Security

Built to Watch.
Engineered to Protect.

Last updated: 02 June 2026

01

Encrypted by Default

TLS 1.2+ for data in transit. AES-256 for data at rest. Zero trust architecture for all farm video feeds and operational data.

02

Least-Privilege Access

Role-based access control (RBAC), multi-factor authentication (MFA), and just-in-time elevation for administrative access.

03

Continuous Monitoring

Centralized logging, real-time anomaly detection, and 24×7 security alerting for farm systems and cloud infrastructure.

04

Privacy by Design

Edge processing minimizes data transmission. Video analysis happens on-farm. Data minimization and processor controls protect farmer privacy.

At Nayandi AI, security is not an afterthought — it's the foundation of our computer vision platform for dairy farms. We protect farm operational data, video feeds, and animal health insights with enterprise-grade security controls. This page explains our security architecture, practices, and commitments.

Our Approach

Security Principles

Our security program is built on four core principles:

  • Defense in Depth: Multiple layers of security controls across edge devices, network, application, and data layers.
  • Privacy by Default: Edge processing keeps video data on-farm. Cloud services receive only anonymized analytics and alerts.
  • Continuous Improvement: Regular security assessments, penetration testing, and vulnerability management.
  • Transparency: Clear communication about our security practices, data handling, and incident response.

Infrastructure & Hosting

Where Your Data Lives

Edge-First Architecture

Nayandi AI processes video data at the edge (on-farm) using local compute devices. This minimizes data transmission, reduces latency, and enhances privacy. Only alerts, analytics, and aggregated insights are transmitted to cloud services.

Cloud Infrastructure

Our cloud services are hosted on AWS (Amazon Web Services) infrastructure in India and Asia-Pacific regions. AWS provides:

  • ISO 27001, SOC 2 Type II, and PCI DSS certified data centers
  • Physical security, redundancy, and disaster recovery
  • Network isolation, DDoS protection, and encryption services

Environment Separation

We maintain strict separation between production, staging, and development environments with isolated networks, credentials, and access controls.

Data Protection

How We Safeguard Your Data

Encryption in Transit

All data transmitted between edge devices, mobile apps, web dashboards, and cloud services is encrypted using TLS 1.2 or higher. We enforce HTTPS for all web traffic and use certificate pinning for mobile apps.

Encryption at Rest

Farm operational data, video recordings (if stored), and analytics databases are encrypted at rest using AES-256 encryption. Encryption keys are managed using AWS Key Management Service (KMS) with automatic rotation.

Data Minimization

We collect only the data necessary to provide our services. Video feeds are processed in real-time at the edge. Raw video is not transmitted to the cloud unless explicitly configured by the customer for debugging or model improvement.

Backups & Retention

Encrypted backups are performed daily with geographic redundancy. Backup retention follows our data retention policies (see Privacy Policy). Backups are tested quarterly for integrity and recoverability.

Application Security

Secure Development Practices

  • Secure Coding Standards: We follow OWASP Top 10 guidelines and conduct code reviews for security issues.
  • Dependency Scanning: Automated scanning for vulnerable dependencies in third-party libraries. Critical vulnerabilities patched within 48 hours.
  • Penetration Testing: Annual third-party penetration tests of web applications, APIs, and edge devices.
  • Vulnerability Disclosure: Responsible disclosure program for security researchers (see Responsible Disclosure section).
  • Secure APIs: API authentication using JWT tokens, rate limiting, input validation, and output encoding to prevent injection attacks.
  • Session Management: Secure session handling with HTTP-only cookies, CSRF protection, and automatic session expiration.

Access Control

Who Can Access What

  • Role-Based Access Control (RBAC): Users and employees are assigned roles with minimum necessary permissions. Farm owners control access to their farm data.
  • Multi-Factor Authentication (MFA): Required for all employee accounts and available for customer accounts. SMS, authenticator apps, and hardware tokens supported.
  • Just-in-Time (JIT) Elevation: Administrative access to production systems requires approval, justification, and time-limited elevation.
  • Access Reviews: Quarterly reviews of user permissions and access logs to identify anomalies.
  • Credential Management: Secrets (API keys, database passwords) stored in encrypted vaults with audit logging.

