Trust Center · Information Security

Security You Can Trust.

Enterprise-grade protection for your e-invoicing data — independently audited, regionally sovereign, enterprise-ready.

View certifications
ISO 27001
ISO 27001:2022
Information Security
SOC 2
SOC 2 Type II
Operational Trust Center
GDPR
GDPR Ready
Data Protection
SSL
SSL Secured
Encrypted in Transit

Trusted by 5,000+ enterprises across 50+ countries

IntelVolvoToyotaApollo TyresStandard CharteredMarriottNestleL'OrealSaint GobainCoca ColaIKEAHondaAdidasReckittPumaCustomerCustomerCustomerCustomerCustomerCustomerCustomerCustomerCustomer
01 — Certifications

Independently audited. Not self-declared.

Every certification is verified by an external auditing body after evidence review. These are the standards your procurement and legal teams will ask for — already in place.

Information Security Systems

ISO 27001:2022

The current international standard for information security management. Independent auditors verify that controls across people, processes, and technology are actually working — not just documented.

Operational Trust Center

SOC 2 Type II

Tests how well security, availability, and confidentiality controls operate over time — not just on paper.

Data Protection Regulation

GDPR

EU data protection law setting strict rules on how personal data is collected, processed, stored, and shared.

Regulatory approvals:
UAE — FTAKSA — ZATCAFrance — PAIndia — IRP
02 — Data Residency

Your data stays in your country.

No cross-border e-invoicing data transfer under normal operations. Each region runs on dedicated, sovereign infrastructure.

SCCs
Data transfer mechanism aligned with GDPR Standard Contractual Clauses
Data Mandate
Your data never leaves the country it's regulated in
1B+
Invoices processed across sovereign regions
Saudi Arabia
KSA
OCI — Saudi Arabia West (Jeddah)
Sovereign
UAE
UAE
OCI — UAE (East)
Sovereign
France
France
S3NS France (Sovereign Cloud)
Sovereign
Malaysia
EU / MY
AWS — Paris / Singapore
In-Region
03 — Disaster Recovery

Built to keep your business running.

Multi-cloud redundancy across AWS, Oracle Cloud, Azure and Google Cloud. Failover tested. Recovery measured.

99.9%
Uptime SLA
Always-on infrastructure
Monitored 24/7 across all layers
Redundant cloud architecture
  • Multi-AZ deployment with automatic failover across isolated availability zones
  • Versioned backups supporting point-in-time restoration
  • Disaster recovery procedures tested periodically to validate restoration readiness
  • Continuous monitoring and alerting for infrastructure and service health
Same-region DR
< 1 hr RTO
RPO < 15 min · OCI UAE → AWS UAE
Cross-region DR
< 4 hrs RTO
RPO < 15 min · OCI UAE → AWS EU
Cloud providers in active rotation
awsOracle CloudAzureGoogle Cloud
04 — Data Security

Every byte encrypted.

Encryption at rest, in transit, and per tenant. Customer-provided data processed only for invoicing and statutory compliance.

Every byte encrypted, every tenant isolated.

AES-256 at rest
TLS 1.2+ in transit
Logical tenant segregation

What data do we process?

B2B
Buyer/seller legal entity details, VAT IDs, billing/shipping addresses, invoice values, tax breakdowns, transaction metadata, compliance identifiers.
B2B2C
Limited customer-provided end-customer data embedded within invoice payloads where required for invoicing or statutory compliance.Such as names, contact details, delivery addresses, or consumer tax identifiers.
Consumer PII, if present, is processed solely for invoicing and regulatory compliance purposes under applicable data protection laws and DPA controls.
05 — Access, Identity & API Security

No standing access. Every request verified.

Zero implicit trust. Identity is verified at every layer, and every action is logged for audit.

