Security, by design.
A short, honest summary of how we secure the website at infizia.in and the products we deploy for customers — encryption, access, isolation, observability, and how we respond when something goes wrong.
01
Our security posture
Infizia is the AI-native sub-brand of Contezza Techno Solution Pvt. Ltd., a private company incorporated in India in 2012. We build enterprise software for clients across healthcare, sales, finance, and other regulated domains, so security is wired into how we design, build, and run our products — not an afterthought.
This page summarises the controls and practices we apply on infizia.in and across customer deployments. For the privacy specifics around data collected on this site, see our Privacy Policy.
02
Data classification
We classify the data we handle into three tiers, each with its own treatment:
- Public. Marketing content, brochures, partner names — no sensitivity, served via CDN.
- Internal. Server logs, operational metrics, build artefacts. Restricted to engineers on a need-to-know basis.
- Restricted. Customer inquiry data, contact form submissions, and any client data handled in deployments. Encrypted at rest, access logged, and scoped to authorised roles.
03
Data in transit
All connections to infizia.in and our APIs are encrypted with TLS 1.2 or higher. HTTP requests are redirected to HTTPS, HSTS is enabled with preload, and we use modern cipher suites only.
Email between our systems and Zoho is encrypted in transit; delivery to your mailbox depends on your provider’s TLS posture.
04
Data at rest
- Email and form submissions. Stored in the Zoho Mail mailbox for sales@infizia.in. Zoho encrypts mailboxes at rest using AES-256.
- Server logs and platform storage. Encrypted at rest by the hosting provider using vendor-managed keys. Retention is finite — see the Privacy Policy for current durations.
- Customer-deployed Infizia products. Application data is encrypted at rest using cloud-provider-managed keys (Google Cloud KMS or equivalent). Customer-supplied keys are supported on enterprise plans.
05
Access controls
- Named accounts only. No shared credentials. Every engineer authenticates with their own identity for everything they touch.
- Multi-factor authentication. Required on all admin tooling — Zoho, GitHub, hosting provider, cloud accounts.
- Least privilege. Access is scoped to the role and the project. We review permissions on join, role change, and offboarding.
- No prod from laptops. Production changes go through CI/CD with peer review. Direct production access is rare, audited, and time-boxed.
06
Multi-tenant isolation
For Infizia products deployed to multiple customers, isolation is enforced at three levels:
- Logical isolation by default: each tenant’s data is partitioned by tenant ID and protected by row-level access controls.
- Schema or database isolation on enterprise plans: a dedicated schema or database instance per tenant.
- Dedicated deployment on regulated-industry contracts: a separate cluster or VPC for the customer.
07
Observability and audit
We instrument the platform so we can answer what happened, when, and to which record — quickly:
- Centralised, structured application logs with retention windows.
- Audit trails for data-touching actions (read, write, export, delete) on customer-deployed products.
- Metrics and tracing for latency, error rate, and saturation across services.
- Alerts on anomalous access patterns and authentication failures.
08
Incident response
If we detect or are notified of a security incident, our process is:
- Acknowledge within 24 hours of confirmation.
- Contain the impact and rotate any exposed credentials.
- Investigate the root cause and produce a written incident report.
- Communicate transparently with affected customers, including timeline, scope, and remediation steps.
- Improve — every post-mortem produces concrete fixes and we ship them.
For data breaches involving personal data, we follow the notification timelines required by the applicable law (DPDP Act rules in India, GDPR Article 33 in the EU, and so on).
09
Compliance posture
We design and operate the platform against the controls published by the major frameworks even where formal audits are not yet in place:
- SOC 2-ready. Our controls cover the Trust Services Criteria (security, availability, confidentiality). A formal audit is on our roadmap and will be pursued when the customer mix justifies it.
- DPDP-ready. Our data handling on this site and in customer deployments is aligned with the obligations of India’s Digital Personal Data Protection Act, 2023.
- GDPR-aware. For visitors and customers in the EU / UK, we apply GDPR-aligned processing principles and rights handling.
- India IT Rules. Our site complies with the Information Technology Act, 2000 and the Intermediary Guidelines and Digital Media Ethics Code Rules, 2021 to the extent they apply.
We do not currently claim ISO 27001 or SOC 2 Type II certification. When we obtain any such attestation, this page and the marketing site will be updated.
10
Vendor security
We rely on a small set of trusted vendors. Their certifications cover their slice of the stack:
- Zoho Corporation. ISO/IEC 27001, SOC 2 Type II, GDPR-compliant — see Zoho Security.
- Google Cloud (GCP). ISO/IEC 27001/27017/27018, SOC 1/2/3, PCI DSS, HIPAA-ready services where applicable.
- Red Hat. Common Criteria EAL 4+ for RHEL, FIPS 140-3 modules, and the associated supply-chain attestations.
11
Secure engineering practices
- Code review. Every change is reviewed by at least one peer before merge.
- Automated testing and CI. Type checks, lint, and tests run on every push.
- Dependency hygiene. Pinned versions, automated vulnerability alerts, prompt patching for high-severity issues. Pinning is documented in package.json and lockfiles.
- Secret management. Secrets live in vendor-managed secret stores (hosting provider env vars, GitHub Actions secrets) — never in source.
- Bot protection. Forms on this site are protected by Google reCAPTCHA v3 with score thresholding.
12
Reporting a security issue
If you believe you have found a security vulnerability in our site or a customer deployment, please tell us. We appreciate responsible disclosure and we’ll get back quickly.
- Email: sales@infizia.in (subject line: Security disclosure)
- We acknowledge within 1 working day, share an investigation timeline within 5 working days, and publish credit (with your permission) once fixed.
- Please do not access data that isn’t yours, run automated scans against production, or attempt to disrupt our service while testing.
Questions about this policy?
Email us at sales@infizia.in and we’ll get back to you within one working day.

