Sarvam Trust Center

Complete data residency in India. ISO 27001 and SOC 2 Type II certified. This is our Trust Center, covering how we approach data security and compliance, the certifications we hold, the controls we operate, and direct answers to the questions we hear most from security teams.

How we think about security

Four commitments that shape how we build, ship, and operate. They show up in our architecture, our policies, and how our team works day to day.

01 / Posture

Secure by default.

Every design decision starts from the conservative position. Least-privilege access, encryption at rest and in transit, tenant isolation, and ephemeral storage are defaults, not toggles you have to opt into.

02 / Track record

Built for high-stakes environments.

Multiple deployment models for different security needs: managed SaaS, single-tenant on-premises, or fully air-gapped with zero external network dependency. We've run all three in production for banks, government, and critical public infrastructure.

03 / Data stewardship

Your data stays yours.

Customer Managed Keys for Enterprise ensure that even we cannot see your data at rest. We don't share data across tenants. We don't move it across borders unless you ask us to. Custom models trained on a customer's data remain inside the customer's environment, with weights they own and we never reuse.

04 / Transparency

Honest about where we are.

We're ISO 27001:2022 certified and hold SOC 2 Type II. ISO 42001 is in progress, and we'll publish it when it's done. We won't claim a control we don't run.

Compliance

Independent audits are how we hold ourselves accountable. The frameworks below cover information security, AI management, financial regulation, and India's data protection law.

ISO 27001:2022

Information Security Management System. Audited annually by an accredited third party.

Certified

SOC 2 Type I

Trust Services Criteria covering Security, Availability, and Confidentiality.

Report available

SOC 2 Type II

Operating effectiveness of controls across an audit window. Certified.

Certified

ISO 42001

AI Management System. Scoped and underway as part of our security roadmap.

In progress

India DPDP Act

Digital Personal Data Protection Act, 2023. Our processes are built around consent, purpose limitation, and data principal rights.

In progress

RBI FREE-AI

The Reserve Bank of India's Framework for Responsible and Ethical AI in the BFSI sector.

Aligned

MeitY Guidelines

Ministry of Electronics and IT cloud and AI security guidelines, applied across our UIDAI, NPCI, and IndiaAI deployments.

Aligned

CERT-In

Indian Computer Emergency Response Team directives for incident logging, retention, and reporting.

In touch

Resources

The documentation behind our practices. Most reports are released under a mutual NDA. Our security team responds within two business days.

Privacy Policy

How we collect, process, and retain data across our products and APIs.

Controls

A summary view of the technical and organisational controls we operate every day, across security, privacy, and AI safety.

Continuously monitored

Access Security

  • SSO and MFA enforced for all production access
  • Role-based access control with least-privilege defaults
  • Unique user IDs and password hashing with salt
  • Idle session timeout and a documented joiner, mover, leaver workflow
  • Quarterly user access reviews

Network Security

  • Azure Firewall Manager (Premium) with IDPS
  • WAF, IP allowlisting, and port restrictions
  • mTLS at integration boundaries; OAuth 2.0 and JWT
  • VNet segmentation between environments

Data Protection

  • AES-256 at rest, TLS 1.2 or higher in transit
  • CMEK and BYOK with configurable rotation
  • India-only residency for Indian deployments
  • Configurable retention with certified deletion at termination
  • PII masking, pseudonymisation, and redaction

Incident Response

  • Documented Incident Management Policy within the ISMS
  • Detection via Azure Monitor and Grafana dashboards
  • Customer notification within two hours of discovery
  • L1, L2, L3 triage with a mandatory lessons-learned retro

Change Management

  • Documented change policy with required PR review
  • Segregated development, staging, and production environments
  • Zero-downtime deploys; phased rollouts behind feature flags
  • Production data is never used in non-production environments

Vulnerability Management

  • Continuous code scanning in private repositories
  • Annual third-party penetration testing
  • Secure SDLC with security gates prior to production
  • High and critical findings closed before promotion

Availability and Recovery

  • 99.9% uptime SLA on enterprise contracts
  • Daily encrypted backups with real-time replication for critical data
  • Multi-AZ and multi-DC redundancy and failover
  • BCP and DR plan tested against agreed RPO and RTO targets

People and Organisation

  • Background verification through SpringVerify for every hire
  • NDAs and confidentiality agreements at onboarding
  • Security and privacy training at hire, with annual refreshers
  • Dedicated InfoSec function with executive sponsorship

AI and Model Security

  • Inference-time guardrails against prompt injection
  • Input and output sanitisation with sensitive-content filtering
  • Versioned models, prompts, and evaluations with audit trail
  • Customer data is never used to train models for other customers
