Security posture

Security & Data Protection

Architecture

  • Per-tenant SQL database. Every customer runs on a dedicated database — no shared-schema multi-tenancy.
  • AES-256 + RSA encryption on the GST IRN payload sent to the IRIS IRP portal.
  • TLS 1.2+ for all HTTP traffic. HSTS enforced.
  • ClamAV antivirus scans every file uploaded to the platform.
  • Row-level audit covers ~98 row entities automatically via the [DataAuditLog] attribute — 152 references across 106 .cs files in the product codebase.

Authentication

  • OAuth 2.0 SSO via Google Workspace and Microsoft 365.
  • Granular role-based permissions with module-level and feature-level gates.
  • Hierarchy access graph for manager / rep visibility.
  • Branch- and company-level scoping for multi-entity tenants.

Data residency

Customer tenant data is hosted on servers in India. No cross-border transfers without explicit written consent.

Reporting a vulnerability

Email connect@upgearcrm.com with the subject "Security disclosure". We triage within 24 hours and aim to resolve high-severity reports within 7 days.

A detailed security white paper for enterprise procurement reviews is available on request.