Trust · Data security

Built in, not bolted on.

Legal data is the most sensitive data your company produces — counterparty terms, deal economics, employee records, regulator correspondence. NIRNYA was engineered with that fact as the starting assumption, not a checkbox.

  • DPDP Act 2023 · India
  • UK GDPR + DPA 2018
  • EU GDPR
  • UAE Federal DP Law
  • DIFC DP Law
  • SOC 2 Type II · in progress
  • ISO/IEC 27001:2022 · in progress

Pillar 01

Encryption, end to end

Documents and matters never travel or rest in clear text. Keys are scoped per engagement, not per platform.

What this means in practice

  • TLS 1.3 for every connection — browser, API, storage
  • AES-256 at rest for documents, database rows, and message attachments
  • Per-engagement encryption keys; rotated on enterprise contracts
  • Storage buckets are private by default; access is via short-lived signed URLs (1-hour expiry)

Pillar 02

India-resident data, by default

Production data lives in Indian regions unless your engagement specifies otherwise. No silent cross-border movement.

What this means in practice

  • India region by default for SaaS engagements
  • UAE region available for DIFC / ADGM engagements
  • United Kingdom region available for UK / EU engagements
  • Cross-border transfers happen only under documented contractual safeguards (SCCs / IDTA)

Pillar 03

Compliance, taken seriously

Engineered to meet the data-protection laws in every market we serve, and the security standards enterprise procurement asks for.

What this means in practice

  • Digital Personal Data Protection Act 2023 (India)
  • UK GDPR + Data Protection Act 2018; EU GDPR
  • UAE Federal Data Protection Law (Federal Decree-Law 45/2021); DIFC DP Law
  • SOC 2 Type II — in progress, expected end of Q3
  • ISO/IEC 27001:2022 — in progress, expected end of Q4

Pillar 04

Access, scoped to need

Every database row, document, and message is access-controlled at the data layer. Defence in depth, not just at the application.

What this means in practice

  • Row-Level Security on every table — your team sees only your data
  • Role-based access: client, reviewer, admin — strictly enforced
  • NIRNYA reviewers operate under engagement-specific NDAs
  • Sub-processor list available on request; reviewed quarterly

Pillar 05

Audit trail, complete

Every access, every change, every approval is recorded. The audit log is your evidence — for your auditor, your board, your regulator.

What this means in practice

  • Every API call logged with user, matter, action, timestamp
  • Every reviewer edit captured with diff
  • Every status change captured with the person responsible
  • Logs retained for the engagement plus 12 months minimum

Pillar 06

Incident response, rehearsed

Even good security has bad days. When something goes wrong, the response is faster than the discovery.

What this means in practice

  • 24-hour customer notification SLA on any security event
  • Defined runbook covering containment, eradication, recovery, lessons
  • Regulator notification under DPDP / GDPR timelines as required
  • Post-incident report delivered within 14 days

For procurement & security teams

The full security pack is ready on day one.

For enterprise procurement: detailed architecture diagrams, our latest penetration-test summary, the DPA template, our sub-processor list, and the incident-response runbook — all available the moment your engagement partner is assigned.