Compliance
Appice operates under the certifications, regulations, and frameworks that matter to our customers — banks, insurers, healthcare, telcos, and government across India, GCC, and EU.
Certification status
| Standard | Status | Scope | Evidence |
|---|---|---|---|
| SOC 2 Type II | In progress | Security, Availability, Confidentiality | Q2 2026 target. Type I report available now under NDA. |
| ISO/IEC 27001:2022 | Planned | ISMS for production environments | Gap assessment Q3 2026; certification target Q4 2026. |
| ISO/IEC 27701 | Planned | Privacy extension to 27001 | Bundled with 27001 certification track. |
| GDPR (EU) | Compliant | Processor obligations under Art. 28 | DPA, Standard Contractual Clauses, DPO appointed. |
| India DPDP Act 2023 | Compliant | Data fiduciary and processor roles | India-resident infrastructure; consent and grievance flows. |
| HIPAA (US) | BAA available | Healthcare customers | Business Associate Agreement signed on request. |
| RBI Cybersecurity Framework | Aligned | Banks under RBI jurisdiction | Deployed at 10+ Tier-1 Indian banks. |
| SAMA Cybersecurity Framework (KSA) | Aligned | Saudi banks | GCC region deployment; data resident in Saudi Arabia. |
| PCI-DSS | Out of scope | — | Appice does not store, process, or transmit cardholder data. |
How we run the program
Compliance at Appice is owned by a dedicated Information Security team reporting to the CTO. The program is built on three loops:
- Continuous control monitoring. Drata-style automation pulls evidence daily from cloud accounts, identity provider, and CI/CD. Drift is flagged within minutes.
- Quarterly internal audit. Sample-based control testing across access management, change management, vulnerability management, and incident response.
- Annual external audit. An independent CPA firm performs the SOC 2 Type II audit; ISO 27001 surveillance audits follow annually once certification is achieved.
Customer questionnaires and due diligence
Standard responses to common security questionnaires (CAIQ, SIG, VSAQ) are maintained and refreshed quarterly. We can typically complete custom questionnaires within 5 business days. Email security@appice.ai with your form attached.
Sector-specific commitments
Banking and financial services
- India: aligned with RBI's Cyber Security Framework for banks (June 2016 circular and updates) and the IT Outsourcing Master Direction.
- GCC: aligned with SAMA (Saudi Arabia), CBUAE (UAE) and CBB (Bahrain) cybersecurity frameworks for the financial sector.
- EU: aligned with EBA Outsourcing Guidelines and DORA where relevant to outsourced ICT services.
Healthcare
- HIPAA Business Associate Agreement available. Healthcare PHI is segregated and access-restricted.
- India: aligned with the Digital Information Security in Healthcare Act (DISHA) draft framework.
Government
- India: deployable on MeghRaj cloud-hosted infrastructure for government workloads that require a sovereign cloud.
- India: STQC-empanelled audit on request for government tenders.
Need an evidence pack? SOC 2 Type I report, latest pen-test summary, and ISO 27001 readiness statement are available under NDA. Contact security@appice.ai.