Security Policy

Security Architecture Principles

Pravakta's security model is built on six non-negotiable principles:

1. Zero Data Egress — no customer call data leaves the customer's infrastructure perimeter
2. Defence in Depth — security controls at network, application, data, and personnel layers
3. Least Privilege — access rights are minimised at every level
4. Encryption Everywhere — all data in transit and at rest is encrypted
5. Continuous Monitoring — automated detection of anomalies across all corporate systems
6. Verified Compliance — annual third-party audits of all security controls

Infrastructure Security

2.1 Platform Deployment

The Pravakta AI Voice Stack is deployed as containerised workloads (Kubernetes/Docker) on the customer's cloud account (AWS, Azure, GCP) or on-premise servers. Pravakta-managed infrastructure is used only for corporate systems and the company website.

2.2 Container & Image Security

• All container images are built from hardened, minimal base images (no unnecessary packages)
• Images are scanned for CVEs before every release using automated tools (Trivy, Snyk)
• Container registries used by customers are the customer's own private registries
• No Pravakta build system has access to customer container environments

2.3 Corporate Infrastructure

• Cloud production systems are deployed in ISO 27001-certified regions with encryption at rest and in transit
• Backups are encrypted, versioned, and tested quarterly for restoration integrity
• System hardening follows CIS Benchmarks applicable to each operating system

Data Security

3.1 Encryption

• All Pravakta corporate data in transit: TLS 1.3 minimum (TLS 1.2 deprecated)
• WebRTC voice channels: DTLS-SRTP end-to-end encryption
• All Pravakta corporate data at rest: AES-256 encryption
• Customer platform data (on customer infra): governed by customer's encryption policies — Pravakta recommends AES-256 at rest and TLS 1.3 in transit

3.2 Key Management

Pravakta's corporate encryption keys are managed in cloud-native KMS services (AWS KMS / Azure Key Vault). For customer deployments, all keys are generated within and managed by the customer's own KMS — Pravakta holds no copy of any customer encryption key.

3.3 Data Classification

Pravakta classifies all data it handles into four tiers: Public (marketing content), Internal (company operations), Confidential (employee data, financial records), and Restricted (cryptographic keys, security reports). Access controls are applied per classification tier.

Access Control

4.1 Principle of Least Privilege

All Pravakta employees and contractors are granted the minimum level of access necessary for their role. Access is reviewed quarterly and revoked within 24 hours of role change or departure.

4.2 Authentication Requirements

• All corporate systems: mandatory Multi-Factor Authentication (MFA)
• Remote access: VPN with certificate-based authentication and MFA
• SSO provider: SAML 2.0 with strong password policy (minimum 12 characters, complexity enforced)
• Privileged access (admin): hardware security keys (FIDO2/WebAuthn)

4.3 Customer Infrastructure Access

Pravakta engineers access customer infrastructure only for deployment activities and authorised support, subject to:

• Written authorisation from the customer's designated administrator
• Just-in-time access provisioned for the specific engagement duration
• Full audit logging of all commands executed
• Access revocation immediately upon task completion

Network Security

5.1 Corporate Network

• Zero-trust network architecture — no implicit trust based on network location
• All inter-service communication authenticated and encrypted
• Ingress traffic inspected by Web Application Firewall (WAF)
• DDoS protection at network perimeter
• Network segmentation between production, staging, and corporate systems

5.2 Customer Platform Network

Pravakta's platform components communicate within the customer's VPC/virtual network. Recommended network controls include:

• Network Security Groups / Firewall rules limiting ingress to authorised sources
• No inbound internet access to AI inference nodes (ASR, LLM, TTS)
• Outbound internet access blocked except for approved update endpoints

Vulnerability Management

6.1 Scanning

• Automated SAST (Static Application Security Testing) on every code commit
• Container image scanning on every build (CVE database updated daily)
• DAST (Dynamic Application Security Testing) against staging environments bi-weekly
• Dependency scanning with automatic alerts for known vulnerabilities

6.2 Patch Policy

• Critical CVEs (CVSS 9.0+): Emergency patch within 72 hours
• High CVEs (CVSS 7.0–8.9): Patch within 14 days
• Medium CVEs (CVSS 4.0–6.9): Patch within 30 days
• Low CVEs: Next scheduled release cycle

6.3 Penetration Testing

Pravakta commissions an independent third-party penetration test of its platform and corporate systems at least annually. Results are reviewed by the security team and remediated per the patch policy. Executive summaries are available to customers under NDA.

Incident Response

7.1 Response Process

1. Detection — automated monitoring alerts and employee reports
2. Classification — severity assessed (Critical / High / Medium / Low)
3. Containment — immediate isolation of affected systems
4. Investigation — root cause analysis
5. Remediation — fix applied and verified
6. Post-Incident Review — lessons learned documented and controls updated

7.2 Customer Notification

Pravakta will notify affected customers of security incidents that may affect their use of the Platform or Pravakta's corporate data within:

• 72 hours of confirmed Critical incidents
• 5 business days of confirmed High incidents

Notifications will include: nature of the incident, data potentially affected, steps taken, and recommended customer actions.

Vendor & Supply Chain Security

Pravakta evaluates all third-party vendors and service providers for security posture before onboarding. Requirements include:

• Completion of a Pravakta security questionnaire
• Review of recent audit reports (SOC 2, ISO 27001, or equivalent)
• Execution of a Data Processing Agreement where personal data is involved
• Annual re-assessment of critical vendors

All vendor integrations are scoped to the minimum data and access necessary. Vendor contracts include security incident notification requirements and the right to audit.

Audits & Certifications

Pravakta maintains the following certifications, independently audited annually:

Enterprise customers on Scale and Sovereign tiers may request a copy of the latest SOC 2 Type II report by contacting security@pravakta.ai.

Responsible Disclosure

Pravakta operates a responsible vulnerability disclosure programme. Security researchers who discover vulnerabilities in Pravakta systems or the Platform are encouraged to report them to security@pravakta.ai.

Pravakta commits to:

• Acknowledging receipt within 48 hours
• Providing a preliminary assessment within 5 business days
• Keeping the reporter informed of progress
• Crediting the reporter (with consent) upon resolution
• Not pursuing legal action against good-faith researchers who follow this policy

Pravakta requests that researchers: refrain from accessing or modifying customer data; avoid denial-of-service attacks; and not disclose findings publicly until Pravakta has had a reasonable opportunity to investigate and remediate.

Policy Updates

This Security Policy is reviewed and updated at least annually by Pravakta's security team and approved by the Chief Information Security Officer. Material changes will be communicated to enterprise customers via the registered contact on their account with at least 30 days' notice.

For security questions, auditor requests, or to report a security concern, contact: security@pravakta.ai