MFA + SSO
SAML/OIDC-based enterprise SSO. Multi-factor authentication enforced for privileged access.
RBAC
Role-based access control with least privilege. Permissions scoped to function, not seniority.
Audit Logs
Every activity monitored, logged and traceable. Tamper-evident audit trail.
Session Timeout
Inactivity triggers timeout — authorization stays restricted to the active user only.
API Security
OAuth 2.0Customer-defined token expiryRate limitingWAF on all endpointsAPI security testing
06 — Infrastructure & Cloud Security

Defense in depth. No single point of failure.

Six layers of independent controls. Each one designed to stop an attack the layer before it might miss.

L1
Edge Protection

WAF & Anti-DDoS

WAF · Anti-DDoS

Filters malicious traffic before reaching the VPC. DDoS mitigation at scale.

L2
Intrusion Detection

Cloud Posture & Data Posture

SentinelOne CSPM + DSPM

Continuous threat intelligence. Real-time anomaly detection across all resources.

L3
Endpoint Security

EDR on every workload

SentinelOne + EDR

AI-powered detection on all endpoints and containers. Cloud-native.

L4
Network Segmentation

Private VPC isolation

VPC + Security Groups

Private subnets, no public IPs. Traffic isolated between customer workloads.

L5
Alerting & Response

24/7 IR Team

Incident Response Team

Sev-1 triggers immediate on-call response. Fine-tuned audit logs.

L6
Secure SDLC

Shift-left at CI/CD

SAST + DAST + OSS

Vulnerabilities blocked at CI/CD before code reaches production.

07 — Vulnerability & Threat Management

Testing built into every release.

Static, dynamic, and AI-specific testing — applied continuously, not just before audits.

VAPT

Penetration Testing

Continuous · OWASP Top 10 · Reports on request · Third-party testing across all attack surfaces.

SAST / OSS

CI/CD pipeline security

Every build · Insecure code blocked before production.

AI Sec

AI threat coverage

OWASP LLM Top 10 · Prompt injection · AI attack vectors.

Secure coding

SDLC practices

Code scanning · Secure code training across engineering teams.

08 — Incident Response

Rapid response. Guaranteed SLAs.

Five-step playbook from detection to RCA. P0 incidents trigger customer notification within 24 hours.

Response SLA
P0
< 24 hrs
Customer notification + First Resolution Time SLA for all security incidents.
01 · DETECT

24/7 monitoring across all layers

SentinelOne SIEM & EDR, AWS/Oracle cloud-native WAF, DDoS alerts.

02 · TRIAGE

Severity classified, P0 declared

Incident scored by risk impact. PagerDuty escalates to 24/7 Security on-call.

03 · CONTAIN

Affected asset isolated

Isolation, access revocation, and workload quarantine per playbook.

04 · NOTIFY

Customer alerted within 24 hrs

Formal notification issued within 24 hrs + First Response Time (FRT) SLA for incidents.

05 · RESOLVE

Root cause fixed, RCA delivered

Post-incident review. RCA shared with customers. Controls updated, runbooks revised, learnings fed back into detection.

Logging coverage:
Workspace audit (real-time)Extended audit (on request)SIEM + EDR
09 — Privacy Management & Data Handling

You control the data. We process and protect it.

Privacy controls aligned with GDPR, UAE PDPL, KSA PDPL, and India's DPDP Act. Documentation ready for your DPO.

RoPA

Records of Processing

Purpose, retention, subprocessors, and transfer records maintained for applicable processing activities.

DPIA

Privacy Assessment Support

Technical and organizational measure (TOM) artefacts maintained to support customer assessments.

DSAR

Data Subject Requests

Supported through admin workflows and privacy support processes. Standardised response timelines.

Subprocessors

Enterprise-grade vetting

Every third-party subprocessor is independently vetted and bound to ClearTax's security requirements.

Ready to run it past your compliance team?

We'll walk you through certifications, data handling practices, and regional coverage — and provide documentation your legal and procurement teams can act on.

Contact sales

Book a live demo

Our compliance specialists will walk you through certifications and regional coverage.