active timeline with defined milestones. We are not waiting for compliance to become urgent — we are building it in, systematically and without compromise, because we believe the organizations and individuals who use Selfeey deserve nothing less.
Our commitment is simple: we will not stop until every control is in place, every framework is satisfied, and every product meets the highest standard of data protection we can deliver.
Regulatory Frameworks
🏥 HIPAA Compliance — In Progress
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient health information in the United States. HIPAA compliance is a priority for Selfeey, particularly for our HMIS product, which is purpose-built for healthcare environments where the confidentiality, integrity, and availability of protected health information (PHI) are non-negotiable.
HIPAA compliance is organized across three core safeguard categories, and Selfeey has made significant progress across all three:
- Technical Safeguards — Already implemented controls include AES-256 encryption at rest, Secure API Integration with enforced TLS in transit, Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and a 6-year audit log retention policy. These directly satisfy HIPAA's requirements for access control, audit controls, transmission security, and integrity controls.
- Administrative Safeguards — We are actively formalizing risk assessment documentation, workforce training programs, and Business Associate Agreement (BAA) processes as part of our path to full HIPAA certification. This work is on an active timeline, and we are committed to reaching full HIPAA compliance without delay.
🛡️ SOC 1 & SOC 2 Compliance — In Progress
Service Organization Control (SOC) reports are independent, third-party audits that validate how an organization manages and protects the data entrusted to it. Selfeey is actively pursuing both SOC 1 and SOC 2 certification, and this effort is among our highest compliance priorities.
SOC 1 evaluates the internal controls relevant to financial reporting. For Selfeey's CRM and RPS products especially — where data integrity directly impacts business decisions and financial workflows — this certification demonstrates that our systems operate reliably and accurately.
SOC 2 evaluates controls across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our existing implementation of AES-256 encryption, RBAC, MFA, encrypted backups, logging, and consent management directly maps to these criteria and forms the technical backbone of our SOC 2 readiness.
A formal audit engagement is currently underway. We expect to complete the SOC 2 Type I audit first and will then progress to Type II — which evaluates controls over an extended observation period. We are moving through this process at pace and with full organizational commitment. Results will be made available to customers and partners under NDA upon request.
🇮🇳 DPDP Act Compliance — In Progress
The Digital Personal Data Protection (DPDP) Act, 2023 is India's landmark data protection legislation governing how organizations collect, process, store, and manage the personal data of Indian citizens. As an Indian-origin platform serving customers primarily operating within India, compliance with the DPDP Act is a core regulatory obligation for Selfeey across all four products — not merely a checkbox, but a reflection of our values around data dignity and individual rights.
The DPDP Act is built around the concept of Data Principals (the individuals whose data is collected) and Data Fiduciaries (organizations like Selfeey that determine the purpose and means of processing). As a Data Fiduciary, Selfeey is fully committed to upholding every protection the Act affords to individuals whose data flows through our systems — and we are on track to meet all obligations as the Act's rules are finalized by MeitY.
Key obligations we are actively addressing:
- Consent-Based Processing — Personal data may only be processed for a lawful purpose with free, informed, specific, and unambiguous consent from the Data Principal. Our Consent Manager Integration directly supports this requirement, capturing and maintaining verifiable, timestamped consent records across all products. Consent can be granted, modified, or withdrawn at any time, and those changes are reflected across the system immediately.
- Purpose Limitation — Data collected for a specific purpose cannot be used for any other purpose without fresh consent. Selfeey's data architecture and access controls are being reviewed and tightened to enforce strict purpose boundaries across CRM, HMIS, Hotel CRM, and RPS, ensuring that data collected in one context is never repurposed without authorization.
- Data Principal Rights — The DPDP Act grants individuals the right to access their data, correct inaccuracies, and request erasure. We are implementing dedicated workflows across all products to allow our customers — acting as Data Fiduciaries on behalf of their own users — to honor these requests in a timely, auditable, and legally compliant manner.
- Data Minimisation — Selfeey collects only the personal data that is genuinely necessary for the stated purpose of each product. Our product teams conduct ongoing reviews to ensure no surplus data is collected, retained beyond its useful purpose, or stored in unnecessary locations.
- Breach Notification — The DPDP Act mandates prompt notification to the Data Protection Board of India and affected Data Principals in the event of a personal data breach. Selfeey's in-progress logging and monitoring infrastructure will serve as the detection backbone of our breach notification process, with formal response, escalation, and communication procedures currently being defined and tested.
- Data Localisation — We are closely monitoring the Government of India's evolving guidance on cross-border data transfers and localisation requirements as the rules under the DPDP Act are finalized by MeitY. Our infrastructure roadmap will align accordingly as binding rules are published, and we are prepared to move quickly.
Compliance Controls
🔒 AES-256 Encryption at Rest — Implemented
All data stored across Selfeey's infrastructure is encrypted using AES-256 — the same encryption standard used by governments, financial institutions, and leading technology companies worldwide. This applies universally across all products and covers every layer of data storage: primary databases, object and file storage, and backup archives.
Encryption keys are managed through a dedicated key management system with strict access controls and regular rotation policies. This means that even in the unlikely event of unauthorized physical or network access to storage infrastructure, the underlying data remains completely unreadable without the proper decryption keys. This control directly supports HIPAA's technical safeguard requirements, SOC 2's confidentiality criteria, and DPDP's obligation to implement appropriate security safeguards for personal data.
🔗 Secure API Integration — Implemented
Modern software ecosystems depend on integrations, and every integration is a potential attack surface. Selfeey's API security framework ensures that all data exchanged between our products and third-party systems is protected at every step of the journey.
All API communication is enforced over HTTPS with TLS 1.2 or higher, preventing interception or tampering in transit. Every API connection requires token-based authentication using short-lived, scoped tokens — meaning no integration has broader access than it explicitly needs. Incoming data is subject to strict validation and sanitization to prevent injection attacks. All API activity is logged and tied to specific integration identities, creating a complete audit trail of every data exchange.
This implementation directly satisfies HIPAA's Technical Safeguard requirements for transmission security and integrity controls. It also supports DPDP's requirement to protect personal data against unauthorized processing during transfer, and is aligned with OWASP API Security best practices.
👤 Role-Based Access Control (RBAC) & Multi-Factor Authentication (MFA) — Implemented
The principle of least privilege is central to Selfeey's access control philosophy. Every user account is assigned a role that defines exactly what data they can see and what actions they can perform. A recruiter in RPS cannot access patient records in HMIS. A hotel front desk agent cannot modify financial configurations in Hotel CRM. Access boundaries are enforced at the application layer and audited continuously.
Multi-Factor Authentication adds a critical second layer of protection. Even if a user's password is exposed through phishing or credential stuffing, MFA ensures that a second factor — such as a one-time code from an authenticator app — is required before access is granted. MFA is mandatory across all Selfeey products and cannot be disabled by end users.
Together, RBAC and MFA directly support HIPAA's access control requirements, SOC 2's security criteria, and DPDP's obligation on Data Fiduciaries to implement appropriate technical measures to prevent unauthorized access to personal data.
📊 Logging & Monitoring — In Progress
Visibility is the foundation of security. You cannot respond to what you cannot see. Selfeey is actively rolling out a centralized logging and real-time monitoring infrastructure across all four products, and this is one of our most actively resourced in-progress initiatives. When complete, this system will capture a comprehensive stream of security-relevant events: user logins and logouts, data access and modifications, permission changes, API calls, system errors, and administrative actions.
Logs will be shipped to a tamper-resistant, centralized platform with real-time alerting for anomalous activity — including unusual login patterns, bulk data exports, or access from unexpected geographies. Automated alerts will be triaged by our security team with defined response playbooks.
This capability is a core component of our SOC 2 readiness, supports HIPAA's audit control requirements, and will serve as the detection infrastructure underpinning our DPDP breach notification obligations. We are moving through this rollout at pace and this page will be updated as each product reaches full monitoring coverage.
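As an added illustration of the three alert classes named above (unusual login patterns, bulk data exports, access from unexpected geographies), the following Python runs simple detectors over constructed sample events. This is example code, not Selfeey's own monitoring pipeline; the JSON event format, thresholds and per-user baseline countries are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in JSON Lines form (not real Selfeey logs).
SAMPLE_LOGS = """
{"ts": "2025-03-01T09:00:05Z", "user": "asha", "event": "login_failed", "country": "IN", "product": "CRM"}
{"ts": "2025-03-01T09:00:20Z", "user": "asha", "event": "login_failed", "country": "IN", "product": "CRM"}
{"ts": "2025-03-01T09:00:41Z", "user": "asha", "event": "login_failed", "country": "IN", "product": "CRM"}
{"ts": "2025-03-01T09:00:55Z", "user": "asha", "event": "login_failed", "country": "IN", "product": "CRM"}
{"ts": "2025-03-01T09:01:02Z", "user": "asha", "event": "login_failed", "country": "IN", "product": "CRM"}
{"ts": "2025-03-01T09:01:30Z", "user": "asha", "event": "login_ok", "country": "IN", "product": "CRM"}
{"ts": "2025-03-01T10:15:00Z", "user": "ravi", "event": "login_ok", "country": "BR", "product": "HMIS"}
{"ts": "2025-03-01T10:16:10Z", "user": "ravi", "event": "export", "country": "BR", "product": "HMIS", "rows": 25000}
{"ts": "2025-03-01T11:00:00Z", "user": "meera", "event": "export", "country": "IN", "product": "RPS", "rows": 120}
"""

# Assumed per-user baseline: countries each user normally works from.
BASELINE_COUNTRIES = {"asha": {"IN"}, "ravi": {"IN"}, "meera": {"IN"}}

FAILED_LOGIN_THRESHOLD = 5             # failures within the window that trigger an alert
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BULK_EXPORT_ROWS = 10_000              # exports at or above this size are flagged


def parse_events(text):
    """Parse JSON Lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline):
    """Return (alert_type, user, detail) tuples for the three alert classes."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    flagged_geo = set()            # (user, country) pairs already reported
    for e in events:
        user, kind, country = e["user"], e["event"], e["country"]
        if kind == "login_failed":
            # keep only failures inside the sliding window, then test the count
            recent = [t for t in failures[user] + [e["ts"]] if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("unusual_login_pattern", user, f"{len(recent)} failed logins within {FAILED_LOGIN_WINDOW}"))
                recent = []        # one burst yields one alert
            failures[user] = recent
        elif country not in baseline.get(user, set()) and (user, country) not in flagged_geo:
            flagged_geo.add((user, country))
            alerts.append(("unexpected_geography", user, f"{kind} from {country}"))
        if kind == "export" and e.get("rows", 0) >= BULK_EXPORT_ROWS:
            alerts.append(("bulk_export", user, f"{e['rows']} rows from {e['product']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS), BASELINE_COUNTRIES):
        print(alert)
```

Thresholds like these are a starting point; in practice the window and export size should be tuned per product and per role so that a legitimate bulk report does not page the on-call team.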
🗄️ 6-Year Log Retention — Implemented
Audit logs across all Selfeey products are retained for a minimum of six years. This retention period is deliberately aligned with the most stringent requirements across the regulatory landscapes our products operate in — including HIPAA's requirement to retain documentation related to policies, procedures, and PHI-related activity, and the anticipated record-keeping expectations under the DPDP Act and its forthcoming rules.
Retained logs are stored in encrypted, access-controlled archives and are available for retrieval in the event of a compliance audit, internal investigation, legal hold, or regulatory inquiry. Log integrity is protected to ensure that historical records cannot be altered or deleted once written.
💾 Encrypted Backups — Implemented
Regular backups are critical for business continuity, but backups that are not secured represent a significant risk. Selfeey's backup infrastructure applies the same AES-256 encryption standard to backup data as to live production data. Backups are stored in geographically separate locations to protect against regional failures, and access to backup archives is restricted to authorized personnel through role-based controls.
Backup restoration processes are tested on a regular schedule to ensure that recovery time objectives can be met and that backup integrity is maintained over time. This ensures that in the event of data loss, corruption, or a ransomware incident, customer data can be recovered quickly and completely — supporting business continuity obligations under SOC 2 and the data protection requirements of both HIPAA and the DPDP Act.
✅ Consent Manager Integration — Implemented
Meaningful consent is the cornerstone of both modern data privacy law and ethical data practice. Selfeey's products are integrated with a consent management platform that captures, stores, and enforces consent preferences at the point of data collection — across every product and every user type.
This integration is directly aligned with two of our most important regulatory obligations. Under the DPDP Act, 2023, personal data of Indian citizens may only be processed with free, informed, specific, and unambiguous consent — and that consent must be verifiable, withdrawable, and purpose-specific. Our consent manager creates a timestamped, auditable record of every consent interaction, ensuring that Selfeey customers can demonstrate compliance as Data Fiduciaries under the Act. Under HIPAA, patient authorization requirements for the use and disclosure of protected health information are similarly addressed through documented consent workflows within our HMIS product.
Beyond regulatory compliance, this integration reflects a deeper principle: the individuals whose data enters Selfeey-powered systems — whether customers, patients, hotel guests, or job candidates — deserve to know how their data is used and to have genuine control over it.
Identity & Single Sign-On
🔑 Keycloak-Powered OAuth 2.0 / OIDC — Implemented
Managing identity securely across multiple products and user bases is one of the most complex challenges in enterprise software. Selfeey addresses this with Keycloak — a battle-tested, open-source identity and access management platform trusted by organizations worldwide — as the backbone of our authentication infrastructure.
Keycloak implements the OAuth 2.0 authorization framework and OpenID Connect (OIDC) identity layer, enabling secure, standards-based Single Sign-On across all four Selfeey products. This means users authenticate once and move seamlessly between CRM, HMIS, Hotel CRM, and RPS without re-entering credentials — while every session remains fully audited and centrally governed.
What this means for your organization:
- Single Sign-On (SSO) — One secure, centralized login experience across all Selfeey products, reducing password fatigue and the security risks that come with it.
- Federated Identity — Selfeey can connect directly to your existing identity providers, including Microsoft Active Directory, LDAP directories, Google Workspace, or SAML-based enterprise IdPs — so your team logs in with the credentials they already know.
- Token-Based Authentication — Access is governed by short-lived, cryptographically signed tokens with narrow scopes, minimizing the risk of token misuse or replay attacks.
- Centralized Session Management — Administrators can view all active sessions across all products and revoke access instantly — critical for offboarding employees or responding to a security incident.
- Fine-Grained Authorization — Keycloak works in tandem with Selfeey's RBAC system to ensure that SSO convenience does not come at the expense of access control precision.
From a regulatory perspective, Keycloak's centralized identity architecture supports HIPAA's access control and audit requirements, SOC 2's security and availability criteria, and DPDP's requirement that Data Fiduciaries implement appropriate technical measures to ensure that only authorized individuals can access personal data.
Our Commitment
Security and compliance are not destinations — they are ongoing disciplines that demand focus, resources, and organizational will. At Selfeey, we bring all three.
We are fully committed to achieving complete compliance across HIPAA, SOC 1, SOC 2, and the DPDP Act — and we are moving at pace. Dedicated engineering and security resources are assigned to compliance work full-time. Our roadmap has defined milestones, owners, and timelines. Progress is reviewed at the leadership level regularly, and compliance gaps are treated with the same urgency as product-critical issues.
The regulatory landscape is evolving rapidly — particularly in India as MeitY finalizes the DPDP Act's rules, and globally as data protection expectations continue to rise. We are not building compliance to a fixed moment in time. We are building a compliance function that grows, adapts, and stays ahead — so that our customers never have to worry about whether Selfeey is keeping up.
We believe that trust is earned through transparency and demonstrated action. That is why we publish this page openly — not to make claims, but to show our work and hold ourselves accountable. Every control listed here is either fully operational or on an active, committed timeline.
If you are a customer, prospective partner, enterprise evaluating Selfeey, or an individual with questions about how your personal data is handled, we welcome your questions. We are happy to provide additional documentation, complete security questionnaires, execute Business Associate Agreements for HIPAA-covered entities, or arrange a dedicated compliance review with our team.
Contact Us
This page reflects the current compliance posture of Selfeey's products as of 2025. It is reviewed and updated regularly as milestones are reached. For enterprise compliance documentation, to request SOC audit reports, to discuss HIPAA Business Associate Agreements, or for any DPDP-related inquiries including Data Principal rights requests, please contact our security team.
Email: security@selfeey.com