Network & Monitoring

Detection & Response

  • Centralized Logging: All system events, access logs, and security events are centrally logged with tamper-proof audit trails.
  • Real-Time Alerting: Anomaly detection and automated alerts for suspicious activities (failed logins, privilege escalations, data exfiltration attempts).
  • Network Segmentation: Production environments isolated from corporate networks. Edge devices use VPN tunnels or private networks.
  • DDoS Protection: AWS Shield and Cloudflare provide protection against distributed denial-of-service attacks.
  • Intrusion Detection: Network and host-based intrusion detection systems (IDS) monitor for malicious activity.

Incident Response

When Things Go Wrong

Despite our best efforts, security incidents can occur. We maintain a documented incident response plan with defined roles, escalation procedures, and communication protocols.

Our incident response lifecycle includes:

  • Detection: Automated alerts and manual reporting channels.
  • Containment: Isolate affected systems to prevent spread.
  • Investigation: Root cause analysis and forensic examination.
  • Remediation: Patch vulnerabilities and restore normal operations.
  • Notification: Inform affected customers and authorities as required by law.
  • Post-Mortem: Document lessons learned and improve processes.

For security incidents, contact us immediately at security@thequills.ai

Compliance & Frameworks

Standards We Follow

While we are a startup, we model our security program on industry-recognized frameworks including ISO 27001, SOC 2, and NIST Cybersecurity Framework. We prioritize controls relevant to our risk profile and customer needs.

  • Data Protection Laws: Compliance with India's Digital Personal Data Protection Act (DPDP Act) and GDPR for European customers.
  • Agricultural Regulations: Adherence to animal welfare and farm data privacy requirements.
  • Contractual Obligations: Data Processing Addendums (DPAs) and Business Associate Agreements (BAAs) available for enterprise customers.

For security questionnaires, compliance documentation, or audit requests, contact support@thequills.ai

People & Training

Human Firewall

  • Background Checks: Employees with access to customer data undergo background verification appropriate to their role and location.
  • Security Training: Mandatory security awareness training for all employees covering phishing, social engineering, data handling, and incident reporting.
  • Confidentiality Agreements: All employees and contractors sign confidentiality and data protection agreements.
  • Offboarding: Immediate revocation of access for departing employees with exit interviews and equipment return.

Vendor Management

Third-Party Security

We carefully evaluate security practices of third-party vendors who process customer data. Vendors are selected based on security posture, compliance certifications, and data handling practices.

Key vendors include AWS (cloud hosting), email service providers, and analytics tools. A complete list of subprocessors is available in our Data Processing Addendum.

Business Continuity

Always Available

Our architecture is designed for high availability with redundancy across availability zones, automated failover, and geographic distribution. Edge devices continue to operate during cloud service outages. Recovery Time Objective (RTO) is 4 hours for critical services. Recovery Point Objective (RPO) is 24 hours for customer data.

Responsible Disclosure

Security Researchers Welcome

We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us privately so we can fix it before public disclosure.

What to Include in Your Report

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Your contact information for follow-up

Our Commitments

  • Acknowledge receipt within 48 hours
  • Provide status updates every 7 days
  • Credit you in our security advisories (if desired)
  • No legal action for good-faith security research

Out of Scope

  • Physical attacks on edge devices or farm facilities
  • Social engineering attacks on employees or customers
  • Denial-of-service (DoS) attacks
  • Automated scanning without prior approval

Report Security Vulnerabilities: security@thequills.ai

For PGP-encrypted reports, our public key is available at /security/pgp-key.txt

Contact

Get in Touch

Security Team: security@thequills.ai

General Inquiries: support@thequills.ai

Address: Quills AI, B-808, Urbtech Trade Centre, Sector 132, Noida, UP - 201304, India