🛡️ IT & CISO FAQs

Everything your security team will ask about

Data residency, access control, vendor security posture, third-party risk assessment, portability, and ongoing maintenance burden.

🔐 Data Security & Residency

In private AWS account deployment, data lives in your own AWS account in your chosen region (ap-south-1 for India). PolicyCentral.ai has zero access. The platform is deployed as infrastructure code into your environment. Your AWS team can verify at any time through CloudTrail logs, IAM role inspection, and S3 bucket policy review. In SaaS deployment, a Data Processing Agreement (DPA) and sub-processor list are available as part of the commercial agreement for third-party risk assessment.
Available under NDA: SOC 2 Type II report, Data Processing Agreement (DPA), Sub-processor list (AWS services used), Penetration test reports, and security questionnaire responses (CAIQ/SIG or your organization's own format). As an AWS Global ISV Partner, the company meets AWS security review requirements. Documentation is structured to meet standard FSI vendor onboarding and RBI TPRM framework requirements.
Data at rest: AES-256 encryption using AWS KMS. In private account deployments, your organization controls the KMS keys. Data in transit: TLS 1.2 / TLS 1.3 for all client-server communications. Document storage uses Amazon S3 with server-side encryption. AI processing (Bedrock, Polly, Translate) happens within the AWS service boundary, and documents are not sent to external APIs outside the AWS ecosystem.
Yes, and this is precisely what private AWS account deployment is designed for. The platform's infrastructure runs in your AWS account, governed by your IAM policies. No PolicyCentral.ai employee has AWS console access to your account. Support for application-level issues is provided through logs you choose to share (typically anonymized error logs), not through direct data access. This meets the "zero vendor data access" requirement increasingly standard in FSI InfoSec policies.
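One way an AWS team could script the bucket-level part of that verification (default SSE-KMS key owned by their own account, and a bucket policy that denies non-TLS access). This is an added example, not PolicyCentral.ai code; the inputs are constructed to mirror the JSON returned by `aws s3api get-bucket-encryption` and `get-bucket-policy`, and the account ID, key ID and bucket name are placeholders.

```python
"""Offline review of an S3 bucket: default SSE-KMS with a key in the
customer's account, and a policy that denies requests made without TLS."""

CUSTOMER_ACCOUNT = "111122223333"  # constructed placeholder account ID

# Constructed sample of get-bucket-encryption output (placeholder key ARN).
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}

# Constructed sample bucket policy (placeholder bucket name).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::policy-docs", "arn:aws:s3:::policy-docs/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def kms_key_owner(encryption_config):
    """Account ID owning the default SSE-KMS key; None for SSE-S3 or no key ARN."""
    for rule in encryption_config["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            return None
        parts = default.get("KMSMasterKeyID", "").split(":")
        # arn:aws:kms:<region>:<account>:key/<id> -> account is index 4
        if len(parts) >= 6 and parts[2] == "kms":
            return parts[4]
    return None


def denies_plaintext_transport(policy):
    """True if a Deny statement covers s3:* when aws:SecureTransport is false."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = st.get("Condition", {}).get("Bool", {})
        if (st.get("Effect") == "Deny" and "s3:*" in actions
                and str(cond.get("aws:SecureTransport")).lower() == "false"):
            return True
    return False


def review(encryption_config, policy, expected_account=CUSTOMER_ACCOUNT):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    owner = kms_key_owner(encryption_config)
    if owner != expected_account:
        findings.append(f"default SSE-KMS key not owned by {expected_account} (got {owner})")
    if not denies_plaintext_transport(policy):
        findings.append("bucket policy has no Deny for non-TLS requests")
    return findings
```

Feed it the real API output for each bucket in the deployment; a non-empty list is a control gap to raise with the vendor before sign-off.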

🔑 Access Control & Identity

Two levels. Employee level: each employee sees only policies targeted to their profile (department, designation, grade, location) and cannot navigate to policies outside that scope. Admin level: admins are assigned department-specific publishing rights (an HR admin can only publish HR policies and cannot modify Legal or IT policies). All admin actions are logged with timestamps, and the Maker-Checker audit trail captures every publishing action, approval, and modification.
When marked as terminated in HRMS and the sync runs, access is automatically deprovisioned. In SSO/AD-integrated deployments, disabling the employee's AD account (standard IT offboarding) simultaneously revokes PolicyCentral.ai access, so no separate deprovisioning step is required. Historical compliance data (read receipts, attestations, e-sign records) is preserved, not deleted, as regulatory audit windows may require access to historical records for ex-employees.
Minimal: No patching, as security patches and updates are applied by the vendor with no action required from your IT team. No version upgrades, as new features deploy continuously and appear automatically in your instance. No infrastructure scaling, as the platform auto-scales on AWS. Routine IT involvement post-go-live: employee data sync monitoring (automated), occasional firewall rule updates, user deprovisioning (automated via AD). Estimated ongoing IT overhead: 1–2 hours per month.
Yes. PolicyCentral.ai undergoes periodic penetration testing by third-party security firms. The most recent report is available under NDA as part of the vendor security assessment process. As an AWS Global ISV Partner, the platform also benefits from AWS's own security review process, which includes security architecture review requirements.

📤 Portability & Vendor Risk

All data is exportable in standard formats (CSV, Excel, JSON), not proprietary ones: policy content, compliance records (read receipts, attestation data, e-sign logs, timestamps, employee profiles), version histories, and analytics. For private AWS account deployments, the data already lives in your own S3 buckets and databases, so vendor lock-in at the data layer doesn't exist. Off-boarding includes a supported data export process.
WorkApps has been operational since 2017 (8 years), is venture-funded, and serves 70+ FSI institutions including Kotak Mahindra Bank (83,700 employees). The AWS infrastructure underpinning the platform has a 99.99% uptime SLA. A vendor business continuity event would not immediately affect a private AWS account deployment, as your instance runs independently. Business continuity documentation and customer references for TPRM purposes are available on request.