Security
Our commitment to protecting your data and infrastructure through enterprise-grade security practices, certifications, and transparency.
Security is not a checkbox at ThinkMindLabs — it is a core engineering discipline embedded into every layer of our platform. We maintain a dedicated security team, undergo independent third-party audits, and follow a continuous improvement programme aligned with ISO 27001 and SOC 2 frameworks.
1. Security Certifications and Compliance
| Standard / Framework | Status | Scope |
|---|---|---|
| SOC 2 Type II | Certified (annual audit) | Platform, API, infrastructure |
| ISO/IEC 27001:2022 | In progress (target Q3 2025) | Information security management |
| GDPR (EU/UK) | Compliant | All personal data processing |
| DPDPA 2023 (India) | Compliant | All personal data processing |
| PCI-DSS Level 1 | Compliant via Stripe/Razorpay | Payment card data (not stored by us) |
| OWASP Top 10 | Tested annually | All web-facing applications |
Current audit reports and compliance documentation are available to enterprise customers under NDA. Contact security@thinkmindlabs.com to request access.
2. Data Encryption
2.1 Encryption at Rest
- All customer data encrypted using AES-256-GCM
- Database encryption with per-tenant key isolation for enterprise customers
- Encryption keys managed via AWS KMS / Google Cloud KMS with automatic rotation every 90 days
- Backup data encrypted with separate keys stored in geographically distinct locations
2.2 Encryption in Transit
- All communications encrypted with TLS 1.3 (TLS 1.2 minimum); older protocols disabled
- Perfect Forward Secrecy (PFS) enforced on all endpoints
- HSTS with minimum 1-year max-age and preloading enabled
- API endpoints enforce certificate pinning for high-security integrations
- Internal service-to-service communication encrypted via mutual TLS (mTLS)
3. Infrastructure Security
3.1 Cloud Architecture
- Multi-region deployment across AWS and GCP with no single point of failure
- VPC isolation with strict network segmentation between customer environments
- Zero-trust network architecture — no implicit trust based on network location
- DDoS protection via Cloudflare Enterprise with automatic mitigation
- Web Application Firewall (WAF) with custom rulesets for AI API abuse prevention
3.2 Access Controls
- Role-Based Access Control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) mandatory for all ThinkMindLabs employees accessing production systems
- Privileged Access Management (PAM) for all administrative operations with session recording
- Access reviews conducted quarterly; departing employees deprovisioned within 4 hours
- Production access requires approval workflow; all access logged immutably
3.3 Supply Chain Security
- Software Bill of Materials (SBOM) maintained for all production dependencies
- Automated dependency scanning via Snyk and GitHub Dependabot
- Container images scanned for vulnerabilities before deployment
- Third-party vendors assessed via a formal vendor security review programme
4. Application Security
- Secure SDLC: Security requirements integrated from design through deployment
- Code review: All production code requires peer review; security-sensitive changes require security team sign-off
- Static analysis: SAST tools run on every pull request; blocking on high/critical findings
- Dynamic analysis: DAST scanning performed on staging before each major release
- Penetration testing: Independent third-party penetration test conducted annually; critical findings remediated within 48 hours
- Bug bounty: Coordinated vulnerability disclosure programme (see Section 7)
5. Operational Security
5.1 Logging and Monitoring
- Centralised, tamper-evident log aggregation with 12-month retention
- 24/7 Security Operations Centre (SOC) monitoring with automated alerting
- Anomaly detection powered by ML-based threat intelligence
- API usage monitoring for abuse patterns, credential stuffing, and scraping attempts
5.2 Incident Response
- Documented Incident Response Plan (IRP) tested via annual tabletop exercises
- Dedicated incident response team with defined escalation paths and roles
- Security incidents classified by severity; P0/P1 incidents activate 24/7 response
- Customer notification for material incidents within 72 hours of discovery (GDPR) and as required under DPDPA
- Post-incident root cause analysis published internally; summaries shared with affected customers
5.3 Business Continuity
- Recovery Time Objective (RTO): 4 hours for critical services
- Recovery Point Objective (RPO): 1 hour for customer data
- Automated daily backups with 30-day retention; weekly backups retained for 1 year
- Disaster recovery tested via annual failover drills
- Status page updated in real time at status.thinkmindlabs.com
6. AI-Specific Security
Operating an AI platform introduces unique security considerations beyond traditional software:
- Prompt injection defence: Input sanitisation and detection systems to prevent adversarial prompt manipulation
- Model output filtering: Automated safety classifiers applied to outputs before delivery
- Data isolation: Customer prompts and outputs are never cross-contaminated between tenants
- Model weight protection: Proprietary model weights stored in isolated, hardware-secured environments; never exposed via API
- Rate limiting and abuse prevention: Adaptive rate limiting to prevent API abuse, credential stuffing, and resource exhaustion
- Watermarking: Enterprise customers can enable cryptographic output watermarking for provenance tracking
7. Vulnerability Disclosure Programme
We operate a coordinated vulnerability disclosure programme. If you believe you have found a security vulnerability in ThinkMindLabs products:
- Report to: security@thinkmindlabs.com (PGP key available on request)
- Include: Description of the vulnerability, steps to reproduce, potential impact, and your contact details
- Acknowledgement: We will acknowledge receipt within 24 hours
- Response SLA: Initial assessment within 72 hours; critical vulnerabilities triaged within 24 hours
- Safe harbour: We will not pursue legal action against researchers who act in good faith and follow responsible disclosure guidelines
- Recognition: Researchers who discover and responsibly disclose valid vulnerabilities are acknowledged in our Hall of Fame
Scope: thinkmindlabs.com and all subdomains, API endpoints (api.thinkmindlabs.com), and developer portal. Out of scope: social engineering attacks, physical security, third-party services used by ThinkMindLabs.
8. Employee Security
- Background verification for all employees with access to production systems or customer data, in compliance with Indian law
- Security awareness training mandatory at onboarding and annually thereafter
- Phishing simulation exercises conducted quarterly
- Acceptable Use Policy and information security policies acknowledged by all employees
- Confidentiality agreements signed by all employees and contractors
9. Enterprise Security Features
Enterprise customers on our Professional and Enterprise plans have access to additional security controls:
- Single Sign-On (SSO) via SAML 2.0 and OIDC integration with your identity provider
- Dedicated VPC and private networking via AWS PrivateLink or GCP Private Service Connect
- Customer-managed encryption keys (CMEK)
- Audit log streaming to your SIEM (Splunk, Datadog, Elastic)
- IP allowlisting and network access controls
- Custom data residency (India, EU, US, APAC regions)
- Annual security review and dedicated security contact
Contact enterprise@thinkmindlabs.com to discuss enterprise security requirements.
10. Contact the Security Team
- Security incidents and vulnerability reports: security@thinkmindlabs.com
- Enterprise security enquiries: enterprise@thinkmindlabs.com
- General security questions: contact@thinkmindlabs.com
- Status and uptime: status.thinkmindlabs.com
- Address: ThinkMindLabs Private Limited, Cyber City, Gurugram, Haryana 122002, India