1. Certifications & Compliance
Independently verified by accredited third-party auditors.
Annual independent audit of security, availability, processing integrity, confidentiality, and privacy controls
Information security management system (ISMS) certified to ISO 27001:2022, the current international standard, with annual surveillance audits
Full compliance with the EU General Data Protection Regulation (GDPR), including Standard Contractual Clauses (SCCs), a Data Processing Agreement (DPA), and an appointed Data Protection Officer (DPO)
Compliant with India's Information Technology Act 2000 and IT (Amendment) Act 2008, including the Sensitive Personal Data or Information (SPDI) Rules issued under Section 43A
2. Six Pillars of Dapplon Security
A defence-in-depth approach covering every layer of the stack.
AES-256 encryption for all data at rest. TLS 1.3 for all data in transit with forward secrecy. Encryption keys are managed via AWS KMS with mandatory rotation every 90 days. Database-level and file-level encryption are applied independently for defence in depth.
Role-based access control (RBAC) with least-privilege enforcement. Single Sign-On (SSO) via SAML 2.0 integration with identity providers including Okta, Azure AD, and Google Workspace. Multi-factor authentication (MFA) enforced for all administrative accounts. Automated session expiry and concurrent session limits apply.
AWS multi-region deployment with Mumbai (ap-south-1) as primary and Singapore (ap-southeast-1) for disaster recovery. All workloads run in isolated Virtual Private Clouds (VPCs) with private subnets. AWS WAF and Cloudflare protect all public endpoints from OWASP Top 10 threats.
Static application security testing (SAST) and dynamic application security testing (DAST) integrated into the CI/CD pipeline. Automated dependency vulnerability scanning via Dependabot and Snyk. Annual external penetration testing by CREST-accredited third-party firms.
SOC 2 Type II audit performed annually by an independent CPA firm; report available to customers under NDA. ISO 27001:2022 certification with annual surveillance and triennial recertification audits. Vulnerability Assessment and Penetration Testing (VAPT) conducted quarterly.
24/7 security monitoring via a Security Information and Event Management (SIEM) platform with automated threat detection and alerting. Dedicated on-call security rotation with defined escalation paths. P1 security incidents receive a 1-hour initial response SLA.
3. Comprehensive Security Controls
Dapplon implements multiple independent layers of security controls so that no single point of failure can expose your data. The controls below are validated annually by our external auditors.
4. Data Residency Options
Choose where your HR data is stored to meet local regulatory requirements. Data residency selection is available on Advance and Plus plans. Contact [email protected] to configure your preferred region.
| Region | Primary Data Centre | Available |
|---|---|---|
| India | AWS Mumbai (ap-south-1) | Yes |
| European Union | AWS Ireland (eu-west-1) | Yes |
| United States | AWS N. Virginia (us-east-1) | Yes |
| Singapore / APAC | AWS Singapore (ap-southeast-1) | Yes |
5. Responsible Disclosure & Bug Bounty
If you believe you have discovered a security vulnerability in Dapplon, please report it responsibly. Send a detailed description including reproduction steps, affected endpoints, and potential impact to [email protected]. We commit to acknowledging receipt within 48 hours and providing an initial assessment within 5 business days.
Dapplon operates a responsible disclosure programme. Valid reports of qualifying vulnerabilities in scope (authentication bypass, remote code execution, SQL injection, data exfiltration) are eligible for recognition and rewards. We will not pursue legal action against researchers who act in good faith and comply with our responsible disclosure guidelines.
Our security team is happy to answer detailed questions about our controls, architecture, and certifications. SOC 2 Type II reports are available to customers and prospects under NDA.